Earlier this year, we announced that VMware had integrated with Microsoft to extend our VMware Workspace ONE Unified Endpoint Management (UEM) conditional access capabilities for Microsoft Entra ID (formerly Microsoft Azure Active Directory) with support for shared device mode. Today, we’re excited to announce the feature has reached general availability (GA) for Android devices. This new integration will allow IT teams to provide shared devices with secure, conditional access to Microsoft 365 apps.
“With this integration, we are excited that customers using Workspace ONE can now easily and securely provide conditional access to Microsoft 365 and other supported apps on shared Android devices.”
— Jason Roszak, Chief Product Officer, Enterprise Management, Microsoft
This integration was built specifically with frontline workers in mind, in industries such as healthcare, hospitality, retail, and the supply chain sector. Frontline organizations are embracing tools that enable new ways of working and improve culture and communications. Until now, frontline customers could only enable conditional access on devices assigned to a single employee. Even then, the device registration process required the employee to manually register their device with Entra ID. This process isn’t ideal for frontline workers. Depending on the task at hand, frontline workers may rely on one or more shared devices throughout their shift and need quick, easy, and reliable access to work apps as soon as they check out a device. With support for shared device mode, this registration process is simplified, so workers don’t need to manually register devices they check out during their shift.
Shared device mode with Workspace ONE and Entra ID
With this new integration, Workspace ONE UEM can register shared devices with Entra ID to enable granular, app-level conditional access policies — with minimal user intervention — to ensure security and a positive digital employee experience (DEX). Devices only need to be registered as shared once, during enrollment in Workspace ONE UEM. This means workers can get to work immediately after logging into a shared device, without the need to re-register it at the start of every shift.
Once a device is enrolled, has Microsoft Authenticator, and is registered in shared device mode in Workspace ONE, Entra ID will continuously recognize it as a shared device and grant or deny access to Microsoft 365 apps based on its compliance and management status in Workspace ONE. For example, an organization can choose to create a policy that only grants workers access to Microsoft Teams if the device they’re using is compliant. Under this policy, if a worker launches Microsoft Teams on a device, Workspace ONE will send that device’s management and compliance status to Entra ID via Intune’s partner compliance API. If the device is managed and compliant, the worker will be granted access; if not, they’ll be denied.
Workspace ONE and Entra ID customers can enable shared device conditional access for Android devices today, with support for iOS devices coming in the future. To learn more, check out Microsoft’s blog.