Shared devices in Intune is something that pops up in every project where we move to Intune and Entra joined devices. When an app is made available to users, the Company Portal app enforces whether a user is allowed to install it based on the primary user of the device. For required apps, however, the primary user is not evaluated, so when we push required apps to users they end up on all shared devices those users sign in to. This is a big difference from Configuration Manager, where we have more targeting options, and it matters when designing and planning our shared device strategy.
Intune user targeting cheat sheet

| | Company Portal available user app | Required user app |
|---|---|---|
| Primary user | Y | Y |
| Non-primary user | X | Y |
| No primary user in Intune | Y | Y |
| Self-deploying | Y | Y |
This means that we don't necessarily choose to install the Company Portal on shared devices; it depends on the scenario.
Shared device design checklist:
Deploying shared devices in Intune requires planning, as many things differ from a personal device. For example, on a personal device we can still use Microsoft NPS with user-based certificate authentication, but on a shared device this gives a bad experience because every new user has to wait for their certificate to come down before they get network access.
– How are apps supposed to be deployed to the shared devices?
– Install the Company Portal or not?
– Filter out required apps that shouldn’t be installed
– Network access: we prefer a cable, as self-deploying devices require no hands-on in this scenario; in modern offices this is a big challenge
– Network access: device-based certificate authentication is preferred, as many users need to log on to the device = no Microsoft NPS
– Devices must be imported in Autopilot, deploying the .json file using MDT/SCCM does not work. Windows Autopilot for existing devices | Microsoft Learn
– Devices must have TPM 2.0 and support TPM attestation Windows Autopilot self-deploying mode (Public Preview) | Microsoft Learn
– Deploy security settings and compliance policies to the shared devices
– Exclude from the Windows Hello for Business policy, as only ten users can enroll in WHfB per device; evaluate passwordless alternatives such as web sign-in instead. Windows Hello for Business Frequently Asked Questions (FAQ) – Windows Security | Microsoft Learn
To handle required applications we can go about it in two different ways: either use a PowerShell script as an application requirement rule that checks whether the device was joined to Microsoft Entra using the “autopilot@tenant.onmicrosoft.com” user account, or use a filter to exclude all devices deployed with self-deploying mode.
The screenshot below is from a self-deploying Windows 11 device.
Option 1: PowerShell script as an app requirement
The script can be downloaded from Github: https://github.com/Ccmexec/Intune-MEM
# Script to check if the device is deployed as a self-deploying device
# Written by Jörgen Nilsson
# ccmexec.com
# Outputs True on a self-deploying device (enrolled by the autopilot account) and False otherwise;
# the Intune requirement rule compares this output.
function Get-EnrolledUser {
    # Get the UPN of the user that enrolled the computer to AAD.
    # Each subkey under JoinInfo is one join record; UserEmail holds the enrolling account.
    $AADInfo = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo"
    $guids = $AADInfo.GetSubKeyNames()
    $UPN = $null
    foreach ($guid in $guids) {
        $guidSubKey = $AADInfo.OpenSubKey($guid)
        $UPN = $guidSubKey.GetValue("UserEmail")
    }
    # Keep only the account name, e.g. "autopilot" from autopilot@tenant.onmicrosoft.com
    $UserName = ($UPN -split "@")[0]
    Write-Output $UserName
}
# The parentheses around the function call are required: without them "-eq" and "autopilot"
# are passed as arguments to Get-EnrolledUser and any non-empty user name makes the condition true.
if ((Get-EnrolledUser) -eq "autopilot") {
    return $true
}
else {
    return $false
}
Adding this as a requirement rule, as shown below, makes sure the app is only installed on non-self-deploying devices.
The deployment status shows the result as well.
Option 2: Use a filter
Filters are simply great! We can create a filter that includes all our self-deploying devices and then use it to exclude our shared devices when we assign our applications.
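As an added illustration that is not from the original post, this is a filter rule that matches every device enrolled through a self-deploying Autopilot profile; the profile name is a placeholder you replace with the name of your own self-deploying deployment profile:

```text
(device.enrollmentProfileName -eq "PLACEHOLDER-SelfDeploying-Profile")
```

Assign the required app to the user group with this filter in exclude mode, so the app still reaches the users everywhere except on the shared devices.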
I hope this is useful when planning and deploying shared devices.