By: Charlotte Maguire | Program Manager - Microsoft Endpoint Manager - Intune & Shantaram Punukollu | Sr Program Manager – Identity
Updated 4/30/2021 for general availability
Microsoft Endpoint Manager - Intune now supports automatically enrolling Android Enterprise dedicated devices into Azure AD Shared device mode. This new feature was released in public preview in the October (2010) service release and in the April (2104) service release we announced general availability. The blog below has been updated with several new screenshots.
Today, Microsoft Endpoint Manager customers have the option to enroll their Android devices as Android Enterprise (AE) dedicated devices. With this new capability, customers can now optionally enroll their AE dedicated devices into Azure AD Shared device mode, which will allow end-users to gain single sign-on and single sign-out across all of the participating applications on the device. For an application to participate with Azure AD Shared mode, it must integrate with Azure AD's MSAL library. More information about Azure AD Shared Mode and its capabilities can be found here.
Here are additional capabilities included with this release:
Ensure device compliance with Conditional Access - Customers using Azure AD shared mode on dedicated devices will be able to secure their corporate data on user sign-in with Conditional Access that is based on device compliance.
Customized sign-in experience - Customers will be able to leverage new Managed Home Screen customizations that were built specifically for Azure AD Shared device mode. For example, admins can allow users to define a session PIN for the duration of their shift and configure an automatic sign-out timer.
To learn more about Azure AD Shared mode, dedicated devices, and/or Managed Home Screen, please see the following articles:
To learn more about how to use the features, read on!
In the Microsoft Endpoint Manager admin center, follow the steps listed here to get your dedicated device enrollment profile(s) and device groups appropriately set up.
With Intune's April release, you will notice an option to specify a "Token type" when you create an enrollment profile. You can choose "Android Enterprise dedicated device (default)," or "Android Enterprise dedicated device with Azure AD shared mode." To enroll your devices with Azure AD Shared device mode automatically set up during enrollment, choose the latter.
Check that any applications you want users to sign into with this solution have integrated Azure AD's MSAL library and its global sign-in and sign-out calls. If needed, read about how to add Managed Google Play apps to your devices and how to assign apps to groups.
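As an added example (not code from this blog post or from Microsoft), here is a minimal Java sketch of what that MSAL integration looks like on the app side: single-account mode, a shared-device check, and reacting to the device-wide sign-out or account change so that nothing from the previous user survives in the app. The configuration resource name `auth_config`, the `clearLocalUserData` helper and the scopes passed by the caller are assumptions.

```java
import android.app.Activity;
import android.content.Context;
import androidx.annotation.NonNull;
import androidx.annotation.Nullable;
import com.microsoft.identity.client.AuthenticationCallback;
import com.microsoft.identity.client.IAccount;
import com.microsoft.identity.client.IPublicClientApplication;
import com.microsoft.identity.client.ISingleAccountPublicClientApplication;
import com.microsoft.identity.client.PublicClientApplication;
import com.microsoft.identity.client.exception.MsalException;

// Hypothetical helper wrapping MSAL single-account mode for an app on a shared device.
public final class SharedDeviceAuth {
    private ISingleAccountPublicClientApplication app;

    // Assumes res/raw/auth_config.json sets "account_mode": "SINGLE" and
    // "shared_device_mode_supported": true, plus the app's own client/redirect settings.
    public void init(Context ctx) {
        PublicClientApplication.createSingleAccountPublicClientApplication(ctx, R.raw.auth_config,
            new IPublicClientApplication.ISingleAccountApplicationCreatedListener() {
                @Override public void onCreated(ISingleAccountPublicClientApplication created) {
                    app = created;
                    // True when the broker app has put the device into Azure AD shared mode.
                    if (app.isSharedDevice()) loadCurrentAccount();
                }
                @Override public void onError(MsalException e) { clearLocalUserData(); }
            });
    }
    // The signed-in account is device-wide and can change underneath the app,
    // so treat "no account" or "different account" as a hard reset of local state.
    private void loadCurrentAccount() {
        app.getCurrentAccountAsync(new ISingleAccountPublicClientApplication.CurrentAccountCallback() {
            @Override public void onAccountLoaded(@Nullable IAccount a) { if (a == null) clearLocalUserData(); }
            @Override public void onAccountChanged(@Nullable IAccount prior, @Nullable IAccount cur) { clearLocalUserData(); }
            @Override public void onError(@NonNull MsalException e) { clearLocalUserData(); }
        });
    }
    // Sign-in is performed by the broker for the whole device; no login hint on a shared device.
    public void signIn(Activity activity, String[] scopes, AuthenticationCallback cb) {
        app.signIn(activity, null, scopes, cb);
    }
    // Global sign-out: on a shared device this signs the user out of every MSAL-integrated app.
    public void signOut() {
        app.signOut(new ISingleAccountPublicClientApplication.SignOutCallback() {
            @Override public void onSignOut() { clearLocalUserData(); }
            @Override public void onError(@NonNull MsalException e) { clearLocalUserData(); }
        });
    }
    private void clearLocalUserData() { /* assumption: wipe caches, drafts and tokens the app holds */ }
}
```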
To enroll with Intune's dedicated device solution, make sure that you have factory reset devices that meet the requirements found here. Identify the enrollment method you would like to use, and follow the appropriate steps listed here.
Once you begin enrollment with an "Android Enterprise dedicated device with Azure AD shared mode" you will see screens similar to the ones shared below. Follow the steps on-screen to complete enrollment.
Microsoft’s Managed Home Screen supports Azure AD Shared device mode and offers customizations specific to this scenario. As always, Managed Home Screen can be optionally used on your dedicated devices to provide a locked-down, tailored experience for your end-users, giving them access to a curated set of apps, settings, and more. The main features Managed Home Screen is releasing alongside their support of Azure AD Shared device mode can be found below.
This is an optional set of configurations to show a sign-in screen to end-users when Managed Home Screen is on the device and no user is signed in. Use of this feature ensures that the only action an end-user can take on a signed-out device is to sign in. Users can still access the Managed Home Screen settings pane, if configured by IT. Additionally, the debug menu is still accessible.
You can also configure a sign-in screen wallpaper that is separate from the wallpaper shown after sign-in.
An optional set of configurations that allows your end-user to set a numeric or alphanumeric PIN (IT chooses which) that lasts for the duration of their signed-in session. The prompt to set a PIN appears directly after initial sign-in, and the PIN is completely cleared upon sign-out. This PIN can be used throughout the session to access specific permissions, rather than needing to re-enter full user credentials.
An optional set of configurations that allows you to choose whether end-users on the device should be signed out after a specified period of inactivity. You can also choose whether to give the user notice of the upcoming auto-sign-out, with a configured time frame in which they can choose to resume if they are still using the device.
This is an optional specification for any folders you create on Managed Home Screen. If you specify a folder as customer-facing, then once the folder is launched it cannot be exited until the logged-in user enters their session PIN. This allows the logged-in user to share their device with another end-user without fear of accidentally sharing sensitive information. The logged-in user also has the option to switch user when exiting the folder, which signs out all apps on the device and returns the device to the sign-in screen.
On the Managed Home Screen sign-in screen, notice a link to Microsoft’s privacy statement. Choose whether or not to include your organization’s privacy statement, as well, by including a link and a title for the link. If you use this feature, both privacy statement links will appear on Managed Home Screen’s sign-in screen.
Things to note:
Let us know if you have any additional questions on this by replying back to this post or tagging @IntuneSuppTeam out on Twitter.