Oct 23 2023 07:11 AM
We need to enroll a couple of computers as shared devices in Intune. These devices are Windows 11 computers, but we plan to add a couple of iOS devices as well in the short term (iPads). These machines still need to be managed with Intune for updates, security policies, etc.
Until now we have used an administrator account to set up these machines, but this is not ideal as employees can leave the company and the machines need to be reassigned to a new primary user, the management name needs to be updated, etc.
I am considering using a dummy user as an Enrollment Manager to set up shared machines, but I am wondering if there are best practices for this. In particular:
Thank you for sharing your opinion and past experience on this.
G.
Oct 23 2023 07:28 AM
Hi @Giovanni Rossi,
for setting up shared devices in Intune you can follow these best practices:
Use a resource account. This is the most secure option, as the account will only be used for enrolling and managing shared devices. You can create a dedicated resource account in Azure AD.
Assign the Intune Device Enrollment Manager role to the resource account. This will give the account the necessary permissions to enroll and manage shared devices in Intune.
Use a strong password for the resource account. The password should be complex and unique, and it should be changed regularly.
Consider using a password manager. A password manager can help you to create and manage strong passwords for all of your accounts, including the resource account.
Do not give the resource account access to SharePoint sites or other company data. The resource account should only be used for enrolling and managing shared devices.
Enable MFA for the resource account. MFA adds an extra layer of security to your account, making it more difficult for unauthorized users to access it.
Configure shared devices to require no user interaction. This allows the device to be fully managed by Intune without needing the resource account to log in regularly.
Set up an automated process to assign the shared device to a new primary user when needed. This ensures that the reassignment process is straightforward when an employee leaves the company or a new user needs access to the device.
Configure Intune to deploy the necessary apps and security policies to the shared devices automatically. This ensures that these devices stay compliant with your organization's security requirements.
Implement a clear naming convention for shared devices. This makes it easy to identify the purpose, location, or any other relevant information about the device.
Regularly monitor the status of shared devices through Intune's reporting and analytics tools to ensure they remain compliant and secure.
Document your procedures for setting up and managing shared devices in Intune.
Periodically review your shared device setup and make any necessary updates to ensure it aligns with your organization's changing needs and security policies.
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If the post was useful in other ways, please consider giving it a Like.
Kindest regards,
Leon Pavesic
(LinkedIn)
Nov 01 2023 10:41 AM
Hi @Giovanni Rossi,
We resurfaced your question during this episode of Unpacking Endpoint Management. Please see the panel's answer at around 52:35.
Nov 02 2023 02:17 AM
@Char_Cheesman thank you for mentioning that.
In our scenario, the 10-user limitation for TPM would not be an issue since these are production and quality control devices shared only by a couple of employees over the day.
These could be set up as kiosk devices, but on some of those machines, the users need to access SharePoint to save data and I would prefer that each user has his/her own session.