Android Enterprise Dedicated device Multi-App KIOSK deployment with MEM Intune

Android Enterprise Multi-App KIOSK deployment with MEM Intune

This blog post focuses on Android Enterprise Dedicated device, Multi-App Kiosk deployment with Intune (a.k.a Microsoft Endpoint Manager).

As I have done with each post of this series before, let’s start with a short introduction, understanding the use-case of Android Dedicated devices.

Android Enterprise Dedicated device management mode

Dedicated devices (also referred to as Corporate-Owned Single-Use, or COSU) are fully managed devices that serve a specific purpose, such as to

  • Run the device in an immersive, kiosk-like fashion, locked to run only an admin-defined set of apps.
  • Share a device between multiple users (such as shift workers or public-kiosk users)

Such devices are mostly used in the below scenarios

  • Employee-facing: Inventory management, field service management, transport, and logistics
  • Customer-facing: Kiosks, digital signage, hospitality check-in

Post #3 as listed above already covers the use-case scenarios for the different Android Enterprise management modes available. Check it out!

With the 2010 Service Release of Microsoft Intune, you get options to create separate unique enrollment tokens within the Dedicated devices category thereby enabling you to provision dedicated devices either for

  • Single purpose use as in Kiosk/Terminal devices, or
  • Azure AD Shared device mode
Read my blog on Azure AD Shared Device mode with Android Enterprise Dedicated Devices to learn more about it.

As mentioned earlier, today’s post will cover the 1st option, i.e. setting up a dedicated device for single-purpose use as in kiosk/terminal devices.

When setting up a KIOSK, depending on the requirement, you can set it up to run in either

  • Single App Kiosk mode, or
  • Multi-App KIOSK mode.

In this article, we will be doing the Multi-App Kiosk setup, locking the device to run only two browsers – Microsoft Edge and Google Chrome.

So let’s get started.

Pre-requisite check – Managed Google Play binding with MEM tenant

Managed Google Play binding with MEM tenant is a pre-requisite step before you would be able to onboard and manage Android devices in Intune with the different Android Enterprise management modes available.

The binding allows Intune as an EMM to create obfuscated accounts (Managed Google Play accounts) on the fly which are actually used to provision the devices (or work profile). Intune maps the obfuscated account to the real user identity in Azure AD and this mapping is not visible or made available to Google.

Android Enterprise Multi-App Kiosk Device Provisioning with Intune

Create the Android Enterprise Dedicated Device Enrollment Token

Login to MEM Admin Center and navigate to Devices > Android > Android Enrollment and click on Corporate Owned Dedicated devices.


Click on Create Profile and fill up the details. Choose Token type as Corporate-owned dedicated device (default).


Click on Next and then Create. The enrollment profile gets created and you are returned to the landing page, which now lists your newly created enrollment profile. Click on the 3 horizontal dots on the extreme right, which shows two options: View enrollment token and Delete.

You would see the Enrollment Token and QR Code displayed on the fly-out window on the right side.


Or, you can also click to open the Enrollment profile created and click on Token to view the QR Code or Token.


This QR Code or Token can be shared (via email, print-out, etc.) with the end-users or local IT support teams responsible for setting up the device and then handing it over to the end-users.

Create Dynamic Device group to contain Android Enterprise Dedicated Devices for easy profile targeting

Create a dynamic device group in Azure AD to contain the devices enrolled using the above enrollment profile. The dynamic rule is quite simple: device.enrollmentProfileName -eq "Enrollment Profile Name" (use straight double quotes; the value must match the enrollment profile name exactly).

You can create from the MEM Admin Center by navigating to Groups and then clicking on New group.

  • Group type: Security
  • Azure AD roles can be assigned to the group (Preview): No
  • Membership type: Dynamic Device
  • Dynamic membership rule: device.enrollmentProfileName -eq "Multi-App Kiosk"
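As an added example that is not part of the original post, the same dynamic device group can be created with the Microsoft Graph PowerShell SDK instead of the portal, which is handy when the group needs to be recreated consistently across tenants. It assumes the Microsoft.Graph module is installed and the signed-in admin holds the Group.ReadWrite.All permission; the enrollment profile name "Multi-App Kiosk" is the one used in the post, while the group display name and mail nickname are made up for this example.

```powershell
# Added example (not from the original post): create the dynamic device group
# that collects devices enrolled with the Dedicated device enrollment profile.
# Assumes the Microsoft.Graph module and the Group.ReadWrite.All permission.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Must match the enrollment profile name exactly (not the token value).
$profileName = "Multi-App Kiosk"

# The rule needs straight double quotes around the value; single quotes around
# the whole rule keep PowerShell from interpreting them.
$rule = 'device.enrollmentProfileName -eq "' + $profileName + '"'

$group = New-MgGroup -DisplayName "Android Dedicated - Multi-App Kiosk" `
    -MailEnabled:$false -MailNickname "android-multiapp-kiosk" `
    -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

# Read the rule back as stored. A typo in the rule silently leaves the group
# empty, and then no kiosk policy or app ever reaches the devices.
Get-MgGroup -GroupId $group.Id -Property "displayName,membershipRule,membershipRuleProcessingState" |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
```

Membership is evaluated by Azure AD after enrollment, so the group stays empty until the first device enrolls with that profile; the read-back at the end is the quickest way to confirm the rule text before any device is provisioned.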

Deploy Apps from Managed Google Play

As mentioned earlier, the device to be provisioned in Multi-App KIOSK mode will run only two browsers, Edge and Chrome, for the purpose of this post. We will also require the Managed Home Screen app, as it acts as the launcher on top of which the other approved apps run in a Multi-App Kiosk setup.

In MEM Admin Center, navigate to Apps > All apps and click on Add and choose App type as Managed Google Play app and click on Select.

Managed Google Play will be displayed within the MEM Admin Center portal.

Previously, IT admins had to go to the Managed Google Play portal to approve apps, which then appeared in the Intune console after a Sync operation. Now, search for Chrome here and click on Approve.

Note: IT Admin can see if the App supports managed configuration and the app availability across locations.

It will display a pop-up to ask for admin consent for the app permissions.

Select the option that suits the environment and click on Done.

You will now see the app as Approved. Click on Sync to complete the transaction.

The app will be added to Intune app list with Assigned set to No. [We have only approved the app but have not made any active assignment yet!]

Open the app and, under Properties, click on Edit to make an active assignment.

Click on Add group under Assignment type Required and select the Dynamic Device Group as created earlier.

Save the changes and the App will now reflect with Assigned status as Yes.

Repeat the same process for Edge and Managed Home Screen app [or the apps that you want to use for your scenario]

Create Multi-App KIOSK device configuration profile

In MEM Admin Center, navigate to Devices > Configuration profiles and click on Create profile. Select Android Enterprise as the Platform, choose the Profile type Device restrictions from under the Fully Managed, Dedicated, and Corporate-Owned Work Profile category, and click on the Create button below.


Give an appropriate Profile name as per the standard naming convention followed in your environment and proceed to configuration settings. Under Device experience, select Enrollment profile type as Dedicated device and then select the Kiosk mode to Multi-app.


Once you do that, you would get a plethora of settings to configure the Kiosk experience.

The first thing we need to do is select the apps that would be allowed to run in Multi-App Kiosk mode. Here I selected the two browsers, Edge and Chrome we approved and deployed earlier.

You can configure the rest of the settings as per your requirement. My sample configuration is below


You can choose to configure settings under the other categories as per requirement. Once done, make the assignment to the same Dynamic Device group as created earlier.

At this point, we are almost done configuring from the Admin perspective for Android Enterprise Multi-App Kiosk device provisioning with Intune.

As an additional, optional step, you as the IT admin can configure app configuration profiles if the apps selected to run within the Multi-App kiosk support managed app configuration.

[Optional] Create Intune App Configuration Profiles

When provisioning an Android Enterprise Dedicated device to run in Multi-app KIOSK mode, if the apps in context support managed configurations, you would probably want to configure a few settings for them.

In MEM Admin Center portal, navigate to Apps > App configuration policies and click on Add and select Managed devices.

Here I am only showing how to create an App Configuration profile for Google Chrome to achieve the sample requirements like

  • Block specific URLs – Facebook.com, Youtube.com
  • Disable Incognito mode

Give a suitable Name. Choose

  • Platform: Android Enterprise
  • Profile Type: Fully Managed, Dedicated, and Corporate-Owned Work Profile Only
  • Targeted app: Google Chrome

In the next screen, you can choose Add custom permissions. Note that the permissions added here override the “Default app permissions” for the selected app.

For the purpose of this post, here we will only add configuration settings. You can either add configurations by entering JSON data or use the Configuration designer to configure the settings using the UI.

Note: Not all managed settings are always available via the Configuration designer for all apps. The developer of the app defines the configuration options made available and as such, you should always refer to the developer guides of the app to understand the available managed configuration settings.

Here I have gone forward with the Configuration designer and configured the settings as required to achieve the requirements.

Click on Next and make the Assignment.

Use the Select groups to include button and select the same Dynamic Device Group as created earlier to contain the devices.
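As an added example (not the author's own configuration), here is the Chrome policy described above expressed in the JSON that the "Enter JSON data" option of the app configuration policy accepts, built with PowerShell so it can be saved, reviewed and reused. The keys URLBlocklist and IncognitoModeAvailability are Chrome's own managed configuration keys; the optional upload at the end uses the beta androidManagedStoreAppConfiguration resource of Microsoft Graph, which is an assumption for this example, and the Intune app ID it targets is a placeholder.

```powershell
# Added example (not from the original post): build the Chrome managed
# configuration as Intune's "Enter JSON data" format and optionally upload it.
# Policy keys are Chrome's own; the Graph resource at the end is beta and an
# assumption for this example.
$blockedUrls = @("facebook.com", "youtube.com")

$managedConfig = [ordered]@{
    kind            = "androidenterprise#managedConfiguration"
    productId       = "app:com.android.chrome"
    managedProperty = @(
        # Chrome blocks these hosts and all of their subdomains.
        @{ key = "URLBlocklist";              valueStringArray = $blockedUrls },
        # IncognitoModeAvailability: 0 = allowed, 1 = disabled, 2 = forced.
        @{ key = "IncognitoModeAvailability"; valueInteger     = 1 }
    )
}

$json = $managedConfig | ConvertTo-Json -Depth 5

# Save for pasting into the JSON editor of the app configuration policy.
$json | Set-Content -Path ".\chrome-kiosk-config.json" -Encoding UTF8

# Optional: create the policy directly. Intune stores the managed configuration
# base64-encoded in payloadJson. Assumption: beta resource type; app ID is a
# placeholder (the Intune ID of the Google Chrome app added from Managed Google Play).
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"
$body = @{
    "@odata.type"      = "#microsoft.graph.androidManagedStoreAppConfiguration"
    displayName        = "Chrome - Multi-App Kiosk"
    packageId          = "app:com.android.chrome"
    payloadJson        = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($json))
    targetedMobileApps = @("<intune-app-id-of-google-chrome>")  # placeholder
}
$policy = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceAppManagement/mobileAppConfigurations" `
    -Body ($body | ConvertTo-Json -Depth 5) -ContentType "application/json"
$policy.id
```

The saved JSON is the part worth keeping under version control: it records exactly which hosts are blocked and that Incognito is disabled, so a later change to the policy can be diffed rather than reconstructed from portal screenshots. Assignment to the dynamic device group is then done in the portal as described above.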

NOTE: Repeat the same process for the other apps that you would want to configure and use in your Multi-App Kiosk setup. If you want to configure the settings of the Managed Home Screen app, refer to this Microsoft document.

Here I have created two other app configuration profiles, one for Edge which is similar to the Chrome configuration profile I created above.

And another one for the Managed Home Screen app.

All three profiles are assigned to the same dynamic device group as created earlier.

Note: For other apps, keep in mind that the app itself must support managed configuration to be targeted using an App configuration profile from Intune. Review the application vendor's documentation to see whether an app supports managed configuration and which settings are available.

That’s all that is required from the Admin end.

End-User Device Provisioning and Usage Experience

As with any Android Enterprise corporate-owned management mode, device provisioning needs to be triggered during the initial device setup. Thus new devices can start with the provisioning out-of-the-box, whereas existing devices would require a factory reset to get provisioned.


Connect to Wi-Fi and continue with the guided setup flow.


Notice that the setup does not ask for user sign-in, since Android Enterprise Dedicated device provisioning is a Without User Affinity scenario. As such, the device in MEM Admin Center comes up as below.

It takes some time before the Multi-App Kiosk policy (device configuration) and the Apps (along with the app configuration profiles) are enforced on the device. This lag is due to the time taken by Azure AD to make the newly enrolled device member of the dynamic device group (created to contain devices enrolled with a particular enrollment profile) to which all the policies and apps are targeted. Usually, this does not take more than 5-10 minutes as I tested.

Once the policies take effect, you would see the Managed Home Screen app launching itself as the Multi-app KIOSK launcher. However, I have seen it prompting to give consent to location and overlay permissions as below.


Once you are done with the above, this will be what the final device state will look like.


And what about the app configs we created to control and manage browser features? Here is an example snap for Google Chrome.

Trying to access facebook.com gets blocked as required. The option to open a New Incognito tab is grayed out as configured. You can see all the policies applied to Chrome by opening chrome://policy in the URL bar.

Facing issues – Quick checks on the device

Based on your configuration, you can access the Managed Home Screen’s debug screen

  • by pressing the back button until the debug screen is displayed (press the back button 15 times or more), or
  • by using Quick access to Device Information (if you have enabled it).

From this debug screen, you can tap on Open Android Device Policy link or Launch Android Device Policy app to get the Device Policy screen which shows you the current enforced policies and Apps.


You can also check the current applied configuration to Managed Home Screen app by using the Logs option. 


Last but not the least…

Android Enterprise Dedicated devices are not subject to compliance evaluation, as they have no user affinity.

Hence, such devices will get blocked by a Conditional Access policy if the Grant access control of your configured CA policy requires device compliance to meet the access criteria. Considering that the use-case of Dedicated devices is primarily customer-facing, such as devices running as kiosks, digital signage, hospitality check-in, etc., such devices should not be forced to go through Conditional Access.

If your use-case of Dedicated devices is Employee facing like the same device to be shared between multiple users across shifts where employees will require to sign-in and access corporate resources via approved apps, that is served by the Dedicated device Azure AD Shared mode. Read more here.

2 Comments

  1. Great step by step. After ‘Leave kiosk mode’ has been applied, how can a user or admin leave kiosk mode on the actual device?
