BrianPitt
Enthusiast
Enthusiast

Shared Device / Mult-User Staging / DEP

Jump to solution
Does anyone know of any step by step instructions on proper setup of Shared iOS / macOS Devices in WorkSpace ONE?  I have read documentation on setting up Shared Config in the console under Devices and Settings but am unclear on the setup of actual devices.  Where does Multi-User Staging option come into play with this?  How does Apple DEP affect / interract with this?

Any detailed information I can find is greatly appreciated as VMWare's documentation for this is seriously lacking....
Labels (1)
1 Solution

Accepted Solutions
MHaagSoehner
Enthusiast
Enthusiast

Hey Brian,


it's pretty easy when you've done it once:


First of all, it works with DEP-supervised devices.


You need to create a ' Staging User' . You'll use that user to enroll the device. I'm using an Active Directory user for that but you can also use a basic user.



  1. Import your AD user or create a basic user.

  2. Edit that user and open the Advanced tab.

  3. Expand the 'Staging'-option and enable the options ' Enable Device Staging'  and ' Multi User Devices' .

  4. Enroll a device with that user. I've only used iPads as shared devices so I don't know how it works for macOS.

  5. After enrollment, just open the Intelligent Hub and it should automatically ask you to login with a user.

Thinks to keep in mind:



  1. If you have your Group Assignemnt Mode set to ' Automatically Select Based on User Group' , the device will get all profiles assigned to the user that logs in since it will be moved to their OG.

  2. You'll have to enable the device passcode for shared devices in the settings: Settings >> Devices & Users >> General >> Shared Device.

It works pretty well but I've had a case where if you log out and instantly log in with another user WSONE Boxer won't update and the new user will have access to the old user's email account for a few minutes.


Cheers!
Max

View solution in original post

19 Replies
MHaagSoehner
Enthusiast
Enthusiast

Hey Brian,


it's pretty easy when you've done it once:


First of all, it works with DEP-supervised devices.


You need to create a ' Staging User' . You'll use that user to enroll the device. I'm using an Active Directory user for that but you can also use a basic user.



  1. Import your AD user or create a basic user.

  2. Edit that user and open the Advanced tab.

  3. Expand the 'Staging'-option and enable the options ' Enable Device Staging'  and ' Multi User Devices' .

  4. Enroll a device with that user. I've only used iPads as shared devices so I don't know how it works for macOS.

  5. After enrollment, just open the Intelligent Hub and it should automatically ask you to login with a user.

Thinks to keep in mind:



  1. If you have your Group Assignemnt Mode set to ' Automatically Select Based on User Group' , the device will get all profiles assigned to the user that logs in since it will be moved to their OG.

  2. You'll have to enable the device passcode for shared devices in the settings: Settings >> Devices & Users >> General >> Shared Device.

It works pretty well but I've had a case where if you log out and instantly log in with another user WSONE Boxer won't update and the new user will have access to the old user's email account for a few minutes.


Cheers!
Max

View solution in original post

BrianPitt
Enthusiast
Enthusiast
After enrollment with the Mulit-User Device Account, the Device will be enrolled to the Multi-User account correct?  So when User A gets teh device and opens / logs into the HUB, their settings / apps / profiles would come down to the device.  When they are finished with the device, they logout of the HUB and their settings are wiped correct?  What does the passcode that needs set actually do with the Shared Device?  I was looking at that setting and was curious

Thanks so much for your help!
0 Kudos
MHaagSoehner
Enthusiast
Enthusiast
Hey,

After enrollment with the Mulit-User Device Account, the Device will be enrolled to the Multi-User account correct?
- Yes. I'd suggest you to create a special OG, ' Shared Devices'  or something.

So when User A gets teh device and opens / logs into the HUB, their settings / apps / profiles would come down to the device.
- The device will only receive the user's profiles if the Group assignment mode is set to auto. Apps will be available and will automatically be installed if configured.

When they are finished with the device, they logout of the HUB and their settings are wiped correct?
- Yes, but it takes a few minutes until all app data is removed.

What does the passcode that needs set actually do with the Shared Device?
- If you enable that passcode, the users will have to set a passcode in the SSP to check out devices. Disregard my 2nd keep in mind from my first post. Just use a normal passcode profile, but that will be applied anyway if you have it for your normal users.



0 Kudos
BrianPitt
Enthusiast
Enthusiast
If our support staff is handing out the devices to the users and taking them back in once they are done and logout, would the passcodes provide any benefit? 

Everything else makes perfect sense and I greatly appreciate you listing it all out!!!
0 Kudos
MHaagSoehner
Enthusiast
Enthusiast
I just checked. I'm not using the device passcode (found in Devices & users >> General >> Shared Device) myself. I'm just pushing down the normal passcode profile for iOS devices. If I understand it correctely, the user needs to set a passcode in the AW SSP before he can log in to any shared devices.

Depends on if you want that or not, i guess.

Happy to hear 😄 Don't forget to mark it as an answer to help other people in the same situation 🙂
0 Kudos
chengtmskcc
Expert
Expert
Nice write up there Maxlmlllan. I have the same setup for my environment and it works beautifully. This is a much better configuration than dedicating a device per user.
0 Kudos
KevinMigliaccio
Contributor
Contributor
We have used the multi user devices  quite extensively.. a few things to consider... We make a Default staging OG based on the department the device will be deployed this way you can see who manages any subset of devices. We found that when devices were checked in  and all became lumped into one OG we had a hard time managing them especially for compliance issues, by breaking them into subgroups we can have better accountability when the device is not assigned to a user.   We also found that you can streamline the workflow of installing and removing applications by having the core apps that don't change in the default staging OG then when it moves to user OG the apps are already there. the only apps we don't install at the default OG are mail so that it clears the settings in between users.  The one major headache we have encountered is being in healthcare we require passcodes on all devices...Our setup has devices in the default staging OG install single app mode airwatch agent profile so the device is alway secure, however Apple forces the passcode to be removed each time a user logs out of a shared device, we initially had users enter a default code upon sign out so the device remains compliant but that has become increasingly impossible due to the speed which the device locks and the compliance message cant be accessed. We resolved this by excluding shared devices from the passcode compliance when logged out.  The other issue we experienced is since we have a compliance policy that checks device last seen running every 5 minutes devices will not come out of single app mode and allow access to the device until the check is complete this means each time a user signs out the device it could take up to 5 minutes.  We currently have almost 300 shared devices over multiple campuses and OG's, and have worked through a lot of these little caveats.  I hope some of this helps.
0 Kudos
chengtmskcc
Expert
Expert
Kevin, I'm in health care as well. Just curious, do you also have multiple DEP profiles? And do you use Ground Control to provision your devices?
0 Kudos
chengtmskcc
Expert
Expert
' however Apple forces the passcode to be removed each time a user logs out of a shared device,'

This is not happening to my shared device after the user logs out from the Hub app. How did you get this working?
0 Kudos
KevinMigliaccio
Contributor
Contributor
we do use multiple DEP profiles primarily to assign devices to specific OG's when signed in ( not in use),  it allows us to create a basic Staging user where the email address is the manager responsible for that subset of devices. we do not use ground control, we looked at it and found it offered very little  benefit for us. The passcode has always been removed from Apple devices for us and is readily apparent because we have a compliance policy that notifies immediately when its removed via email to user and notification on screen.
0 Kudos
chengtmskcc
Expert
Expert

Thanks, Kevin.


Update: Passcode not being cleared after user logs out of Hub app is a bug with version 19.03. It's fixed in 19.04.


If you are a SaaS customer, you can also work with support to implement the patch without upgrading to the newer version of the console.

0 Kudos
Boe_K
Enthusiast
Enthusiast
Anyone have any ideas on how to be able to use Safari with a shared device but have it clear out the history when the user logs out?
0 Kudos
chengtmskcc
Expert
Expert
Boe, we've been trying to find the answer to that question for months. Not just native app such as Safari but many 3rd party apps as well. So as far as we know, we have SSO for sign-in but no sign-out.

Do let me know if you found a way somehow.
0 Kudos
NoWorriesWA
Contributor
Contributor
Hi All,
We are setting up out MultiUser devices (android and apple).
A couple of things I have found is that sometimes it takes a couple of minutes for a user to log in (profile load)
and Outlook is not clearing data when a user logs out and a new one logs in (we have set this in Shared Device Settings)
Any ideas please.
0 Kudos
chengtmskcc
Expert
Expert
Lindsay, sounds like your profiles might not have been set up correctly which could cause the issues you mentioned. I would start with that first.
0 Kudos
NickEales
Enthusiast
Enthusiast
So far for us the only reliable way to 100% get rid of all the profiles/user data is to wipe the device. Shared device through any hub/agent has always been quite unreliable for large scale deployments.
0 Kudos
SHMike
Contributor
Contributor
Kevin, I have about the same configuration as you do for our shared devices in a healthcare setting. I'm running into a little annoyance with the latest iOS 13 and passcodes. Ever since the update when a user logs in and the passcode profile is applied and they are prompted to set a passcode. Its using the full keyboard instead of the dial pad like it use to. I've open a ticket with VMWare and was told it was Apple that did that and nothing could be done. Are you seeing this issue also?
0 Kudos
KevinMigliaccio
Contributor
Contributor
yes we are seeing the same behavior since the updates.. I also was told nothing could be done.
0 Kudos
cm1190
Enthusiast
Enthusiast

Maybe you can give me a hint?
I still did not understand the multiuser device setup.
Do I need an additional "Organization Group" for these devices?
And how to I add "boxer" the correct way? I assigned boxer app to predefined smart group "All Corporate Shared Devices".
But it does not matter when login/logout from hub, the boxer mails keeps account from the first user who used it.

Thanks.

0 Kudos