Workspace ONE UEM Windows Multiuser

Overview

Windows Multiuser functionality enables Workspace ONE UEM management of Windows devices for multiple users on a single physical or virtual device, including Horizon persistent pools.  Windows Multiuser addresses not only technical and security requirements for shared Windows devices, but it can also decrease the number of physical and/or virtual devices deployed, resulting in cost savings.

This document will walk through the following topics:

• What is Windows Multiuser?
• Technical requirements
• Settings and options
• User experience
• Validating Multiuser configuration

What is Windows Multiuser?

Workspace ONE Windows Multiuser functionality allows two or more users to share a single device asynchronously, each with their own unique login experience.  Whether the Windows endpoint is accessed as a physical kiosk-type device, virtual endpoint within a call center, manufacturing shop, or other shared environment, each user can log in and out without impacting subsequent users. 

Figure 1: Multiple users can access the same physical or virtual desktop.

Important: the new Workspace ONE Windows Multiuser functionality implies multiple users logging into the same device at distinct times.  Multiuser is not the same as multisession, wherein multiple users access the same virtual desktop at the same time.Within the example above, Tom’s desktop is likely different than Jack’s desktop due to permissions, applications, and other settings, but they can each log onto the same device with a distinct logon experience. 

To clarify, Single user and Multiuser are defined as follows:

• Single user: The user who is enrolled on the device.  The enrolled user will not be updated if another user signs into Windows.
• Multiuser: Enrolled user of the device will be updated based on the current logged in Windows user. 

 Use Cases

Some ideal use cases for Windows Multiuser include:

• Horizon VDI
• Call centers
• Preferred-seating office space
• Manufacturing shop shift workers

Windows Multiuser is suitable within any environment wherein multiple users need to asynchronously access a specific device.

Technical Requirements

The technical requirements for Windows Multiuser are:

• Workspace ONE UEM version 2406 or later
• Workspace ONE UEM Modern Architecture
• Workspace ONE UEM Intelligent Hub 2404 or later

Figure 2: Technical requirements for Windows Multiuser.

 Workspace ONE version 2406

Workspace ONE version 2406 was made available in August 2024, and this release automatically enables Multiuser functionality.  However, Workspace ONE version 2406 is not the sole requirement. 

 Workspace ONE UEM Modern Architecture

The new Workspace ONE UEM Modern Architecture is also a requirement for Multiuser.  As part of this new underlying architecture, the feature flag for Windows Multiuser will automatically be enabled. 

Workspace ONE SaaS customers will be upgraded to the Modern Architecture platform starting in August 2024, with rollout extending several months. 

 Workspace ONE Intelligent Hub version 2404

Lastly, Workspace ONE Intelligent Hub version 2404 or later is required.

Multiuser Settings and Options

This section will provide detailed information about Multiuser-related setting and options, as well as recommendations, and will be broken down into the following subsections:

• Device enrollment
• Shared device settings
• Multiuser mode settings
• User attributes
• Resource assignment, including profiles and applications

For basic Windows Multiuser step-by-step configuration instructions, see Omnissa Docs.

Device Enrollment

Several options exist for Windows device enrollment.  Once the technical requirements are met, Windows Multiuser mode is enabled and becomes the default for all new Workspace ONE managed Windows devices.
Which method you use to enroll devices may impact Multiuser steps and options.  Enrollment flow options and steps:

Figure 3: OOBE configuration.

• Out-of-Box Experience: Devices enrolled via the Microsoft Out-of-Box Experience using Autopilot are supported.  Ensure that "Publish Intelligent Hub" option is selected in System Settings. 
• Agent Enrollment: No additional configuration is required.
• Workspace Enrollment: Ensure that “Publish Intelligent Hub” option is selected in system settings.
• Dropship Provisioning (online and offline): No additional configuration is required.
• Staging Enrollment Flows: Any user can now become a Staging User.  Administrators are no longer required to pre-configure a user to be a dedicated Staging User.  If common resources are created in the device context and assignments are configured for all users of the device, resources will not be re-installed.  

Shared Device Settings

The Shared Device Grouping setting controls how to map a device to the right Organization Group.  Specifically, the Group Assignment Mode option under Groups & Settings > All Settings > Devices and Users > General > Shared Device > Grouping setting defaults to Prompt User for Organization Group. 

Figure 4: Shared Device > Grouping Setting

If this setting is not changed, the user will be prompted to enter the Organization Group ID. It is recommended to change this setting to “Fixed Organization Group” so that user re-assignment is silent. The device will remain in the current Organization Group.

Multiuser Mode Setting

Device mode status can be viewed and modified from the Devices > Devices screen.  All Windows devices enrolled prior to the enablement of the technical requirements remain as Single user and may then be transitioned to Multiuser. 

Similarly, Multiuser devices, whether initially or subsequently enabled, may later be reconfigured as Single user, as shown in Figure 5.  

Note that there are two options for transitioning to Multiuser.  The distinction between these two options is as follows:

• Migrate to Multiuser: Switch from the previous Single user framework to the new Multiuser framework.
• Change to Multiuser: Switch between Single user and Multiuser when the device is on the new framework.

Figure 5: Multiuser and Single user options.

From the Device List View, one to 100 devices can be selected for mode transition at the same time.  If it is necessary to transition more than 100 devices at a time, the API method should be used.  For example, to transition a large bulk of devices to Multiuser, the migration can be triggered with the following POST URL:

Multiuser Mode Example

For example, prior to your environment becoming fully compliant with the technical requirements, you had 5,000 Windows endpoints.  Now, you add 200 Windows endpoints; these are automatically enabled for Multiuser functionality.  Next week, you decide to migrate all Single user devices to Multiuser.  The graphic below reflects your Windows inventory at three points in time.

Figure 6: Single user vs. Multiuser devices

Transitioning the existing Single user devices to Multiuser is configured via the Migrate to Multiuser option to align with the description above. 

 Multiuser Checkout Restrictions

When a device is functioning in Multiuser mode, it may be useful to restrict specific users or groups from device enrollment, such as HelpDesk employees that may need to sign in to troubleshoot an issue.  By enabling Multiuser checkout restrictions, device enrollment won’t flip to a user or group, such as HelpDesk, that only sporadically requires access to that Windows device.

Figure 7: Restrict Multiuser checkout for HelpDesk or others.

In addition, device reassignment can be paused and resumed from the Devices screen.  If there is a need to temporarily pause the User Reassignment, one or multiple devices can be selected in the console to pause or resume User Reassignment.

Figure 8: Pause/Resume User Reassignment.

If User Reassignment is paused, the enrollment user will not change to any new logged in users. This can be also used for Single user devices if they might be enabled to use Multiuser capabilities in the future without re-enrollment of the device.  After the User Reassignment is resumed, every user change will change the enrollment user of the device.

Pause and Resume can also be triggered with the following POST URL:

This command can be used to resume the reassignment:

Unique Identifier Attributes

To identify the currently logged in user and match to a user object in the UEM console, it is necessary to set up the attributes used for the matching.

• In the Windows Intelligent Hub settings, administrators should pick the appropriate pair from the possible UEM User Attributes and the four attributes that the Intelligent Hub can gather from the device. 
• Under the Attributes for Unique Identifier, select the UEM User Attribute that aligns with the desired Client User Attribute.   By default, the unique identifier is set to Object Identifier / Object GUID. The recommendation is to use UPN / UPN for the majority of use cases
• To configure, go to: Groups & Settings > All Settings > Devices & Users > Microsoft > Windows > Intelligent Hub Settings.

Figure 9: User Attribute matching selection.

Resource Assignment, Including Applications

Applications and profiles can be created in the User or Device Context. When you create an app or profile in the User Context, it will be written to the current enrollment user's Windows profile. This resource will only be available for that User. Other users on the device will not have access to that resource. An App or Profile created in the device context will be available for all users on the device.

• User Context resources will be installed for each user that signed into a device. These will be separate, distinct installs based on the user.
• Device Context resources will only be installed once. Each user will access the same installation regardless of user login.

The Install Context, i.e., User or Device, can be selected within the Deployment Options screen.

Figure 10: Selecting Device or User Context.

Profile context works similar in that device level configurations are installed using Device Profiles and affect all users on a device.  User profiles are then used to install user specific resources like identity certificates or customizations.

 Horizon VDI Example

Multiuser can also be used to increase the ROI of Horizon persistent pools that are managed by Workspace ONE.  Because these endpoints are virtual, the location of the physical device is not a limiting factor.

Figure 11: Windows Multiuser enables tailoring applications based on User Context and/or Device Context.

In the example above, Lea, Chris, and Rick work distinct shifts at a manufacturing facility, and all three access Virtual Desktop #101.  Because all users need Application A, it can be installed in device context, while all other apps are enabled in user context and made available based on specific user logon.

Alternatively, App Volumes could be used to enable Apps B, C, and D on the Horizon virtual desktop based on individual logged in users, depending on administrator preference and requirements. 

 Assignment Groups

Workspace ONE leverages Assignment Groups to assign resources to devices. If a user does not have an assignment to a resource, that resource will be uninstalled. It is crucial that all users be assigned to common resources on a shared workstation. For example: An application that will be used by all users.

For all resources required, check the assignment groups that have been designated.  If you leverage User Groups, make sure they include all users; if you use Smart Groups, check if user groups are part of the criteria and whether any user exclusions are applied.

 Workflows

Workflows, with all included resources, are fully supported on Multiuser devices. The behavior of assigned Workflows is different than profiles or applications.

Workflows will be re-executed and re-evaluated with every user switch to ascertain that user context resources are applied to the currently enrolled user.  Applications and profiles that are already installed on the device will not be reinstalled.

 Certificates

User and Device certificates can be designated on a Multiuser device. Assigned Device Certificates are available for all users, while User Certificates are only available for the currently enrolled user.

If a user logs in the first time to the device, the User Certificate(s) will be requested and installed for the enrollment user. If the user logs in to the device again, the certificate is already installed and there will be no new certificate request generated.

User Experience

Multiuser was designed to be as seamless to the end user as possible. To reassign the device to a new user, simply sign out of Windows and sign in with a different corporate user.

On domain-joined devices (Active Directory, hybrid join, or EntraID), the user reassignment will be performed silently. To confirm that re-assignment was successful, the end user will see a Windows notification after login.

If the first attempt to sign into a domain-joined device fails, Workspace ONE will wait two minutes before trying again. This will be repeated three times. If Workspace ONE is unable to silently checkout the device, the Intelligent Hub will then prompt the user to enter credentials, and the device will subsequently be reassigned.

On Workgroup-joined devices, Workspace ONE is unable to lookup the required attributes needed to silently reassign the device. On those devices, the Intelligent Hub will prompt the end user to authenticate using their corporate credentials. After successful login, the user will see a notification indicating their user is now connected to Workspace ONE and that the device has been properly reassigned.

Sign out vs. Switch User

To perform user reassignment, the current user must sign out of Windows. Performing a User Switch is not supported. It is recommended to leverage a policy to block User Switching on devices that will be frequently switching users.

Validating Multiuser Configuration

Once Multiuser functionality has been enabled, the Workspace ONE UEM console shows the user mode status within the Devices > List View screen. Where Multiuser is shown, this indicates that the device is enrolled with the Multiuser capable agent and that Multiuser is active. 

Administrators can optionally select to filter devices based on the following: 

• Single user 
• Multiuser 
• Multiuser capable 
• User reassignment paused 

Figure 11: Device list view showing User Mode.

If for any reason the assignment is not working even though all prerequisites are in place, initially check the device reassignment logs of the Hub agent. Logs can be found here:  

C:\ProgramData\AirWatch\UnifiedAgent\Logs\DeviceReassignment-YYYYMMDD.log 

This log will show entries for calls to the user switch endpoint together with the unique identifier configured in the settings. Check whether the user attribute matches the logged- in user and attributes synchronized to UEM. 

Summary and Additional Resources

Windows Multiuser functionality enables enterprises to securely manage endpoints that are accessed by multiple users.  Individual user permissions, applications, and other settings can be customized and have no impact on other users that access that same device.  

For Windows Multiuser step-by-step configuration instructions, see Omnissa Docs.

Additional Resources

• Workspace ONE UEM Windows Baselines and Profiles Tutorial
• Troubleshooting Windows Devices Operational Tutorial

Changelog

The following updates were made to this guide:

Date	Description of Changes
2024/08/26	Document creation

About the Author and Contributors

Author

• Jo Harder is a Senior Technical Marketing Architect at Omnissa, focusing on Workspace ONE UEM Windows and Security technologies.  She has been an EUC nerd for 25 years and also holds CISSP certification.

Contributors and Reviewers

• Josh Burris, Director of Product Management
• Grischa Ernst, Product Manager
• Camille Debay, Product Manager

Feedback

Your feedback is valuable. To comment on this paper, either use the feedback button or contact us at tech_content_feedback@omnissa.com.