From the frontlines: Delivering critical early responder device management

By: Catarina Rodrigues – Product Manager 2 | Microsoft Intune

In high-stakes environments like emergency response, speed, accuracy, and security are essential. Whether it’s paramedics delivering life-saving care or police officers responding to critical incidents, frontline teams need real-time access to information—right where the action is. To meet these demands, emergency services are increasingly deploying mobile devices, paired with advanced device management solutions, to empower their teams in the field.

I’m Catarina Rodrigues, a Product Manager in the Microsoft Intune team, and in this blog of the “From the Frontlines” series, I’ll share my experience working with emergency services, exploring how to deploy and manage iPads and Android tablets using Intune. For more information refer to: Frontline worker device management overview in Microsoft Intune.

Shared iPads in ambulances

Ambulances operate around the clock, often with rotating crews. To ensure seamless and secure access to clinical apps, maps, and emergency protocols, organizations are increasingly often equipping vehicles with iPads that are prepared to be shared by personnel working shift.

There are different ways to support Apple devices for frontline scenarios depending on the requirements. Shared iPad mode is recommended for shared use of iPads; it creates multiple user partitions, making it easy for several users to log in and access their applications and data according to their preferences. Intune together with Apple's Automated Device Enrollment (ADE) makes it simple to address this scenario seamlessly, enabling zero-touch provisioning and device supervision for additional security configurations.

Below is an ADE enrollment profile configured to setup devices as Shared iPads:

• User affinity: Enroll without User Affinity
• Supervised: Yes
• Locked enrollment: Yes
• Shared iPad: Yes

You can then configure the number of maximum cached users and inactivity settings for these profiles, as needed.

Once iPads are enrolled and functional, users will be able to setup their profiles, where they’ll have access to the applications and data according to their permissions. Once their profiles are setup, users can see them in the login screen, as they will be available for them to login again in the future.

Benefits of Shared iPad with ADE for IT admins and frontline workers

• Zero-touch deployment: Devices are automatically enrolled and configured via Apple’s Automated Device Enrollment (ADE), reducing manual setup and ensuring consistency across the fleet.
• Targeted assignment: Enables IT admins to permanently assign an iPad to a specific ambulance, streamlining shift handovers and ensuring paramedics always have access to the right tools.
• Persistent configuration: Shared iPad can cache up to 100 user profiles (24 recommended on a 32 or 64 GB iPad), ensuring device settings and apps remain consistent and reducing login friction.
• Enhanced security and compliance: While these devices are shared, device-level management and app protection policies keep sensitive data secure and encrypted.
• Remote actions and support: IT teams can monitor, lock, or wipe devices remotely through Intune, with supervision mode enabling deeper administrative controls, such as Lost Mode and Locate Device.

This setup gives paramedics immediate access to clinical apps, maps, and protocols and all information they might need to access or share without compromising security or adding friction to their workflow.

Fully managed Android tablets for police

For police departments, data sensitivity is paramount. Officers need access to real-time intelligence, case files, and communication tools without risking exposure of confidential information. While there are other options to enroll Android devices in Intune (you can see an overview here), setting up corporate-owned, fully-managed Android tablets with Intune can deliver the data protection and device lock-down that police departments need, while ensuring police officers remain productive. Users won’t be able to change pre-defined configurations and install applications from the public store. These devices are associated with a single user, in this case a police officer, as they aren’t intended for shared use. To ensure minimal disruption in the working day of these users, IT admins can use device staging to decrease the number of steps needed to enroll a brand-new device and get it to a functional state.

Device staging

Device staging is designed to simplify and accelerate the deployment of corporate-owned, fully managed Android devices—especially in high-stakes environments. Instead of requiring police officers to navigate a lengthy setup process, IT teams or authorized third-party vendors pre-configure the devices using a secure enrollment token generated in the Intune admin center. This token allows the device enrollment and provisioning without needing the officer’s credentials, ensuring that critical apps, such as Intune and Microsoft Authenticator, are installed and ready before the device is even handed over.

When the officer powers on the device for the first time, they simply sign in to the Intune app, and the device completes its configuration, applying all necessary policies and security settings (see image below). This approach not only saves valuable time during rollouts but also ensures that every police officer receives a consistent, secure, and fully operational device from the moment they turn it on—an essential advantage when reliability and speed are crucial.

In the picture below, you see the steps users go through to complete enrollment which requires authentication using the Intune application, so that apps and policies assigned to that user identity are applied.

Microsoft Intune and Android Enterprise corporate-owned, fully managed enrollment

To enable device staging, IT sets up an Android Enterprise enrollment profile, with a token associated that has a configurable expiry date, up to 65 years in the future. This token can be revoked any time as needed. In addition, IT can also apply a device naming template to all the devices that are enrolled under the same profile, making it easier to identify and group devices by police station, department, or region. You can check the supported strings for this device naming template here.

Below you can see an example of an enrollment profile configured with the following parameters:

• Token type: Corporate-owned, fully managed, via staging
• Apply device name template: Yes
• Device name template: {{SERIAL}}
  
  

Benefits of corporate-owned, fully managed, via staging for IT admins and frontline workers

• End-to-end control and security: IT admins retains full control over the device lifecycle—from provisioning to retirement—ensuring that only approved apps, settings, and security policies are applied and maintained throughout use.
• Simplified, secure user experience with Managed Home Screen: Managed Home Screen provides a locked-down, customizable launcher that ensures users access only approved apps and settings. This minimizes distractions, enhances security, and delivers a consistent, role-based experience across all devices—ideal for high-stakes field environments.
• Faster, frictionless rollouts: Device staging eliminates the need for users to complete complex setup steps. Devices arrive pre-enrolled and pre-configured, so users can simply sign in and start working immediately.
• Consistent, compliant configuration: Every device is enrolled with the same baseline—apps, policies, and restrictions—ensuring compliance with organizational standards and reducing variability in the field.
• Reduced IT overhead: By shifting setup responsibilities to staging teams or vendors, IT departments can scale deployments without increasing support load or requiring one-on-one onboarding.
• Operational readiness from day one: Users receive devices that are mission-ready, with secure access to critical apps like dispatch systems, communication tools, and field data—right out of the box.

This setup gives officers the tools they need while maintaining operational integrity and data confidentiality.

Summary

This blog post explored how to securely manage devices used by emergency services teams. These examples are applicable to other scenarios where workers need to access confidential, sensitive information while in the field. I hope this blog inspires you to try these methods and look forward to answering questions in the comments.

This blog is part of the “From the Frontlines” series, where we explore different scenarios of how workers in field use devices and how IT admins can enable them. Check the other blog posts for more inspiration!

Please refer to the documentation here for more guidance:

• For information on how to support Apple devices in the frontline refer to: Get started with iOS/iPadOS frontline worker devices.
• For information on how to set up Shared iPad refer to: Shared iPad devices.
• For information on how to support Android devices in the frontline refer to: Get started with Android frontline worker devices.
• For information on how to set up corporate-owned, fully managed Android devices refer to: Set up enrollment for Android Enterprise fully managed devices.
• If you'd like to learn more about incorporating device staging to reduce user steps during enrollment see: Device staging overview.
• To ensure your organization can navigate modern security challenges following Microsoft's Zero Trust approach see: Zero Trust security strategy.

As always, if you have any questions let us know in the comments or reach out to us on X @IntuneSuppTeam or @MSIntune!