Microsoft Intune for Education + AAD + MDM

    Question

  • Hi,

    Currently we're using a demo environment with Azure AD + Intune for Education + MDM (Intune).
    We want to enroll multiple devices through MDM and have multiple users with different accounts log in on that same device.

    We automatically enroll devices with a DEM account (AAD) so that this account can manage those devices.
    The enrollment runs flawlessly and no issues appear during the process.

    But, when a second user (normal user in that AAD/user of the device) logs in on that device:
    - apps won't push;
    - Policies won't apply;
    - No restrictions for that user will apply (this is what we need).

    This happens because the sync of the second account fails:

    1. ERROR CODE: The sync could not be initiated (0x82ac019e)

    2. ERROR CODE: The sync could not be initiated (0x82ac0193)

    We think we also know why this happens:

    The first user of a new device will enroll the device to the organization.
    This user, in combination with the device, will become compliant with the domain (apps, policies will apply).
    The second user can log in with no issues, but will not enroll the device to the domain and the sync fails (no apps, policies and settings).

    Our purpose is:

    1. Bulk enroll devices

    2. Manage those devices with OMA-URI, standard policies, push apps (web/local)

    3. Let multiple users (students) log in on one device (shared user experience)

    So, does anyone know the problem/solution to our problem?

    Wednesday, April 12, 2017 8:31 AM
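    A diagnostic that is not part of this thread: the symptom above (only the enrolling account gets apps and policies) is easier to triage if you know which account actually enrolled the device and whether the signed-in user matches it. This added PowerShell script assumes the standard Windows MDM enrollment registry location `HKLM:\SOFTWARE\Microsoft\Enrollments` and the built-in `dsregcmd` and `whoami` tools; run it elevated on the affected device.

    ```powershell
    # Added diagnostic (not from the thread): list MDM enrollments on this device,
    # report which account performed them, compare with the logged-on user, and
    # show the AAD join state. Assumes HKLM:\SOFTWARE\Microsoft\Enrollments holds
    # one subkey per enrollment with UPN / ProviderID / EnrollmentType values.
    $enrollRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'

    $enrollments = Get-ChildItem -Path $enrollRoot -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            # Only subkeys carrying a UPN are real enrollments; the other
            # subkeys (Context, Status, ValidNodePaths, ...) are bookkeeping.
            if ($p.PSObject.Properties.Name -contains 'UPN') {
                [pscustomobject]@{
                    EnrollmentId   = $_.PSChildName
                    EnrollingUser  = $p.UPN
                    ProviderId     = $p.ProviderID
                    EnrollmentType = $p.EnrollmentType
                    State          = $p.EnrollmentState
                }
            }
        }

    if (-not $enrollments) {
        Write-Host 'No MDM enrollment found on this device.'
    } else {
        $enrollments | Format-Table -AutoSize
    }

    # Compare the enrolling account(s) with the user who is logged on right now.
    # whoami /upn only succeeds for domain/AAD accounts, so errors are suppressed.
    $current = (whoami /upn 2>$null)
    if ($current) {
        if ($enrollments.EnrollingUser -contains $current) {
            Write-Host "Current user $current is the enrolling account; apps/policies are expected to apply."
        } else {
            Write-Host "Current user $current did not enroll this device; enrolling account(s): $($enrollments.EnrollingUser -join ', ')."
            Write-Host 'On builds without multi-user MDM support, only the enrolling account receives apps and policies.'
        }
    }

    # Join state as reported by Windows itself (AzureAdJoined should be YES here).
    dsregcmd /status |
        Select-String -Pattern 'AzureAdJoined|DomainJoined|WorkplaceJoined' |
        ForEach-Object { $_.Line.Trim() }
    ```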

Answers

  • Hi

    Good news - it is coming in the April update of Intune - to be working with Windows 10 1703.

    Multi-user support for Windows 10 Creators Update

    We've added support for multi-user management for devices that run the Windows 10 Creators Update and are Azure Active Directory domain-joined. This means that when different standard users log onto the device with their Azure AD credentials, they will receive any apps and policies that were assigned to their user name. Users cannot currently use the Company Portal for self-service scenarios like installing apps.

    https://docs.microsoft.com/en-us/intune-azure/introduction/whats-new?toc=%2fintune%2ftoc.json

    Kind regards
    Per Larsen
    Microsoft MVP - Enterprise Mobility
    Twitter: @PerLarsen1975 | Blog: osddeployment.wordpress.com
    If this post is helpful please vote it as Helpful or click Mark for answer.

    Sunday, April 23, 2017 6:09 AM

All replies

  • Hi

    This is a known issue :-(

    It is only the user that enrolls the device that gets application and policy on the devices.

    The Company Portal also comes with a message that the device is not enrolled.

    Kind regards
    Per Larsen
    Microsoft MVP - Enterprise Mobility
    Twitter: @PerLarsen1975 | Blog: osddeployment.wordpress.com
    If this post is helpful please vote it as Helpful or click Mark for answer.

    Monday, April 17, 2017 7:35 AM
  • Hi Per,

    Thank you for your reply.
    Do you know if Microsoft is currently working to solve this issue?

    Kind regards
    Christiaan Glaser

    Wednesday, April 19, 2017 2:09 PM
  • Wow - is this truly a known bug?

    We're trying to deploy InTune now on Windows 10 with AAD-Join, but having InTune only work for the enrolling user would completely derail our deployment (since our users move & share devices).

    Wednesday, April 19, 2017 5:38 PM
  • It's not a bug, it's a design limitation.

    Bad design? Yes, IMO.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Wednesday, April 19, 2017 8:22 PM
  • Hm, so with Azure AAD-joined machines + Enterprise State Roaming + InTune, there's ... no way to get a Windows Store app to install for a user (even if it's user & device "Required") unless they're the original enroller / "Device Owner"?
    Thursday, April 20, 2017 12:59 AM
  • To my knowledge, yes that's correct. It's not an Intune (little t) issue specifically though, it's a Windows MDM issue -- the capability simply isn't there in the Windows MDM management stack presently to my knowledge.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Thursday, April 20, 2017 1:32 AM
  • Did anyone test this with the creators update?

    In my test environment with Windows 1703, normal users still don't get software & policies applied.

    Thursday, May 11, 2017 10:29 AM
  • Hi

    Yes, I have tested it with a normal user and everything we have tested is working.

    Kind regards
    Per Larsen
    Microsoft MVP - Enterprise Mobility
    Twitter: @PerLarsen1975 | Blog: osddeployment.wordpress.com
    If this post is helpful please vote it as Helpful or click Mark for answer.

    Sunday, May 14, 2017 6:30 AM
  • Hi,

    Is the "normal user" a member of the local admin group of the PC?

    If I log in as a user with local admin rights, I receive the policies and apps. But if I log in as a standard user (no local admin) I don't get the apps and policies.

    Monday, May 15, 2017 8:21 AM
  • Hi all,

    Tried with a different tenant and created everything from scratch. It works after that.

    Can deploy settings & MSI to normal users (without admin rights).

    Thanks all.

    Monday, May 15, 2017 11:48 AM