Front-line workers such as retail associates, warehouse staff, and healthcare aides often share iOS devices during shifts. Without proper configuration, each user must sign in and out of Outlook manually, wasting time and risking data exposure. Microsoft provides Shared Device Mode for iOS to solve this by allowing one device to serve multiple users with automatic sign-in and sign-out. This article explains what Shared Device Mode is, how to enable it using Microsoft Intune, and what limitations to expect.
Key Takeaways: Enabling Outlook for iOS Shared Device Mode
- Microsoft Intune > Devices > iOS/iPadOS > Configuration profiles > Shared device: Create a profile that enables Shared Device Mode for managed iOS devices.
- Microsoft Entra ID > App registrations > Outlook for iOS > Authentication > Allow public client flows: Set to Yes to let the app use the Microsoft Authentication Library (MSAL) for shared sign-in.
- Intune > Apps > App configuration policies > Outlook for iOS > Shared Device Mode: Set the policy key shared_device_mode to true to force Outlook into shared mode.
What Is Shared Device Mode for Outlook on iOS?
Shared Device Mode is a feature of the Microsoft Authentication Library (MSAL) integrated into Outlook for iOS. When enabled, the device operates in a mode that allows multiple users to sign in one at a time without leaving cached credentials behind. Each time a user signs out, the device clears all app data, cookies, and tokens. This prevents the next user from accessing the previous user’s email, calendar, or files.
The feature is designed specifically for front-line workers who do not have personal devices. Instead, they pick up a shared iPhone or iPad at the start of a shift, sign in with their work account, use Outlook, and sign out when the shift ends. The device remains locked to a single user session until sign-out occurs.
Shared Device Mode works with any iOS app that has been updated to support MSAL and the shared device flow. Outlook for iOS version 4.0 or later includes this support. The feature does not require a specific version of iOS beyond iOS 13.0.
Prerequisites for Enabling Shared Device Mode
Before you start, confirm you have these items ready:
- A Microsoft Intune subscription with device management rights.
- iOS devices enrolled in Intune as supervised devices using Apple Business Manager or Apple Configurator.
- Outlook for iOS deployed to the devices via Intune as a managed app.
- Microsoft Entra ID (formerly Azure AD) with app registrations enabled.
- Global Administrator or Intune Administrator role in Microsoft 365.
Steps to Enable Shared Device Mode for Outlook on iOS
The setup requires three configuration stages. Complete them in this order.
Stage 1: Register the Microsoft Authentication Library App in Microsoft Entra ID
- Sign in to the Microsoft Entra admin center
Go to https://entra.microsoft.com and sign in with a Global Administrator account.
- Open App registrations
In the left menu, select Identity > Applications > App registrations.
- Register a new application for MSAL
Click New registration. Enter a name such as “Outlook iOS Shared Device App.” For Supported account types, choose “Accounts in this organizational directory only.” Leave the Redirect URI blank for now. Click Register.
- Note the Application (client) ID
Copy the Application ID from the Overview page. You will need this in Stage 2.
- Enable public client flows
In the left menu, select Authentication. Under Advanced settings, set Allow public client flows to Yes. Click Save.
- Add the iOS redirect URI
Still on the Authentication page, under Redirect URIs, click Add URI. Enter msauth.com.microsoft.office.outlook://auth. Click Save.
Stage 2: Create an Intune Configuration Profile for Shared Device Mode
- Sign in to the Microsoft Intune admin center
Go to https://intune.microsoft.com and sign in with an Intune Administrator account.
- Create a device configuration profile
Select Devices > Configuration profiles > Create profile. For Platform, choose iOS/iPadOS. For Profile type, choose Templates > Shared device configuration. Click Create.
- Configure shared device settings
In the Configuration settings tab, set Enable shared iPad to Yes. This setting activates Shared Device Mode on the device. Do not change other settings unless your organization requires them.
- Assign the profile to device groups
In the Assignments tab, select the device groups that contain the shared iOS devices. Click Next and then Create.
Stage 3: Create an Intune App Configuration Policy for Outlook
- Go to App configuration policies
In Intune, select Apps > App configuration policies > Add > Managed devices.
- Select Outlook for iOS
For Device enrollment type, choose Managed devices. Click Select app and choose Microsoft Outlook for iOS. Click Select.
- Add the shared device configuration key
Under Configuration settings, select Use configuration designer. Add a new key with the name shared_device_mode and the value true. The key type is String.
- Assign the policy
In the Assignments tab, select the same device groups used in Stage 2. Click Next and then Create.
Common Issues When Enabling Shared Device Mode
Outlook Does Not Show the Sign-Out Button
If the Outlook app does not display the sign-out option after configuration, the device may not be supervised. Shared Device Mode requires supervised devices enrolled via Apple Business Manager or Apple Configurator. Check the device enrollment type in Intune under Devices > iOS/iPadOS > iOS enrollment. If the device is not supervised, re-enroll it using the correct method.
Users Cannot Sign In After Enabling Shared Device Mode
This typically occurs when the MSAL app registration is missing the public client flow setting. Return to the Microsoft Entra admin center, open the app registration you created, and confirm that Allow public client flows is set to Yes. Also verify the redirect URI msauth.com.microsoft.office.outlook://auth is present.
App Configuration Policy Does Not Apply
If the policy shows a status of “Not applicable” on the device, the Outlook app may not be installed as a managed app. Ensure Outlook is deployed through Intune as a Required or Available app. Uninstall and reinstall Outlook through Intune to force the policy to apply.
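The checks behind the issues above can be run as an offline audit before devices go out on shift. This is an added example, not Microsoft tooling or code from this article; it assumes the settings were exported as JSON shaped like the Microsoft Graph `application`, `iosMobileAppConfiguration` and `managedDevice` resources, and the function names and sample values are constructed.

```python
# Added example: offline audit of the settings this article configures.
REDIRECT_URI = "msauth.com.microsoft.office.outlook://auth"  # from the article
CONFIG_KEY = "shared_device_mode"                             # from the article


def audit_app_registration(app):
    """Check a Graph `application` object (Stage 1 settings)."""
    findings = []
    # Graph reports an unset flag as null, which must not be read as Yes.
    if app.get("isFallbackPublicClient") is not True:
        findings.append("Allow public client flows is not set to Yes")
    uris = (app.get("publicClient") or {}).get("redirectUris") or []
    if REDIRECT_URI not in uris:
        findings.append("redirect URI " + REDIRECT_URI + " is missing")
    return findings


def audit_app_config(policy):
    """Check an `iosMobileAppConfiguration` object (Stage 3 settings)."""
    for setting in policy.get("settings") or []:
        if setting.get("appConfigKey") == CONFIG_KEY:
            findings = []
            if setting.get("appConfigKeyType") != "stringType":
                findings.append(CONFIG_KEY + " key type is not String")
            if setting.get("appConfigKeyValue") != "true":
                findings.append(CONFIG_KEY + " value is not true")
            return findings
    return [CONFIG_KEY + " key is absent from the policy"]


def audit_device(device):
    """Check a `managedDevice` object for supervision."""
    if device.get("isSupervised") is not True:
        return [device.get("deviceName", "<unnamed>") + " is not supervised"]
    return []


# Constructed sample data (not taken from a real tenant).
SAMPLE_APP = {"isFallbackPublicClient": None,
              "publicClient": {"redirectUris": [REDIRECT_URI]}}
SAMPLE_POLICY = {"settings": [{"appConfigKey": "shared_device_mode",
                               "appConfigKeyType": "booleanType",
                               "appConfigKeyValue": "true"}]}
SAMPLE_DEVICE = {"deviceName": "FRONTLINE-IPAD-01", "isSupervised": False}

if __name__ == "__main__":
    for finding in (audit_app_registration(SAMPLE_APP)
                    + audit_app_config(SAMPLE_POLICY)
                    + audit_device(SAMPLE_DEVICE)):
        print("FINDING:", finding)
```

An empty list from all three functions means the settings match what Stages 1 and 3 and the supervision prerequisite describe.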
Shared Device Mode vs Standard Sign-In: Key Differences
| Item | Shared Device Mode | Standard Sign-In |
|---|---|---|
| User data retention | Cleared on sign-out | Persists until manual removal |
| Number of users per session | One user at a time | Multiple accounts possible |
| Device enrollment requirement | Supervised iOS device | No supervision needed |
| Sign-out behavior | Wipes all app data | Only removes account |
| Supported Outlook version | 4.0 or later | Any version |
Conclusion
You can now enable Shared Device Mode for Outlook on iOS using Microsoft Intune and Microsoft Entra ID. The feature ensures that front-line workers sign in and out securely without leaving data behind. After setup, test the configuration on one device by signing in with a test account, closing Outlook, and signing in with a different account to confirm data separation. For advanced control, combine Shared Device Mode with Intune app protection policies to prevent data transfer to unmanaged apps.