Thursday, December 9, 2021

Endpoint Manager supports sign-out for apps not optimized with Azure AD shared device mode on AE 9+

By: Charlotte Maguire – Program Manager | Microsoft Endpoint Manager – Intune


Summary: Intune supports Azure Active Directory (Azure AD) shared device mode for Android Enterprise dedicated devices. Shared device mode allows multiple users to gain single sign-in and single sign-out from applications optimized with Shared device mode. However, not all apps can be optimized to integrate with Shared device mode. For these scenarios, Intune has released a new feature (public preview) that enables local app data clearing for non-optimized apps, which can help to achieve a sign-out, so that your organization can give users access to more applications during their sessions. Read this post to learn more!


In April 2021, we announced that Microsoft Intune, as part of Microsoft Endpoint Manager, supports automatically enrolling Android Enterprise dedicated devices into Azure Active Directory (Azure AD) shared device mode. Shared device mode allows multiple users to gain single sign-on and sign-out across all participating apps on a device.


For an app to participate with Azure AD shared device mode, it must integrate with the Microsoft Authentication Library (MSAL) and leverage specific shared device mode functions. Today, Microsoft apps that participate with Azure AD shared device mode on Android include Microsoft Teams and Microsoft Managed Home Screen. You can also optimize in-house line-of-business (LOB) apps by using MSAL and following the implementation guidelines in Shared device mode for Android devices.


Microsoft recommends integrating apps with shared device mode if you intend to allow sign-in and sign-out for multiple users on the same device. This gives apps control over how and when to clean up the app-specific data associated with each user upon sign-out. However, we understand that some apps on your devices have not yet integrated with shared device mode and that you might not be able to integrate all your LOB apps with shared device mode. Note that throughout this post, we refer to apps that have not integrated with shared device mode as “non-optimized apps.”
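
As an added illustration (not code from this post or from Microsoft), here is how an in-house LOB app built on MSAL for Android would take part in shared device mode and perform the app-controlled cleanup described above; the class name, the preference and database names and the R.raw.auth_config_single_account resource are assumptions.

```java
import android.content.Context;
import com.microsoft.identity.client.IAccount;
import com.microsoft.identity.client.IPublicClientApplication;
import com.microsoft.identity.client.ISingleAccountPublicClientApplication;
import com.microsoft.identity.client.PublicClientApplication;
import com.microsoft.identity.client.exception.MsalException;

public class SharedDeviceSession {
    private static final String PREFS = "user_session";  // assumed name of this app's per-user prefs
    private final Context ctx;
    private ISingleAccountPublicClientApplication app;
    public SharedDeviceSession(Context appContext) { ctx = appContext; }

    // Single-account mode is what lets an app take part in shared device mode.
    // R.raw.auth_config_single_account is the MSAL config resource (assumed name).
    public void init() {
        PublicClientApplication.createSingleAccountPublicClientApplication(ctx,
            R.raw.auth_config_single_account,
            new IPublicClientApplication.ISingleAccountApplicationCreatedListener() {
                @Override public void onCreated(ISingleAccountPublicClientApplication a) { app = a; }
                @Override public void onError(MsalException e) { /* log; keep sign-in disabled */ }
            });
    }

    // Call from onResume(): on a shared device, a sign-out in any optimized app
    // (e.g. Teams) changes the device-wide account, and MSAL reports it here.
    public void checkAccount() {
        if (app == null || !app.isSharedDevice()) return;
        app.getCurrentAccountAsync(new ISingleAccountPublicClientApplication.CurrentAccountCallback() {
            @Override public void onAccountLoaded(IAccount account) { /* session still valid */ }
            @Override public void onAccountChanged(IAccount prior, IAccount current) {
                if (prior != null) clearUserData();  // previous user's session ended: purge their data
            }
            @Override public void onError(MsalException e) { /* log */ }
        });
    }

    // User-initiated sign-out from this optimized app ends the shared session;
    // Intune then also clears local data of the non-optimized apps on its list.
    public void signOut() {
        app.signOut(new ISingleAccountPublicClientApplication.SignOutCallback() {
            @Override public void onSignOut() { clearUserData(); }
            @Override public void onError(MsalException e) { /* log */ }
        });
    }

    // The app-controlled cleanup the post describes: wipe only this app's own
    // per-user state; anything it wrote to external storage is not covered.
    private void clearUserData() {
        ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE).edit().clear().apply();
        ctx.deleteDatabase("user_cache.db");  // assumed name of this app's per-user database
    }
}
```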


For these scenarios, we are excited to announce a new Intune feature in public preview that clears local app data in non-optimized apps when a user signs out from an app optimized with shared device mode. On Android 9 and higher, admins can define a list of non-optimized apps that will leverage Android OS capabilities to clear the apps’ local data. With this functionality, when a user initiates sign-out from a shared device mode app, it will also initiate a local data clearing from apps not optimized for shared device mode. This helps to offer single sign-out even for non-optimized apps. Note that this functionality does not aim to address single sign-in between optimized and non-optimized apps. Important: Application data stored outside of a given application will not be removed.


Here are some considerations for using the data clear setting with non-optimized apps:


  • Users cannot initiate sign-out from non-optimized apps and get single sign-out. Instead, users need to initiate sign-out from an app that has been optimized for shared device mode. Microsoft apps that are optimized for shared device mode on Android include Teams and Intune’s Managed Home Screen.

  • For non-optimized apps, deleting app data is best effort as provided by the platform and only supports clearing storage that is local to the application. Data may be left in other areas of the device (e.g. sdcard) if any information generated in the app is stored externally from the app itself.

  • To ensure that your users are notified they are signing out, and that the device is ready for the next user, ensure notifications are enabled for each device. For more information, visit Android Enterprise device settings in Microsoft Intune. Note that sign-in is not prevented while the user is being signed out. Users should review the notifications to ensure that sign-out has completed.


To fully understand the data clearing process, we recommend thoroughly testing all non-optimized apps before you add them to shared devices in multi-user scenarios, so that you can confirm they work as expected. For example, validate your core scenarios in each app, and verify that the app signs out properly and that all data is sufficiently cleared for your organization’s needs.


To learn more about how to use this new feature, read on!

Configuring local app data clearing in non-optimized applications


Before applying this new setting, make sure you are using Intune-managed Android Enterprise dedicated devices enrolled with Azure AD shared device mode. For help getting your dedicated device enrollment profile(s) and device groups appropriately set up, see Set up Intune enrollment of Android Enterprise dedicated devices.


With Intune’s November (2111) release, when you create or edit a device restrictions policy for dedicated devices, under Applications you will notice a new option: Clear application data in apps not optimized for Shared device mode (public preview).


Example Intune Android Enterprise Device restriction policy with a new setting titled: "Clear application data in apps not optimized for Shared device mode (public preview)".


With this setting, you can add the non-optimized apps whose local app data should be cleared whenever a user initiates sign-out from an optimized app. Note that you will not be able to add the Intune app, Company Portal, Authenticator or optimized apps like Managed Home Screen and Teams to the list. Although you will be able to add any optimized LOB apps, it is not recommended to add any optimized apps to the list of applications that should receive a local app data clear.


The following example will sign users out of the Google Chrome browser and clear the applicable user data. As a result, the user on the device will get a sign-out from any web apps launched via Chrome, including Outlook, which is shown in this example.


Android Enterprise Device restriction policy example with the Google Chrome store app targeted.


Review and save your selections to update your device restrictions policy.


Review and save your selections to update your device restrictions policy.


User experience


The exact experience your users have will depend on how their devices have been configured and what apps they are using. For example, if you configure the System notifications and information setting (explained in detail in Android Enterprise device settings in Microsoft Intune) to show notifications, users will have a different experience than if your devices are not configured to allow notifications.


If notifications are enabled, then when users sign out from an app optimized with shared device mode, they will receive a notification that lets them know that a sign-out is underway. This notification is tappable; if tapped, users will be taken to a full screen experience with a loading spinner that will automatically close when local data of non-optimized apps has been cleared. If the user does not tap the notification, then it will persist on the device with a progress bar until app-clearing processes are completed. Once completed, devices will receive another non-persistent notification letting the user know that they have been signed out and the device is ready for the next user.


If notifications are disabled, the user will not see any indication that app clearing is taking place. This does not stop the app-clearing process, but it does introduce a risk that a different user will sign in before the previous user’s app data is fully cleared.


The following GIF is an example of the sign-out experience. In this example, notifications are enabled, and the device is set up with Managed Home Screen with optional sign-in configurations specific to shared device mode. Additionally, the user is accessing Teams and Outlook as a web app launched via Chrome.


Example of the sign-out experience on an Android Enterprise device.


Frequently asked questions (FAQ)


Q: Can I use this feature on any of my dedicated devices enrolled with shared device mode?


A: No. This feature is only available on devices running Android 9 and higher.


Q: Can I use this feature on my dedicated devices that are not enrolled with Shared device mode?


A: No. To use this feature, you must be using an Intune managed dedicated device enrolled with shared device mode. You must also have a mix of apps that have been optimized for shared mode and apps that have not been optimized for shared mode.


Q: Do I need to enable notifications on my devices to use this feature?


A: No. If notifications are disabled on your devices, the specified apps will still get cleared. However, without notifications, users will not be notified that sign-out is complete, nor will they be notified if any errors occurred. As such, we highly recommend that you enable notifications when using this feature.


Q: Can I use this feature for any non-optimized app? For example, my organization uses non-optimized native Microsoft 365 Android apps that support multiple accounts. Is there anything we should consider before trying to clear local application data for these apps?


A: We suggest that all non-optimized apps, regardless of publisher, be thoroughly tested before being used in multi-user scenarios on shared devices to ensure that they work in a way that meets your organization’s needs. Non-optimized apps that provide support for multiple accounts could exhibit patterns that are difficult to predict or determine and will benefit from thorough testing. For Microsoft 365 apps that support multiple accounts, in the cases where the native app does not meet your needs, we suggest using these apps as a web app launched via Google Chrome.


Q: When will Microsoft apps other than Teams and Managed Home Screen be optimized to support shared device mode on Android?


A: We are actively working to optimize Microsoft 365 apps with Shared device mode, but do not currently have public timelines to share. Stay tuned for updates on this blog post, and feel free to let us know which apps you’d most love to see optimized for shared device mode by commenting on this post or reaching out to @IntuneSuppTeam on Twitter.


Q: Is it a requirement to use multi-app kiosk mode with Managed Home Screen to leverage app data clear?


A: No. Managed Home Screen is an optional companion app on Intune Android Enterprise dedicated devices, regardless of whether you use shared device mode or not. When using shared device mode, you can still choose to use no kiosk mode, single-app kiosk mode, or multi-app kiosk mode with Managed Home Screen. We do recommend Managed Home Screen for scenarios where you want your users to have access to multiple apps in a customized, locked-down fashion. Additionally, Managed Home Screen offers optional sign-in configurations that add a lot of value for scenarios where you want your users to have a streamlined sign-in and sign-out experience. App data clear is only applicable to dedicated devices using Shared device mode.


Q: Am I required to make apps that I want to have cleared visible to my users?


A: No. Your users do not need to see or interact with the apps that you choose to have cleared.


We hope you take advantage of this new feature on your shared Android Enterprise dedicated devices and look forward to your feedback. If you have questions or comments for the Intune team, reply to this post or reach out to @IntuneSuppTeam on Twitter.

Posted at https://sl.advdat.com/31JhvP5