Since Microsoft launched Active Directory (AD) more than two decades ago, any domain user has been able to log on to a domain-joined Windows PC and have it tailored to them. Group Policy Objects (GPOs) made this possible because they target both computers and users: computer policies apply to the machine, and user policies apply at logon to whoever signs in. For shift workers and shared office PCs this kept device use flexible, because the same device was personalized, and secured, for each user at login.
With Windows 10, Microsoft built the Open Mobile Alliance Device Management (OMA-DM) protocol into the operating system. This allowed Windows to be managed over the air like a mobile device, which is called Mobile Device Management (MDM), and it has become the standard way to manage Windows with cloud solutions such as VMware Workspace ONE Unified Endpoint Management (UEM).
However, OMA-DM dates back to the early 2000s and was designed for mobile phones. Because those are typically personal devices with a single owner, the shared-device use case was never built into the protocol.
As a result, a Windows device managed with Workspace ONE UEM, Intune, or another MDM product has not supported a shared-device mode. Any user could still log on, but the MDM channel managed only the computer, not the user who signed in. That user did not get a personalized experience, and security policies targeted at the user (a user certificate or a user-scoped restriction, for example) were not applied, which could leave the device in a weaker state than intended. The user also lost their personal settings and had to configure the email client and similar apps by hand. Not the best user experience.
How Workspace ONE UEM now supports multi-user scenarios
With the release of Workspace ONE UEM 23.02, this has changed. Workspace ONE UEM now supports shared PCs and multi-user scenarios, allowing shift workers to use shared Windows devices. At user login the device installs the user-targeted profiles, policies, applications, and settings for that account, so the device is both personalized and brought to the intended security posture for whoever is signed in. For example, Outlook is pre-configured, an SSO user certificate is installed, the wallpaper is set, a VPN client is configured, and more.
Workspace ONE UEM customers have asked for this feature for a long time, and we are proud to make it available in the 23.02 release, where it is currently unique in the market.
That means we can now support shift workers, schools, frontline workers, shared office spaces, and every other use case involving PC sharing.
The diagram above shows an example of how this works: the Windows device is managed by Workspace ONE UEM, device-targeted profiles and apps are shared across users, and at logon each user gets their own user-targeted profiles and applications installed.
This has been one of the most requested features for Windows modern management for a while. Because the OMA-DM protocol has no notion of multiple users, it took more effort to build: the solution had to deliver true Windows multi-user functionality on top of modern management, including enrollment, user switching, device profiles, user profiles, compliance, app entitlements, and more.
The architecture overview below shows how a Windows desktop is managed with Workspace ONE UEM. Next to the OMA-DM protocol, a second channel communicates with the device: the AirWatch Cloud Messaging (AWCM) service, which talks to the Workspace ONE Intelligent Hub agent. Many of the platform's more powerful functions are already delivered through Intelligent Hub, and multi-user support is now delivered the same way, since OMA-DM alone cannot provide it. It is another unique offering in the market for modern management of Windows devices.
The current multi-user support is phase one, and we intend to extend it in future releases. In this release, applications installed for a specific user remain on the device and can be launched by anybody who later logs on to that PC. The recommendation is therefore to assign applications at the device level, and to treat a shared device as carrying the union of its users' application entitlements when deciding who may share it, so that a user-assigned app does not become an unintended path to data for other users.
The current release supports Azure AD user accounts only. These can be accounts synchronized from an on-premises AD to Azure AD, but the name used at Windows sign-in must be the Azure AD username. Devices must also be pre-registered in the Workspace ONE UEM console by serial number, either manually or through the REST API for batch processing.
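As an added example that is not part of the original post or of Workspace ONE UEM's own tooling, the PowerShell below pre-registers a batch of shared devices by serial number through the UEM REST API and then looks each one up to confirm it exists. The endpoint paths, the request body field names, the platform enum value and the staging user ID are assumptions to be checked against your tenant's API help page (https://<tenant>/api/help); the tenant URL, tenant code and the two inventory rows are placeholders.

```powershell
# Added example (not code from the original post or from Workspace ONE UEM).
# Batch pre-registers shared Windows devices by serial number ahead of
# multi-user enrollment. Items marked ASSUMPTION must be verified against
# your tenant's REST API documentation before use.

$ApiHost     = 'https://cn1234.awmdm.com'   # placeholder tenant URL
$TenantCode  = 'YOUR-AW-TENANT-CODE'        # REST API key from Settings > System > Advanced > API > REST API
$StagingUser = 12345                        # ASSUMPTION: internal ID of the staging user devices are registered to
$Credential  = Get-Credential -Message 'UEM admin account with device registration rights'

# Build Basic auth from the supplied credential so no secret is hardcoded in the script
$pair    = '{0}:{1}' -f $Credential.UserName, $Credential.GetNetworkCredential().Password
$headers = @{
    'Authorization'  = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
    'aw-tenant-code' = $TenantCode
    'Accept'         = 'application/json'
    'Content-Type'   = 'application/json'
}

# Constructed sample inventory. In practice use Import-Csv on the OEM shipment
# manifest, or collect (Get-CimInstance Win32_BIOS).SerialNumber on each PC.
$devices = @'
SerialNumber,FriendlyName
5CD1234ABC,Shift-PC-Floor1-01
5CD1234ABD,Shift-PC-Floor1-02
'@ | ConvertFrom-Csv

foreach ($d in $devices) {
    $serial = $d.SerialNumber.Trim()

    # ASSUMPTION: endpoint path and body field names for "register device to user"
    $uri  = "$ApiHost/api/system/users/$StagingUser/registerdevice"
    $body = @{
        SerialNumber = $serial
        FriendlyName = $d.FriendlyName
        Ownership    = 'C'                          # corporate-owned; a shared PC is never employee-owned
        PlatformId   = @{ Id = @{ Value = 12 } }    # ASSUMPTION: 12 = Windows Desktop in the UEM platform enum
    } | ConvertTo-Json -Depth 4

    try {
        Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Body $body | Out-Null

        # ASSUMPTION: device lookup by serial number; confirms the record exists before the PC ships
        $check = Invoke-RestMethod -Method Get -Headers $headers `
            -Uri "$ApiHost/api/mdm/devices?searchby=Serialnumber&id=$serial"
        Write-Host ("Registered {0} as '{1}' (EnrollmentStatus: {2})" -f $serial, $d.FriendlyName, $check.EnrollmentStatus)
    } catch {
        # Report the API's own error (for example a duplicate serial) and continue with the batch
        Write-Warning ("{0}: {1}" -f $serial, $_.Exception.Message)
    }
}
```

Run it from an administrative workstation, not from the shared PCs themselves, and scope the admin account to the organization group that holds the shared devices; registration is the step that ties a serial number to the staging user, so an over-privileged or leaked API credential here would let someone pre-register arbitrary hardware into your tenant.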
The future of multi-user support for Workspace ONE
For the next phase, we intend to extend multi-user support to on-premises AD, hybrid, and Azure AD users. Enrollment as a multi-user device will be completed through Intelligent Hub, removing the need to pre-register devices. We will also add support for baselines, scripts, sensors, and Freestyle Orchestrator workflows.
That means the future looks very bright. As excited as we are for this current functionality, we’re also looking forward to providing even more updates in the future.
With this release we have bridged a large gap for the many customers who have been waiting patiently. If you want to test the functionality, reach out to support, because it is not yet enabled by default for all customers. Give it a try and share your feedback so we can make it even better. Check out this document for more information.