- **If you manage your domain's Microsoft records at your DNS hosting provider**, you don't have to worry about the steps in this topic. Your website stays where it is and people can still get to it.

- **If Microsoft manages your DNS records**, to route traffic to an existing public website hosted outside of Microsoft, after you add your domain to Microsoft, do the following:

-1. Select **+ Add record** and enter the following:

- - For **IP Address**, type the static IP address for your website where it's currently hosted (for example, 172.16.140.1).

- This must be a *static* IP address for the website, not a *dynamic* IP address. Check with site where your website is hosted to make sure you can get a static IP address for your public website.

-1. Select **Save**.

-1. Select **+ Add record** and enter the following:

- - For **Points to address**, type the fully qualified domain name (FQDN) for your website (for example, contoso.com).

-2. Select **Save**.

-[Update your domain's NS records](../setup/add-domain.md) to point to Microsoft.

-Save time by starting your service request online. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>, choose **Support** \> **New service request**.

-## 1. Prepare for Directory Synchronization

- 2. Under **Sign-in and security**, select **Add or sync users to your Microsoft account**.

-> There are some additional steps for password writeback beyond the check box in Microsoft Entra Connect. For more information, see [How-to: configure password writeback](/azure/active-directory/authentication/howto-sspr-writeback).

-# Add staff to Bookings

-The Staff page in Bookings is where you create your staffing list and manage staff member details such as name, phone number, and email address. You can also set working hours for each staff member from here.

-1. From the Bookings home page, choose your calendar from the homepage.

- - **Team member** can manage bookings on their own calendar and their availability in the booking mailbox. When adding or editing a booking in their calendar, they'll be assigned as staff.

- - **Scheduler** can manage bookings on the calendar and customer details. They have read-only access to settings, staff, and services.

- - **Viewer** can see all the bookings on the calendar, but they canΓÇÖt modify or delete them. They have read-only access to settings.

- - **Guest** can be assigned to bookings, but they canΓÇÖt open the booking mailbox.

-6. Select **Events on Microsoft 365 calendar affect availability** if you want the free/busy information from staff membersΓÇÖ calendars to impact availability for bookings services through Bookings.

- > We highly recommend leaving this setting on (it is turned on by default) to avoid double-bookings and to optimize the availability of your staff members.

- Bookings is a time management solution that provides a simple and powerful scheduling page with seamless integration with outlook. It lets people schedule a meeting or appointment with you through a booking page that integrates with the free/busy information from your Outlook calendar. You can create custom meeting types to share with others so they can easily schedule time with you based on your availability and preferences. You both get an email confirmation and attendees can update or cancel scheduled meetings with you from your Personal Bookings page.

-Bookings with me is an ideal solution for enterprise, small business, and users in education to schedule 1:1 meetings with those outside and inside their organizations. Below are a few examples of how you can use Bookings with me.

-### End users

-Personal Bookings needs the **Microsoft Bookings App (service plan)** assigned to users for them to be able to access Bookings. This service plan can be enabled/disabled by tenant admins. So, if **Microsoft Bookings** isn't assigned to them, Bookings access will be denied to users even if they are in one of the previously listed SKUs.

-### What is the difference between Bookings and Bookings with me?

-Bookings with me integrates with your Outlook calendar and can only be used for 1:1 meetings. Bookings with me is intended for scheduling meeting times with individual users. Bookings is intended for managing scheduling for a group of people.

-Also, Bookings with me won't create a new mailbox for each Bookings with me page. Note that Bookings with me and Personal Bookings are terms used interchangeably.

-Public meeting types can be accessed by anyone that has your Bookings with me page address. You decide who you share your Bookings with me page address with.

-Meeting types can be public or private. Public meeting types are available to anyone that you share your Bookings page link with. Private meeting types are only available to people that you share the individual private meeting type with.

-No. Anyone or any attendee can schedule time with you using your Bookings with me page, even if they don't have a Microsoft account. You, as an organizer, need a Bookings license to create a Bookings with me page.

-### Where is Bookings with me data stored?

-Bookings with me is a feature of Outlook powered by Bookings. All data is stored within the Microsoft 365 platform and in Exchange. Bookings with me follows data storage policies set by Microsoft, which are the same policies that all apps in Microsoft 365 follow. All customer data (including information provided by attendees when booking) is captured in Bookings and is stored within Exchange. For more information, check out [Privacy: It's all about you](https://www.microsoft.com/trust-center/privacy).

-# Define your service offerings in Bookings

-When you define your service offerings in Microsoft Bookings, you set a service name, description, location (choose whether you want to meet in person or have an online meeting), duration, default reminders to customers and staff, internal notes about the service, and pricing. You can also tag the employees who are qualified to provide the service. Then, when customers come to your business web site to book an appointment, they can see exactly what types of appointments are available, choose the person they want to provide the service, and how much their service will cost.

-Here are the steps to add a new service.

-1. In Microsoft 365, select the App launcher, and then select **Bookings**.

-1. Under **Shared booking pages**, either select the page for which you want to create a new service, or create a new booking page and then select it from the available pages.

-1. On the shared booking page, select **Services**, and then select **Add new service**.

- The number of services should be limited to 50.

- **Service name**: enter the name of your service. This is the name that will appear in the drop-down menu on the Calendar page. This name will also appear when anyone manually adds an appointment on the Calendar page, and it will appear as a tile on the Self-service page.

- The time will be blocked on the staffΓÇÖs calendar and impact free/busy information. This means if an appointment ends at 3:00 pm and 10 minutes of buffer time has been added to the end of the meeting, the staffΓÇÖs calendar will show as busy and nonbookable until 3:10pm. This can be useful if your staff needs time before a meeting to prepare, such as a doctor reviewing a patientΓÇÖs chart, or a financial advisor preparing relevant account information. It can also be useful after a meeting, such as when someone needs time to travel to another location.

- **Price not set**: Select the price options that will display on the Self-Service page. If **Price not set** is selected, then no price or reference to cost or pricing will appear.

- **Maximum attendees per event**: This setting allows you to create services that require the ability for multiple people to book the same appointment time and the same staff (such as a fitness class). The appointment time slot for the selected service, staff, and time will be available to book until the maximum number of attendees, specified by you, has been reached. Current appointment capacity and attendees can be viewed in the Calendar tab in the Bookings Web app. We refer to this as 1:N booking service.

- **Let customers manage their appointment when it was booked by you or your staff on their behalf**: This setting determines whether or not the customer can modify or cancel their booking, provided it was booked through the Calendar tab on the Bookings Web app.

- - Enabled:

- The **Manage Booking** button appears on the customer confirmation email. When this button is selected by the customer, three options appear:

- - **Reschedule** Selecting this option brings the user to a service-specific Self-Service page, where they can select a new time and/or date for the same service and same staff member from the original booking. Note that even though the original staff member is attached to the rescheduled booking by default, the user does have the option of changing the staff member as well.

- - **Cancel booking** This cancels the booking and removes it from the staff's calendar.

- - **New booking** This option brings the user to the Self-Service page with all services and staff listed, for scheduling a new booking.

- :::image type="content" source="media/bookings-manage-booking-button.jpg" alt-text="The Manage Bookings button in Bookings.":::

- We only recommend leaving this setting enabled if you're comfortable with customers accessing the Self-Service page.

- - Disabled:

- The user will have no ability to reschedule or cancel their booking when they book through the Calendar tab on the Bookings Web app. When booking through the Self-Service page, however, customers will still have the **Manage Booking** button and all of its options, even when this setting is disabled.

- We recommend disabling this setting if you want to limit access to the Self-Service page. Additionally, we suggest adding text to your confirmation and reminder emails that tells your customers how to make changes to their booking through other means, such as by calling the office or emailing the help desk.

- Customer email, phone number, address, and notes are nonremovable fields, but you can make them optional by deselecting **Required** beside each field.

- Opt-in box on the manual booking and Self-Service Page:

- - **Publishing options** Choose whether to have this service appear as bookable on the Self-Service page, or to make the service bookable only on the Calendar tab within the Bookings Web app.

-# Enter your business information in Microsoft Bookings

-In Microsoft Bookings, the Business Information page within the web app contains all the details that you'd typically find on a business' "About us" page. These details include a relevant name, address, phone number, web site URL, privacy policy URL, logo, and business hours.

-1. In Microsoft 365, select the App launcher, and then select **Bookings**.

-1. In the navigation pane, select **Your calendar** > **Business information** in the left pane.

-description: "Learn how to secure Microsoft Copilot for Microsoft 365 Business Standard and Microsoft 365 Business Premium."

-# Secure Microsoft Copilot for Microsoft 365 in Microsoft 365 Business Standard and Microsoft 365 Business Premium

-This article explains the differences in security and compliance controls between Copilot for Microsoft 365 in Microsoft 365 Business Standard and Microsoft 365 Business Premium. This article doesn't attempt to describe the full capabilities of Copilot for Microsoft 365, or the full security and compliance features in Business Standard and Business Premium.

-The following sections contain scenarios to help you better understand how security features in Business Standard and Business Premium can help protect you when you're using Copilot for Microsoft 365.

- The following capabilities in **Business Standard** lead to these results:

-The available security and compliance features related to Copilot for Microsoft 365 in Business Standard and Business Premium is summarized in the following tables:

- |Scenario|Business<br/>Standard|Business<br/>Premium|

- ||::|::|

- |Sign in to Copilot for Microsoft 365 with a single identity|Γ£ö|Γ£ö|

- |Enforce MFA when accessing Microsoft 365 to use Copilot|Γ£ö|Γ£ö|

- |Enable end-user password reset, change, and unlock when accessing Microsoft 365|Cloud users|Γ£ö|

- |Implement Conditional Access policies based on identity, device, and location when accessing Microsoft 365 to use Copilot||Γ£ö|

- |Enable near real-time access policies enforcement, evaluate critical events, and immediately revoke access to Microsoft 365||Γ£ö|

- |Require employees or guests to accept terms of use policy before getting access||Γ£ö|

- |Scenario|Business<br/>Standard|Business<br/>Premium|

- ||::|::|

- |Push/deploy Microsoft 365 apps to devices and grant access to Copilot in those apps||Γ£ö|

- |Manage Microsoft 365 app updates||Γ£ö|

- |Restrict the use of Microsoft 365 apps and Teams (and Copilot in those apps) on personal devices||Γ£ö|

- |Prevent saving files (including files generated by Copilot) to unprotected apps||Γ£ö|

- |Wipe all work content (including content generated by Copilot) if a device is lost, stolen, or compromised|Γ£ö|Γ£ö|

- |Revoke work access on noncompliant devices|iOS, Android|Γ£ö|

- |Scenario|Business<br/>Standard|Business<br/>Premium|

- ||::|::|

- |Search for Copilot generated data and interactions with eDiscovery capabilities|Search and export results|+ Case management and legal hold|

- |Audit logs for Copilot interactions|Audit (Standard)|Audit (Standard)|

- |Apply a manual retention policy for Copilot interactions|Γ£ö|Γ£ö|

- |Data loss prevention (DLP) policies to protect sensitive data generated by Copilot and saved in Microsoft 365 locations from exfiltration||Files and email|

- |Manually label and protect Microsoft 365 content used by Copilot||Files and email|

- |Inherit sensitivity labels and cite sensitivity labels in output and references in Copilot||Γ£ö|

- |Prohibit Copilot from including sensitive data that users have no extract permissions for|Γ£ö|Γ£ö|

- |Exclude sensitive files that users have no permission to view from being processed by Copilot|Γ£ö|Γ£ö|

-There are several architecture approaches for mergers, acquisitions, divestitures, and other scenarios that might lead you to migrate an existing Microsoft 365 tenant to a new tenant. Most customers work with Microsoft Consulting Services or a Microsoft partner to migrate tenants, including using third-party tools to migrate content.

-[](https://download.microsoft.com/download/b/a/1/ba19dfe7-96e2-4983-8783-4dcff9cebe7b/microsoft-365-tenant-to-tenant-migration.pdf)

-description: Get an overview of managing mobile shared and BYOD devices for frontline workers in your organization.

-# Manage devices for frontline workers

-Across every industry, frontline workers make up a large segment of the workforce. Frontline worker roles include retail associates, factory workers, field and service technicians, healthcare personnel, and many more.

-ItΓÇÖs important to set a secure, compliant baseline to manage devices for your workforce, whether theyΓÇÖre shared devices or workersΓÇÖ own devices. This article gives you an overview of common frontline worker device scenarios and management capabilities to help empower your workforce while safeguarding company data.

-## Device types

-Shared, bring-your-own, and kiosk devices are the most common device types used by frontline workers.

-|Device type|Description|Why to use|Deployment considerations|

-|--|--|-|--|

-|Shared devices |Devices are owned and managed by your organization. Employees access devices while at work. |Worker productivity and customer experience are a top priority. <br><br> Workers can't access organization resources while not at work. <br><br> Local laws may prevent personal devices from being used for business purposes. |Sign in/out can add friction to worker experience. <br><br> Potential for inadvertent sharing of sensitive data. |

-|Bring-your-own devices (BYOD) |Personal devices are owned by the user and managed by your organization. |Your existing mobile device management (MDM) solution prevents your organization from adopting a shared devices model. <br><br>Shared devices or dedicated devices may be impractical from a cost or business-readiness perspective. |Support complexity may not be feasible in field locations. <br><br> Personal devices vary in OS, storage, and connectivity. <br><br> Some workers may not have reliable access to a personal mobile device. <br><br> You could incur potential liability for wages if workers access resources while not clocked in. <br><br> Personal device use may be against union rules or government regulations. |

-|Kiosk devices |Devices are owned and managed by your organization. Users don't need to sign in or out. |Device has a dedicated purpose. <br><br> Use case doesn't require user authentication.|Collaboration, communication, task, and workflow applications need a user identity to function. <br><br> Not possible to audit user activity. <br><br> Unable to use some security capabilities including multifactor authentication. |

-Shared devices and BYOD are commonly adopted in frontline deployments. You can use capabilities discussed in subsequent sections of this article may resolve or mitigate your organizationΓÇÖs concerns over user experience, unauthorized worker access to data, and resources and ability to deploy and manage devices at scale.

-> [!NOTE]

-> Kiosk device deployments arenΓÇÖt recommended because they donΓÇÖt allow user auditing and user-based security capabilities like multifactor authentication. [Learn more about kiosk devices](/windows/configuration/kiosk-methods).

-### Shared devices

-Many frontline workers use shared mobile devices to do work. Shared devices are company-owned devices that are shared between employees across tasks, shifts, or locations.

-HereΓÇÖs an example of a typical scenario. An organization has a pool of devices in charging cradles to be shared across all employees. At the start of a shift, an employee picks up a device from the pool, and signs in to Teams and other business apps essential to their role. At the end of their shift, they sign out and return the device to the pool. Even within the same shift, a worker might return a device when they finish a task or clock out for lunch, and then pick up a different one when they clock back in.

-Shared devices present unique security challenges. For example, employees may have access to company or customer data that shouldnΓÇÖt be available to others on the same device.

-### Personal devices (BYOD)

-Some organizations use a bring-your-own-device (BYOD) model where frontline workers use their own mobile devices to access Teams and other business apps. Here's an overview of some ways to manage access and compliance on personal devices.

-The deployment model you select will partly determine the device operating systems you support. For example, if you implement a BYOD model, youΓÇÖll need to support both Android and iOS devices. If you implement a shared devices model, the device OS you choose will determine the capabilities available. For example, Windows devices natively support the ability to store multiple user profiles for automated sign-on and easy authentication with Windows Hello. With Android and iOS, more steps and pre-requisites apply.

-|Windows |Native support for storing multiple user profiles on the device. <br> Supports Windows Hello for passwordless authentication. <br> Simplified deployment and management capabilities when used with Microsoft Intune. |

-|Android |[Limited native capabilities](https://source.android.com/docs/devices/admin/multi-user) for storing multiple user profiles on devices. <br> Android devices can be enrolled in shared device mode to automate single sign-on and sign out. <br> Robust management of controls and APIs. <br> Existing ecosystem of devices built for frontline use. |

-|iOS and iPadOS |iOS devices can be enrolled in shared device mode to automate single sign-on and sign out. <br> Storing multiple user profiles on iPadOS devices is possible with Shared iPad for Business. Conditional access isn't available with Shared iPad for Business because of the way Apple partitions user profiles. |

-In a shared devices deployment, the ability to store multiple user profiles on a device to simplify user sign on and the ability to clear app data from the previous user (single sign out) are practical requirements for frontline deployments. These capabilities are native on Windows devices and iPads using Shared iPad for Business.

-## User identity

-Microsoft 365 for frontline workers uses Microsoft Entra ID as the underlying identity service for delivering and securing all applications and resources. Users must have an identity that exists in Microsoft Entra ID to access Microsoft 365 cloud applications.

-If you choose to manage frontline user identities with Active Directory Domain Services (AD DS) or a third-party identity provider, youΓÇÖll need to federate these identities to Microsoft Entra ID. [Learn how to integrate your third-party service with Microsoft Entra ID](flw-setup-microsoft-365.md#provision-users).

-The possible implementation patterns for managing frontline identities include:

-### HR-driven user provisioning

-Automating user provisioning is a practical need for organizations that want frontline employees to be able to access applications and resources on day one. From a security perspective, itΓÇÖs also important to automate deprovisioning during employee offboarding to ensure that previous employees donΓÇÖt retain access to company resources.

-Microsoft Entra user provisioning service integrates with cloud-based and on-premises HR applications, such as Workday and SAP SuccessFactors. You can configure the service to automate user provisioning and deprovisioning when an employee is created or disabled in the HR system.

-### My Staff

-With the [My Staff](/azure/active-directory/roles/my-staff-configure) feature in Microsoft Entra ID, you can delegate common user management tasks to frontline managers through the My Staff portal. Frontline managers can perform password resets or manage phone numbers for frontline workers directly from the store or factory floor, without having to route the requests to helpdesk, operations, or IT.

-My Staff also enables frontline managers to register their team members' phone numbers for SMS sign-in. If [SMS-based authentication](/azure/active-directory/authentication/howto-authentication-sms-signin) is enabled in your organization, frontline workers can sign in to Teams and other apps using only their phone numbers and a one-time passcode sent via SMS. This makes signing in for frontline workers simple, secure, and fast.

-## Mobile device management

-Mobile device management (MDM) solutions can simplify deployment, management and monitoring of devices. Microsoft Intune natively supports features important for deploying shared devices to frontline workers. These capabilities include:

-If youΓÇÖre using a third-party MDM solution for your shared devices deployment, such as VMwareΓÇÖs Workspace ONE or SOTI MobiControl, itΓÇÖs important to understand the associated capabilities, limitations and available workarounds.

-Some third-party MDMs can clear app data when a global sign out occurs on an Android device. However, app data clearing can miss data that is stored in a shared location, delete app settings, or cause first-run experiences to reappear. Android devices enrolled in shared device mode can selectively clear the necessary application data during device check-in or when the new user logs in to the device. [Learn more about authentication in shared device mode](#authentication).

-You can manually configure shared device mode in third-party MDM solutions for iOS and Android devices, however, manual configuration steps donΓÇÖt mark the device compliant in Microsoft Entra ID, which means conditional access isnΓÇÖt supported in this scenario. If you choose to manually configure devices in shared device mode, youΓÇÖll need to take additional steps to re-enroll Android devices in shared device mode with zero-touch provisioning to get conditional access support when third-party MDM support is available by uninstalling and reinstalling Authenticator from the device.

-A device can only be enrolled in one MDM solution, but you can use multiple MDM solutions to manage separate pools of devices. For example, you could use Workspace ONE for shared devices and Intune for BYOD. If you use multiple MDM solutions, keep in mind that some users may not be able to access shared devices because of a mismatch in conditional access policies.

-|MDM solution |Single sign out|Zero touch provisioning|Microsoft Entra Conditional Access|

-|-||--||

-|Intune (Microsoft) |Supported for Android and iOS devices enrolled in shared device mode |Supported for Android and iOS devices enrolled in shared device mode |Supported for Android and iOS devices enrolled in shared device mode |

-|Workspace ONE (VMware) |Supported with [Clear Android app data](https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/iOS_Platform/GUID-SharedDevicesOverview.html) capabilities. Unavailable for iOS |Currently unavailable for Android and iOS. |Currently unavailable for Android and iOS. |

-|MobiControl (SOTI) |Supported with [Wipe program data](https://www.soti.net/mc/help/v14.4/en/console/applications/wipe_app_data.html) capabilities. Unavailable for iOS. |Currently unavailable for Android and iOS. |Currently unavailable for Android and iOS. |

-Windows devices enrolled in Intune support single sign out, zero touch provisioning, and Microsoft Entra Conditional Access. You donΓÇÖt need to configure shared device mode on Windows devices.

-Intune is recommended for BYOD scenarios because it provides the best support and functionality out-of-the-box across device types.

-### Enroll Android and iOS personal devices

-In addition to your company-owned devices, you can [enroll](/mem/intune/enrollment/device-enrollment) users' personally owned devices into management in Intune. For BYOD enrollment, you add device users in the Microsoft Intune admin center, configure their enrollment experience, and set up Intune policies. Users complete enrollment themselves in the Intune Company Portal app that's installed on their device.

-In some cases, users may be reluctant to enroll their personal devices into management. If device enrollment isn't an option, you can choose a mobile application management (MAM) approach and use [app protection policies](/mem/intune/apps/app-protection-policies) to manage apps that contain corporate data. For example, you can apply app protection policies to Teams and Office mobile apps to prevent company data from being copied to personal apps on the device.

-To learn more, see ["Personal devices vs Organization-owned devices" in the Intune planning guide](/mem/intune/fundamentals/intune-planning-guide#personal-devices-vs-organization-owned-devices) and [Deployment guidance: Enroll devices in Microsoft Intune](/mem/intune/fundamentals/deployment-guide-enrollment).

-## Authentication

-Authentication features control who or what uses an account to gain access to applications, data, and resources. Organizations deploying shared devices to frontline workers need authentication controls that donΓÇÖt impede worker productivity while preventing unauthorized or unintended access to applications and data when devices are transferred between authenticated users.

-MicrosoftΓÇÖs frontline solution is delivered from the cloud and utilizes Microsoft Entra ID as the underlying identity service for securing Microsoft 365 applications and resources. These authentication features in Microsoft Entra ID address the unique considerations for shared devices deployments: automatic single sign-on, single sign out, and other strong authentication methods.

-[Shared device mode](/azure/active-directory/develop/msal-shared-devices) is a feature of Microsoft Entra ID that enables you to configure devices to be shared by employees. This feature enables single sign-on (SSO) and device-wide sign out for Microsoft Teams and all other apps that support shared device mode. You can integrate this capability into your line-of-business (LOB) apps using the Microsoft Authentication Library (MSAL). Once a device is in shared device mode, applications that leverage Microsoft Authentication Library (MSAL) can detect that theyΓÇÖre running on a shared device and determine who the current active user is. With this information, applications can accomplish these authentication controls:

-Here's how shared device mode works, using Teams as an example. When an employee signs in to Teams at the start of their shift, theyΓÇÖre automatically signed in to all other apps that support shared device mode on the device. At the end of their shift, when they sign out of Teams, they're signed out globally from all other apps that support shared device mode. After sign out, the employee's data and company data in Teams (including apps hosted within it) and in all other apps that support shared device mode can no longer be accessed. The device is ready for the next employee and can be safely handed off.

-Shared device mode is an improvement to the app data clear functionality for Android because it allows application developers to selectively clear personal user data without impacting app settings or cached data. With shared device mode, the flags that allow an application to remember if a first run experience is shown aren't deleted so users donΓÇÖt see a first run experience every time they sign-on.

-Shared device mode also allows a device to be enrolled into Microsoft Entra ID once for all users so that you can easily create profiles that secure app and data usage on the shared device. This allows you to support conditional access without having to re-enroll the device every time a new user authenticates into the device.

-You use a mobile device management (MDM) solution like Microsoft Intune or Microsoft Configuration Manager to prepare a device to be shared by installing the [Microsoft Authenticator app](https://support.microsoft.com/account-billing/how-to-use-the-microsoft-authenticator-app-9783c865-0308-42fb-a519-8cf666fe0acc) and turning on shared mode. Teams and all other apps that support shared device mode use the shared mode setting to manage users on the device. The MDM solution you use should also perform a device cleanup when sign out occurs.

-> [!NOTE]

-> Shared device mode isnΓÇÖt a full data loss prevention solution. Shared device mode should be used in conjunction with Microsoft Application Manager (MAM) policies to ensure that data doesnΓÇÖt leak to areas of the device that arenΓÇÖt leveraging shared device mode (e.g., local file storage).

-#### Prerequisites and considerations

-YouΓÇÖll need to meet the following prerequisites to use shared device mode.

-MAM policies are required to prevent data from moving from shared device mode enabled applications to non-shared device mode enabled applications.

-Currently, zero-touch provisioning of shared device mode is only available with Intune. If youΓÇÖre using a third-party MDM solution, devices must be enrolled in shared device mode using the [manual configuration steps](/azure/active-directory/develop/tutorial-v2-shared-device-mode#set-up-an-android-device-in-shared-mode).

-> [!NOTE]

-> Conditional access isnΓÇÖt fully supported for devices that are configured manually.

-Some Microsoft 365 applications donΓÇÖt currently support shared device mode. The table below summarizes what is available. If the application you need lacks shared device mode integration, itΓÇÖs recommended that you run a web-based version of your application in either Microsoft Teams or Microsoft Edge to get the benefits of shared device mode.

-Shared device mode is currently supported on Android devices. Here's some resources to help you get started.

-#### Enroll Android devices into shared device mode

-To manage and enroll Android devices into shared device mode using Intune, devices must be running Android OS version 8.0 or later, and have Google Mobile Services (GMS) connectivity. To learn more, see:

-You can also choose to deploy the Microsoft Managed Home Screen app to tailor the experience for users on their Intune-enrolled Android dedicated devices. Managed Home Screen acts as a launcher for other approved apps to run on top of it, and lets you customize devices and restrict what employees can access. For example, you can define how apps appear on the home screen, add your company logo, set custom wallpaper, and allow employees to set a session PIN. You can even configure sign out to happen automatically after a specified period of inactivity. To learn more, see:

-#### For developers creating apps for shared device mode

-If you're a developer, see the following resources for more information about how to integrate your app with shared device mode:

-### Multifactor authentication

-Microsoft Entra ID supports several forms of multifactor authentication with the Authenticator app, FIDO2 keys, SMS, voice calls, and more.

-Due to higher cost and legal restrictions, the most secure authentication methods may not be practical for many organizations. For example, FIDO2 security keys are typically considered too expensive, biometric tools like Windows Hello may run against existing regulations or union rules, and SMS sign in may not be possible if frontline workers arenΓÇÖt permitted to bring their personal devices to work.

-multifactor authentication provides a high level of security for applications and data but adds ongoing friction to user sign-on. For organizations that choose BYOD deployments, multifactor authentication may or may not be a practical option. It's highly recommended that business and technical teams validate the user experience with multifactor authentication before broad rollout so that the user impact can be properly considered in change management and readiness efforts.

-If multifactor authentication isn't feasible for your organization or deployment model, you should plan to leverage robust conditional access policies to reduce security risk.

-#### Passwordless authentication

-To further simplify access for your frontline workforce, you can leverage passwordless authentication methods so that workers donΓÇÖt need to remember or type in their passwords. Passwordless authentication methods are also typically more secure, and many can satisfy MFA requirements if necessary.

-Before proceeding with a passwordless authentication method, youΓÇÖll need to determine if it can work in your existing environment. Considerations like cost, OS support, personal device requirement, and MFA support can impact whether an authentication method would work for your needs. For example, FIDO2 security keys are currently considered too expensive, and SMS and Authenticator sign in may not be possible if frontline workers aren't permitted to bring their personal devices to work.

-Refer to the table to assess passwordless authentication methods for your frontline scenario.

-|Method|OS support|Requires personal device|Supports multifactor authentication |

-||-||-|

-|Microsoft Authenticator |All |Yes |Yes |

-|FIDO2 Key |Windows |No |Yes |

-If you're deploying with shared devices and the previous passwordless options aren't feasible, you can opt to disable strong password requirements so that users can provide simpler passwords while logging into managed devices. If you choose to disable strong password requirements, you should consider adding these strategies to your implementation plan.

-## Authorization

-Authorization features control what an authenticated user can do or access. In Microsoft 365, this is achieved through a combination of Microsoft Entra Conditional Access policies and application protection policies.

-Implementing robust authorization controls is a critical component of securing a frontline shared devices deployment, particularly if it isn't possible to implement strong authentication methods like multifactor authentication (MFA) for cost or practicality reasons.

-<a name='azure-ad-conditional-access'></a>

-### Microsoft Entra Conditional Access

-With conditional access, you can create rules that limit access based on the following signals:

-Conditional access policies can be used to block access when a user is on a non-compliant device or while theyΓÇÖre on an untrusted network. For example, you may want to use conditional access to prevent users from accessing an inventory application when they arenΓÇÖt on the work network or are using an unmanaged device, depending on your organizationΓÇÖs analysis of applicable laws.

-For BYOD scenarios where it makes sense to access data outside of work, such as HR-related information or non-business-related applications, you may choose to implement more permissive conditional access policies alongside strong authentication methods like multifactor authentication.

-Conditional access is supported for:

-Conditional access **not** supported for:

-> [!NOTE]

-> Conditional access for Android devices managed with select third-party MDM solutions is coming soon.

-For more information on conditional access, see the [Microsoft Entra Conditional Access documentation](/azure/active-directory/conditional-access/).

-### App protection policies

-With MAM from Intune, you can use app protection policies (APP) with applications that have integrated with IntuneΓÇÖs [APP SDK](/mem/intune/developer/app-sdk-get-started). This allows you to further protect your organization's data within an application.

-With app protection policies you can add access control safeguards, such as:

-You can also use APPs to ensure that data doesnΓÇÖt leak to applications that don't support shared device mode. To prevent data loss, the following APPs must be enabled on shared devices:

-APPs are helpful in BYOD scenarios because they allow you to protect your data at the app level without having to manage the entire device. This is important in scenarios where employees may have a device managed by another tenant (for example, a university or another employer) and can't be managed by another company.

-## Application management

-Your deployment plan should include an inventory and assessment of the applications that frontline workers will need to do their jobs. This section covers considerations and necessary steps to ensure that users have access to required applications and that the experience is optimized in the context of your frontline implementation.

-For the purposes of this assessment, applications are categorized in three groups:

-The applications that frontline users access meet these requirements (as applicable) for global single-in and single sign out to be enabled.

-Once youΓÇÖve successfully validated your applications, you can deploy them to managed devices using your MDM solution. This allows you to preinstall all the necessary applications during device enrollment so that users have everything they need on day one.

-### App launchers for Android devices

-On Android devices, the best way of providing a focused experience as soon as an employee opens a device is to provide a customized launch screen. With a customized launch screen, you can show only the relevant applications an employee needs to use and widgets that highlight key information.

-Most MDM solutions provide their own app launcher that can be used. For example, Microsoft provides Managed Home Screen. If you want to build your own custom app launcher for shared devices, youΓÇÖll need to integrate it with shared device mode so that single sign-on and single sign out works on your devices. The following table highlights some of the most common app launchers available today by Microsoft and third-party developers.

-|App launcher |Capabilities|

-|-||

-|Managed Home Screen |Use Managed Home Screen when you want your end users to have access to a specific set of applications on your Intune-enrolled dedicated devices. Because Managed Home Screen can be automatically launched as the default home screen on the device and appears to the end user as the only home screen, it's useful in shared devices scenarios when a locked down experience is required. |

-|Microsoft Launcher |Microsoft Launcher lets users personalize their phone, stay organized on the go, and transfer work from their phone to their PC. Microsoft Launcher differs from Managed Home Screen because it allows the end user access to their standard home screen. Microsoft Launcher is therefore useful in BYOD scenarios. |

-|VMware Workspace ONE Launcher |For customers using VMware, the Workspace ONE Launcher is he best tool to curate a set of applications that your frontline workforce needs access to. The sign out option from this launcher is also what enables Android App Data Clear for single sign out on VMware devices. VMware Workspace ONE Launcher doesn't currently support shared device mode. |

-|Custom app launcher |If you want a fully customized experience, you can build out your own custom app launcher. You can integrate your launcher with shared device mode so that your users only need to sign in and out once. |