Forum Discussion

hollowmancr
Level 1.5: Cupcake
23 days ago

Shared AFW device

So we usually set up AFW devices for our staff for their own use. Now there is a scenario where we have 2 members of a team with rotating shifts that fill 1 role. We would need to configure the same phone for both users, but we don't want their Microsoft account/apps to get mixed together or exposed to the other. Is there any configuration to do so?

  • Alex_Muc
    Level 2.3: Gingerbread
    23 days ago

    A multi-user setup is not very simple and the options may differ greatly depending on the UEM manufacturer.
    Work Managed is a basic requirement. You cannot use a Work Profile.

    I am aware of two technical approaches that could cover such scenarios.
    In both cases, the app from the UEM manufacturer locks the device and requires a user login to continue. If no user is logged in, a login screen for the user credentials is forced. The device is usually configured for a staging user.

    "Native Android Check-In Check-Out"

    With a native approach, a secondary user is set up on the device when logging in. The logged-in users therefore have a very native experience and the user data is very well separated from other users.
    However, I have no experience of whether the user is deleted again when they log out. If so, users may be busy setting up the apps for every shift.

    Multi-users are an optional feature for OEMs. Samsung, for example, has only implemented multiple users on tablets.


    Technical information about Multi-Users:
    https://developer.android.com/work/dpc/dedicated-devices/multiple-users

    "Kiosk App"

    Some UEM manufacturers have a kiosk application that can be used as an app launcher.
    Ideally, the app then has multi-user functionality.
    In this case, however, users do not have a native interface. It is also technically challenging for the manufacturer to ensure that all personal data is deleted when the user logs out. (Calls, messages, accounts, local files, etc.)

    I saw on your profile that you use Intune. Maybe someone here has experience of what Microsoft's solution looks like here. 😀

  • Moombas
    Level 4.1: Jelly Bean
    21 days ago

    Some MDMs provide something to do this using the Android APIs, like Soti with "shared device", where app data gets cleaned up when the user logs out.

    But here as well, as Alex_Muc already wrote: "I have no experience of whether the user is deleted ... when they log out. If so, users may be busy setting up the apps for every shift."

    And this especially goes for apps like Office 365, where the app grabs data from the servers in order to have everything available. Also, they need to be aware that locally stored data may be deleted each time.

  • jasonbayton
    Level 4.0: Ice Cream Sandwich
    21 days ago

    Natively Android can support this, with persistent user profiles and data persistence, but Google has decided support for that in AMAPI-based EMMs like Intune isn't a priority, so we have to work around it with mostly app-based solutions.

    For Intune Microsoft has documented quite a process that includes guidance on app support also:

    https://learn.microsoft.com/en-us/entra/identity-platform/msal-android-shared-devices

    https://learn.microsoft.com/en-us/entra/identity-platform/tutorial-mobile-android-device-shared-mode

    Give that a gander and see how you get on!

  • Michel
    Level 2.3: Gingerbread
    21 days ago

    Intune doesn't remove all user data after each logout action. Most of the apps do not do that as far as I know. This has to do with the time it takes to download all the data again when logging back in. Storing some data locally makes sure that you can be back up and running again quicker.

    For these cases we have used an app developed by a former Samsung employee called Selective Wipe (https://www.tabnova.com/enterprise-apps). With managed app configurations you can tell this app what to wipe and when to wipe. This can be done on an interval, but can also be triggered by a user. It clears all app data and therefore logs off from all of them.

    I'm not sure if they support single device use; we have only worked with them for some customers with over 500 devices. You have to reach out and ask for pricing; it might be worth a shot.