User Based Profile switching on Windows Devices
  • 12 Jun 2024
  • 6 Minutes to read
  • PDF

User Based Profile switching on Windows Devices

  • PDF

Article summary

Desktop machines are multi-user machines, which can have either local accounts or domain joined accounts. This makes it a shared machine by default. Multiple users can use the same machine with profiles and policies applied specific to each user, when they sign in on the machine. Scalefusion identifies the user group to which this username/user belongs and attaches the new profile accordingly. 

Shared devices can be found in a variety of settings, such as educational institutions, corporate workplaces, healthcare facilities, and public spaces like libraries, shopping malls, etc., where these shared devices may be used to provide access to specific apps or services that are needed by multiple users.

There are several advantages to organizations using Shared devices, such as Cost effectiveness, Improved Productivity, Easier maintenance, and Greater accessibility, to name a few. Leveraging Scalefusion's User Group Management and User Authenticated Enrollment features, IT Admins can prioritize user-based devices and utilize their AD integrations for better management.

Before You Begin

  1. Latest version of Scalefusion MDM agent (agent app for Windows) should be installed on devices
  2. Windows Device Profile should be created
  3. Supported OS: Windows 10, 11 (Pro and Home editions)

How it works

In a nutshell, the following is an overview of the steps involved in configuring a Windows device as a shared device:

  1. Add users to User Management
  2. Create User Group(s)
  3. Configure Settings for Shared Devices
  4. Create QR Code Configuration
  5. Enroll the devices
  6. Dashboard view of Shared Devices

These are explained in detail below.

Step 1: Adding users to User Management

  1. Navigate to Enrollment Configurations > User Enrollment.
  2. You can either use the Add a User button to add the users or upload a list of users in the form of a CSV file.
  3. In case the account is a OneIDP, G Suite or O365 account, you can import the users from the respective G Suite/O365 consoles.
    1. Refer to the Import Users and User Group guide to know more about importing G Suite/O365 users.
  4. Once the user details are added, the user or the list of users will now show on the dashboard.
  5. Unlike BYOD enrollment, you will not need to send an invite to these users.
  6. The next step will be to create a QR Code Configuration to set up the User Authenticated Enrollment mode.
    You can also use AAD, PingOne, Okta, and Google Workspace for the authentication of users.

Step 2: Creating User Group(s)

  1. Navigate to Groups > User Groups and click on the Create New Group button.
  2. This will open the group creation wizard and select the Users who will be sharing the devices in this User Group from the list of users that have already been added or imported as per Step 1.
  3. Once users are selected, select a Windows Device Profile in the Choose Windows Device Profile tab on the next screen.

  4. Click on the Next button to go to the Add Admin tab or directly click on the Add Admin tab and click on the Create User Group button to finish creating the User group for Shared Company-Owned devices.

Step 3: Configure Shared Device Settings

  1. Once the User Group is created, click on View Details to configure the Shared Devices Settings.

  2. Navigate to Settings tabScroll down and configure following settings under Configure Shared Device settings:
    1. Allow Windows & macOS devices to be Shared between Users in this Group: All the users added to this group will be allowed to share devices and login to the same machine. If disabled, a user from this group trying to login will be logged off. The device should be online for this setting to be applied.
    2. Auto Sign Off the Signed user after configured hours:You will be able to set a time (in hours), after which the signed user will be automatically signed out.
      1. Configure Alert message before Signing out: You can add a custom message that will be shown to signed-in users on the shared devices 5 minutes before they are to be automatically signed out.

  3. Once the settings are configured, click on the Save Settings button to save them.
  4. On the device, the alert for auto logoff will display like this (as shown below)

Step 4: Creating a QR Code Configuration

  1. Navigate to Enrollment Configurations > QR Code Configurations > click on the Create button.
  2. Choose Enrollment Type: Select either Kiosk/Agent or BYOD
  3. In case of Kiosk/Agent as Enrollment Type, you need to choose enrollment mode. If you select
    1. Userless Enrollment: You will not be able to select the user group under Group/Profile and hence cannot make a shared device at this point of time. 
    2. User Authenticated Enrollment: You can select the User Group which you want to assign to the user. This is a recommended option.
  4. You will see a pop-up message as shown below, click on OK and click on Next to Choose the User Group created as per Step 3.

  5. In the Group/Profile section, select a user group (you have configured with Windows Profile and shared device settings) from the User Groups dropdown.

  6. You can configure the Device configuration settings to allow users to add device details at the enrollment itself.

  7. Configure the Optional Settings and click on the Save button.

  8. Now you can enroll your Windows devices and make them shared.

Dashboard View of Shared Devices

  1. On the dashboard, under User Groups > Users, you will be able to see the details of which user has logged into which device and at what date and time.

  2. In the Devices tab, you will be able to see which user is currently signed in or signed out from the concerned device.

  3. In the Profile & Policies tab, you will see the Windows tab will show the Device Profile assigned to Devices, or you can assign a Device Profile.

  4. You can also set Global-level Settings for the Shared Devices which will apply to all User Groups. This can be done by clicking on the Settings button on the User Group homepage.
    1. Allow Users to Sign in from Multiple Devices: Enable this option to allow users to sign in from multiple devices using their email IDs.
    2. Allow Users from different groups to sign in on the same device: Enable this option to allow users belonging to different User Groups to sign in on a Shared Device. By default, only users in the same User Group can sign in if sharing has been enabled.
    3. Allow Ungrouped users to sign in to Windows/macOS devices: Enable this setting to allow users not in a user group, to sign in to devices. Disabling will send a logoff command if the device is online and reports a login event.
    4. Configure Force Log-Off/Restart message: Configure a message that will be displayed to the users when they get force logged off from the device.

      Following is an example of how the prompt will display on the device in case any of the conditions are not met for a normal user:

If the user is a OneId user, following prompt will be displayed if the conditions are not met:

Make a non-user Authenticated device a Shared device

If you have devices that are already registered with Scalefusion in Kiosk mode but were not enrolled via User-based authentication and want to use them as Shared devices or assign a user to them, you can do so by following these steps:

  1. Navigate to the Devices section and click on View Details for the concerned device(s).

  2. Click on the Gear icon and scroll down to the Assign User option.

  3. Select the user in the new window and click on Save.

  4. You will be able to see the device in the User Group section under the users created for the Shared Devices.
  5. As soon as user is assigned to the device, you will see the device will reflect under that user in user group.
  6. Thus, the device will become a Shared device, and the users that are part of the User Group will be able to use the device.

Known Behavior

  • In case device is enrolled via Modern Management in Single App Mode or Multi-app Kiosk mode, the force log off prompt will not display but users will get logged out after 2 minutes if they are not allowed to login onto the device.

Was this article helpful?