Workspace ONE integrates with Microsoft Entra ID to support conditional access for shared devices

Omnissa has integrated with Microsoft to extend our Workspace ONE Unified Endpoint Management (UEM) conditional access capabilities for Microsoft Entra ID with support for shared device mode on Android devices. This integration allows IT teams to provide shared devices with secure, conditional access to Microsoft 365 apps. 

This integration was built specifically with frontline workers in mind, in industries such as healthcare, hospitality, retail, and the supply chain sector. Previously, frontline organizations could only enable conditional access on devices assigned to a single employee. Employees were also required to manually register their devices with Entra ID. That process isn’t ideal for frontline workers. Depending on the task at hand, workers may rely on one or more shared devices throughout their shift and need quick, easy, and reliable access to apps. With support for shared device mode, this registration process is simplified, so workers don’t need to manually register devices they check out during their shift. 

Shared device mode with Workspace ONE and Entra ID 

With this integration, Workspace ONE UEM can register shared devices with Entra ID to enable granular, app-level conditional access policies — with minimal user intervention — to ensure security and a positive digital employee experience (DEX). Devices only need to be registered as shared once, during enrollment in Workspace ONE UEM. This means workers can get to work immediately after logging into a shared device, without the need to re-register it at the start of every shift.

Once a device is enrolled, has Microsoft Authenticator, and is registered in shared device mode in Workspace ONE, Entra ID will continuously recognize it as a shared device and grant or deny access to Microsoft 365 apps based on its compliance and management status in Workspace ONE. For example, an organization can choose to create a policy that only grants workers access to Microsoft Teams if the device they’re using is compliant. Under this policy, if a worker launches Microsoft Teams on a device, Workspace ONE will send that device’s management and compliance status to Entra ID via Intune’s partner compliance API. If the device is managed and compliant, the worker will be granted access; if not, they’ll be denied. 

Workspace ONE and Entra ID customers can enable shared device conditional access for Android devices today, with support for iOS devices coming in future.  

There are additional benefits of using Microsoft Authenticator.  By integrating with the Microsoft Authentication Library (MSAL), Workspace ONE UEM provides a streamlined single sign-in/sign-out experience for MSAL-enabled applications on shared  Examples of applications supporting this SSO method include Microsoft Teams, Edge, and other first-party Microsoft apps listed here. Once the user ends their session with Workspace ONE UEM, they are signed out of these apps. 

To learn more about Shared Device mode with Workspace ONE, check out our article on Omnissa Documentation.