Tag Archives: IOS

Fix the iTunes Sign-In Prompt on Intune-Managed iPhones: iOS Store App vs VPP Device Licensing

Posted on by
Reply

You manage a fleet of corporate iPhones through Microsoft Intune. Enrollment is automated through Apple Business Manager (ABM), apps deploy silently through the Volume Purchase Program (VPP), and users never see an App Store login. Then one day, your service desk starts getting tickets:

“Sign in to iTunes Store. Sign in to allow Contoso A/S to manage and install apps.”

A handful of devices show the prompt at first. A few days later, dozens. Users tap Cancel, the dialog disappears, and a few hours later it reappears. Some users sign in with personal Apple IDs to make it go away, which is exactly what you do not want on a corporate device.

This is one of those issues that looks like an Apple ID, ABM, or enrollment problem – but almost never is. In every case I have worked, the root cause was the same: somewhere in the tenant, an app was added as an iOS Store App when it should have been added as an iOS Volume Purchase Program app. This post walks through why those two app types behave so differently, how to confirm which one is causing the prompt, and how to fix the issue across a large device estate without disrupting users.

Why iOS Devices Ask for an Apple ID in the First Place

Intune offers several iOS app types in the admin center. Two of them install the same app from the same App Store listing, but they have completely different licensing and installation behavior:

  • iOS Store App – A direct link to a public App Store listing. The app installs into the user’s iCloud account. The device must be signed in to the App Store with a personal or managed Apple ID for the install to complete. There is no concept of device-based licensing.
  • iOS Volume Purchase Program app (VPP) – An app license that your organization owns through Apple Business Manager. With Device licensing, the license is assigned to the device itself – no Apple ID is required on the device for the install. The app simply appears.

The two app types look almost identical in the admin center. Both can point to the same App Store URL. Both can be assigned as Required, Available, or Uninstall. The difference is invisible until a device tries to install the app and discovers it has no Apple ID signed in.

When an iOS Store App is assigned as Required to a supervised device with no Apple ID, iOS does what it is told – it prompts the user to sign in so the install can proceed. That is the prompt your users are seeing.

Why You May Not Have Seen This Before

A fresh ABM enrollment with VPP apps assigned through Device licensing never triggers an Apple ID prompt because no app on the device needs one. The issue surfaces when somebody adds the same app a second time – as an iOS Store App – usually because they pasted the App Store URL into the wrong “Add app” wizard. The VPP version may still be present, but the iOS Store App duplicate is now competing for the same slot on the device, and only one of them can win.

How to Confirm This Is Your Issue

Before you start changing assignments, confirm the diagnosis. Three quick checks usually settle it.

Check 1: List All iOS Apps with Required Assignments

In the Intune admin center, go to Apps > iOS/iPadOS and filter the list. Look at every app where the App type column shows iOS store app. For each one, open the app and check Properties > Assignments.

Any iOS Store App with a Required assignment is a candidate for the prompt. iOS Store Apps assigned only as Available or Uninstall do not trigger the prompt – they sit quietly in the company portal or only act when the user actively removes the app.

Check 2: Cross-Reference with VPP

For each suspect iOS Store App, search for a VPP version of the same app. The naming will be similar but not identical – the VPP version typically shows the publisher and a different icon variant. If both versions exist, the iOS Store App is almost certainly redundant.

Check 3: Look at the Audit Log

Intune’s audit log will tell you exactly when each app was added and by which admin account. Go to Tenant administration > Audit logs and filter on the Mobile App category. Search for the app name and check the Create entries. In one recent case, an admin had bulk-added a dozen iOS Store App duplicates within a 20-minute window – clearly someone working through a list using the wrong wizard.

If checks 1 and 2 confirm the duplication and check 3 confirms when it happened, you have your root cause.

Why You Cannot Just Delete the iOS Store App

The natural reaction is to delete the iOS Store App duplicate and be done with it. Resist that urge until you have a rollout plan, because three things can go wrong:

  1. Users still see the prompt until iOS finishes its install queue. iOS does not automatically discard a pending install when its source is removed. The user has to Cancel the prompt at least once – sometimes more than once – before the MDM channel processes the change.
  2. Required and available install intent on a managed device is sticky. If the VPP version is not already assigned and licensed at the device level, removing the iOS Store App leaves users with no app at all.
  3. Filters and groups can overlap in non-obvious ways. If the iOS Store App is assigned to a broad group and the VPP version is assigned to a different broad group, deleting one may pull the app from devices that should still have it.

The safe sequence is: assign the VPP version with Device licensing first, validate on a single device, then remove the iOS Store App.

The Pilot Approach: Validate on One Device Using Assignment Filters

Before you touch a production assignment, prove the fix on one device. Intune’s Assignment Filters make this clean.

Step 1: Create a Single-Device Filter

In the Intune admin center, go to Tenant administration > Filters > Create.

  • Platform: iOS/iPadOS
  • Name: Something obvious like Pilot-iPhone-XYZ123-only
  • Rule syntax:
(device.deviceName -eq "XYZ123")

Replace XYZ123 with the actual device name from Devices > iOS/iPadOS devices. Use Edit in advanced mode if you prefer to write the rule directly.

Step 2: Exclude the Pilot Device from the iOS Store App Assignment

Open the problematic iOS Store App in Intune. Go to Properties > Assignments > Edit. On the existing Required assignment, click Filter and set:

  • Filter mode: Exclude
  • Filter: Pilot-iPhone-XYZ123-only

This tells Intune to apply the iOS Store App’s Required assignment to everyone except the pilot device. The pilot device is now isolated from the prompt – existing prompts may still need to be dismissed once, but no new ones will queue.

Step 3: Assign the VPP Version with Device Licensing to the Pilot Device

Open the VPP version of the same app. If it does not yet have a Required assignment to the same target group, create one:

  • Assignment type: Required
  • Group: The same group the iOS Store App was assigned to
  • License type: Device
  • Filter: Pilot-iPhone-XYZ123-only
  • Filter mode: Include

This is the inverse of Step 2 – the VPP assignment now applies only to the pilot device. The rest of your estate still gets the (about to be removed) iOS Store App version; the pilot device gets the VPP version with a device-bound license.

Step 4: Have the Pilot User Dismiss the Prompt and Sync

Walk the pilot user through these exact steps:

  1. When the iTunes sign-in prompt appears, tap Cancel.
  2. Open Settings > General > VPN & Device Management > the MDM profile.
  3. Tap Sync to force a check-in.

Within a minute or two, the VPP version of the app installs silently. No Apple ID prompt. The app shows the small organisation marker indicating it was installed by MDM.

If the install fails or the prompt comes back, stop and investigate before going further – usually the cause is a missing VPP license assignment or an expired VPP token (more on tokens below).

Rolling Out the Fix to the Rest of the Estate

Once the pilot is green, the rollout is mechanical. For each affected app:

  1. On the VPP version, remove the Pilot-XYZ123-only filter so the Required + Device-licensing assignment applies to the full target group.
  2. On the iOS Store App version, remove the existing Required assignment entirely. Do this before deleting the app to avoid an Intune sync that might re-prompt users.
  3. Delete the iOS Store App entirely once no devices reference it. This also makes sure nobody re-uses it accidentally later.

If you have several apps to fix, work through them one at a time. iOS handles MDM commands serially, so a batch change can produce more prompts than you would expect.

What Users Should Expect

Communicate clearly to end users before you flip the assignment. A short email along these lines works well:

Over the next 24 hours, you may see a sign-in prompt on your work iPhone asking you to log in to iTunes or the App Store. Please tap Cancel. Do not enter any Apple ID. The app you are missing will install automatically within a few minutes after you cancel the prompt.

The behaviour is non-obvious: iOS only processes the next MDM command after the current prompt is dismissed. Until the user taps Cancel, the device is effectively stuck waiting for the user.

Cleanup: Filters, Duplicates, and Audit Trail

After the rollout is complete, do not leave the scaffolding in place:

  • Delete the pilot assignment filter (Pilot-iPhone-XYZ123-only) so it does not get reused accidentally.
  • Confirm both iOS Store App duplicates are deleted – keeping them around “just in case” invites the same mistake again next quarter.
  • Document what happened in your change log so future admins know the difference between iOS Store App and VPP and which to use.
  • Run a tenant-wide review of remaining iOS Store Apps. Any iOS Store App with only Uninstall or Available (without enrollment) assignments is safe. Any iOS Store App with a Required assignment to a device group should be evaluated.

A Quick Reference: iOS Store App vs VPP at a Glance

AspectiOS Store AppiOS VPP App (Device licensing)
SourcePublic App Store URLApple Business Manager (purchased)
Requires Apple ID on deviceYesNo
Required-install on supervised devicesTriggers iTunes sign-in promptInstalls silently
License consumedNone tracked by MDMOne per device
Revoke licenseNot possibleYes, from Intune
Update behaviorSame as App StoreSame as App Store
CostFree apps only (in practice)Free and paid apps
Recommended for managed iOSNoYes

The short version: on a corporate-owned iOS device managed through Apple Business Manager, VPP with Device licensing is the only app type that should appear as Required for first-party and approved third-party apps.

How to Prevent This from Happening Again

The root cause is almost always procedural – an admin selected the wrong app type from the Intune wizard. A few controls reduce the chance of recurrence:

  • Document the standard. Add a one-line rule to your Intune operations doc: “All Required iOS apps must be added as iOS Volume Purchase Program apps. iOS Store Apps may only be used for Available or Uninstall assignments.”
  • Restrict app creation with RBAC. Use scope tags and Intune’s role-based access control to limit app creation to a small group of admins who know the difference. The principle of least privilege applies to MDM tenants too.
  • Use audit log alerts. Microsoft Graph + a small Logic App can email you whenever a new iOS Store App is created. Quick to set up, quick to react.
  • Check the VPP token expiry. A frequent secondary cause is an expired VPP token. When a token expires, Intune cannot create or renew Device licenses, and admins reach for “iOS Store App” as a workaround that turns into a permanent footgun. Renew the token annually and set a calendar reminder a month in advance.

Healthy VPP Token Practices

A VPP token has a 12-month validity. When it is close to expiry, Intune shows a banner in the Tenant administration > Connectors and tokens > Apple VPP Tokens view. After expiry:

  • Existing licensed apps continue to function.
  • New licenses cannot be assigned.
  • Token renewal requires a new .vpptoken file from Apple Business Manager.

If your token has just been renewed and apps are stuck in Failed state, revoke and re-assign licenses one app at a time. Bulk re-assignment occasionally fails for individual apps, and the only way to clear the failed state is a manual revoke + reassign cycle.

Troubleshooting: When the Prompt Will Not Go Away

If you have applied the fix and a specific device is still prompting, work through these in order:

  1. Has the user tapped Cancel at least once? iOS sometimes queues multiple install commands – the user may need to dismiss two or three prompts before the queue drains.
  2. Force a sync. From the device: Settings > General > VPN & Device Management > MDM profile > Sync. From Intune: Devices > select device > Sync.
  3. Confirm the device is licensed for the VPP version. Open the VPP app in Intune > Device install status. The device should be listed with Installed or Pending. If it is Not applicable, the assignment is not reaching the device – check group membership and filters.
  4. Check the VPP token health. Tenant administration > Connectors and tokens > Apple VPP Tokens. If the token shows any warning, address that first.
  5. Reboot the device. Last resort, but occasionally clears a stuck MDM channel.

If you have exhausted these, look at the device’s Managed Apps report. An app that should be VPP-licensed but appears under iOS Store App lineage indicates the old assignment is still active somewhere – usually a forgotten filter or a duplicate group assignment.

FAQ

Will users lose any data when I switch from iOS Store App to VPP?

No. The App Store install and the VPP install are the same app binary from the same listing. Local data and settings are preserved across the transition because iOS treats them as the same bundle ID.

Do I need a managed Apple ID for VPP with Device licensing?

No. Device licensing is the entire point – the license is bound to the device hardware identity, not to any Apple ID. The device can have no Apple ID signed in at all, and VPP apps will still install.

Can I keep using iOS Store Apps for some apps?

For apps you want to make optionally available to users through the Company Portal, yes – assign them as Available. For Required deployment to corporate-owned devices, no. Switch them to VPP.

What about iPadOS devices?

The same rules apply. iPadOS uses the same MDM commands and the same VPP licensing model as iOS. If you have iPads in the same affected group, they will exhibit the same prompt behaviour and be fixed by the same approach.

It can be. A token renewal sometimes leaves individual app licenses in a Failed state until they are re-assigned. This is a separate issue from the iOS Store App vs VPP problem, but you may encounter both at once if the same admin tried to “work around” the failed VPP state by adding iOS Store App versions. Treat the VPP licensing failures as a separate workstream once the prompt is gone.

Summary

If iOS devices managed by Microsoft Intune are showing an iTunes or App Store sign-in prompt, do not start with Apple ID configuration, ABM enrollment, or DEP profiles. Start with your app inventory. Look for iOS Store Apps with Required assignments that overlap with VPP versions of the same app. Fix one device first using assignment filters, then roll the change out to the rest of the estate, and finish by deleting the iOS Store App duplicates entirely.

The technical fix is simple. The harder part is preventing the next admin from making the same selection in the same wizard – so document the standard, restrict who can add apps, and keep your VPP token healthy. Your users will never see another iTunes prompt, and your service desk will get its mornings back.

References

Managed Home Screen: What Your Should Know

Posted on by
1

It doesn’t take too long as you go through the latest tech news and updates to realize just how badly lax security could affect your organization. All nefarious actors need is a small opportunity. And your business may end up paying dearly. This is where Managed Home Screen comes into play.

Hence the need to implement the best possible security measures that you can. And when you use platforms such as Managed Home Screen (MHS), you’ll get excellent features that will help you enhance your overall security.

The platform will give your organization the ability to customize and control Android Enterprise dedicated devices. This allow for restricted access to only what a user may require. As we continue our deep dive into Managed Home Screen, we will end up with a clearer idea of how this platform can best serve your interests.

What to know about general availability

In a previous article, we discussed the updated features that Microsoft introduced to the Managed Home Screen experience. There are a few things that businesses should know about general availability.

To begin, you should be aware that with the general availability of the updated MHS experience, all previous MHS workflows will be obsolete. Not only that, but support will no longer be available for these previous workflows. The new updated features will not be added to previous workflows, as well.

However, admins can still move to the updated experience by setting Enable updated user experience to “true” for 90 days. But, after the 90 days, the app configuration will be removed, and all devices will need to start using the updated MHS experience.

Below are some of the new capabilities recently added for the updated experience:

  • Brightness Slider and Adaptive Brightness – with this tool, IT admins will be able to expose a setting that enables users to access a brightness slider to adjust the device screen brightness. Moreover, IT admins can also expose a setting that allows users to turn adaptive brightness on and off on the device.
  • Autorotation – this next tool helps IT admins expose a setting that is designed to enable users to turn on and off the device’s autorotation.
  • Domain-less Login and Custom Login Hint Text – another feature coming to the updated experience will be support for domain-less sign-in. Admins can configure domain names which will then be automatically added to usernames when signing in. In addition, MHS will begin providing users with a custom login hint string on the sign-in screen.
  • Session PIN Inactivity Timer – in scenarios where a device has been inactive for a specified period of time, IT admins can leverage this feature to demand users to enter their session PIN to resume activity on Managed Home Screen.

Why is Managed Home Screen making changes?

With the updates that have been made to Managed Home Screen, one may be wondering what’s behind all the changes. And the simple reality is that the new features were needed. Applications need to keep improving if they are to meet the ever-evolving needs of businesses.

It goes without saying, but the competition among players in the tech space is brutal. A new application or service can be introduced to the market, and if it can do the job far more efficiently, then you may find yourself losing clients.

Moreover, organizations are now acutely aware that there are nefarious actors constantly looking for vulnerabilities in their systems and if they find any it can be catastrophic for their businesses. Updates can address any existing performance issues and vulnerabilities that may potentially exist.

In addition, new features will also address productivity issues that your business has to deal with. As technology continues to evolve, organizations like yours will be looking to improve their products and services. Updates allow you to harness the latest and very best features for your applications. This will also give your team a better user experience overall. And ultimately, your business can operate more efficiently.

Furthermore, newer updates can help you get even better performances from your devices. At one point or another, we’ve all probably had the frustrating experience of an app crashing. It’s never a pleasant experience and can result in some lost work progress. By updating your applications, you can significantly reduce the chances of these occurrences.

Benefits of Managed Home Screen’s new features

The improvements that Managed Home Screen has made will have benefits for both IT admins as well as end users. These advantages include:

  • Closing the security gap – enhancing your security features means that you reduce potential attack areas. Also, it’s significantly harder for hackers to carry out successful attacks. This is something that will complete by requiring end users to enter their session PIN to resume activity on Managed Home Screen. This is after the device has been inactive for a specified period. Having this feature reduces the risk of unauthorized personnel gaining access to a device when the user is not using it. To set it up, you need to set the “Minimum inactive time before session PIN is required” setting to the number of seconds the device is inactive before the end user must input their session PIN.
  • Quicker resolution of issues – if the troubleshooting process is ineffective, it can cause endless downtime and that’s not good for business. MHS improved that process by introducing a feature that will give users access to a debug menu. This includes the pages for Get Help, Exit Kiosk Mode, and About. What this does is give users the ability to go to the Get Help page and easily upload logs. Moreover, users will be able to view Management Resources. It allows them to launch adjacent management apps whenever necessary. With the appropriate support available, your organization can quickly address any performance issues. You can also ensure productivity levels remain optimal.
  • Improve ease of use – one of the best ways to help users work more efficiently is to enable them to have the option to customize certain settings to their liking. Undoubtedly, the immediate concern would be about the risk of increasing vulnerabilities. But, the solution to that is to restrict what users can customize. This provides that they still get the benefits of personalized apps and devices while maintaining high security standards. One of those settings that users can now change is device screen brightness.

Additional benefits of Managed Home Screen

With the updated features, you can expose settings in the Managed Home Screen app to adjust screen brightness for Android Enterprise devices. You’ll have the option of exposing a setting in the app to allow end users to access a convenient brightness slider to adjust the device screen brightness. Furthermore, you’ll now also be able to expose a setting to allow end users to toggle adaptive brightness.

  • Simplified setup – few things can help users be more productive than using an application with a clean look and access to everything you need. This is what MHS is aiming for with the addition of a top bar. Users will now have quick access to device-identifying information. You get the option to configure this top bar as you see fit. And there will be two descriptive elements available for display. IT admins get to select between serial number, device name, and tenant name for the top and bottom elements in situations where the device is not configured with sign-in.

The top bar will also give quick access to settings as well as the sign-out button. The settings wheel icon sits in the upper right-hand of the top bar. And tapping this icon will display the settings that the IT administrator has selected to reveal to users within MHS settings. Another advantage you can expect is that this settings icon will be located on the top bar by default. And to avoid compromising security, IT admins still get to pick which settings a user can configure. Or they can disable it altogether by enabling or disabling the configuration key “Show managed settings”.

Enhanced security measures for dedicated devices

As we know by now, Managed Home Screen works on devices enrolled into Intune as Android Enterprise dedicated devices. With the increasing sophistication of today’s cyber attacks, organizations need to ensure that their security is of the highest standard.

Bearing that in mind, in this section, let’s take a look at some of the settings that can improve security for fully managed, dedicated, and corporate-owned work profile devices.

Screen capture (work profile-level)

Enabling “Block” will not only stop you from taking screenshots, but will also prevent content from being shown on display devices without a secure video output. However, you should be aware that this setting is set to “Not configured” by default, and Intune doesn’t modify it. You should also know that if the default settings allow, the OS might let users capture the screen contents as an image.

Camera (work profile-level)

Enabling “Block” will prevent access to the device’s camera. Again, you should note that this setting is set to “Not configured” by default and Intune doesn’t change it. Another thing that is important for security is that Intune only manages camera access but doesn’t have access to pictures or videos. The OS may also, by default, allow access to the camera.

Default permission policy (work profile-level)

The objective of this setting is to define the default permission policy for requests for runtime permissions, and the options you have are the following:

  • Default (default) – Use the device’s default setting.
  • Prompt – Users see a prompt to approve the permission.
  • Auto grant – Permissions grant automatically.
  • Auto deny – Permissions are automatically denied.

Date and Time changes

Enabling “Block” will stop users from manually setting the date and time. Additionally, you should note that this setting is set to “Not configured” by default, and Intune doesn’t change it. This will also mean that if the OS default settings permit, users may be able to set the date and time.

Roaming data services

Enabling “Block” will prevent data roaming over the cellular network. And as before, this setting defaults to “Not configured,” and Intune doesn’t change it.

Wi-Fi access point configuration

Enabling “Block” will stop users from creating or changing any Wi-Fi configurations. Additionally, you should note that this setting defaults to “Not configured” and Intune doesn’t change it. As we’ve also seen before, if the OS default settings permit, users may be able to change the Wi-Fi settings on the device.

Bluetooth configuration

Enabling “Block” will stop users from configuring Bluetooth on the device. Additionally, you should note that this setting defaults to “Not configured,” and Intune doesn’t change it. As we’ve also seen before, if the OS default settings permit, using Bluetooth on the device may be possible.

Tethering and access to hotspots

Enabling “Block” will prevent tethering and access to portable hotspots. And again, this setting defaults to “Not configured,” and Intune doesn’t change or update it. Take note that the OS might allow tethering and access to portable hotspots by default.

USB file transfer

Enabling “Block” will prevent transferring files over USB. And again, this setting defaults to “Not configured,” and Intune doesn’t change or update it.

External media

Enabling “Block” will prevent using or connecting any external media on the device. And again, this setting defaults to “Not configured,” and Intune doesn’t change or update it. Take note that the OS might allow file transfers by default.

Beam data using NFC (work-profile level)

Enabling “Block” is going to prevent the use of Near Field Communication (NFC) technology to beam data from apps. On the other hand, if set to “Not configured“, which is the default setting, Intune will not change or update the setting. However, you should not forget that the OS might allow using NFC to share data between devices by default.

Developer settings

Enabling “Allow” will let users access developer settings on the device. On the other hand, if set to “Not configured,” which is the default setting, Intune will not change or update the setting.

Microphone adjustment

Enabling “Block” will stop users from unmuting the microphone and adjusting the microphone volume. However, if set to “Not configured,” which is the default setting, Intune will not change or update the setting.

Factory reset protection emails

You need to select Google account email addresses. Then, you need to provide the email addresses of device admins who can unlock the device after it’s wiped. When entering the email addresses, make sure to separate them with a semi-colon e.g., [email protected];[email protected]. Note that these emails will only apply in scenarios during a non-user factory reset, like running a factory reset using the recovery menu. And as with previous settings, if set to “Not configured,” which is the default setting, Intune will not change or update the setting.

System update

To determine how the device handles over-the-air updates, you’ll need to pick from the following options:

  • Device Default (default) – stick to the device’s default setting, meaning that when the device connects to Wi-Fi, is charging, and is idle, the OS updates automatically. For app updates, the OS first checks that the app is not running in the foreground.
  • Automatic – implements an automatic update process without user involvement.
  • Postponed – updates postpone for a period of 30 days, at the end of which users receive a prompt to install the update. For critical security updates, however, device manufacturers or carriers may block their postponement.
  • Maintenance Window – also provides an automatic update process but that occurs during a daily maintenance window that you set in Intune. If the installation tries and fails for 30 days, you will subsequently see a prompt to perform the installation. This setting will apply to OS and Play Store app updates.

Freeze periods for system updates

This one is optional. If you are going to set the System update setting to Automatic, Postponed, or the Maintenance window, then you must use this setting to create a freeze period:

  • Start date – provide a start date using the MM/DD format and it can be up to 90 days long.
  • End date – provide an end date using the same MM/DD format and it can be up to 90 days long.

Take note that all incoming system updates and security patches will be blocked during the freeze period. And this also includes manually checking for updates.

Location

Enabling “Block” will disable the Location setting on the device and prevent users from turning it on. However, it’s worth noting that disabling this setting will affect every setting that also relies on device location. This includes the Locate device remote action that admins use. On the other hand, if set to “Not configured,” which is the default setting, Intune will not change or update the setting.

When to enroll devices as dedicated devices

One of the things that may have a lot of people wondering is the issue of when exactly you should be looking at enrolling a device as a dedicated device. According to the information available from Microsoft, Intune’s Android Enterprise dedicated device solution is for clients who want their Android devices enrolled with no user-affinity.

On top of that, this device solution requires that the device runs Android OS 8+ and should be able to connect directly to Google Mobile Services (GMS). Below are the three main scenarios that Intune envisions for dedicated devices:

AS A DIGITAL SIGN

Typically locked into one application that shows viewers desired information. A good example of this would be the train schedules or flight schedules that you may see at the train station or airport respectively. In these particular situations, there will be zero-to-minimal physical user interaction.

TASK-BASED DEVICES

In this case, we’ll be looking at a situation of locked into a single application or multiple applications and used for specific tasks. What you then have is a setup where the device is not privy to who is using it or where. We can see an example of how this would work with package delivery drivers.

As they clock into their shift, the delivery driver receives a device. This devices helps to navigate to their location, scan packages, and complete other role-based tasks. Once the driver completes their tasks, the device can then be returned for the next delivery driver to use.

MULTI-USER, TASK DEVICES

In the third scenario, we’re looking at locked into a single app or a set of apps, and used for specific tasks. Users need to sign in on at least a single application on the device and unlike the previous scenario, the apps in this case will need to know who is using the device and when.

The general recommendation for this scenario is to enable Shared Device mode. For instance, you can look at a factory setup where a device may used by multiple people, such as shift workers, maintenance staff, delivery drivers, etc.

So, every individual using the device will get the same apps and policies, but the key difference is that the relevant information displayed by the apps will vary from person to person, depending on their sign-in information.

Wrap up

As a business, it’s crucially important to always be on the lookout for applications and services that can give you an advantage. Something that can improve the quality of what your organization is producing by enhancing worker efficiency. For Managed Home Screen clients, the platform improvements can offer such benefits.

You get features that help you maintain high security standards by allowing IT admins to put in place any necessary restrictions. But, even with these restrictions, end users will still get quicker access to what they need, faster resolution of issues, and a more streamlined workflow.