This blog post is about the options you have when a large number of non-managed shared devices need to run the Teams desktop app.
Imagine the following scenario: just before the first Covid-19 wave, a company decided to transform into a modern zero trust organization. Before that decision, everyone worked on a remote desktop cluster hosted in a datacentre, and none of the (shared) on-premises devices were managed.
And like everyone else, they immediately wanted to start using Teams. Of course, we made sure some governance was applied. But what could the problem be? Most of the devices are non-managed shared devices…
So user A opens Teams, enters their credentials, accepts the MFA prompt, and Teams is signed in. Guess what happens when user B needs that device?
When user A doesn’t sign out of Teams before shutting down the device, the next user has access to user A’s Teams account. Of course, this is not proper governance, but it’s very understandable that it happens.
So we have a bit of a problem now. None of the devices are managed or enrolled. How are we going to fix this?
There are 6 options:
1. Manually create a guest account on each device and configure all kinds of settings so that when user A logs off the device, the user profile is wiped.
2. Create a PowerShell script that runs at each user logoff. It removes:
- The stored credentials, with cmdkey
- The HKCU Teams folder
3. Configure the sign-in frequency: create a group containing these users. Once the group exists, create a new Conditional Access policy targeting that group:
- Users and groups: Selected users and groups
- Cloud apps: Microsoft Teams
- Device platform: Windows
- Client apps: Mobile apps and desktop clients
- Device state: Exclude compliant devices
- Session: Sign-in frequency: 1 hour
4. Only allow the web-based Teams app: first, block the Teams desktop app with a Conditional Access rule and only allow browser access to Teams. After the first rule is configured, configure a second Conditional Access rule to prevent a persistent browser session.
5. Start enrolling all devices into Intune, apply Conditional Access rules, and configure a Device Configuration Policy for the devices that need Windows shared device mode.
6. Manually configure shared device mode. Run a PowerShell script (PsExec needed, because the MDM WMI bridge must be called as SYSTEM) to configure shared device mode with the WMI bridge. You can automate this the same way I did with the device wiping script. Of course, don’t forget to install the Teams app for all users with the machine-wide installer.
# Read the MDM_SharedPC node through the MDM WMI bridge (must run as SYSTEM)
$sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC"

# Turn on shared PC mode with the education and power defaults
$sharedPC.EnableSharedPCMode = $True
$sharedPC.SetEduPolicies = $True
$sharedPC.SetPowerPolicies = $True
$sharedPC.MaintenanceStartTime = 0
$sharedPC.SignInOnResume = $True
$sharedPC.SleepTimeout = 0

# Account management: AccountModel 2 = domain/Azure AD accounts and guest,
# DeletionPolicy 1 = delete accounts when disk space runs low
$sharedPC.EnableAccountManager = $True
$sharedPC.AccountModel = 2
$sharedPC.DeletionPolicy = 1
$sharedPC.DiskLevelDeletion = 25
$sharedPC.DiskLevelCaching = 50
$sharedPC.RestrictLocalStorage = $False

# No kiosk app, no inactivity-based account removal
$sharedPC.KioskModeAUMID = ""
$sharedPC.KioskModeUserTileDisplayText = ""
$sharedPC.InactiveThreshold = 0

# Write the changes back and read the node again to verify
Set-CimInstance -CimInstance $sharedPC
Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName MDM_SharedPC
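For option 2, here is an added example of what such a logoff cleanup script could look like (example code, not the script from the original post). It assumes it runs in the signing-out user’s context, that the Teams classic settings live under HKCU:\Software\Microsoft\Office\Teams with the cache under %APPDATA%\Microsoft\Teams, and that the Credential Manager entries Teams leaves behind contain "teams" or "MicrosoftOffice" in their target name.

```powershell
# Added example: logoff cleanup for Teams on a shared device (option 2).
# Assumptions: runs as the signing-out user; registry path, cache path and
# credential-target filter below are assumptions about how Teams names things.
[CmdletBinding(SupportsShouldProcess)]
param()

# Teams may still hold files open at logoff; stop it before deleting the cache.
Get-Process -Name Teams -ErrorAction SilentlyContinue | Stop-Process -Force

# 1. Credential Manager entries. 'cmdkey /list' prints one "Target: ..." line
#    per stored credential; keep only the ones that look Teams/Office related.
$targets = cmdkey /list | ForEach-Object {
    if ($_ -match '^\s*Target:\s*(.+)$') { $Matches[1].Trim() }
} | Where-Object { $_ -match 'teams|MicrosoftOffice' }

foreach ($target in $targets) {
    if ($PSCmdlet.ShouldProcess($target, 'cmdkey /delete')) {
        # cmdkey needs the full target name, including any 'LegacyGeneric:target=' prefix
        cmdkey /delete:$target | Out-Null
    }
}

# 2. Teams settings under HKCU and the local cache under %APPDATA% (assumed paths).
$paths = @(
    'HKCU:\Software\Microsoft\Office\Teams',
    (Join-Path $env:APPDATA 'Microsoft\Teams')
)
foreach ($p in $paths) {
    if ((Test-Path $p) -and $PSCmdlet.ShouldProcess($p, 'Remove-Item -Recurse')) {
        Remove-Item -Path $p -Recurse -Force -ErrorAction SilentlyContinue
    }
}
```

Run it once with -WhatIf on a test device to see which credentials and paths it would remove before assigning it as a logoff script.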
So we have some options to choose from. Which one should, or can, we pick?
Options 1, 2 and 6 will take a lot of time, and you can never be sure you have configured every device.
Of course, option 5 would be the best. It will also take some time, but it has to be done someday, so why not now?
If you don’t have time to spare right now, choose a solution that is faster to implement.
The fastest option is to deploy Conditional Access rules. That leaves 2 options; which one to choose depends on whether the customer really wants to use the desktop app or could do with just the browser version.
- If the customer is okay with only allowing the Teams browser app, go for option 4.
- If the customer really wants the desktop app, you can’t block it and will need to go for option 3. Don’t forget to require MFA.
Putting up every defense to block everything is not the way to go, but keep in mind it still needs to be secure. In my opinion, the easiest way is to only allow the Teams web app, but the desktop app obviously has its benefits.