1. Home
  2. Device management
  3. Support & Features
  4. Intune guidance for JML and multi-organisation staff
Searching...

Intune guidance for JML and multi-organisation staff

Contents

Intune device management and JML

Devices enrolled in the NHSmail central tenant via Intune must be enrolled on a per-organisation basis (using ODS codes). This ensures they are correctly assigned to the appropriate organisation groups and the correct configuration policies are applied.

Scenarios

When people move between NHS local organisations, their User Identity is managed via a JML process where the user identity and licenses are sometimes ‘held’ by the originating organisation until ‘released’ to the new one.  Changes are not committed in Entra ID, licensing and Intune device management until the user account is migrated to inherit a new ODS attribute.

 

During this time, a managed device may contain apps and configurations that ‘belong’ to the originating organisation, whereas the user has already started with the destination organisation.  In this scenario, USER-assigned configurations and applications from the originating organisation may persist on the device unless ‘un-configured’.  This can lead to un-desirable behaviors for devices where two local organisation are effectively attempting to manage a common device.

This article outlines some of the options and mitigations to allow new joiners (with their originating organisation device) to continue working until:

  1. The JML process for their identity is complete
  2. Their intended new or re-configured device can be enrolled and used with the new organisation

The following guidance applies for users from organisations that are already on-boarded to the NHSmail Intune platform (both originating and destination organisations)

  1. Ensure all configs and apps should be DEVICE-targeted by Intune to avoid devices inheriting apps and config from the originating organization.  Use Shared mobile devices if possible.
  2. For the originating organisation, apps and configurations should be un-assigned to prevent overlap and conflicts on the device as it passed to the destination organisation use.
  3. If possible, (Until JML is complete) new, designated devices presented to joiners are staged with Device-targeting only as above.
  4. If transferring a mobile device, users can or follow the guidance of administrators to enroll using the standard profile / shared device for the destination organisation. All the required apps and config should be targeted via existing groups
  5. For Windows devices, it may be practical to adopt the NHSmail Windows 365 platform to enable a simple Cloud PC desktop (managed by the destination org) that can be accessed with any physical laptop that may still ‘belong’ to the originating organisation.
Recommendation / Recommended Use

Windows 365 Licenses are provided without cost (up to 350 users) on the NHSMail tenant until at least March 2025 – please contact the team for further information, by raising a ticket from Helpdesk Self-Service -> Service request-> Windows 365 Request-> and selecting License Information option.

Further tips

Organisations can and should collaborate during the ownership transition of the user’s identity to:

  • (Originating Org) Exclude users from assignments of specific apps
  • Test the amendment the scope tag of a device to match the destination organisation
  • Apply destination organisation configuration profiles to devices
  • Maintain device-targeting (rather than user-targeting) of apps as a contingency measure
  • Explore the efficacy of shared mobile devices as a contingency measure until JML is completed

Multi-organisation User Support

In many cases, staff may work across a few organisations on behalf of a ‘parent’ entity.  For example, Locums may work across many GP surgeries but will not ‘belong’ to any of them from an organizational / management perspective.

The NHSmail Intune platform provides methods to account this type of scenario by way of ‘Parent/Child’ configuration models via ODS codes.

Users may need to use apps or systems in each organisation but NOT have a device configuration for each of them

Devices enrolled onto the NHSMail Intune tenant are intrinsically linked to their ODS code and so staff must use a device that is managed by their (ODS) organisation, or a parent ODS organisation with administrative scope.  As such, organisations should:

  • For Mobile Devices, use shared devices where possible where device targeting of apps and resources is straightforward.
  • For Windows Devices used across organizations (with an agnostic physical device), the NHSmail Windows 365 platform can be adopted to provide a ‘bridge VDI’ device that can be used to provide access to multi-organisation resources.

For more information on managing devices across multiple organisations, please refer to section 3.5 of the NHSmail Intune Operations guide .  This guide provides the options for managing all sub-organisation devices centrally or alternatively providing a delegation model to component ‘child’ organisations.

Future capability

The NHSMail platform is investigating capabilities to streamline device handling during NHS employee moves and changes as part of NHS.net Connect.

Work is on-going to streamline the handling of devices through the JML process for NHS organisations and solution details will be disclosed in due course.

Last Reviewed Date 24/09/2024
Updated on 25/09/2024
Tagged:

Related Articles

Need Support?
Can’t find the answer you’re looking for? Don’t worry we’re here to help!
Contact Support
back to top