Back to top
Home / Knox Manage / Quickstart guides /

Shared Android device quickstart

Last updated April 9th, 2025

Normally, Android devices only support one user account, and don’t provide a sign-in system. However, there are many cases in an enterprise’s activities where a device would be more fit for purpose if it could support multiple identities, such as a device that’s transferred to a different employee during each work shift, a freely-accessible device in a common room, or a shared device for visitors and guests.

Knox Manage allows you to enroll Android devices in a special shared mode, which supports the authentication of multiple assigned users through the sign-in screen on the Knox Manage agent. You can configure a shared device so that when a user signs in, it applies settings and a profile that is either generic or unique to that user, allowing varying levels of user access and permissions depending on the user’s role and needs.

To better isolate data between user accounts on the device, there are two types of shared device:

Shared device type Purpose
Temporary For guests and visitors. Data and installed apps on the device are deleted when the device user signs out, meaning no locally stored information is shared between users or between sessions.
Persistent For shift workers. Data and installed apps on the device are retained when the device user signs out, meaning locally stored information is shared between users and between sessions.

For this shared device type, a maximum of seven different users can be created on a device.

Supported devices

The following devices can be enrolled in shared mode:

  • Samsung Galaxy Tab devices running Android 11 or higher
  • Non-Samsung devices running Android 11 or higher

Set up a shared Android device

The process to set up a shared device has the following stages:

  1. Create a staging user
  2. Configure a staging user profile
  3. Enroll the device

Register a staging user

Since Android can’t operate without at least one active user, shared devices require a staging user between regular user sessions. The staging user is an account with a supervisory scope that carries the basic device configuration and settings, and hosts a base session in the operating system that provides the sign-in screen to device users.

When a device is being prepared to enter shared mode, it must be provisioned with the staging user.

To create a staging user:

  1. Go to User, then click Add.
  2. Fill in the basic and required user account information. For more detailed instructions, see Register a single user.
  3. Set Staging user to Yes.
  4. Make sure Using Type is set to Shared Device.
  5. Set Shared device type to Temporary or Persistent according to your deployment needs.
  6. Click Save and confirm.

You can activate a shared device with this staging user account. Alternately, you can use a staging user profile to activate multiple devices.

Configure a staging user profile

Next, create and configure a profile for the staging user. You can configure multiple staging devices by applying this profile to staging users.

To configure a staging user profile:

  1. Go to Profile > click the intended profile > Modify Policy.

  2. On the Set Policy page, open the Android Enterprise > Staging policy category.

  3. Set the Staging Device Settings policy to Apply. Sub-policies appear on the page.

    Configuring Staging policies

  4. To grant the staging user access to Android utilities (such as the System Status Bar), set Utilities Settings to Allow, then proceed to allow or disallow specific utilities for the staging user. Available utilities are:

    • Power
    • System Status Bar
    • Notification Bar
    • Key Guard

  5. To grant the staging user access to Android device settings (on the Settings app), set Device Settings to Allow, then proceed to allow or disallow specific settings under the Settings sub-policy. Options are:

    • Select All
    • Wi-Fi
    • Bluetooth
    • NFC
    • Mobile Data
    • Mobile Networks
    • Hotspot
    • Location

    If you enabled Wi-Fi, you can configure a Wi-Fi access point for the user from Android Enterprise > Wi-Fi.

  6. To restrict the number of times the staging user can attempt to exit Staging Mode, set Exit Staging Mode Attempt Limit to a value between 1 and 10. Then, if needed, set the Take Action if Attempts Are Exceeded sub-policy to prevent the staging user from re-entering their exit code for a certain period. Available options are:

    • Prevent re-entering code for 10 mins
    • Prevent re-entering code for 30 mins

  7. Click Save & Assign to save the configuration and assign it to the staging user’s profile.

Enroll the device

Lastly, after configuring the staging user and settings, enroll the device and activate shared mode:

  1. Go to User and copy the staging user’s ID.

  2. Enroll the device with the staging user through one of these methods:

    Regardless of the method you choose, make sure you enter the staging user ID you copied in step 1 — or the device won’t enroll in shared mode.

  3. After enrollment, go to Device, then search for and find the device. If it successfully enrolled as a shared device, its value in the Platform & Management Type column is Shared followed by the type (Temporary or Persistent).

    A device on the Device page with the Android Shared (Persistent) label.

Kiosks are not supported for secondary users on shared devices. We therefore recommend not setting up a kiosk for the staging user.

For access to new Staging Mode features, staging settings defined prior to Knox Manage 23.12 must be updated using the Staging Device Settings policy. See Configure a staging user profile for steps.

Device user check-in

When the shared device is enrolled and deployed, it shows the check-in screen if there is no active user session. A device user starts a session by checking in with their Knox Manage account credentials.

  • Samsung devices used as shared devices are automatically activated when a user first checks in.
  • For non-Samsung devices, the device user must activate the device by manually running the Knox Manage agent when they first check in to the device. The device user can launch the Knox Manage app or tap the Knox Manage notification to run the agent.

Due to Google’s Android API limitations, secondary users on shared devices cannot make phone calls or send SMS messages after checking in. They can only make emergency calls.

Starting with 25.04, Knox Manage supports web-based IdP authentication for secondary user check-ins. Shared Android devices can have up to seven secondary users per device. However, the exact limit may vary depending on the device model and manufacturer. If a shared device exceeds the maximum number of secondary users it can support, additional check-in attempts result in a KMA_E1001 shared device error, and access is denied.

Web-based IdP authentication for secondary user on a shared device

When the device user has finished their activities, they can end their session by tapping Check Out in the Knox notification.

  • If it’s a Temporary shared device, the app and user data on the device is erased.
  • On Persistent shared devices:
    • Apps common to staging users and device users are cached, and are available to device users when they check in.
    • User-specific apps are automatically downloaded and installed when the appropriate device user checks in.

Policies and device commands for shared devices

Shared devices can receive device commands and policies that are compatible with work profiles. Policies designed for fully managed mode won’t take effect.

When you apply an Android Enterprise profile to a shared device, it applies to both the staging users and device users.

Exit shared mode

In case of emergencies or issues with the shared device mode, the device user can run the Exit Shared Device Mode action on the device to exit shared mode. Once they submit the action, the device user enters a passcode issued to them by an admin.

Use Knox Remote Support

You can perform a remote support session on a shared device with Knox Remote Support, provided the Knox Remote Support agent is first installed on the device.

In order for the agent to be functional and accessible, it must be:

  1. Installed to the personal or primary profile of the device.
  2. Accessed during a staging user session, not a temporary or persistent user session.

To install the Knox Remote Support agent on a shared device, the staging user must:

  1. Open the Knox Manage agent, then select Service Desk on the sign-in screen or in the navigation bar.
  2. Select Download Remote Support app. The Knox Remote Support agent downloads and installs.

Once installed, the agent launches and shows a remote support access code, indicating that it’s ready for a remote session.

See also

On this page

Is this page helpful?