The book of Non-Managed Shared Devices

Last Updated on December 3, 2021 by rudyooms

This blog post is about the options you have when you have a lot of non-managed shared devices that need to run the Teams desktop app.

Imagine the following scenario: just before the first Covid-19 wave, a company decided to transform its organization into a modern zero trust company. Before this decision, everyone was working on a remote desktop cluster placed inside a datacentre, and none of their (shared) on-premises devices were managed.

And like everyone, they immediately wanted to start using Teams. Of course, we made sure some governance was applied. But what could be the problem? Most of the devices are non-managed shared devices…

So, user A opens Teams, enters their credentials, accepts the MFA prompt, and Teams is logged in. Guess what happens when user B needs that device?

When user A doesn’t log out of Teams before shutting down the device, the next user has access to user A’s Teams account. Of course, this is not proper governance, but it’s very understandable that this happens.

So, we have a little bit of a problem now. None of the devices are managed or enrolled right now. How are we going to fix this problem?

There are 6 options:

1. A guest account

Manually create a guest account on each device and configure all kinds of settings so that when user A logs out of the device, the user profile is wiped.

2. A PowerShell Script

Create a PowerShell script that runs at each user logoff (schedule it with the Windows Task Scheduler to run at user logoff). It removes the:

  • $env:APPDATA\Microsoft\teams
  • Credentials with CMDkey
  • HKCU Teams folder
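The cleanup described in option 2, as an added example script; it is not the blog's own script. It assumes the classic Teams desktop client (cache under %APPDATA%\Microsoft\Teams, per-user state under HKCU:\Software\Microsoft\Office\Teams), that it runs in the context of the user who is logging off, and that the Credential Manager entries to remove contain "teams" or "MicrosoftOffice" in their target name (an assumption about the naming pattern; adjust the filter to what cmdkey /list shows on your devices).

```powershell
# Added example script (hypothetical, not the blog's own): remove a user's Teams sign-in state.
# Assumes the classic Teams client and execution as the logging-off user.
function Remove-TeamsUserState {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Teams must not be running, otherwise cache files stay locked and the delete is only partial.
    Get-Process -Name 'Teams' -ErrorAction SilentlyContinue |
        Stop-Process -Force -ErrorAction SilentlyContinue

    # 1. Cached Teams data (tokens, cookies, local storage) under $env:APPDATA\Microsoft\Teams
    $cache = Join-Path $env:APPDATA 'Microsoft\Teams'
    if ((Test-Path $cache) -and $PSCmdlet.ShouldProcess($cache, 'Remove Teams cache')) {
        Remove-Item -Path $cache -Recurse -Force -ErrorAction SilentlyContinue
    }

    # 2. Credential Manager entries. cmdkey /list prints one "Target: <name>" line per entry;
    #    generic entries carry a "LegacyGeneric:target=" prefix that cmdkey /delete does not take.
    $targets = cmdkey /list | ForEach-Object {
        if ($_ -match '^\s*Target:\s+(.+?)\s*$') {
            $Matches[1] -replace '^LegacyGeneric:target=', ''
        }
    }
    # Assumed naming pattern of the Teams/Office credentials (PowerShell -match is case-insensitive).
    foreach ($t in ($targets | Where-Object { $_ -match 'teams|MicrosoftOffice' })) {
        if ($PSCmdlet.ShouldProcess($t, 'Delete credential')) {
            cmdkey /delete:$t | Out-Null
        }
    }

    # 3. Per-user Teams registry state
    $key = 'HKCU:\Software\Microsoft\Office\Teams'
    if ((Test-Path $key) -and $PSCmdlet.ShouldProcess($key, 'Remove registry key')) {
        Remove-Item -Path $key -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Dry run first; drop -WhatIf when you deploy it as the logoff script.
Remove-TeamsUserState -WhatIf
```

One caveat when scheduling it: New-ScheduledTaskTrigger has no logoff trigger (only logon, startup and time-based ones), so "run at logoff" in practice means a local or Group Policy logoff script, or a task with an event trigger, and either way the script must run under the user whose state it cleans, because $env:APPDATA and HKCU: belong to that user.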

3. Sign In frequency

Configure the sign-in frequency: create a group with these users in it. After the group is created you can create a new Conditional Access policy and target the group you just created.

  • Users and groups: Selected users and groups
  • Cloud apps: Microsoft Teams
  • Conditions:
    • Device Platform: Windows
    • Client Apps: Mobile Apps Desktop Clients
    • Device state: Exclude Compliant devices
  • Session: Sign in frequency: 1 Hour

4. Only Use Web-Based Teams

Only allow the web-based Teams app: first, block the Teams desktop app with a Conditional Access rule and only allow browser access to Teams. After you have configured the first rule, configure a second Conditional Access rule to prevent a persistent browser session.
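The policies of options 3 and 4, as an added example written with the Microsoft Graph PowerShell SDK; this is not the blog's own code. It assumes the Microsoft.Graph module is installed, that the $groupId placeholder is replaced with the object id of the group you created, and it expresses the portal's "exclude compliant devices" condition in the filter-for-devices form. The policies are created in report-only state so you can check the sign-in logs before enforcing them.

```powershell
# Added example (not the blog's own code): Conditional Access policies for options 3 and 4
# via the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$groupId = '<object id of the shared-device users group>'   # placeholder, replace before running
# Resolve the Microsoft Teams application id from its service principal instead of hard-coding it.
$teamsAppId = (Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Teams'" |
    Select-Object -First 1).AppId

# Conditions shared by every policy below: the group and the Windows platform.
$users     = @{ includeGroups = @($groupId) }
$platforms = @{ includePlatforms = @('windows') }

# Option 3: keep the desktop client, but require MFA and re-authentication every hour
# on devices that are not compliant (an unmanaged shared device is never compliant).
$option3 = @{
    displayName = 'Shared devices - Teams desktop: MFA + 1h sign-in frequency'
    state       = 'enabledForReportingButNotEnforced'   # report-only first
    conditions  = @{
        users          = $users
        applications   = @{ includeApplications = @($teamsAppId) }
        platforms      = $platforms
        clientAppTypes = @('mobileAppsAndDesktopClients')
        devices        = @{ deviceFilter = @{ mode = 'exclude'; rule = 'device.isCompliant -eq True' } }
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    sessionControls = @{ signInFrequency = @{ value = 1; type = 'hours'; isEnabled = $true } }
}

# Option 4, rule 1: block the Teams desktop/mobile client for this group.
$option4Block = @{
    displayName = 'Shared devices - block Teams desktop client'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = $users
        applications   = @{ includeApplications = @($teamsAppId) }
        platforms      = $platforms
        clientAppTypes = @('mobileAppsAndDesktopClients')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Option 4, rule 2: browser access with MFA and no persistent session, so closing the
# browser ends user A's session instead of handing it to user B.
# The persistent-browser session control is offered only when the policy targets all cloud apps.
$option4Browser = @{
    displayName = 'Shared devices - browser: MFA, no persistent session'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = $users
        applications   = @{ includeApplications = @('All') }
        platforms      = $platforms
        clientAppTypes = @('browser')
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    sessionControls = @{
        persistentBrowser = @{ mode = 'never'; isEnabled = $true }
        signInFrequency   = @{ value = 1; type = 'hours'; isEnabled = $true }
    }
}

# Pick one route: option 3 keeps the desktop client, option 4 blocks it.
$chosen = @($option3)                      # or: @($option4Block, $option4Browser)
foreach ($policy in $chosen) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object DisplayName, State, Id
}
```

Leave the policies in report-only mode until the sign-in logs show only the shared-device group being affected, then switch state to 'enabled'; and because the option 4 browser rule targets all cloud apps, scope it carefully to that group so it does not change session behaviour for everyone else.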

5. Enroll them into Intune

Start enrolling all devices into Intune, apply Conditional Access rules, and configure a Device Configuration Policy for the devices that need Windows shared device mode.

6. Manually enable Shared Device Mode

Manually configure shared device mode. Run a PowerShell script (psexec needed, because the MDM WMI bridge is only reachable as SYSTEM) to configure shared device mode through the WMI bridge. You can automate this the same way as the device wiping script. Of course, don’t forget to install Teams with the machine-wide installer so it is available to all users.

# Run as SYSTEM, e.g. psexec -s -i powershell.exe; the MDM bridge namespace is not accessible otherwise.
$sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC"
$sharedPC.EnableSharedPCMode = $True          # turn on shared PC mode
$sharedPC.SetEduPolicies = $True              # apply the recommended education/shared-PC policies
$sharedPC.SetPowerPolicies = $True            # apply the shared-PC power settings
$sharedPC.MaintenanceStartTime = 0            # daily maintenance start, in minutes after midnight
$sharedPC.SignInOnResume = $True              # require sign-in when the device resumes
$sharedPC.SleepTimeout = 0                    # 0 = use the default sleep timeout
$sharedPC.EnableAccountManager = $True        # let Windows manage and delete local account profiles
$sharedPC.AccountModel = 2                    # 2 = domain accounts and guest
$sharedPC.DeletionPolicy = 1                  # 1 = delete cached accounts when the disk-space threshold is reached
$sharedPC.DiskLevelDeletion = 25              # start deleting when free disk space drops below 25%
$sharedPC.DiskLevelCaching = 50               # stop deleting once free disk space is back above 50%
$sharedPC.RestrictLocalStorage = $False       # users may still save to local storage
$sharedPC.KioskModeAUMID = ""                 # no kiosk app
$sharedPC.KioskModeUserTileDisplayText = ""   # no kiosk tile text
$sharedPC.InactiveThreshold = 0               # days of inactivity before deletion; 0 = default (used with DeletionPolicy 2)
Set-CimInstance -CimInstance $sharedPC
# Read the instance back to verify the settings were applied
Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName MDM_SharedPC

So we have some options to choose from; which one should, or can, we pick?

Options 1, 2 and 6 will take you a lot of time, and you might not always know whether you have configured all devices.

Of course, option 5 would be the best. Option 5 will also take you some time, but it has to be done someday, so why not now?

When you don’t have time to spare right now, maybe choose a solution that is faster to implement.

The best option you have is to deploy Conditional Access rules. So we have 2 options left; which one to choose? It depends on whether the customer really wants to use the desktop app or could do with just the browser one.

  • If the customer is fine with allowing only the Teams browser app, you can go for option 4.
  • If the customer desperately wants to use the desktop app, you can’t block it, and you will need to go for option 3. Don’t forget to require MFA.

Conclusion

Putting up all defences to block everything is not the way to go, but keep in mind that it still needs to be secure. In my opinion, the easiest way is to only allow the Teams web app, but it’s obvious the desktop app has its benefits.
