Enroll Android Enterprise dedicated devices into Azure AD Shared device mode
Published Oct 28 2020 03:27 PM

By: Charlotte Maguire | Program Manager - Microsoft Endpoint Manager - Intune & Shantaram Punukollu | Sr Program Manager – Identity

 

Updated 4/30/2021 for general availability 

 

Microsoft Endpoint Manager - Intune now supports automatically enrolling Android Enterprise dedicated devices into Azure AD Shared device mode. This feature was released in public preview in the October 2020 (2010) service release, and general availability was announced in the April 2021 (2104) service release. The blog below has been updated with several new screenshots.

 

Today, Microsoft Endpoint Manager customers have the option to enroll their Android devices as Android Enterprise (AE) dedicated devices. With this new capability, customers can optionally enroll their AE dedicated devices into Azure AD Shared device mode, which gives end users single sign-on and single sign-out across all of the participating applications on the device. For an application to participate in Azure AD Shared device mode, it must integrate Azure AD's MSAL library; an app that does not participate keeps its own sign-in state and is unaffected by a device-wide sign-out. More information about Azure AD Shared device mode and its capabilities can be found here.

 

Here are additional capabilities included with this release:

  • Ensure device compliance with Conditional Access - Customers using Azure AD shared mode on dedicated devices will be able to secure their corporate data on user sign-in with Conditional Access that is based on device compliance.

  • Customized sign-in experience - Customers will be able to leverage new Managed Home Screen customizations that were built specifically for Azure AD Shared device mode. For example, admins can allow users to define a session PIN for the duration of their shift and configure an automatic sign-out timer.

 

To learn more about Azure AD Shared mode, dedicated devices, and/or Managed Home Screen, please see the following articles:

 

To learn more about how to use the features, read on!

 

What steps do I need to take prior to enrolling with this scenario?

In the Microsoft Endpoint Manager admin center, follow the steps listed here to get your dedicated device enrollment profile(s) and device groups appropriately set up.

 

With Intune's April release, you will notice an option to specify a "Token type" when you create an enrollment profile. You can choose "Android Enterprise dedicated device (default)," or "Android Enterprise dedicated device with Azure AD shared mode." To enroll your devices with Azure AD Shared device mode automatically set up during enrollment, choose the latter.

 

Step 1 - Create AE enrollment profile

Step 2 - Select token type and expiration

 

Check that every application you want users to sign into with this solution has integrated Azure AD's MSAL library and its global sign-in and sign-out calls. If needed, read about how to add Managed Google Play apps to your devices and how to assign apps to groups.
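What "integrated with MSAL and the global sign-in and sign-out calls" looks like from inside an app, as an added example that is not code from this post, from Intune, or from the MSAL project: an Android helper around MSAL's single-account mode that checks isSharedDevice(), re-reads the current account every time the app comes to the foreground and wipes app-local data when the account changed underneath it (the window in which a previous user's data could otherwise still be visible), and routes sign-in and sign-out through MSAL so they are device-wide. The scopes, authority, config resource and the clearLocalData callback are placeholders for the app's own values, and the method signatures are those of MSAL for Android 2.x-era ISingleAccountPublicClientApplication; check them against the MSAL version you build with.

```java
import android.app.Activity;
import android.content.Context;

import androidx.annotation.NonNull;
import androidx.annotation.Nullable;

import com.microsoft.identity.client.AuthenticationCallback;
import com.microsoft.identity.client.IAccount;
import com.microsoft.identity.client.IAuthenticationResult;
import com.microsoft.identity.client.IPublicClientApplication;
import com.microsoft.identity.client.ISingleAccountPublicClientApplication;
import com.microsoft.identity.client.PublicClientApplication;
import com.microsoft.identity.client.SilentAuthenticationCallback;
import com.microsoft.identity.client.exception.MsalException;

/**
 * Added example (not from the post, Intune or MSAL): the minimum an app must do to
 * participate in Azure AD shared device mode with MSAL for Android, single-account mode.
 */
public final class SharedDeviceSession {

    // Assumptions: placeholder scopes and authority; use the app's own values.
    private static final String[] SCOPES = {"User.Read"};
    private static final String AUTHORITY = "https://login.microsoftonline.com/common";

    private ISingleAccountPublicClientApplication app;   // null until init() completes
    private IAccount signedInAccount;                    // account this process last saw
    private final Runnable clearLocalData;               // app-specific: wipe caches, DB rows, files

    public SharedDeviceSession(@NonNull Runnable clearLocalData) {
        this.clearLocalData = clearLocalData;
    }

    /** Build the MSAL client from the raw JSON config resource. The config must set
     *  "account_mode": "SINGLE" and "broker_redirect_uri_registered": true so that
     *  sign-in state lives in the broker (Authenticator / Company Portal), not in this app. */
    public void init(@NonNull Context ctx, int configResId) {
        PublicClientApplication.createSingleAccountPublicClientApplication(ctx, configResId,
            new IPublicClientApplication.ISingleAccountApplicationCreatedListener() {
                @Override public void onCreated(ISingleAccountPublicClientApplication application) {
                    app = application;
                    syncWithBroker();
                }
                @Override public void onError(MsalException e) { /* surface to UI / logging */ }
            });
    }

    /** Call from Activity.onResume(): the signed-in user may have changed while the app was
     *  in the background (Managed Home Screen sign-out, switch user, automatic sign-out). */
    public void syncWithBroker() {
        if (app == null) return;
        app.getCurrentAccountAsync(new ISingleAccountPublicClientApplication.CurrentAccountCallback() {
            @Override public void onAccountLoaded(@Nullable IAccount activeAccount) {
                signedInAccount = activeAccount;               // unchanged, or first load
            }
            @Override public void onAccountChanged(@Nullable IAccount priorAccount,
                                                   @Nullable IAccount currentAccount) {
                // Another user signed in or out through the broker. Wipe the previous
                // user's data before rendering anything for the new session.
                clearLocalData.run();
                signedInAccount = currentAccount;
            }
            @Override public void onError(@NonNull MsalException e) {
                signedInAccount = null;                        // fail closed: treat as signed out
            }
        });
    }

    /** True when the broker reports the device is in Azure AD shared device mode. */
    public boolean isSharedDevice() {
        return app != null && app.isSharedDevice();
    }

    /** Interactive sign-in; on a shared device this is the device-wide (global) sign-in. */
    public void signIn(@NonNull Activity activity) {
        app.signIn(activity, null, SCOPES, new AuthenticationCallback() {
            @Override public void onSuccess(IAuthenticationResult result) { signedInAccount = result.getAccount(); }
            @Override public void onError(MsalException e) { /* show error */ }
            @Override public void onCancel() { /* user backed out */ }
        });
    }

    /** Silent token acquisition. On a shared device an error here usually means the user was
     *  signed out device-wide, so the caller should drop local state rather than retry forever. */
    public void acquireToken(@NonNull SilentAuthenticationCallback callback) {
        app.acquireTokenSilentAsync(SCOPES, AUTHORITY, callback);
    }

    /** Global sign-out: on a shared device MSAL signs the user out of every participating app. */
    public void signOut() {
        app.signOut(new ISingleAccountPublicClientApplication.SignOutCallback() {
            @Override public void onSignOut() { clearLocalData.run(); signedInAccount = null; }
            @Override public void onError(@NonNull MsalException e) { /* show error */ }
        });
    }
}
```

The important design point is the onAccountChanged branch: MSAL only tells the app that the user changed when the app asks, so an app that restores its cached UI before calling getCurrentAccountAsync on resume will briefly show the previous user's content even though the broker already signed that user out. Wiping first and rendering second closes that window.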

 

How do I enroll my dedicated devices into Azure AD shared mode?

To enroll with Intune's dedicated device solution, make sure that you have factory reset devices that meet the requirements found here. Identify the enrollment method you would like to use, and follow the appropriate steps listed here.

 

Once you begin enrollment with an "Android Enterprise dedicated device with Azure AD shared mode" you will see screens similar to the ones shared below. Follow the steps on-screen to complete enrollment.

 

Set up your work phone | Install apps | Work checklist

Register shared device screen | Device registering | Shared device registered


What are the new Managed Home Screen features and how do I use them?

Microsoft’s Managed Home Screen supports Azure AD Shared device mode and offers customizations specific to this scenario. As always, Managed Home Screen can optionally be used on your dedicated devices to provide a locked-down, tailored experience for your end users, giving them access to a curated set of apps, settings, and more. The main features Managed Home Screen is releasing alongside its support for Azure AD Shared device mode are described below.

 

Sign-in screen & wallpaper for sign-in screen

This is an optional set of configurations to show a sign-in screen to end users when Managed Home Screen is on the device and no user is signed in. With this feature enabled, the only action an end user can take on a signed-out device is to sign in, with two exceptions: users can still open the Managed Home Screen settings pane if IT has made it available, and the debug menu remains accessible.

 

You can also configure a sign-in screen wallpaper that is separate from the wallpaper shown after sign-in.

 

Sign-in screen wallpaper

 

Session PIN

An optional set of configurations that lets end users set a PIN (numeric or alphanumeric, as chosen by IT) that lasts for the duration of their signed-in session. The prompt to set the PIN appears directly after initial sign-in, and the PIN is cleared completely on sign-out. During the session the PIN can be used to unlock specific actions instead of re-entering full user credentials.

 

Set your session PIN

 

Automatic sign-out

An optional set of configurations that lets you sign end users out of the device after a specified period of inactivity. You can also choose whether to warn users before the automatic sign-out, and for how long, so that they can choose to resume if they are still using the device.

 

Automatic sign-out prompt

 

Customer facing folder

This is an optional setting for any folder you create on Managed Home Screen. If you mark a folder as customer facing, then once the folder is launched it cannot be exited until the signed-in user enters their session PIN. This lets the signed-in user hand the device to another person without fear of accidentally exposing sensitive information. When exiting the folder, the signed-in user also has the option to switch user, which signs out all participating apps on the device and returns to the sign-in screen.

 

Fig 1. Home screen | Fig 2. Enter session PIN

Fig 3. Session PIN entered | Fig 4. Switch User prompt

 

Custom privacy statement

On the Managed Home Screen sign-in screen, notice a link to Microsoft’s privacy statement. Choose whether or not to include your organization’s privacy statement, as well, by including a link and a title for the link. If you use this feature, both privacy statement links will appear on Managed Home Screen’s sign-in screen.

 

Things to note:

  • To receive single sign-on and single sign-out while in Azure AD shared device mode, each app must participate. Today, Microsoft applications that participate in Azure AD shared device mode include Teams and Managed Home Screen; an app that does not participate keeps its own sign-in state across users.
  • App Protection Policies (APP) are not currently supported on Intune’s Android Enterprise dedicated devices, though they are also not formally blocked. If a user targeted with APP signs into an APP-protected application, they will be prompted to install the Company Portal application, and the user’s sign in will effectively block other users from signing into the same application. It is recommended that users signing into apps on dedicated devices not be targeted with APP. With Intune’s November release, APP will be formally blocked on dedicated devices. With the November change, even if users are targeted with APP, they will not receive APP when using apps on their dedicated devices. As a result, they will be able to sign into and out of apps on their dedicated devices without blocking other users from sign-in. Users targeted with APP on non-dedicated devices will not be impacted.

 

How can you reach us?

Let us know if you have any additional questions on this by replying back to this post or tagging @IntuneSuppTeam out on Twitter.

 

Post updated:

  • Images and blog updated on 4/30/2021 to reflect general availability
14 Comments
Iron Contributor

Hi All,
Testing this out now (first spare moment in months LOL).
Will check back with findings.

Copper Contributor

Hi,

 

Whilst testing this I noticed a few things:

 

1. Outlook does not sign out when switching user; I am guessing that is because Outlook does not participate in SSO in this mode. Any ideas as to when that will happen?

 

2. When I leave a session, the interface can be buggy. For example Chrome will appear with a Sign-out page, which if not closed will remain open in the background and open up multiple tabs each time someone signs out. Sometimes it also goes back to the home screen of the session you've just signed out of and after a few seconds will then go back to the initial Managed Home Screen sign-in page.

 

3. On the sign-in page, sometimes once I've entered my Azure credentials and it comes up with the set PIN page, it will jump back to my company's sign-in page. Pressing the back button will take me back, but I thought you should be aware.

Copper Contributor

Hi, 

 

You mentioned "Today, Microsoft applications that participate with Azure AD shared device mode include Teams and Managed Home Screen."

 

Is there any date when we can expect Microsoft apps like Outlook, OneDrive etc. to participate? Our customers don't switch to Android with Intune because of this lack of integration.

 

Best regards

Copper Contributor

I also have the same question as @MaxFlohr. Is there any update on this, ping @Intune_Support_Team?

Copper Contributor

I also have the same question as @MaxFlohr and @tobiassandberg . Is there any update on this?
 
@Intune Support Team?

Iron Contributor

I made a quick test.

Maybe I am missing a configuration, but I connected a first account with this new system.

I connected to the Teams app. Then I signed out with the Managed Home Screen setting.

Then I connected a second account. I opened Teams. Teams signed out the first account only at that moment, so I could quickly read some chats of the previous account. Not good.

 

I used a Samsung on Android 8.

Copper Contributor

Teams is working with the Managed Home Screen deployment with sign-on/sign-off, but not the other Office apps (Outlook, OneDrive, Word, Excel...).

Copper Contributor

Can confirm that the "To use your work or school account with this app, you must install the Microsoft Intune Company Portal app. Tap "Go to store" to continue." dialog is still being presented on app protected apps on Android Enterprise Corporate Dedicated in AAD Shared mode devices.

 

Our App protection polices are configured for unmanaged devices only.

 

Is the November fix mentioned in this article slated for Nov 2020 or 2021?? 

 

I also can confirm that the unsupported apps e.g. Outlook retain their data from previous sessions.  You can open a previous user's email as an example, which isn't ideal.

Copper Contributor

Great feature. Can’t wait for edge and outlook to support this so we can clear browser sessions between logins. 

Copper Contributor

The September update improved the experience; however, the ability to control the Edge browser (i.e. clear SAML tokens, cookies, history, reset the browser to default) and the ability to close any open apps at user change is a necessity. In healthcare any unintended exposure to PHI is a violation. Is there a beta community for this in the Play Store? Would love to be a part of it. There is a lot of potential here.

Copper Contributor

Been testing this out for a duty phone. Would be ideal if the user was able to answer standard phone calls without having to log into the phone. Also don't seem to be able to use the Samsung dialer app to make calls from the Home Screen.

Brass Contributor

Hi, I was testing the Edge experience, and every time Edge starts it asks to sign in for sync. I tried to disable Sync and enable Azure AD SSO in general settings, but still every time a user signs in in MHS, Edge will request sign-in and SSO will not work. Is there a way to resolve this?

 

Thanks & Regards,

Copper Contributor

Any idea how to enable the phone number login method to users? 

 

Like in this Demo: https://www.youtube.com/watch?v=y8fhA-FakSA

 

Thanks 

Copper Contributor

Hi Microsoft 

I have been testing this functionality for a customer and the results are still very inconsistent. Do you have any updates for this and the questions already raised please, as it doesn't seem to perform as suggested in your videos.

 

Thanks

 

Version history
Last update:
‎Nov 30 2023 04:14 PM