I'm in the process of setting up Android Enterprise Fully Managed devices specifically as shared devices for first-line workers. Since Dedicated (COSU) isn't an option due to our need for Microsoft Tunnel, which is only compatible with Fully Managed devices, I'm looking for the best practices to make these Fully Managed devices function like shared or dedicated devices. Here are the specific requirements I have:
- Only allow specific apps
- Restrict access to system settings
- Prevent access to a personal Play Store
- Ensure a clean sign-in and sign-out process between users
Is it necessary to create a separate technician or staging account for device enrollment, or is there a better recommended method for the initial Azure Active Directory login? I appreciate any guidance you can provide!
3 Answers
I'm actually using a shared Entra user setup without Microsoft Tunnel. From what I understand, the tunneling isn't mandatory; the authenticator app is sufficient for access. Just double-check if the tunnel is really required for your setup!
For fully managed devices, it’s typically one user per device. However, you can achieve most of your requirements using Microsoft Intune. Just keep in mind that, while Samsung has the Knox Authentication Manager, it’s mainly for kiosk mode, which may not fit your needs perfectly.
You might want to consider the Microsoft Managed Home Screen for your setup, but be cautious since there are several limitations. Additionally, look into shared device mode as well. I had some success with this in the past, but many of the users disliked having to sign in with their Entra ID to use the device, so eventually, we opted to provide each user with their own device.

I read it as saying they do need Microsoft Tunnel for their devices. By the way, how's your sailing going?