# Multi User Devices

Multi-User Devices allow an administrator to provision devices intended to be used by more than one user. A tool for Multi-User Devices is **Device Enrollment Manager** (short DEM).

DEM is an Intune permission that can be applied to an Azure Active Directory user account and lets the user enroll up to 1,000 devices. A DEM account is useful for scenarios where devices are enrolled and prepared before handing them out to the users of the devices.

RealmJoin Client can be used to allow self-service software installations on Multi-User Devices.

## Licenses

Devices enrolled by DEM accounts need to be licensed. Therefore, each DEM account needs an Intune user or device license assigned.

Example:

* Enterprise Mobility + Security (user license) or
* A simple device license

![](https://2868468309-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkrcM7cKOpXKri1kVrh%2Fuploads%2FVKJV6oNw5AE7yQdfu3dz%2Fspaces_-LoFsqW9gZ0AjMnSuPaT_uploads_git-blob-47c2a54892a3e4fa7b50f6cc14d1c3fb376dcefb_dem1%20\(1\).png?alt=media\&token=cb3112a8-e03b-4fae-bc1d-82f0464cf83c)

## Preparations

Before you can start with a device enrollment you have to do some preparations.

### Create DEM User

Create a generic user account that is not assigned to a real person. Please make sure that this account never gets deleted. In that case, enrolled devices will not stay under management anymore. Assign a suitable Intune license as described before.

![](https://2868468309-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkrcM7cKOpXKri1kVrh%2Fuploads%2FqHZz6xTlijC7ALj7YzAp%2Fspaces_-LoFsqW9gZ0AjMnSuPaT_uploads_git-blob-d9ea0b7aef42bb8e641fd934ae909a57f19a7b92_dem2%20\(1\).png?alt=media\&token=a2908c36-1f1c-4fac-acbe-1440615f10fe)

### Create User Group for DEM Accounts

A new user group is necessary that contains all DEM users. Ad one (e.g. **CFG - All multi-user device accounts DEM**) and assign the previously created user.

![](https://2868468309-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkrcM7cKOpXKri1kVrh%2Fuploads%2Fj7N67n4Dbb0C6p52Akl2%2Fspaces_-LoFsqW9gZ0AjMnSuPaT_uploads_git-blob-aa7ab331b291cec2a175fc45db6c7d114c817fa7_dem3%20\(1\)%20\(1\).png?alt=media\&token=999c92bb-aa30-4178-91be-34387e7f735a)

### Prepare Group

In **Intune** the following actions are necessary for that group:

* Assign compliance policies and device configurations (that should apply for these devices)
* Assign Intune distributed apps (e. g. RealmJoin Installer)
* Check if DEM group can enroll and register new devices in Intune/Entra ID (e. g. enrollment restrictions and Entra ID Join)

The following steps must be done in **RealmJoin**

* Add RealmJoin configuration policies to that group
* Add Software packages (that should be installed when the device is set up by DEM account)
* Let RealmJoin mark this group as **Primary Users** (obtain Entra ID Object ID)

## Device Setup

A new and clean device will be set up with the DEM user account created before:

![](https://2868468309-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkrcM7cKOpXKri1kVrh%2Fuploads%2FVqSIOXxpqw4LAlKObAw5%2Fspaces_-LoFsqW9gZ0AjMnSuPaT_uploads_git-blob-578ad5cd4ba355fca1a666221331513599318cfa_dem5%20\(1\).png?alt=media\&token=7214fd74-c59f-4ecd-aad6-a45e96ba50a0)

Depending on configuration second factor authentication will be enforced:

![](https://2868468309-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkrcM7cKOpXKri1kVrh%2Fuploads%2FbAbX93GwafnFaVS07zrr%2Fspaces_-LoFsqW9gZ0AjMnSuPaT_uploads_git-blob-02a403937e7746d021079b8e52cef29d6145c65c_dem6%20\(1\).png?alt=media\&token=dbca42b8-46f7-447f-81bd-154fdbef1b65)

Device enrollment and provisioning will start:

![](https://2868468309-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkrcM7cKOpXKri1kVrh%2Fuploads%2FCQbSjX1tt7DDMNrKoGz3%2Fspaces_-LoFsqW9gZ0AjMnSuPaT_uploads_git-blob-ee84cba5c366ade4e57c27b5f0c868d7968dae9e_dem7%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\).png?alt=media\&token=a7a1c62c-c484-4ddc-8857-bf76015246cd)

Prompt for Windows Hello setup appears (depending on configuration):

![](https://2868468309-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkrcM7cKOpXKri1kVrh%2Fuploads%2FitKoJ20PbKkDpEjek0VA%2Fspaces_-LoFsqW9gZ0AjMnSuPaT_uploads_git-blob-d2f944ba10dc06d977c35583d9c123b972fa1265_dem8%20\(1\)%20\(1\).png?alt=media\&token=e5112e43-29c9-4e8f-845e-b6d444812e08)

After that, RealmJoin will start and install the defined set of software for the DEM account:

![](https://2868468309-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkrcM7cKOpXKri1kVrh%2Fuploads%2F8iEaGpoRoaL3hYskxHDa%2Fspaces_-LoFsqW9gZ0AjMnSuPaT_uploads_git-blob-db3e50950cdc154e9a54dd6f26280cee04d69a3e_dem9%20\(1\).png?alt=media\&token=84774799-8aad-4c1d-aede-c25440ec9a75)

When logging in via DEM account (primary user) the software should be installed:

![](https://2868468309-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkrcM7cKOpXKri1kVrh%2Fuploads%2FZY6KO9XkfBUUAYx8maq1%2Fspaces_-LoFsqW9gZ0AjMnSuPaT_uploads_git-blob-f59dd6e4b4073ec8485a48bb7a23bb0266f0f0ed_dem10%20\(1\).png?alt=media\&token=6809abf0-4e42-4b4e-9761-04b9d240609a)

## Secondary User Experience

Secondary users are now able to log in:

![](https://2868468309-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkrcM7cKOpXKri1kVrh%2Fuploads%2FoylJzbQsThw5cI4qhZD8%2Fspaces_-LoFsqW9gZ0AjMnSuPaT_uploads_git-blob-5bae77229a33711fec36d362ca64e15572695694_dem11%20\(1\).png?alt=media\&token=f1d5d810-bd58-4c30-a852-c951b5fbf90f)

Software assigned and installed by DEM account should be available

Additional software can be installed by this secondary user:

![](https://2868468309-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkrcM7cKOpXKri1kVrh%2Fuploads%2Fh3s3ZCsexp2UPAYK2FLg%2Fspaces_-LoFsqW9gZ0AjMnSuPaT_uploads_git-blob-00a6e4efde40c57f2ac2d4694ce3e3139fd21c11_dem13%20\(1\).png?alt=media\&token=4c0434b8-87ea-4ef5-89f1-eaa3f7c92ba1)

![](https://2868468309-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkrcM7cKOpXKri1kVrh%2Fuploads%2F4SKlgQcVPLImfhS1EFMt%2Fspaces_-LoFsqW9gZ0AjMnSuPaT_uploads_git-blob-3e07ce7d949c749c80ed39867bf0f030fc5a5d63_dem14%20\(1\).png?alt=media\&token=ec3fbfd2-b4e0-4324-929e-82ed0834dd51)

![](https://2868468309-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MkrcM7cKOpXKri1kVrh%2Fuploads%2FiUfcD3HZOPUmZMq6iPU2%2Fspaces_-LoFsqW9gZ0AjMnSuPaT_uploads_git-blob-c83bb44f418d491bbe9ea18e1675b8efeb872148_dem15%20\(1\).png?alt=media\&token=c36900a9-4db0-4abc-8f3c-fad0ddc6c385)