cgadmin (cgadmin) #1
With some effort I am weaning my organisation off its addiction to convenient but insecure shared accounts. Everyone now has their own account in AD, which syncs to both 365 & Google Apps for Business.
Where multiple humans need shared access to the same resources, their individual accounts are given access permissions. Users are now expected to log in to computers using their own domain credentials. Everything is as it should be. I sleep soundly almost every night.
We are now slowly starting to transition to using more mobile “smart” devices. Mainly this is being driven by teams requiring mobile access to team mailboxes, and the most obvious way of accomplishing this is to give them a smartphone - but we are starting to dabble in tablet computing too.
The problem I’m running into is that the policy I wrote prohibits sharing of credentials - which works fine for PCs and laptops but terribly for smart devices, because we can only afford to issue one device per team rather than one device per user (which is how these devices appear to be designed to be used).
The inability of these devices to properly support multiple users baffles me a bit given that they are based (albeit distantly at this stage I realise) on operating systems which are by definition almost exquisitely multi-user!
So my question is - if you are asking multiple humans to share smart devices, how do you provision them? Do you just let your users share credentials for device unlock \ Play Store \ 365 email etc.? Or have you found some way to support multiple, uniquely authenticated users?
Thanks!
2 Spice ups
What exactly are they using the mobile device for? Also, mobile OSs were built for one user…because well most people don’t share a phone. You say you have Google Apps…what can they do on a tablet that they can’t do on a $170 Chromebook?
Also, what exactly on the device can’t be shared with multiple users? It sounds like the company isn’t dealing with overly important data considering you’re just moving to individual login credentials!
1 Spice up
No such thing as multiple users in iOS devices, at least. I guess you could do something close to what you are trying to accomplish with Meraki MDM. You will have a device which you can assign an owner. You can have the mailbox follow the owner. Then you will have to create different profiles and tags for the applications and change owner every time a new user picks up the mobile device. This is too much work, and so it will be if you are trying to share documents. The only way I see you could share a device is by using the cloud as much as you can. For email, the 365 web interface; for documents, Dropbox, for example, and have them sign in/off. Again, it’s a security risk, but the only way I see you can share a tablet.
1 Spice up
cgadmin (cgadmin) #4
Actually in many cases we do want the users to share data, we just don’t want them to share credentials.
These are relatively large, largely computer-illiterate teams working with sensitive & personal data - so we are keen to avoid shared credentials because of the usual problems, e.g. someone leaves the team but hangs onto the team credentials, or someone changes the shared password, goes off shift and leaves everyone else locked out, etc. etc.
I’m now thinking that the choice is probably either a) teams get issued a “dumb” phone and Chromebook, or b) they get a smartphone and we just allow them to share credentials in that instance (and try to harden our processes as much as possible).
I’m still confused as to what credentials would need to be shared if they are using a smartphone; if you are setting up email or Google Drive, then the password only needs to be entered once? Go with a Chromebook, they are great for computer-illiterate users.
cgadmin (cgadmin) #6
It only needs to be entered once, except when something goes wrong and it needs to be re-entered, or when it expires - at which point our policy (which I think is otherwise sensible!) prohibits the “owner” of the account from sharing it with anyone, so only they can re-enter it, which unfortunately could mean driving hundreds of miles over mountains etc. to re-enter a password (this is where we are right now!).
So yeah, looks like it’s either Chromebooks\real laptops or a policy exception for smartphones and tablets (sigh - but fair enough if it has to be!).
mradam (MrAdam) #7
Is there anything specifically keeping you away from the Windows environment? The OS is now the same across all devices, with an emphasis on integration.
cgadmin (cgadmin) #8
Mainly the presumption that something like a Surface will be too expensive (I could be out of date on that, though). Also, last time I looked at Win10 devices I was disappointed to realise that though our users have AD & 365 accounts, they couldn’t log into their Win10 device without making yet another account. Again, I may be out of date on this.
mradam (MrAdam) #9
Yeah, I think it would warrant more research. I am keeping just enough in the “know” to know that it is an option and that this Anniversary Update this summer should fix many of the enterprise-related concerns. As with anything, you can go high end like a Surface, OR lower-end tablets can be picked up cheap, and ones like the Toshiba Encore 2 are a proven platform that is nearly 3 years old, fully supported, currently still in production, and can be bought anywhere from $89 for a certified refurbished unit to just under $200 new for the WT8, and add $60 for the WT10.