Multi-User Devices

Multi-User Devices allow an administrator to provision devices intended to be used by more than one user. A tool for Multi-User Devices is Device Enrollment Manager (short DEM).

DEM is an Intune permission that can be applied to an Azure Active Directory user account and lets the user enroll up to 1,000 devices. A DEM account is useful for scenarios where devices are enrolled and prepared before handing them out to the users of the devices.

Licenses

Devices enrolled by DEM accounts need to be licensed. Therefore, each DEM account needs an Intune user or device license assigned.

Example:

Enterprise Mobility + Security (user license) or
A simple device license

Preparations

Before you can start with a device enrollment you have to do some preparations.

Create DEM User

Create a generic user account that is not assigned to a real person. Please make sure that this account never gets deleted. In that case, enrolled devices will not stay under management anymore. Assign a suitable Intune license as described before.

Create User Group for DEM Accounts

A new user group is necessary that contains all DEM users. Ad one (e.g. CFG - All multi-user device accounts DEM) and assign the previously created user.

Prepare Group

In Intune the following actions are necessary for that group:

Assign compliance policies and device configurations (that should apply for these devices)
Assign Intune distributed apps (e. g. RealmJoin Installer)
Check if DEM group can enroll and register new devices in Tune/Azure AD (e. g. enrollment restrictions and Azure AD Join)

The following steps must be done in RealmJoin

Add RealmJoin configuration policies to that group
Add Software packages (that should be installed when the device is set up by DEM account)
Let Glück & Kanja mark this group as Primary Users (obtain Azure AD Object ID)