This blog will provide guidance on how to set up a shared device mode using Microsoft Intune. This mode operates on a session-by-session basis, with all data being cleared after each session, making it ideal for settings like kiosks or frontline workers where a single device is shared among multiple users. In this mode, users do not have personal profiles on the device. The device is cleared of any session data when a user logs out, ensuring each session starts anew. The experience is akin to logging into a public workstation.Shared device mode is a functionality of Microsoft Entra ID that enables frontline workers to securely use a shared device throughout the day, logging in and out as needed. This feature employs the Microsoft Enterprise SSO plug-in to minimize the frequency of sign-ins required during a session.
Create an Enrollment profile
Step 1: Log in to https://intune.microsoft.com and go to Device -> iOS/iPadOS -> Enrollment -> Enrollment Program Token. Choose the ADE token, click on Profiles, then click on Create profile, select iOS/iPadOS, give it a suitable name, and click on next.
Step 2: Choose "Enroll with Microsoft Entrashared Mode" under User affinity and select the appropriate options under management options and tap on Next
Step 3: Choose the correct option under setup assistance and examine the configuration tab on create to finalize the configuration.
Once completed you can see the profile under yoru ADE token
Assign Devices to the profile using Dynamic Group
Step 1: Create a dynamic device group with proper naming convention and dynamic query as (device.enrollmentProfileName -eq "Shared Ipad") and tap on Create.
Dynamic Device Group configuration
After a device is assigned to the profile, it will be added to the security group.
Create a configuration for SSO app Extension
Access device configuration, create a device feature, and expand Single sign-on app extension. Then configure it with SSO app extension type: Microsoft Entra ID, Enable shared device mode: Yes, Key: device_registration, Type: String, Value: {{DEVICEREGISTRATION}}, and assign the configuration to the dynamic device group
Set up the Microsoft Authenticator app
Deploy the Microsoft Authenticator app to designated devices. Make the app mandatory for all devices using a filter or for a specific group. Ensure the Microsoft Authenticator app has been obtained through an Apple volume-purchase program.
Users must open Microsoft Authenticator to configure the device for Shared Device Mode.
Conclusion
Configuring a shared device mode with Microsoft Intune and Microsoft Entra ID provides a secure and efficient environment for shared devices, especially in settings like kiosks or for frontline workers. By following the steps in this guide, you can create an enrollment profile, assign devices using dynamic groups, configure the SSO app extension, and deploy the Microsoft Authenticator app. This setup enhances security by clearing session data after each use and streamlines the user experience by reducing sign-in frequency. Implementing these configurations will help maintain a seamless and secure workflow for all users sharing the device.
Comentários