Shared Device Mode with Microsoft Entra
Shared Device Mode authentication simplifies access management on devices that several users share. It combines Microsoft Entra with Single Sign-On (SSO) in the 42Gears UEM Agent, so that users sign in once and the device is managed under a single identity framework, balancing convenience with sound security controls. The goal is a secure, efficient management framework that improves the user experience in shared device environments.
The integration starts with the configuration of Microsoft Entra as the SSO identity provider. That configuration is then linked to the SureMDM application, producing a unified authentication path that improves the user experience and tightens access control. The steps below describe the complete integration process, from the SureMDM console settings to the job that switches the device into Shared Device Mode:
Prerequisites:
A. Configurations to be done on SureMDM Console:
1. Log in to the SureMDM web console.
2. Navigate to Account Settings -> Enterprise Integrations -> Office 365.
3. Switch to the Conditional Access tab and configure the following settings.
- Integrate Microsoft Entra ID (formerly Azure AD) should be checked.
- Enter the Tenant ID of the customer's Azure (Entra) tenant in the Tenant ID text box.
4. Click on Save. This opens a consent pop-up in the Microsoft portal. Sign in with an account that has sufficient admin rights in the tenant and grant the requested permissions.
B. Configurations to be done from the Jobs Section:
- Enroll an Android device in fully managed mode with the SureMDM Agent to the SureMDM web console.
Note: This feature is available with SureMDM Agent version 27.40.53 and above.
- Install the Microsoft Authenticator app on the device. You can do this using Profiles.
- Once done, create a Run Script job using the run script command below and push it to the device.
Command:
!#suremdm
m365shareddevicemode(true, "<tenant-id>")
After the run script is pushed, the Microsoft Authenticator app is launched and put into Shared Device Mode, and the device is registered in the Microsoft Entra portal.
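Because the run script is pushed to every targeted device, it is worth checking the tenant ID before creating the job: a mistyped value, or the literal `<tenant-id>` placeholder left in the template, would register devices against the wrong tenant or fail silently on the device. The following helper is an added example and is not part of the article or of 42Gears' code; it assumes only the two-line run script syntax shown above. The function names and the sample tenant ID are constructed for illustration.

```python
import uuid

# Placeholder exactly as it appears in the article's template; must never reach a device.
PLACEHOLDER = "<tenant-id>"


def validate_tenant_id(tenant_id: str) -> str:
    """Return the tenant ID in canonical lowercase GUID form, or raise ValueError.

    Entra tenant IDs are GUIDs (8-4-4-4-12 hex). The check also rejects the
    untouched template placeholder and non-canonical spellings (braces, no
    hyphens), so the value that ends up in the job is exactly what the
    Microsoft portal shows.
    """
    value = tenant_id.strip()
    if value == PLACEHOLDER or not value:
        raise ValueError("tenant ID placeholder was not replaced with a real value")
    try:
        parsed = uuid.UUID(value)
    except ValueError as exc:
        raise ValueError(f"tenant ID is not a GUID: {value!r}") from exc
    if str(parsed) != value.lower():
        raise ValueError(f"tenant ID must be in canonical 8-4-4-4-12 form: {value!r}")
    return str(parsed)


def build_shared_device_script(tenant_id: str, enable: bool = True) -> str:
    """Render the SureMDM run script that toggles Shared Device Mode.

    The output mirrors the article's command: the '!#suremdm' header line followed
    by the m365shareddevicemode call with the boolean and the quoted tenant ID.
    """
    tid = validate_tenant_id(tenant_id)
    flag = "true" if enable else "false"
    return f'!#suremdm\nm365shareddevicemode({flag}, "{tid}")'


if __name__ == "__main__":
    # Constructed sample tenant ID (not a real tenant).
    print(build_shared_device_script("11111111-2222-3333-4444-555555555555"))
```

Run it before pasting the script into the Run Script job; any exception means the job should not be created.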
For reference on the device side, please refer to the screenshot below:
For reference on the Microsoft Entra portal, please refer to the screenshot below: