by In part 2 of The Android Tales, I went through the configuration for Android Corporate-owned Dedicated devices in Kiosk mode (single-app and multi-app), and in this part, I will take you through Shared mode for Android Corporate-owned Dedicated devices.
For the difference between Kiosk and Shared, please refer to my previous section on Dedicated devices. You can find that one here.
Android Enterprise Dedicated Devices – Shared Mode
Android Enterprise Corporate-owned Dedicated devices are Android devices locked into a specific set of apps and configurations, typically used for business purposes. When configured in Shared Mode, these devices can be used by multiple users, each signing in with their own credentials (usually via Microsoft Entra ID). Some advantages are:
- Multi-user support: Enables different users to access their work environment on the same device securely.
- Streamlined experience: Users get a personalized session with access to their apps and data, while the device remains locked down.
- Security and compliance: Each session is isolated, reducing data leakage risks and supporting compliance requirements.
- Cost-effective: Reduces hardware costs by allowing shared use of devices in shift-based or frontline scenarios.
- Centralized management: Easily managed via Microsoft Intune, allowing IT to enforce policies, deploy apps, and monitor usage.
For example, in healthcare environments, shared Android devices are used by multiple clinicians, nurses, or support staff across shifts. These devices are configured in Shared Mode via Microsoft Intune and Microsoft Entra ID, allowing users to sign in securely and access their personalized apps and data.
Requirements
The requirements for Android Enterprise Corporate-owned dedicated devices in Shared mode are practically the same as for Kiosk devices:
- A compatible Android device with a supported OS version
- An enrollment profile for Android Enterprise dedicated devices
- An assigned device group for Enrollment Time Grouping
- An application
- A compliance policy
- A configuration profile
Configuration
Microsoft Entra ID group
As with our Kiosk mode devices, this group is also for Enrollment Time Grouping. More information can be found in my previous part here.
Go to Microsoft Entra admin center | Groups and choose New group. Create a group with the following settings and choose Create.
- Group type: Security
- Group Name: AND – DVC – Android Dedicated Devices – Shared
- Group Description: Android Dedicated Devices in Shared Mode
- Microsoft Entra roles can be assigned to the group: No
- Membership type: Assigned
- Owner: Intune Provisioning Client (f1346770-5b25-470b-88bd-d5744ab7952c)
Once the group is created, it is ready for use in our enrollment profile.
Enrollment Profile
First thing is to create the enrollment profile, and as discussed earlier, for this section, we are going for the Corporate-owned dedicated device.
Go to Microsoft Intune admin center | Devices | Android | Enrollment and select under Enrollment Profiles for Corporate-owned dedicated devices.
Choose Create policy and create a policy as shown below, and choose Next.
- Name: AND – Corporate-Owned Devices – Shared
- Description: Enrollment token for Android Dedicated Devices in Shared Mode
- Token type: Corporate-owned dedicated device with Microsoft Entra shared mode
- Token expiration date: Choose a date 90 days from today (recommended)
- Apply device name template: No
On the Device group screen, choose Microsoft Entra group and select our newly created group, then choose Next.
Review your settings and choose Create.
Our enrollment token is now ready for use. Next up, we will create a Compliance and Configuration policy (for single-app and for multi-app) to get our enrollment ready.
Compliance Policy
For our compliance policy, we can use the same one as was created for our Kiosk devices. You can find the steps here. Make sure you assign your Microsoft Entra group to the policy.
Managed Google Play – Apps
Before we can start with our configuration, we also need applications to add to our Shared configuration. In the previous part, I described how to add an app from the Managed Google Play in Microsoft Intune and assign it to your group. You can find the steps here.
The recommended app to be assigned, as in Multi-App mode, is the Managed Home Screen. Make sure our group is assigned to this.
For our Shared device, we will assign our dedicated Microsoft Entra Group to the following applications: Microsoft Edge, Microsoft Outlook, Microsoft Teams, Authenticator, and Microsoft OneDrive. Make sure you do this for all the applications you need in your configuration.
IMPORTANT: The apps you want to deploy to an Android Enterprise Corporate-owned Dedicated device in Shared mode need to support Shared Mode. More information can be found here.
Configuration Profile
There are two ways to deploy a configuration: with a Configuration Policy or an App Configuration for the Managed Home Screen (as we did for Kiosk devices). For Shared devices, I will do this with a Configuration Policy.
INFORMATION: During testing, I noticed you can do a combination of a Configuration Policy and an App Protection because some Managed Home Screen settings aren’t available in the Configuration Policies. So I created an additional App Configuration (be aware of conflicts when using the same settings) with the following settings.
Go to Microsoft Intune admin center | Devices | Android | Configuration and choose Create and then New Policy. Choose the following:
- Platform: Android Enterprise
- Profile type: Templates
Choose Device restrictions underneath the Fully Managed, Dedicated, and Corporate-Owned Work Profile template.
Give the Configuration Profile a name and description, and select Next:
- Name: AND – Shared – Managed Home Screen Settings
- Description: This policy will set and configure the Managed Home Screen for Shared devices
Now this is a confusing bit to be honest, in this section we are actually going to have to put our device in Multi-App Kiosk mode. In the Configuration settings, go to Device Experience and configure the following settings, and choose Next.
Assign our newly created group to the policy and choose Next. Review your configuration and choose Create.
Our Configuration Policy is now ready to go.
In this last part, I’ll show you how to enroll your device and show the end-user experience for Android Shared Deives.
Enrollment
Boot your device and tap the Welcome screen 6 times on the device screen. Select your language, then scan the QR code you created in the Enrollment profile. Choose your Wi-Fi connection and start deploying.
When you get the screen This device belongs to your organisation, choose Next. Now follow all the steps until you get to the This [model device] isn’t private screen and choose Next.
On the Your work checklist screen, choose Install for the work apps. Once you are through this, choose Done. We are now in the final stage before our device is ready. Now choose Set up on the Register shared device screen. In the following screen, choose Next to start registering the device. Once the device is registered, choose Done.
Accept the Google Services and agree to the Privacy policy by choosing Next.
Once you’re on the Home Screen, you will get a Permissions required (3) notification, choose Grant. Now, Grant Permission to all. Once you’ve granted the required permission, you will see the home screen with the sign-in option.
User Experience
For our end-users, fill in the username and choose Sign in, this will redirect you to the Microsoft 365 login page where you need to enter your password, enter your password and choose Sign in. You will now be directed to your Home Screen, where all the apps are available.
Conclusion
Android Corporate-owned Dedicated Devices in Shared Mode configured with Microsoft Intune offer a streamlined and secure solution for scenarios where multiple users need access to a single device. This configuration is ideal for frontline workers, retail environments, healthcare settings, and logistics operations, where devices are used interchangeably across shifts or tasks.
