
Shared Device Configuration

Shared device configuration establishes secure multi-user access on tablets, laptops, and mobile devices used by multiple staff members in field operations. This task covers platform-specific setup for shared device modes, user session management, data separation between users, and automatic cleanup procedures that prevent data leakage between sessions.

Field contexts frequently require device sharing due to equipment constraints, mobile team operations, or distribution point workflows where dedicated devices per user are impractical. Shared devices introduce security risks absent from single-user deployments: residual data from previous sessions, cached credentials, and the potential for one user to access another’s information. Proper configuration mitigates these risks while maintaining usability for staff who need rapid access without complex authentication ceremonies.

Prerequisites

Verify the following requirements before beginning shared device configuration.

Requirement       | Detail                                                      | Verification
------------------|-------------------------------------------------------------|------------------------------------------------------------
MDM platform      | Intune, Jamf, or SOTI MobiControl enrolled                  | Device appears in MDM console with check-in within 24 hours
Identity provider | Entra ID, Okta, or Google Workspace with device-scoped policies | IdP admin access to create shared device policies
Device platform   | iOS 15+, iPadOS 15+, Android 10+, or Windows 10 21H2+       | Settings > About confirms OS version
Device ownership  | Organisation-owned (not BYOD)                               | Asset register confirms ownership
Network access    | Connectivity to MDM and IdP during setup                    | Device can reach login.microsoftonline.com or equivalent
Admin credentials | MDM administrator role                                      | Can create configuration profiles in MDM console

BYOD exclusion

Shared device mode requires organisation-owned devices. Personal devices cannot be configured for shared use due to privacy and data separation limitations.

Gather the following information before proceeding:

The user population determines session timeout and cleanup aggressiveness. Devices shared among 3-5 known team members can retain more state between sessions than devices used at distribution points by dozens of beneficiaries daily.

The use case affects kiosk mode decisions. Data collection at a single application requires kiosk lockdown; general-purpose shared laptops for field staff need full desktop access.

The connectivity profile influences authentication caching. Devices operating offline for extended periods need longer credential cache validity than devices with consistent connectivity.

Procedure

iOS and iPadOS Shared iPad Configuration

Apple’s Shared iPad feature provides multi-user capability with local data separation. Each user receives a dedicated partition with separate app data, documents, and settings. The device caches credentials for a configurable number of users, enabling rapid sign-in without network dependency after initial authentication.

  1. Create a Shared iPad configuration profile in your MDM. In Intune, navigate to Devices > Configuration profiles > Create profile. Select iOS/iPadOS as the platform and Templates > Device features as the profile type.

    Configure the Shared iPad settings:

Enable Shared iPad: Yes
Maximum cached users: 10
Maximum seconds of inactivity before user logout: 300
Maximum seconds after screen lock before logout: 120
Require Shared iPad temporary session only: No

The Maximum cached users value determines how many user partitions the device retains. Set this to match your expected concurrent user count plus a buffer. A 256GB iPad supports approximately 24 cached users with 10GB per partition; a 64GB iPad supports 6 users comfortably.

  2. Assign the profile to a device group containing your shared iPads. Create a dynamic group in Entra ID using the query (the inner expression of -any must be parenthesised):
(device.devicePhysicalIds -any (_ -contains "[OrderID]:SharediPad"))

This matches devices tagged during Apple Business Manager enrolment with the OrderID prefix SharediPad.

  3. Configure user assignment for the shared devices. In Apple Business Manager, navigate to Devices and select your shared iPad fleet. Under User Assignment, select “Shared iPad” as the device type.

  4. Enrol the device through Apple Configurator or Automated Device Enrolment. During Setup Assistant, the device recognises the Shared iPad configuration and formats storage with user partitioning. This process takes 10-20 minutes depending on storage size.

  5. Verify Shared iPad activation by checking the lock screen. A properly configured Shared iPad displays “Press Home to Unlock” with a user icon, not the standard “Press Home to Open” message.

  6. Test user sign-in with a pilot user account. The first sign-in requires network connectivity and takes 2-3 minutes as the device creates the user partition. Subsequent cached user sign-ins complete in 10-15 seconds even offline.

  7. Configure app deployment for shared mode. In Intune, set app assignments to “Available for enrolled devices” rather than user-targeted deployment. Device-licensed apps from Apple Business Manager work across all user sessions without per-user licence consumption.

+--------------------------------------------------------------------+
|                      SHARED iPAD ARCHITECTURE                      |
+--------------------------------------------------------------------+
|                                                                    |
|  +------------------------+      +------------------------+        |
|  |    DEVICE PARTITION    |      |    DEVICE PARTITION    |        |
|  |        (System)        |      |     (Shared Apps)      |        |
|  |                        |      |                        |        |
|  |  iOS Operating System  |      |  Device-licensed apps  |        |
|  |  MDM Agent             |      |  Configuration         |        |
|  |  System Apps           |      |  profiles              |        |
|  +------------------------+      +------------------------+        |
|                                                                    |
|  +------------------+  +------------------+  +------------------+  |
|  |  USER PARTITION  |  |  USER PARTITION  |  |  USER PARTITION  |  |
|  |     (User A)     |  |     (User B)     |  |     (User C)     |  |
|  |                  |  |                  |  |                  |  |
|  |  App data        |  |  App data        |  |  App data        |  |
|  |  Documents       |  |  Documents       |  |  Documents       |  |
|  |  Cached creds    |  |  Cached creds    |  |  Cached creds    |  |
|  |  Settings        |  |  Settings        |  |  Settings        |  |
|  +------------------+  +------------------+  +------------------+  |
|                                                                    |
|  +-------------------------------------------------------------+   |
|  |                      TEMPORARY SESSION                      |   |
|  |          (No persistent data - cleared on logout)           |   |
|  +-------------------------------------------------------------+   |
|                                                                    |
+--------------------------------------------------------------------+

Figure 1: Shared iPad storage architecture showing system, shared app, and user partitions

Android Shared Device Mode

Android Enterprise provides dedicated device mode with multi-user support through work profiles. Unlike Shared iPad’s user-partitioned storage, Android shared devices use session-based isolation where the work profile clears between users.

  1. Configure your MDM for Android Enterprise dedicated device enrolment. In Intune, navigate to Devices > Enrol devices > Android enrolment > Corporate-owned dedicated devices. Create an enrolment profile with:
Enrolment mode: Corporate-owned dedicated device
Device sharing: Multiple users can sign in
Maximum users on device: 10
  2. Create a device configuration profile for shared device settings. Select Android Enterprise > Device restrictions (Dedicated devices):
Device experience:
Enrolment profile type: Dedicated device
User can share a device: Allow
Users and Accounts:
Add and remove accounts: Allow
Account changes: Allow
System security:
Factory reset: Block
Safe boot: Block
  3. Generate an enrolment token or QR code from the MDM console. The token encodes your organisation’s managed Google Play account and device policy.

  4. Factory reset the Android device and proceed through initial setup. At the “Copy apps & data” screen, tap “Next” without restoring. At the Google sign-in screen, enter afw#setup to initiate Android Enterprise enrolment.

  5. Scan the enrolment QR code or enter the token manually. The device downloads the MDM agent and applies the dedicated device configuration. This process requires network connectivity and takes 5-15 minutes.

  6. Verify multi-user mode activation. Navigate to Settings > System > Multiple users. The setting should show “On” with options to add users. If this setting is absent or disabled, re-verify the MDM configuration profile assignment.

  7. Test session switching by tapping the user icon in the quick settings panel. Create a new user session and verify that apps and data from the previous session are not accessible.

  8. Configure session cleanup by creating a device compliance policy:

Session inactivity timeout: 300 seconds
Session cleanup: Delete all user data
Retain device policies: Yes

Samsung Knox shared device mode

Samsung devices with Knox 3.0+ support enhanced shared device features including faster session switching and hardware-backed user isolation. Configure Knox Shared Device Mode through Samsung Knox Suite in addition to standard Android Enterprise settings for Samsung hardware.

Windows Shared PC Mode

Windows Shared PC mode transforms a standard Windows installation into a multi-user environment with automatic account management, storage optimisation, and session cleanup. The feature manages local account creation, temporary profile cleanup, and disk space recovery without administrator intervention.

  1. Create a Windows configuration profile in Intune. Navigate to Devices > Configuration profiles > Create profile. Select Windows 10 and later as the platform and Settings catalog as the profile type.

    Add the SharedPC settings category and configure:

Enable shared PC mode: Enabled
Account management:
Account deletion policy: Delete at disk space threshold and inactive threshold
Disk level deletion: 25
Disk level caching: 50
Inactive threshold: 30
Cache accounts above disk level: Enabled
Maintenance:
Maintenance start time: 0 (midnight)
Sign in on resume: Enabled
Power policies:
Sleep timeout on AC: 60
Sleep timeout on battery: 30
Education:
Set education environment: Disabled

The Disk level deletion of 25 means Windows deletes cached accounts when free disk space falls below 25%. The Disk level caching of 50 means Windows stops creating new cached accounts when free space falls below 50%. Setting Inactive threshold to 30 deletes accounts unused for 30 days.

  2. Configure user sign-in restrictions. In the same profile, add Windows sign-in options:
Sign-in options:
Only allow approved users to sign in: Enabled
Approved user list: field-staff-shared-pc@example.org

The approved user list references an Entra ID group. Only members of this group can sign in to shared PCs.

  3. Deploy the profile to your shared PC device group. Allow 1-2 hours for policy sync and device restart to apply Shared PC mode.

  4. Verify Shared PC mode activation. Open Registry Editor and navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedPC

Confirm EnableSharedPCMode equals 1 and AccountManagement equals 1.

  5. Test account lifecycle by signing in with a test user. Sign out and observe the temporary profile cleanup in Event Viewer under Applications and Services Logs > Microsoft > Windows > SharedAccess > Operational. Events 2001 and 2002 confirm account caching and cleanup operations.

  6. Configure BitLocker for shared PC scenarios. Shared PCs require network unlock or PIN authentication since TPM-only protection does not prompt on account switch:

# Replace the example PIN with a unique per-device startup PIN held by the administrator
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin (ConvertTo-SecureString "123456" -AsPlainText -Force) -TpmAndPinProtector

For devices with network unlock configured, the PIN prompt does not appear when connected to the organisational network.

+------------------------------------------------------------------+
|                  WINDOWS SHARED PC SESSION FLOW                  |
+------------------------------------------------------------------+
                                |
                        +-------v-------+
                        |  Lock Screen  |
                        |  (Ctrl+Alt+   |
                        |  Del or tap)  |
                        +-------+-------+
                                |
                +---------------+---------------+
                |                               |
       +--------v--------+             +--------v--------+
       | Existing cached |             |    New user     |
       |  user sign-in   |             | (Entra ID auth) |
       +--------+--------+             +--------+--------+
                |                               |
                |                      +--------v--------+
                |                      |  Create local   |
                |                      |     profile     |
                |                      |  (2-5 minutes)  |
                |                      +--------+--------+
                |                               |
                +---------------+---------------+
                                |
                        +-------v-------+
                        |    Desktop    |
                        |    Session    |
                        +-------+-------+
                                |
                        +-------v-------+
                        |   Sign Out    |
                        +-------+-------+
                                |
                +---------------+---------------+
                |                               |
       +--------v--------+             +--------v--------+
       |   Keep cached   |             | Delete profile  |
       |     profile     |             | (disk pressure  |
       |  (recent user)  |             |  or inactive)   |
       +--------+--------+             +--------+--------+
                |                               |
                +---------------+---------------+
                                |
                        +-------v-------+
                        |   Return to   |
                        |  Lock Screen  |
                        +---------------+

Figure 2: Windows Shared PC session lifecycle showing account caching and cleanup decisions

Kiosk Mode Configuration

Kiosk mode locks a device to a single application or limited set of applications. This configuration suits data collection scenarios, information displays, or controlled access points where users should not access the full device interface.

  1. Determine your kiosk type. Single-app kiosk restricts the device to one application with no access to device settings or other apps. Multi-app kiosk presents a launcher with 2-10 approved applications. Decide based on your use case:

    Use case                           | Kiosk type | Platform support
    -----------------------------------|------------|----------------------
    Data collection (KoboToolbox, ODK) | Single-app | iOS, Android, Windows
    Distribution point registration    | Single-app | iOS, Android
    Field office shared workstation    | Multi-app  | Windows, Android
    Information display                | Single-app | All platforms
  2. For iOS single-app kiosk, create an App Lock payload in your MDM. In Intune, create a device configuration profile with Device restrictions > App Lock enabled:

App Lock:
Enabled: Yes
App: com.example.datacollection (bundle ID)
Disable touch: No
Disable auto-lock: Yes
Disable device rotation: No
Disable volume buttons: No

Supervised iOS devices enter Guided Access mode, locking to the specified application. Exit requires the MDM admin to remove the App Lock payload.

  3. For Android kiosk mode, configure dedicated device with lock task mode. In the device restrictions profile:
Kiosk mode:
Kiosk mode type: Single app or Multi-app
Single app settings:
Managed home screen app: com.microsoft.launcher.enterprise
Lock task mode apps: com.example.datacollection
Multi-app settings:
Managed home screen app: com.microsoft.launcher.enterprise
Lock task mode apps:
- com.example.datacollection
- com.example.camera
- com.example.calculator
  4. For Windows kiosk mode, create an assigned access configuration. Use the Settings catalog to configure:
Assigned access:
Configuration type: Single app kiosk or Multi-app kiosk
Single app:
Account name: KioskUser
Application type: Win32 app
Application path: C:\Program Files\DataCollection\collect.exe
Multi-app:
Kiosk profile:
Account: SharedKiosk
Applications:
- Microsoft Edge
- File Explorer (restricted)
- Data Collection App
Start layout: Custom (specify XML)
  5. Test kiosk mode by restarting the device and verifying it boots directly into the kiosk application or launcher. Verify that standard escape methods (Ctrl+Alt+Del on Windows, five-finger tap on iOS) do not exit kiosk mode.

  6. Configure a break-out mechanism for administrators. On Windows, create a local admin account excluded from assigned access. On iOS and Android, MDM removal commands can exit kiosk mode for maintenance.

Data Separation Configuration

Data separation prevents information leakage between user sessions. The mechanism varies by platform: iOS uses partitioned storage, Android uses work profile isolation, and Windows uses separate user profiles. Additional configuration strengthens separation beyond platform defaults.

  1. Configure browser data handling. Shared devices accumulate browsing data including cached pages, cookies, saved passwords, and form autofill. Create a browser configuration policy:

    For Microsoft Edge (all platforms):

{
"ClearBrowsingDataOnExit": true,
"BrowserSignin": 2,
"SyncDisabled": true,
"PasswordManagerEnabled": false,
"AutofillAddressEnabled": false,
"AutofillCreditCardEnabled": false,
"ClearCachedImagesAndFilesOnExit": true
}

The ClearBrowsingDataOnExit setting removes all browsing data when the user closes Edge, not when they sign out of the device. Configure the app to close on session end for complete cleanup.

  2. Configure application data cleanup. Some applications cache user data outside the standard profile location. Create a script or management extension to clear known cache locations on sign-out:

    Windows sign-out script (cleanup.ps1):

# Clear common application caches left behind by the user who is signing out.
# Environment variables resolve in that user's context, so only their data is touched.
$cachePaths = @(
    "$env:LOCALAPPDATA\Microsoft\Teams\Cache",
    "$env:LOCALAPPDATA\Microsoft\Teams\blob_storage",
    "$env:LOCALAPPDATA\Microsoft\Teams\databases",
    "$env:LOCALAPPDATA\Packages\*\LocalCache",   # per-app caches of packaged (Store) apps
    "$env:TEMP\*"                                # user temp files
)
foreach ($path in $cachePaths) {
    # Test-Path and Remove-Item both accept wildcards, so the Packages\* entry expands to every app
    if (Test-Path $path) {
        Remove-Item -Path $path -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Deploy via Group Policy logoff script or Intune Proactive Remediation.

  3. Disable clipboard sharing and universal clipboard features that persist across sessions:

    Windows:

Clipboard history: Disabled
Sync across devices: Disabled

iOS (via MDM restrictions):

Allow Handoff: No
Allow iCloud Keychain sync: No
  4. Configure print queue cleanup. Print jobs queued by previous users may contain sensitive information:

    Windows:

# Add to cleanup script (controlling the Spooler service requires local administrator rights)
Stop-Service -Name Spooler -Force
Remove-Item -Path "$env:SystemRoot\System32\spool\PRINTERS\*" -Force
Start-Service -Name Spooler

  5. Verify data separation by creating test data in one user session (documents, browser bookmarks, application settings), signing out, signing in as a different user, and confirming no access to the previous user’s data.

+------------------------------------------------------------------+
|                   DATA SEPARATION VERIFICATION                   |
+------------------------------------------------------------------+
|                                                                  |
|   USER A SESSION                            USER B SESSION       |
|   +------------------+                      +------------------+ |
|   | Creates:         |                      | Should NOT see:  | |
|   | - Document.docx  |       Sign out       | - Document.docx  | |
|   | - Browser prefs  +--------------------->| - Browser prefs  | |
|   | - App settings   |       Sign in        | - App settings   | |
|   | - Cached creds   |      as User B       | - Cached creds   | |
|   +------------------+                      +------------------+ |
|                                                                  |
|   VERIFICATION POINTS:                                           |
|   +----------------------------------------------------------+   |
|   | 1. Documents folder empty or shows only User B content   |   |
|   | 2. Browser shows default homepage, no bookmarks          |   |
|   | 3. Applications require fresh login                      |   |
|   | 4. Recent files list empty                               |   |
|   | 5. Clipboard empty                                       |   |
|   | 6. No WiFi passwords from User A session                 |   |
|   +----------------------------------------------------------+   |
|                                                                  |
+------------------------------------------------------------------+

Figure 3: Data separation verification checklist between user sessions

Physical Security Configuration

Physical security settings protect shared devices from tampering, theft, and unauthorised access when unattended. These settings complement data separation by preventing bypass of session isolation through physical device access.

  1. Configure automatic screen lock with aggressive timeouts. Shared devices in public or semi-public locations should lock after 60 seconds of inactivity; those in controlled environments can extend to 300 seconds:
iOS/iPadOS:
Auto-Lock: 1 minute (or 2 minutes minimum for Shared iPad)
Require passcode: Immediately
Android:
Screen timeout: 60 seconds
Lock after timeout: Immediately
Windows:
Screen saver timeout: 60 seconds
Require password on wake: Yes
  2. Disable USB access to prevent data exfiltration or malware introduction:

    Windows (via MDM or Group Policy):

Removable storage access:
All removable storage classes: Deny all access
CD and DVD: Deny write access

iOS (via MDM restrictions):

Allow USB connections when locked: No

Android (via device restrictions):

USB file transfer: Block
USB tethering: Block
  3. Enable firmware and boot protection where available:

    Windows:

Secure Boot: Enabled
UEFI password: Set (store securely)
Boot from USB: Disabled

iOS and Android devices with recent hardware enforce secure boot by default.

  4. Configure device tracking and remote management capabilities:

    iOS:

Find My: Enabled (organisation-controlled)
Activation Lock: Organisation bypass configured
Lost Mode: Available to MDM administrators

Android:

Google Find My Device: Enabled
Factory reset protection: Organisation account

Windows:

Find My Device: Enabled
BitLocker recovery: Escrowed to Entra ID
  5. Attach physical security devices for high-risk locations. Cable locks for laptops and tablet enclosures or stands for iPads reduce opportunistic theft.

Session Monitoring Configuration

Session monitoring provides visibility into shared device usage patterns, security events, and potential misuse. Configure logging and alerting to detect anomalous behaviour while respecting user privacy.

  1. Enable sign-in event logging. Configure your identity provider to log shared device authentication events:

    Entra ID: Navigate to Entra ID > Monitoring > Diagnostic settings. Create a setting to send SignInLogs to your SIEM or Log Analytics workspace. Filter for shared device sign-ins using device compliance state or device group membership.

  2. Create alerts for anomalous usage patterns:

Alert: Excessive sign-in failures on shared device
Condition: > 5 failed sign-ins within 15 minutes
Severity: Medium
Action: Notify IT support
Alert: Sign-in outside operating hours
Condition: Successful sign-in between 22:00-06:00 local time
Severity: Low (informational)
Action: Log for review
Alert: Unfamiliar user on shared device
Condition: Sign-in by user not in approved group
Severity: High
Action: Notify security team, consider device wipe
  3. Configure device compliance reporting. Schedule weekly reports showing:

    • Devices not checking in (potential theft or loss)
    • Compliance policy failures
    • Users accessing shared devices
    • Session duration statistics
  4. Respect privacy boundaries. Shared device monitoring should focus on device security and usage patterns, not individual user behaviour. Avoid:

    • Application usage tracking beyond security-relevant apps
    • Keystroke logging
    • Screenshot capture
    • Location tracking beyond device recovery needs

    Inform users that shared device usage is logged for security purposes per your acceptable use policy.
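The following is an added worked example, not code from this page or from any vendor product, of the three alert rules in step 2 and the "devices not checking in" and "users accessing shared devices" items of the weekly report in step 3, evaluated over constructed sample data. It assumes sign-in records exported from Entra ID SignInLogs (userPrincipalName, createdDateTime, status.errorCode and deviceDetail.deviceId are real SignInLogs fields; every value is invented), an approved-user group, a list of shared device IDs, a local time-zone offset for the field site, and MDM last-check-in records whose field names are assumptions. Session duration is not derivable from sign-in events alone and is left out.

```python
"""Shared-device alert rules and weekly report evaluated over constructed sample data.
Added example; not code from the original page or from any MDM/IdP product."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed records in the shape of Entra ID SignInLogs entries. The field names
# userPrincipalName, createdDateTime, status.errorCode and deviceDetail.deviceId are
# real SignInLogs fields; every value is invented. errorCode 0 means success and
# 50126 is the "invalid username or password" code.
SIGN_INS = [
    {"userPrincipalName": "alice@example.org", "createdDateTime": "2024-05-06T08:02:00Z",
     "status": {"errorCode": 0}, "deviceDetail": {"deviceId": "ipad-01"}},
    {"userPrincipalName": "bob@example.org", "createdDateTime": "2024-05-06T23:40:00Z",
     "status": {"errorCode": 0}, "deviceDetail": {"deviceId": "pc-01"}},
    {"userPrincipalName": "mallory@example.org", "createdDateTime": "2024-05-07T09:15:00Z",
     "status": {"errorCode": 0}, "deviceDetail": {"deviceId": "ipad-01"}},
] + [  # six failed attempts on pc-01 within ten minutes (constructed)
    {"userPrincipalName": "unknown@example.org",
     "createdDateTime": f"2024-05-07T10:{minute:02d}:00Z",
     "status": {"errorCode": 50126}, "deviceDetail": {"deviceId": "pc-01"}}
    for minute in (0, 2, 4, 6, 8, 10)
]
APPROVED_USERS = {"alice@example.org", "bob@example.org"}  # approved Entra group (constructed)
SHARED_DEVICES = {"ipad-01", "pc-01"}                      # shared fleet device IDs (constructed)
LOCAL_TZ = timezone(timedelta(hours=3))                    # assumed local offset of the field site
# Constructed MDM inventory: last check-in per device (field layout is an assumption).
CHECK_INS = {"ipad-01": "2024-05-07T09:30:00Z", "pc-01": "2024-05-05T17:00:00Z"}


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def excessive_failures(events, threshold=5, window=timedelta(minutes=15)):
    """Medium: more than `threshold` failed sign-ins on one shared device within `window`."""
    failures = defaultdict(list)
    for e in events:
        dev = e["deviceDetail"]["deviceId"]
        if dev in SHARED_DEVICES and e["status"]["errorCode"] != 0:
            failures[dev].append(parse_ts(e["createdDateTime"]))
    alerts = []
    for dev, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                alerts.append({"severity": "Medium", "device": dev,
                               "detail": f"{end - start + 1} failures within {window}"})
                break  # one alert per device per evaluation
    return alerts


def after_hours(events, tz=LOCAL_TZ, start_hour=22, end_hour=6):
    """Low: successful sign-in between 22:00 and 06:00 local time."""
    alerts = []
    for e in events:
        if e["status"]["errorCode"] != 0 or e["deviceDetail"]["deviceId"] not in SHARED_DEVICES:
            continue
        local = parse_ts(e["createdDateTime"]).astimezone(tz)
        if local.hour >= start_hour or local.hour < end_hour:
            alerts.append({"severity": "Low", "device": e["deviceDetail"]["deviceId"],
                           "user": e["userPrincipalName"], "local_time": local.isoformat()})
    return alerts


def unapproved_user(events, approved=APPROVED_USERS):
    """High: successful sign-in on a shared device by a user outside the approved group."""
    return [{"severity": "High", "device": e["deviceDetail"]["deviceId"],
             "user": e["userPrincipalName"]}
            for e in events
            if e["status"]["errorCode"] == 0
            and e["deviceDetail"]["deviceId"] in SHARED_DEVICES
            and e["userPrincipalName"] not in approved]


def weekly_report(events, check_ins, now, stale=timedelta(hours=24)):
    """Devices silent for longer than `stale` (potential theft or loss) and the distinct
    users seen on each shared device; no per-user activity detail is recorded."""
    silent = sorted(d for d, ts in check_ins.items() if now - parse_ts(ts) > stale)
    users = defaultdict(set)
    for e in events:
        if e["status"]["errorCode"] == 0 and e["deviceDetail"]["deviceId"] in SHARED_DEVICES:
            users[e["deviceDetail"]["deviceId"]].add(e["userPrincipalName"])
    return {"not_checking_in": silent,
            "users_per_device": {d: sorted(u) for d, u in users.items()}}


if __name__ == "__main__":
    for alert in excessive_failures(SIGN_INS) + after_hours(SIGN_INS) + unapproved_user(SIGN_INS):
        print(alert)
    print(weekly_report(SIGN_INS, CHECK_INS, parse_ts("2024-05-07T12:00:00Z")))
```

The failure rule uses a sliding window over sorted timestamps rather than fixed 15-minute buckets, so a burst straddling a bucket boundary is still caught; the after-hours rule converts to the site's local zone before comparing hours, which matters for fleets spread across offsets.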

Verification

After completing shared device configuration, verify correct operation through these tests.

Execute each verification step with a non-administrator test account to confirm the end-user experience.

Session creation and isolation:

  1. Sign in as User A and create a test document in the Documents folder. Note the document name and content.
  2. Sign out completely (not switch user, but full sign-out).
  3. Sign in as User B and navigate to Documents. The folder should be empty or contain only User B’s existing files.
  4. Create a different document as User B.
  5. Sign out and sign back in as User A. Only User A’s original document should be visible.

Automatic session cleanup:

  1. Sign in as a test user.
  2. Leave the device idle beyond the configured timeout (wait 5+ minutes for a 300-second timeout).
  3. Verify the device has locked and requires re-authentication.
  4. For Windows Shared PC, verify temporary profile cleanup by checking Event Viewer after a second user signs in.

Kiosk mode enforcement (if configured):

  1. Restart the device and verify it boots into the kiosk application.
  2. Attempt standard escape methods:
    • Windows: Ctrl+Alt+Del, Win key, Alt+F4
    • iOS: Five-finger gesture, Home button triple-click
    • Android: Recent apps button, Home button long-press
  3. Confirm escape methods are blocked or require administrator credentials.

Data separation verification:

  1. Sign in as User A and save credentials in an application.
  2. Sign out and sign in as User B.
  3. Open the same application and verify it prompts for credentials rather than using User A’s saved credentials.
  4. Repeat for browser bookmarks, WiFi passwords (if applicable), and clipboard content.

Physical security:

  1. Lock the screen and verify correct timeout behaviour.
  2. Connect a USB drive and verify access is blocked per configuration.
  3. Verify Find My Device shows the correct device location.

Troubleshooting

Symptom | Cause | Resolution
--------|-------|-----------
Shared iPad shows single-user lock screen instead of multi-user | Shared iPad configuration profile not applied or device not supervised | Verify profile assignment in MDM; confirm device supervision status in Settings > General > About; re-enrol if necessary
User sign-in takes over 5 minutes on Shared iPad | Slow network during user partition creation; large app deployment | First sign-in requires network for partition setup; ensure stable connectivity; reduce per-user app deployments
Cached user limit reached; oldest user evicted unexpectedly | Maximum cached users set too low for actual usage | Increase cached user count in MDM profile; consider higher capacity device storage
Windows Shared PC not cleaning up profiles | Maintenance window not occurring; disk thresholds not reached | Check maintenance start time setting; manually trigger cleanup with cleanmgr /sageset:1; verify SharedPC registry settings
Android session data persists between users | Work profile not clearing; app stores data outside managed context | Verify dedicated device mode is active; check that apps are deployed as managed Play apps; create compliance policy to clear work profile on sign-out
Kiosk mode exits unexpectedly | Lock task mode not properly configured; app crash | Verify lock task mode app list includes all required app package names; check app logs for crashes; ensure app handles exceptions gracefully
Browser retains previous user’s data | ClearBrowsingDataOnExit not enforced; browser not fully closing | Verify browser policy application via edge://policy; configure session end to force browser closure; check for multiple browser profiles
User cannot sign in; “This device is not shared” error | Shared device configuration not applied to this specific device | Verify device group membership; check MDM profile assignment; force device sync with MDM
Device stuck on “Preparing your device” during sign-in | Network timeout during profile creation; Azure AD connectivity issue | Verify network connectivity to login.microsoftonline.com; check firewall rules; increase connection timeouts in MDM
Physical security features disabled after sign-in | User policy overriding device policy; conflicting configuration profiles | Review policy precedence; ensure device-level policies cannot be overridden by user-level settings; check for conflicting profiles
Session timeout not working | Conflicting power settings; display never sleeping | Verify power policy assignments; check that screen saver settings align with lock timeout; disable user ability to change power settings
USB access working despite block policy | Policy not applying to all USB classes; driver-level bypass | Verify removable storage policy covers all classes; check for BitLocker To Go policy conflicts; use device installation restrictions as backup

Advanced Troubleshooting

Shared iPad diagnostic collection:

# On Mac with Apple Configurator 2
cfgutil -v get SharedDeviceConfiguration
cfgutil -v get SharedDeviceConfiguration-UsersInfo

This outputs current shared device state including cached user count and partition allocation.

Windows Shared PC event analysis:

# View SharedAccess events
Get-WinEvent -LogName "Microsoft-Windows-SharedAccess/Operational" |
Select-Object TimeCreated, Id, Message |
Format-Table -AutoSize
# Event ID reference:
# 2001 - Account added to cache
# 2002 - Account removed from cache
# 2003 - Maintenance started
# 2004 - Maintenance completed

Android Enterprise dedicated device verification:

# Via ADB (requires USB debugging enabled)
adb shell dumpsys device_policy | grep -A5 "Dedicated Device"

Output confirms dedicated device mode activation and policy application.

User Training Requirements

Shared device deployment requires user training to ensure correct session handling and security compliance. Cover these topics in user briefings:

Sign-out procedures: Users must sign out completely, not merely lock the screen. Demonstrate the difference between locking (session remains active) and signing out (session ends, data cleared). Emphasise that failure to sign out exposes their data to the next user.

Data storage limitations: Explain that documents saved locally may be deleted during cleanup. Direct users to save work to cloud storage (SharePoint, OneDrive, Google Drive) rather than local device storage.

Application sessions: Some applications maintain their own sessions independent of device sign-out. Train users to sign out of applications (especially email, messaging, and financial systems) before signing out of the device.

Reporting procedures: Users should report suspected data leakage, unusual device behaviour, or inability to sign in. Provide a clear escalation path to IT support.
