Unlocking Efficient Endpoint Management with VMware Workspace ONE UEM for Windows Corporate Shared Devices

Managing Multiple Users on a Single Windows Device with VMware Workspace ONE UEM

In today’s blog post, we will discuss how to manage multiple users on a single Windows device using VMware Workspace ONE Unified Endpoint Management (UEM). We will cover how to enable features, register devices, and manage different user accounts on a shared device.

Enable Features and Register Devices

To manage multiple users on a single Windows device with UEM, you need to have the following features enabled in your UEM SaaS tenant:

1. MultiUserPhase1EnrollmentSupportFeatureFlag

2. DeviceStateChannelInterfaceEnabledFeatureFlag

You can enable these features by creating a support ticket with VMware and requesting that they be activated in your UEM SaaS tenant. Once enabled, you must set the “Default Action For Inactive Users” to “Restrict Additional Device Enrollment” in UEM. Additionally, ensure that “Publish Workspace ONE Intelligent Hub” is enabled.

Registering devices as Corporate-Shared is required for managing multiple users on a single device. To register a device, you need the Serial Number of the machine. You can find the Serial Number using the following command in the Command Prompt:

wmic bios get serialnumber

Once you have the Serial Number, log in to the UEM console and go to the “Devices” tab. Click on “Lifecycle” and then select “Enrollment Status.” Click on “ADD – Register Device” and select “Ownership” as Corporate-Shared. Enter the Serial Number, and click on “SAVE.”

Managing Different User Accounts

To manage different user accounts on a shared device, you need to join the device to Azure Active Directory (AAD). You can do this by following these steps:

1. Log in to Windows using a local admin account.

2. Open the Microsoft account window and click on “Join this device to Azure Active Directory.”

3. Type in the first AAD user account and click on “NEXT.”

4. The first account will always get the local admin permission, and all other accounts will get the user account permission.

5. Click on “Join.”

6. Sign out of the Windows local admin account and click on “Other user.”

7. Log in with your AAD first user account, and wait until the device is set up.

At this point, you will notice that Workspace ONE Intelligent Hub is installed automatically. This automatic installation is required so that Intelligent Hub is installed for all users. Never install Intelligent Hub manually on shared devices.

Start the Hub and log in as the first user. In UEM, check the current user name. Restart the Windows machine and log in with the second AAD account. Start the Intelligent Hub and log in with the second AAD account. The same machine is now used with different user accounts. Also, check the UEM console to see the different user name on the same Windows machine.
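A post-join check for the procedure above, as an added example that is not from the original post or from VMware: it reads the serial number used for registration, confirms the Azure AD join from dsregcmd /status, and lists which accounts hold local admin rights on the shared device. The function name ConvertFrom-DsregStatus is hypothetical; run the script in an elevated PowerShell session on the device.

```powershell
# Added example, not part of the original post.
function ConvertFrom-DsregStatus {
    # Turn the "Key : Value" lines printed by `dsregcmd /status` into a hashtable.
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

# Serial number for the "Register Device" form (the same value
# `wmic bios get serialnumber` prints; wmic is deprecated on current Windows).
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

# Azure AD join state after the "Join" step.
$dsreg = ConvertFrom-DsregStatus -Lines (dsregcmd.exe /status)

# Built-in Administrators group, resolved by its well-known SID so the
# check also works on non-English Windows installations.
$adminSid   = 'S-1-5-32-544'
$adminGroup = Get-LocalGroup -SID $adminSid
try {
    $admins = Get-LocalGroupMember -SID $adminSid -ErrorAction Stop |
        Select-Object -ExpandProperty Name
}
catch {
    # Get-LocalGroupMember can fail when the group holds SIDs it cannot
    # resolve, which is reported on Azure AD joined machines. Fall back to ADSI.
    $group  = [ADSI]"WinNT://$env:COMPUTERNAME/$($adminGroup.Name),group"
    $admins = $group.Invoke('Members') |
        ForEach-Object { ([ADSI]$_).InvokeGet('ADsPath') }
}

# Summary to compare with the device record in the UEM console.
[pscustomobject]@{
    SerialNumber  = $serial
    AzureAdJoined = $dsreg['AzureAdJoined']
    TenantName    = $dsreg['TenantName']
    LocalAdmins   = @($admins) -join '; '
}

if ($dsreg['AzureAdJoined'] -ne 'YES') {
    Write-Warning 'Device is not Azure AD joined; repeat the join steps before enrolling.'
}
```

The LocalAdmins column should show only the local admin account and the first AAD user; any later shared user listed there has more rights than the join procedure gives them.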

Current Limitations of Shared Devices

While managing multiple users on a single Windows device with UEM is possible, there are some current limitations with shared devices. VMware is working to resolve these limitations with upcoming releases. Some of the limitations include:

1. Only Azure AD users can be managed on Corporate-Shared devices.

2. Only one user can use the device at a time. If multiple users try to log in simultaneously, only the first user will be able to access the device.

3. The device will always enroll using the first user’s credentials, even if other users attempt to enroll the device.

4. Users will not be able to use their own credentials to enroll the device.

5. Shared devices do not support the full OOBE (out-of-box experience) with Windows Autopilot. You must use the Azure AD join method to connect the device to Azure AD.

Conclusion

Managing multiple users on a single Windows device with VMware Workspace ONE UEM is possible by enabling specific features, registering devices as Corporate-Shared, and joining the device to Azure Active Directory. While there are some current limitations with shared devices, VMware is working to resolve these limitations with upcoming releases. With this information, you can effectively manage multiple users on a single Windows device using UEM.
