Forum Discussion
Does anyone allow multiple users on their Androids?
I've got a use case for some multi-user Android tablets and I'm trying to figure out the best solution. I know Android allows you to create secondary users by default but it appears that Microsoft Intune is disabling this setting automatically. Doesn't seem to be a way to allow it given that the only options are block or not configured. I put in a ticket with Microsoft and I'm sure their answer will be to use Microsoft Entra Shared Mode and the Managed Home Screen but that doesn't work very well.
Also, it appears multi-user functionality is documented by Google and an EMM can set it up so the user can create secondary users using the standard Android settings or the DPC can create the secondary user. Also looks like there's some work to be done as far as making sure the DPC can still manage the secondary users as well.
https://developer.android.com/work/dpc/dedicated-devices/multiple-users
So I am curious for those using other EMMs: do you allow secondary users on any of your Android devices?
8 Replies
We do with Entra shared device mode but its not ideal way to do it, the login take to long time.
I know this is a Android forum but shared iPad has Entra ID login and support for multiple profiles with fast(er) login.
We have some customers (mainly healthcare) which ask for shared device usage. But in most cases, we advice against is. Logging in to apps is a challenge, making sure user (and patient) data is removed or kept safe from other use is also a big challenge. And MFA is another one.
Shared entra mode build multiple profiles on a device, resulting in a slower user experience and more storage is needed. I'm not a fan of Microsoft interpretation of shared device use.
When a customer is using Samsung hardware, a good solution for shared device uses is Knox Authentication manager. This works as an overlay app which is able to login on other supported apps. And logs out at the end of a shift, making sure your account cannot be used by others. And data is deleted from those apps.
But i really believe we are slowly moving towards a future where we no longer use shared devices and more personal devices. Only kiosk solution without the need for multi user login will survive.
Shared entra mode build multiple profiles on a device
Hmmm I didn't think this was true. From my testing, it seems that it doesn't create multiple user profiles, instead it just uses one user profile and signs in/signs out the Microsoft account.
Also I agree with Moombas shared use devices aren't going anywhere. I come from education which is interesting because in a K12 setting single user devices are the standard. Students, faculty and staff are all issued a device that only they use. But in higher education, it's a completely different story. Very few colleges or universities have the money to issue a device to each student and sometimes we can't even give a device to each faculty member. So, shared use devices become the norm.
Thanks for the link to Knox Authentication Manager. We use Samsung devices but don't pay for any Knox services and it looks like this requires a license.Shared devices might be migrating more to individual /named devices in the healthcare setting where a relatively more affordable device like a Zebra HC20 can be issued and also where the data on the devices is arguably a lot more sensitive. Other usecases like education, logistics, retail etc still very much rely on shared devices. Multi-shift 24 operations in warehouses for example very much expect to have the same devices used across multiple users and multiple shifts.
Bluefletch handles the shared device use case on Android fairly well. They have a custom launcher that the end user logs into and then can support various forms of SSO into the individual apps from there. They have permissions that can control what apps an end user has access to depending on their user profile and have scripting to clear out existing sessions across multiple apps in order to provide seamless handoff to the next end user.SOTI has something similar with their integration of Microsoft Shared Device mode but I believe it is limited to Entra ID accounts still.
Sry, don't agree to your last paragraph ;)
We use devices in stores shared by several users but yet not with a specific login for each.
But i would like to switch to a personalized login as the MDM we use, provides some kind of possibility for shared user which sounds similar to the Samsung Authentication manager you mentioned.
Also need to mention, some manufacturers provide a "secure folder" on their devices where you can put apps inside with a dedicaded login (even to the folder itself). I would really like to have that from Google for fully managed as we have store employees and store manager witha ll access to the same devices. With that solution the store manager could login on each phone and next time a normal employee could use it without risk as the secure folder and seperated apps inside it are not accessible for them.
So, sometimes the possibilities vary by MDM or even OEM but in general i guess we will finally end up in a quite specific setup with a mix of a split all over from BYOD combined with COPE and fully managed.
We are using Shared Entra mode with Managed Home Screen, but it took some tinkering to get it working.
The biggest issues we faced were the difference in what settings are available and what should be set in the Configuration Policies and what should be configured using App Configuration for the Managed Home Screen.
Also there is only a few apps it seems that support multiple users
