
Workspace ONE integrates with Microsoft Azure AD to support conditional access for shared devices

We’re excited to announce that VMware has integrated with Microsoft to extend our VMware Workspace ONE Unified Endpoint Management (UEM) conditional access capabilities for Microsoft Azure Active Directory (AD), with support for shared device mode. With this new integration, IT will be able to provide shared devices with secure, conditional access to Microsoft 365 apps.  

This integration was built specifically with frontline organizations in mind. Frontline workers (or task or service workers) play an essential role in every industry and rely heavily on shared devices to do their job. Despite representing 80% of the global workforce, frontline workers have been underserved by technology, with employers struggling to provide them with user-friendly devices and tools. However, the recent health emergency, high employee turnover, and evolving worker demographics and expectations have changed this, forcing organizations with frontline workers to redefine their digital strategy. To bridge this technology gap, industry leaders — particularly those in the retail sector — are embracing tools that enable new ways of working and improve culture and communications. This includes increased adoption of Microsoft 365 apps, like Microsoft Teams, which frontline organizations are using to improve worker productivity and collaboration, with chat, walkie-talkie, and shift and task management tools. 

Today, customers can enable conditional access on devices assigned to a single employee. However, the device registration process requires the employee to manually register their device with Azure AD. This process isn’t ideal for frontline workers who, depending on the task at hand, may rely on one or more shared devices throughout their shift and need quick, easy, and reliable access to work apps as soon as they check out a device. With support for shared device mode, this registration process is simplified, so workers don’t need to manually register devices they check out during their shift. 

Shared device conditional access with Workspace ONE and Azure AD  

With this new integration, Workspace ONE UEM registers shared devices with Azure AD and reports their status through Intune's partner compliance APIs, which lets IT write granular, app-level conditional access policies that require a managed, compliant device, with minimal user intervention, to ensure security and a positive digital employee experience (DEX). A device only needs to be registered as shared once, during enrollment in UEM. And because registration in shared device mode is tied to the device rather than to an individual worker's identity, workers don't have to re-register or verify the device each time they check it out.

Once a device is enrolled, has Microsoft Authenticator installed, and is registered in shared device mode by Workspace ONE, Azure AD recognizes it as a shared device and, each time a worker signs in to a Microsoft 365 app on it, grants or denies access based on the management and compliance status that Workspace ONE has reported for that device. For example, an organization can create a policy that only grants workers access to Microsoft Teams if the device they're using is compliant. Under this policy, when a worker launches Microsoft Teams on a device, Authenticator acts as the broker that presents the device's registration to Azure AD, and Workspace ONE's reported management and compliance status for that device determines the outcome. If the device is managed and compliant, the worker is granted access; if not, they are denied.
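The Teams policy described above, expressed as a Microsoft Graph conditional access policy created with the Microsoft Graph PowerShell SDK. This is an added example, not code from VMware or Microsoft: the group ID is a placeholder you must replace, the Teams application ID is the well-known first-party app ID and should be verified against the enterprise applications in your tenant, and the policy is deliberately created in report-only state so that sign-ins are evaluated and logged before any frontline worker can be locked out.

```powershell
# Added example (not from the original post): require a compliant device for Teams
# on Android/iOS, scoped to a pilot group of frontline workers, in report-only mode.
# Requires the Microsoft.Graph module and the Policy.ReadWrite.ConditionalAccess scope.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Directory.Read.All"

# Assumptions: replace with the object ID of your frontline pilot group; the Teams
# app ID below is the commonly documented first-party ID - confirm it in your tenant.
$frontlineGroupId = "00000000-0000-0000-0000-000000000000"
$teamsAppId       = "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe"

$policy = @{
    displayName = "Frontline shared devices: require compliant device for Teams"
    # Report-only first: evaluate and log, do not block. Switch to "enabled"
    # only after the sign-in logs show the shared devices are being reported
    # as compliant by Workspace ONE.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($frontlineGroupId) }
        applications   = @{ includeApplications = @($teamsAppId) }
        # Limit to the mobile platforms the shared devices actually run.
        platforms      = @{ includePlatforms = @("android", "iOS") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        # compliantDevice is satisfied only when the compliance partner
        # (here Workspace ONE UEM) has marked the device compliant in Azure AD.
        builtInControls = @("compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"

# Check what Azure AD currently believes about your devices: any shared device
# showing IsManaged/IsCompliant = False will be denied once the policy is enforced,
# so resolve those in Workspace ONE before switching the state to "enabled".
Get-MgDevice -All |
    Where-Object { $_.OperatingSystem -in @("Android", "iOS") } |
    Select-Object DisplayName, OperatingSystem, IsManaged, IsCompliant, ApproximateLastSignInDateTime |
    Sort-Object IsCompliant |
    Format-Table -AutoSize
```

Keep the policy in report-only mode until the sign-in logs show the expected "compliantDevice" grant being satisfied for the shared devices; a device that Workspace ONE has not yet reported on is treated as non-compliant and will be blocked the moment the policy is enforced.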

Figure 1. Shared Device Mode: Sample Workflow

Workspace ONE and Azure AD customers will be able to enable shared device conditional access in tech preview starting next month (February 2023), with the feature reaching general availability (GA) later this year. To learn more, check out Microsoft’s blog and product documentation on device compliance partners.