Set up an Android device in Shared Device Mode
In this tutorial, you learn how to add shared device mode support to an Android device with the Microsoft Authenticator App or a Mobile Device Management (MDM) tool like Microsoft Intune. Employees sign in once for single sign-on (SSO) to all SDM-supported apps and sign out to make the device ready for the next user with no access to previous data.
In this tutorial:
- Zero-touch set up via Microsoft Intune
- Supported third-party MDMs for zero-touch setup
- Manual setup with the Microsoft Authenticator app
Prerequisites
- An Azure account with an active subscription. If you don't have one, create an account for free.
- An Android device running Android OS version 8.0 or later. Ensure the device is wiped either by a factory reset or uninstalling all Microsoft and other SDM-enabled app.
- Microsoft Authenticator app latest version installed on the device.
- For setup via MDM, the device should be managed by an MDM that supports shared device mode such as Microsoft Intune.
Zero-touch setup via Intune
Microsoft Intune supports zero-touch provisioning for devices in Microsoft Entra shared device mode (SDM), which means that the device can be set up and enrolled in Intune with minimal interaction from the frontline worker.
To set up device in shared device mode when using Microsoft Intune as the MDM, first step is to enroll the shared device into Intune and install Authenticator app with SDM enabled. For more information on how to set up the SDM using Microsoft Intune, see Set up Intune enrollment for Android Enterprise dedicated devices
Once enrolled, switch on the device to initiate standard Android device setup, which automatically triggers device registration with Microsoft Entra ID and get it ready for use.
Supported third-party MDMs for zero-touch setup
The following third-party Mobile Device Management (MDM) tools support Microsoft Entra shared device mode
- VMware Workspace ONE - VMware supports conditional access capabilities but currently doesn’t support global sign-in and global sign-out with shared device mode.
- SOTI MobiControl
Note
If your MDM doesn’t support setting the device in shared device mode, reach out to your MDM provider to request support for this feature. Additionally, you can manually put devices in shared device mode for testing if your MDM doesn’t support shared device mode.
Manual setup with the Microsoft Authenticator app
To complete manual setup using the Microsoft Authenticator app, you require a cloud device administrator account. Follow these steps to complete the setup process:
Launch the Authenticator App and navigate to main account page where you can see the Add Account option, as shown:
Go to the Settings pane using the right-hand menu bar. Select Device Registration under Work & School accounts.
When you select Device Registration, you're asked to authorize access to device contacts. This is due to Android's account integration on the device. Choose Allow.
Enter your organizational email under Or register as a shared device. Then select the Register as shared device button, and enter their credentials.
The device is now in shared mode.
Any sign-in and sign-out instances on the device are global, and apply to all apps that are integrated with MSAL and Microsoft Authenticator on the device. You can now deploy applications to the device that use shared-device mode features.
View the shared device
Once you set up a device in shared-mode, it becomes known to your organization and is tracked in your organizational tenant. You can view your shared devices by looking at the Join Type.