Shared Devices

Oct 20, 2015

XenMobile MDM Edition enables you to configure devices that can be shared by multiple users. The shared devices feature enables, for example, clinicians in hospitals to use any nearby device to access applications and data rather than having to carry around a specific device.

Shared Device Enrollment

A device only becomes shared when a specific shared device enrollment user enrolls the device with XenMobile. To configure a shared device, you first create the shared device enrollment role and assign the role to a user account. Then, you create a deployment package associated with the shared device enrollment user account. The package you create must contain the configurations and applications that you want to be applied when the shared device enrollment user is signed on. For example, if you plan to allow any users to use the device without signing on, you could include a passcode policy that prevents the device from locking, as well as some basic applications, such as a browser. Finally, you install Worx Home, sign on, and enroll the device with XenMobile using the shared device enrollment user account.

Deployment Packages for Shared Device Users

After enrollment by the shared device enrollment user, any user can use the shared device anonymously without signing on. To apply different configurations or to provide additional applications for authenticated users, you must create a deployment package associated with those users and configure the package to be deployed only to shared devices. You must also ensure that the deployment package removes any configurations and applications deployed for the shared device enrollment user. Similarly, you must update the deployment package associated with the shared device enrollment user account to remove the configurations and applications that you deploy for the authenticated user.

You can configure further deployment packages to provide different resources for two or more user groups. You can, for example, deliver different sets of applications for doctors and nurses. If you do this, ensure that each deployment package, including the package associated with the shared device enrollment user account, is configured to remove the policies and applications delivered by all of the other deployment packages.

Shared Device User Experience

With the above configuration in place, the policies and applications you include in the deployment package associated with the shared device enrollment user are initially applied to the device. Then, when a user signs on to Worx Home, all the configurations and applications available to that user account are deployed to the device. Concurrently, anything applicable only to the shared device enrollment user is removed. When the user signs off, the user's configurations, applications, and data are removed. Then, the configurations and applications associated with the shared device enrollment user are restored. In this way, each user only sees the resources available to them and gets the same experience on every shared device.

Only one user at a time can sign on to Worx Home on a shared device. The previous user must sign off before the next user can sign on. For security reasons, Worx Home does not store user credentials on shared devices, so users must enter their credentials each time they sign on. To ensure that a new user cannot access resources intended for the previous user, Worx Home does not allow new users to sign on while the configurations, applications, and data associated with the previous user are being removed.

Shared Device Requirements

For the optimum user experience, including silent installation and removal of applications, Citrix recommends configuring shared devices on the following platforms.

SharePoint data loss prevention (DLP) configurations are not supported with shared devices. For more information about SharePoint DLP, see Managing SharePoint Configurations.

XenMobile Enterprise Edition does not support shared devices. Configuring a shared device enrollment user automatically disables the connection between Device Manager and App Controller so that application management with App Controller is no longer possible.

To configure a shared device

  1. Create a new access control role to be used to enroll shared devices and give the role Device access and Shared devices enroller permissions.

    For more information about configuring access control roles, see Configuring Role-Based Access Control (RBAC).

  2. Create a new local user and assign the user the shared device enrollment role you created in the previous step.

    Citrix recommends that you make the shared device enrollment user a member of a local group to which the base policies apply, but not other policies. For more information about creating users, see To add, edit, or delete user accounts.

  3. Create a deployment package that contains the configurations and applications that you want to be applied to the device when a user is not signed on and then associate the package with the shared device enrollment user account.

    For more information about creating deployment packages, see To create and deploy a deployment package.

  4. On the device to be shared, install Worx Home and enroll the device with XenMobile using the shared device enrollment user account you created in Step 2.

    You can now view and manage the device through the Device Manager web console. For more information about enrolling devices through Worx Home, see Enrolling iOS and Android Users with Worx Home.

  5. To apply different configurations or provide additional applications for authenticated users, create additional deployment packages associated with those users. Ensure that each deployment package, including the package associated with the shared device enrollment user account, is configured to remove the policies and applications delivered by all of the other deployment packages. When creating the packages, configure deployment rules to ensure that the packages are deployed only to shared devices.

    For more information about deployment rules, see Configuring Deployment Rules.

  6. To stop sharing the device, perform a selective wipe to remove the shared device enrollment user account from the device, along with any policies that were applied.

    For more information about performing a selective wipe, see Selectively Wiping a Device.
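
The mutual-removal requirement in Step 5 and in "Deployment Packages for Shared Device Users" is easy to get wrong as packages multiply, and a gap leaves one user's resources on the device for the next. The following audit is an added example, not Citrix code or a XenMobile API: the package inventory, its field names (`delivers`, `removes`, `shared_only`) and the item labels are hypothetical, constructed stand-ins for what you would transcribe from the console.

```python
ENROLLER = "shared-enroller"  # hypothetical name for the enrollment user's package

# Constructed sample inventory (illustrative names, not XenMobile identifiers).
# delivers    = policies/apps the package installs
# removes     = policies/apps the package is configured to remove
# shared_only = a deployment rule limits the package to shared devices
PACKAGES = {
    ENROLLER: {"delivers": {"policy:no-lock", "app:browser"},
               "removes": {"policy:passcode", "app:ehr", "app:charting"},
               "shared_only": True},
    "doctors": {"delivers": {"policy:passcode", "app:ehr", "app:browser"},
                "removes": {"policy:no-lock"},      # gap: misses app:charting
                "shared_only": True},
    "nurses": {"delivers": {"policy:passcode", "app:charting", "app:browser"},
               "removes": {"policy:no-lock", "app:ehr"},
               "shared_only": False},               # gap: no deployment rule
}


def audit_packages(packages, enroller=ENROLLER):
    """Return (package, issue, detail) findings for the Step 5 rules."""
    findings = []
    for name, pkg in sorted(packages.items()):
        # Packages for authenticated users must deploy only to shared devices.
        if name != enroller and not pkg["shared_only"]:
            findings.append((name, "not-shared-only", ""))
        # Each package must remove what every other package delivers.
        # Assumption: an item this package also delivers needs no removal.
        for other_name, other in sorted(packages.items()):
            if other_name == name:
                continue
            leftover = other["delivers"] - pkg["delivers"] - pkg["removes"]
            for item in sorted(leftover):
                findings.append(
                    (name, "does-not-remove", f"{item} from {other_name}"))
    return findings


if __name__ == "__main__":
    for package, issue, detail in audit_packages(PACKAGES):
        print(f"{package}: {issue} {detail}".rstrip())
```

An empty result means every package removes what the others deliver and every authenticated-user package is limited to shared devices.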