Microsoft Tech Community
SOLVED

Best practices for enrolling shared devices in Intune


We need to enroll a couple of computers as shared devices in Intune. These devices are Windows 11 computers, but we plan to add a couple of iOS devices as well in the short term (iPads). These machines still need to be managed with Intune for updates, security policies, etc.

Until now we have used an administrator account to set up these machines, but this is not ideal as employees can leave the company and the machines need to be reassigned to a new primary user, the management name needs to be updated, etc.

I am considering using a dummy user as an Enrollment Manager to set up shared machines, but I am wondering if there are best practices for this. In particular:

  • Is it better to use a "dummy user" account or a "resource account"?
  • What kind of license is required for this user? Intune Plan 1? Even if this is a resource account?
  • Any issue if, after setup, the "dummy user" never logs in to the device anymore?
  • Other considerations to keep in mind for this scenario?
  • As this user would not be an admin and wouldn't have any access to SharePoint sites or other company data, it would be easier to make an exception from two-factor authentication. Would this be considered an acceptable risk or a big no?

Thank you for sharing your opinion and past experience on this.

G.

3 Replies
best response confirmed by Giovanni Rossi (Brass Contributor)
Solution

Hi @Giovanni Rossi,

for setting up shared devices in Intune you can follow these best practices:

Use a resource account. This is the most secure option, as the account will only be used for enrolling and managing shared devices. You can create a dedicated resource account in Azure AD.

Assign the Intune Device Enrollment Manager role to the resource account. This will give the account the necessary permissions to enroll and manage shared devices in Intune.

Use a strong password for the resource account. The password should be complex and unique, and it should be changed regularly.

Consider using a password manager. A password manager can help you to create and manage strong passwords for all of your accounts, including the resource account.

Do not give the resource account access to SharePoint sites or other company data. The resource account should only be used for enrolling and managing shared devices.

Enable MFA for the resource account. MFA adds an extra layer of security to your account, making it more difficult for unauthorized users to access it.

Configure shared devices to require no user interaction. This allows the device to be fully managed by Intune without needing the resource account to log in regularly.

Set up an automated process to assign the shared device to a new primary user when needed. This ensures that the reassignment process is straightforward when an employee leaves the company or a new user needs access to the device.

Configure Intune to deploy the necessary apps and security policies to the shared devices automatically. This ensures that these devices stay compliant with your organization's security requirements.

Implement a clear naming convention for shared devices. This makes it easy to identify the purpose, location, or any other relevant information about the device.

Regularly monitor the status of shared devices through Intune's reporting and analytics tools to ensure they remain compliant and secure.

Document your procedures for setting up and managing shared devices in Intune.

Periodically review your shared device setup and make any necessary updates to ensure it aligns with your organization's changing needs and security policies.

Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it a Like.


Kindest regards,


Leon Pavesic
(LinkedIn)
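An added PowerShell audit, not from this thread or from Microsoft, that checks several of the points above from a monitoring angle: the licences and directory roles held by the resource account, and whether the shared fleet (devices whose primary user is still the resource account) follows the naming convention, is compliant and keeps syncing. It assumes the Microsoft Graph PowerShell SDK; the account UPN and the naming pattern are placeholders for your tenant.

```powershell
# Added example (not from the thread): audit shared devices enrolled under a
# dedicated resource account against the practices recommended above.
# Assumptions: Microsoft Graph PowerShell SDK installed; the UPN and the
# naming pattern below are placeholders, replace them with your own values.
param(
    [string]$ResourceAccountUpn = "shared-enroll@contoso.example",  # placeholder
    [string]$NamePattern        = '^SHD-(PRD|QC)-\d{3}$',            # placeholder naming convention
    [int]$StaleAfterDays        = 7
)

# Directory.Read.All is needed to see directory role membership of the account.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All","Directory.Read.All" -NoWelcome

# 1. The resource account should carry only the licence needed for enrolment
#    and hold no directory (admin) roles.
$licenses = Get-MgUserLicenseDetail -UserId $ResourceAccountUpn
Write-Host "Licences on ${ResourceAccountUpn}: $($licenses.SkuPartNumber -join ', ')"

$memberOf = Get-MgUserMemberOf -UserId $ResourceAccountUpn
$roles = $memberOf | Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.directoryRole' }
if ($roles) {
    Write-Warning "Resource account holds directory roles: $($roles.AdditionalProperties.displayName -join ', ')"
}

# 2. Devices whose primary user is still the resource account form the shared fleet;
#    flag naming-convention violations, non-compliance and devices that stopped syncing.
$shared = Get-MgDeviceManagementManagedDevice -All |
          Where-Object { $_.UserPrincipalName -eq $ResourceAccountUpn }

$cutoff = (Get-Date).AddDays(-$StaleAfterDays)
$report = foreach ($d in $shared) {
    $issues = @()
    if ($d.DeviceName -notmatch $NamePattern) { $issues += 'naming' }
    if ($d.ComplianceState -ne 'compliant')   { $issues += "compliance=$($d.ComplianceState)" }
    if ($d.LastSyncDateTime -lt $cutoff)      { $issues += 'stale-sync' }
    [pscustomobject]@{
        DeviceName = $d.DeviceName
        OS         = $d.OperatingSystem
        LastSync   = $d.LastSyncDateTime
        Issues     = ($issues -join ';')
    }
}
$report | Sort-Object Issues -Descending | Format-Table -AutoSize
```

Run it from an account with read-only Graph permissions; a device whose primary user has been reassigned to an employee no longer appears here, which is the expected state after a hand-over.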

Hi @Giovanni Rossi,

We resurfaced your question during this episode of Unpacking Endpoint Management. Please see the panel's answer at around 52:35.

@Char_Cheesman thank you for mentioning that.

In our scenario, the 10 users limitation for TPM would not be an issue since these are production and quality control devices shared only by a couple of employees over the day.

These could be set up as kiosk devices, but on some of those machines, the users need to access SharePoint to save data and I would prefer that each user has his/her own session.
