VMware Workspace ONE Community
Bobby2234
Enthusiast

Shared Devices - Best Practices

Hi All -


Does anyone have instructions on setting up shared devices, according to best practices? I have looked over numerous documents from AirWatch, but none show step-by-step instructions on how to set up shared devices. Throw DEP phones into the mix, and things get worse.


I opened a support case and the rep said there isn't any documentation!? For example... I set up a separate OU strictly for shared devices, then using the staging user with multi-device setup, enrolled the phone. Based off previously built profiles, the iPhone then set up email for the staging user (not what I want), and a passcode. So the phone now has a passcode that a shared user wouldn't know. I know there is a shared password settings page which I need to look into more. After unlocking the phone and giving it to a new user, they enroll, but then the phone is still asking for the staging user's email, not the newly enrolled user's. So I excluded the staging user from all profiles... So with 4-5 workarounds, I have it somewhat working but this is a whole process. Manual work and not what AirWatch is built for.


To make a long story short... If I set up a brand new DEP phone, it is set to go to a specific OU, but if it's shared, I need it to enroll in the shared devices OU. So many variables, overhead, and manual work that I figured there is a much easier way. Can anyone help? Thanks

7 Replies
Bobby2234
Enthusiast

Bump =/
topher86
Contributor

I'd create two separate DEP profiles (you may have to) if you're going to have both use cases. Then you need to assign the DEP profile to the correct devices. You could create separate MDM containers (sometimes called MDM servers) in Apple DEP (or Apple Business/School Manager) and have the devices assigned to that MDM server go straight to the default DEP profile you set on your separate OU. You can move specific serial numbers or even entire orders to an MDM container with Apple. ASM allows us to set a default MDM for each device type: iPad, macOS, tvOS, etc. I can't answer anything about the staging stuff; I enrolled each of ours (even if shared) with their own account, either a synced AD account or basic AirWatch account. You can also assign a DEP profile directly in the AirWatch console.
Bobby2234
Enthusiast

Thanks, Chris.


I have 5 separate DEP profiles, one being 'Shared Devices'... so that part is OK. My basic goal is to have what is shown in this video:


https://youtu.be/VqzoBJ72tko


Problem is... AirWatch provides very little documentation on how to *correctly* set it up. I can get it to that point but I feel like I am setting up a bunch of workarounds instead of one seamless setup. And what I am doing still has a bunch of manual steps and high potential for user error.

Bobby

topher86
Contributor

OK, so you are doing multi-user staging. For your Exchange ActiveSync email profile, you need to make sure it's set up as a user profile and only applied to your actual users and not the staging user. You only actually enroll a DEP device when you are on the remote management page. The logging in and out of the agent is just that: logging in and out. Anything that's happening on the device, even when not logged into the agent, is either a device-based profile, or a user profile applied to the staging user. To be honest, this is AirWatch's workaround for Apple not having multi-user support. An iOS device isn't meant to be used that way, with the lone exception of education. If you are paying for support or are in a SaaS environment, they should be able to help you correctly build out the smart groups and the profiles based on your use case, or at the minimum, provide you with some documentation or written instructions. One thing I noticed in that video was apps reinstalling every time a user logged in. I think that's a lot of unnecessary workload on device and network, etc. If you can, I'd try to create some user-based profiles that would either hide or show apps based on user rather than having them uninstall and reinstall. If those apps store sensitive user data, that's another story and more complicated. If most of the devices are on the same Wi-Fi, I would definitely set up a Mac mini and turn on caching services; that way they can at least download them locally instead of from the Apple App Store. But, like I said, I've never used staging users so I'm far from any expert.

I did find this, which isn't much, and the actual device enrollment they discuss is not DEP enrollment, but I don't think that should make a difference for this.
https://docs.vmware.com/en/VMware-AirWatch/9.1/vmware-airwatch-guides-91/GUID-AW91-StageaMultiUserDe...
chengtmskcc
Expert

Bobby, I know this is an old thread but how's your setup coming along?

I've set up a multi-user iPad and it worked beautifully until yesterday. After logging off from the iPad, the user profiles belonging to the user remain instead of pulling down the profiles belonging to the staging user.
NickEales
Enthusiast

This approach works and we used to do it pre-DEP on about 1000 devices, but when DEP came along we moved away from using the Agent to authenticate on a device. Hassles involved:


- Not supported by Apple
- Sometimes profile assignment would just go out of sync so could never be sure whether the right profiles/apps were available on the device.
- Locally stored data was not wiped when logging out resulting in risk of data leakage
- Support couldn't log a user out remotely


As soon as DEP became available we moved to fully DEP-enabled authentication through LDAP. So when people log out it's basically a device wipe, which solves all the above issues and also makes for a very simple AirWatch configuration.


We have been waiting for Apple for proper profile support much like the Apple School Manager allows but its reliance on Apple IDs is a worry and not suitable for our environment.

chengtmskcc
Expert

Thanks for sharing Nick.

Update on my issue: support confirmed it only occurs in my CN and not others. So I'm at their mercy when this will be resolved.

Speaking of Apple ID, I once visited my child's school during a science fair. There were numerous iPads for showing different apps. Guess what? I found a unique Apple ID on every single one of them. I guess their IT guy didn't know about Apple School Manager which is FREE.