Authenticate to Microsoft Apps on iOS Devices with GroundControl


NOTE: This topic applies to iOS devices. To configure authentication to Microsoft apps on Android devices, see this topic.

Imprivata GroundControl integrates with Microsoft in several ways to streamline sign in and out:

  • Two-tap sign-in: Eliminate dozens of key presses at the start of each shift, skip realm discovery, seed the users’ email addresses, and autofill passwords
  • Automatic sign-out: Cleanly close all apps supporting MSAL and shared device mode

These benefits save significant time for your workers each day, increase mobile adoption, and remove private data once no longer needed. As a secondary benefit, password management allows your organization to increase password complexity, and increase security, without creating additional burden on your staff.

There are strict requirements, which may limit when this feature may be used:

  • Microsoft’s apps must be aware of Microsoft’s Shared Device Mode
    • Supported apps:
      • Microsoft Teams (in public preview)
      • Microsoft Power BI Mobile (in public preview)

NOTE: At the time of writing, some of these apps are part of Microsoft’s public preview, and will launch for general availability in the future. See your Microsoft documentation for more information.

  • Devices must be in Microsoft’s “shared device mode,” which typically requires touching each device to authenticate once as an Azure admin user. If using Intune, the process is streamlined significantly; however, you will need to erase and re-provision each device.

Expected Behavior

  1. On device check out, users will see the standard white Check Out screen with their name. However, this screen now includes a blue button to continue to sign into Microsoft’s authentication system.
  2. Users may swipe up to skip Microsoft authentication, in which case they will be prompted when opening their first Microsoft app. If they do tap the button, they will be presented with a standard Microsoft authentication screen, with your organization’s branding.
  3. Note that GroundControl has already added the user’s UPN (email address) so the system skips this initial screen and routes directly to password entry. Users may then use GroundControl’s Password AutoFill to enter their password with a single tap. TIP: Use Azure Conditional Access to disable MFA for shared devices.
  4. Users will then open the Teams app to complete Teams sign-in. Teams will not recognize the login until the app is opened once. When opened, Teams does not prompt for a login.
  5. When the device is returned to the Launchpad, GroundControl automatically signs out of Teams and the Microsoft authentication system with no prompt and no action required by the user.

There are several tasks required to set up this behavior. The tasks are detailed below.

Microsoft’s Shared Device Mode

Unlike most apps, Microsoft uses device-wide authentication, saving an authentication token to an iPhone’s keychain. This way, a single sign-in can be shared among multiple apps. Similarly, a single sign-out should cause all apps in the group to be signed out. But Microsoft’s authentication system is generally optimized for 1:1 mobile devices.

To modify these behaviors for shared use, Microsoft has introduced what it calls shared device mode. Microsoft’s shared device mode modifies the Microsoft sign-in workflow to be more suitable for shared devices. In addition, apps can be built to be aware of Microsoft’s shared device mode, and can modify their behavior to be optimized for shared device workflows.

(Intune Only) Create a DEP Profile for Shared Mode

You may streamline Microsoft Shared Device Mode if you use a preview feature of Microsoft Intune. Microsoft has built streamlined enrollment as a specialized iOS enrollment profile. This is available only for DEP devices.

    1. Open Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment program tokens > (token name) > Profiles. Create a new profile for iOS/iPadOS.
    2. Enter a name for the profile, such as “Shared Mode.” If you are using the preview, you will see the User Affinity option of Enroll with Microsoft Entra shared mode.
    3. You must also set Sync with computers to Allow Apple Configurator by certificate and upload your GroundControl supervision identity here. Remember to rename the supervision identity from “.crt” to “.cer”.
    4. Assign your shared iOS devices to this new enrollment profile. Then erase and re-provision your devices. Intune will push the required configuration to the Authenticator app to enable shared device mode.

TIP: In Devices > Filters, create a filter based on device.enrollmentProfileName to easily assign configurations to your shared devices. Intune filters are more efficient than device groups for enrollment-time configurations. You may then use this filter below to assign:

  • The Authenticator app
  • The shared mode configuration for Authenticator
  • The Enterprise SSO profile
  • Other configurations specific to shared devices

Install and Configure Microsoft Authenticator

Microsoft requires its Authenticator app to be installed to enable shared device mode. The app should be “purchased” (for free) using Apple Business Manager and distributed to all your shared devices.

For the pool of shared devices, you must create an app configuration (AppConfig) for Microsoft Authenticator, with a single key/value pair to enable Microsoft’s shared device mode. For most MDMs this has the following form:

sharedDeviceMode               (Boolean)            true

  • Workspace ONE: Change “Boolean” to another type then change it back to work around a UI bug. “True” should be uppercase.
  • Jamf Pro: Jamf Pro does not have a GUI for application config, so use the following:

(Non-Intune) Authorize Microsoft Authenticator

NOTE: Skip this step if you use Microsoft Intune as your MDM.

Open the Authenticator app on each iPhone. Authenticator prompts you to Set up Shared Device Mode and will request an Organization email and password. These credentials must be for a user with Azure Cloud Device administrator privileges.

You must enter these credentials once on every phone, but the registration persists until you erase the phone. This is an important step that cannot be automated at this time.

Create the Enterprise SSO Profile

For all MDMs, you must create and deploy a specialized configuration profile to enable in-app authentication. This profile will intercept the standard Microsoft authentication workflow, and substitute an authentication extension embedded in the Microsoft Authenticator app. This step is required for the shared device SSO experience.


In Microsoft Intune, visit Devices > iOS/iPadOS > Configuration Profiles. Create a new Profile of type “Templates” and then select Device features. Enter a profile name such as “Shared Mode SSO Extension”.

On the next screen, scroll down to Single sign-on app extension. Select an SSO app extension type of Microsoft Entra ID and enable shared device mode.

In the Additional configuration section, add a key:

device_registration     String            {{DEVICEREGISTRATION}}

Assign this profile to your group of shared devices (the filter described above can help here).

Other MDMs

For other MDMs, there is a little more work to create the profile, but the work is straightforward. Microsoft has documented the generic requirements.

For example, here’s a screenshot of the proper configuration in VMware Workspace ONE.

After you create the profile, assign it to all your shared devices.

Enable Azure for GroundControl Integration

In Azure, create an App Registration to allow GroundControl API access.

NOTE: If you have already integrated Intune with GroundControl, you may reuse the app you previously created. Just be sure to add the permission User.Read to the app.

1. Log into your Azure tenant at

2. Search for the service App registrations.

3. Create a new registration.

4. Name the application “GroundControl API Access” or something similar.

5. Select the most limited account type.

6. In the Redirect URI box, type

7. Click OK to create the application.

8. In the vertical navigation bar, select API permissions.

9. Select the Microsoft Graph API.

10. Select Delegated permissions.

11. Add Delegated permissions for:

  • User.Read

12. Click Add Permissions.

13. Now that you have created the application, you need to grant permissions to it. At the top of the permission list is an action Grant admin consent for <company name>.

14. Consent to allow the application to access your Microsoft Entra ID registered devices.

15. In the vertical navigation bar, click Overview.

16. Copy both the Application (client) ID and the Directory (tenant) ID to a safe place. You will use these in the next step.
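
One way to confirm the registration stays as narrow as the steps above intend, as an added example (not Imprivata or Microsoft code): it audits an exported app manifest against the single-tenant account type from step 5 and the single delegated User.Read permission. The two manifests and the EXTRA_ROLE id are constructed; the Microsoft Graph application id and the User.Read scope id are the well-known Microsoft values.

```python
# Well-known identifiers in Microsoft Entra ID.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"     # Microsoft Graph
USER_READ_SCOPE = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"  # delegated User.Read


def audit_manifest(manifest):
    """Return findings for an app-registration manifest; [] means it matches the guide."""
    findings = []
    # Step 5: the most limited account type is single tenant.
    if manifest.get("signInAudience") != "AzureADMyOrg":
        findings.append("signInAudience is not single tenant (AzureADMyOrg)")
    granted = set()
    for resource in manifest.get("requiredResourceAccess", []):
        for access in resource.get("resourceAccess", []):
            granted.add((resource.get("resourceAppId", ""),
                         access.get("id", ""), access.get("type", "")))
    wanted = (GRAPH_APP_ID, USER_READ_SCOPE, "Scope")  # "Scope" means delegated
    if wanted not in granted:
        findings.append("delegated Microsoft Graph User.Read is missing")
    # Anything else requested is reported; "Role" entries are application permissions.
    for app_id, perm_id, kind in sorted(granted - {wanted}):
        label = "application" if kind == "Role" else "delegated"
        findings.append(f"extra {label} permission {perm_id} on {app_id}")
    return findings


# Constructed manifests; EXTRA_ROLE is a made-up permission id, not a real one.
EXTRA_ROLE = "99999999-0000-0000-0000-000000000000"
AS_DOCUMENTED = {
    "signInAudience": "AzureADMyOrg",
    "requiredResourceAccess": [{
        "resourceAppId": GRAPH_APP_ID,
        "resourceAccess": [{"id": USER_READ_SCOPE, "type": "Scope"}],
    }],
}
OVER_PERMISSIONED = {
    "signInAudience": "AzureADMultipleOrgs",
    "requiredResourceAccess": [{
        "resourceAppId": GRAPH_APP_ID,
        "resourceAccess": [{"id": USER_READ_SCOPE, "type": "Scope"},
                           {"id": EXTRA_ROLE, "type": "Role"}],
    }],
}

if __name__ == "__main__":
    print(audit_manifest(AS_DOCUMENTED))
    print(audit_manifest(OVER_PERMISSIONED))
```

An app reused from an existing Intune integration will report its other permissions as extras; treat those findings as items to review. The manifest lists requested permissions only, so admin consent still has to be checked in the portal.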

Configure Imprivata Locker iOS

Add a Locker Custom Option with the Azure keys for the Imprivata Locker iOS app.

  1. In the GroundControl server admin console, navigate to Admin > Check Out > Locker Custom Options and click Configure.
  2. In the Locker Custom Options field, enter the Azure key/value pairs in JSON format and click Save.

NOTE: Beginning in GroundControl 6.4, by default, the Imprivata Locker app automatically populates the user’s email address from Imprivata OneSign and Password Autofill populates the password.
Alternatively, you can define a custom email string by defining the key AzurePrimaryDomain; this key will override the user’s email address retrieved from Imprivata OneSign.

JSON Syntax

{
"AzureClientID": "<yourAzureApplicationID>",
"AzureTenantID": "<yourAzureDirectoryID>",
"AzureGraphEndpoint": "",
"AzurePrimaryDomain": "<yourDomain>",
"AzureSignInEnabled": true,
"AzureSignOutDelay": 10,
"AzureSignOutEnabled": true
}


  • <yourAzureApplicationID> is the Azure application ID you recorded in the previous step
  • <yourAzureDirectoryID> is the Azure directory ID you recorded in the previous step
  • <yourDomain> is the domain to append to all usernames to create the UPN


Example

{
"AzureClientID": "9999999-abcd-1234-1111111",
"AzureTenantID": "8888888-2222-3333-5555",
"AzureGraphEndpoint": "",
"AzurePrimaryDomain": "",
"AzureSignInEnabled": true,
"AzureSignOutDelay": 10,
"AzureSignOutEnabled": true
}
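
A pre-flight check for the Locker Custom Options text before it is pasted into the admin console, as an added example (not part of GroundControl): it catches text that is not a JSON object, misspelled Azure keys, wrong value types and unreplaced placeholders. It assumes the two IDs are mandatory and are GUIDs, and it ignores keys that do not start with "Azure"; the sample inputs are constructed.

```python
import json
import re

# Assumption: Entra application and tenant IDs are GUIDs (8-4-4-4-12 hex digits).
GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
# Key names and value types as shown in the article's JSON syntax block.
EXPECTED = {
    "AzureClientID": str, "AzureTenantID": str, "AzureGraphEndpoint": str,
    "AzurePrimaryDomain": str, "AzureSignInEnabled": bool,
    "AzureSignOutDelay": int, "AzureSignOutEnabled": bool,
}
REQUIRED = ("AzureClientID", "AzureTenantID")  # assumption: the two IDs are mandatory


def check_locker_options(text):
    """Return a list of problems; an empty list means the text looks usable."""
    try:
        options = json.loads(text)
    except json.JSONDecodeError as err:
        return [f"not valid JSON (line {err.lineno}): {err.msg}"]
    if not isinstance(options, dict):
        return ["top level must be a JSON object in braces"]
    problems = [f"{key}: missing" for key in REQUIRED if key not in options]
    for key, value in options.items():
        if key not in EXPECTED:
            if key.lower().startswith("azure"):
                problems.append(f"{key}: unknown key, check spelling and case")
            continue
        if type(value) is not EXPECTED[key]:  # type() so true/false is not taken as a number
            problems.append(f"{key}: expected {EXPECTED[key].__name__}")
        elif isinstance(value, str) and "<" in value:
            problems.append(f"{key}: placeholder not replaced")
        elif key in REQUIRED and not GUID.fullmatch(value):
            problems.append(f"{key}: not a GUID")
    return problems


# Constructed sample inputs (the IDs are made up).
GOOD = """{
  "AzureClientID": "11111111-2222-3333-4444-555555555555",
  "AzureTenantID": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
  "AzureSignInEnabled": true, "AzureSignOutDelay": 10, "AzureSignOutEnabled": true
}"""
BAD = """{
  "AzureClientId": "11111111-2222-3333-4444-555555555555",
  "AzureTenantID": "<yourAzureDirectoryID>",
  "AzureSignInEnabled": "true", "AzureSignOutDelay": 10
}"""

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_locker_options(sample))
```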