Hola Guys……. Hope you are doing? Today, learn to “Enrol Corporate Owned Android devices into Kiosk Mode using Intune“. In one of the posts, we discussed and learned how to Enrol Corporate Owned Android devices into fully Managed devices using Intune.
As per Google, Kiosk software is the system and user interface software designed for an interactive kiosk or Internet kiosk, enclosing the system in a way that prevents user interaction and activities on the device outside the scope of execution of the software.
In simple terms, Kiosk mode is something where we restrict a device to use only a specific application or multiple applications as per organizational requirements. This will turn the device into a single-purpose device, preventing user interaction and activities on the device outside the scope of execution of the allowed applications.
These devices are used in Shopping complexes where you want to allow them for public use but restrict them to single or multiple applications, sales POS devices, and warehouses for inventory management. I recently visited one of the multiplex chains, where they had Digital Displays displaying current shows and upcoming movies. Users can interact with the tablet but cannot modify the device’s settings.
- Enforce Users to Enroll Devices with Intune Conditional Access Policies
- Enrol Android Devices to Android for Work in Intune
Prerequisites for Enabling KIOSK Mode in Intune
Microsoft allows us to enable KIOSK mode for Android devices, and they call it Corporate Owned Dedicated devices. There are a few prerequisites for enabling KIOSK mode. Let’s see below.
- Android devices must be running on Android 8.0 and above
- Devices should support Google Mobile Services(GMS) and be able to connect to GMS on the given network.
- Devices must be Factory reset before enrolling into KIOSK mode
- Connect your Intune tenant with Managed Google Playstore
Smartphones and tablets that support Android Enterprise can be used as Android kiosks by locking down devices to run a single app or a specific set of apps using Android Kiosk Mode.
Create an Enrolment Profile for Enrol Corporate Owned Android Devices or KIOSK Mode
From here on, I will use corporate-owned dedicated devices, as this is the actual name used in Intune. We must create an Enrollment profile first to enable admins to enrol a device to dedicated mode. Let’s see below the steps to create an Enrollment profile.
- Login to Microsoft Intune Admin Center
- Click Devices > Enroll devices > Android Enrollment
- Click on Corporate-owned dedicated devices
Now click on Create Profile. On the basics page, provide the Name and Description for the profile, and under Token Type, select Corporate Owned Dedicated devices for KIOSK mode. In this mode, the device will be enrolled as a Corporate-Owned Dedicated device without any user associated with the device.
If you choose a Corporate-owned dedicated device with Azure AD shared mode, the device enrols as a Corporate-owned dedicated device, but while enrolling the device, Intune will install the Microsoft Authenticator app, which will be used for single sign-on and single sign-out across apps on the device that is integrated with the Azure AD Microsoft Authentication Library and global sign-in/sign-out calls by the users.
Now select the Token expiration date for the token. We can set a maximum of 65 years. The token will expire on the selected expiry day at 12:59:59 PM in the time zone it was created. Select the required expiry date for the token and click on Next to Create the enrollment token.
Click on Create. We can access the token by navigating to Devices > Enroll devices > Android Enrollment > Corporate-owned dedicated devices > Select the token created > Token. The token will show a 20-character string and QR code. We can use either to enrol the device in KIOSK mode.
Now that we have created the enrollment token, we must create a Dynamic Group to assign the profiles to Corporate-owned dedicated devices mode devices.
Create Azure/Entra Dynamic AD Groups
Azure/Entra Dynamic AD groups are smart groups containing members per our security configurations. In simple terms, we can create groups based on certain rules. If any user or device matches, the rule will be a member of that dynamic group.
We will create an Entra Dynamic AD group based on the enrollment profile name for our discussion. Once the device enrols, using the enrollment profile, you will be a member of this group. To create a Dynamic group, please follow the below steps.
- Login to Microsoft Entra Admin Center
- Click on Groups > All Groups
- Click on New Group
Now Select the Group type as Security, and Provide the Name and Description for the group. Now, select the Membership type as Dynamic device and click on Add dynamic query to add the dynamic query.
Under Property, select enrollmentProfileName, set Operator to Equals, and provide the enrollment profile name we created under Value, as shown in the screenshot below. Once done, click on Save. Now click on Create. This will create a Dynamic group. The Dynamic query looks like this: “(device.enrollmentProfileName -eq “KIOSK_Mode_HTMD”)“.
We will use this group to assign the device profiles and applications. Thus, whenever a device enrolls with the KIOSK enrollment profile, it will be part of this Dynamic group and get the Profiles and apps assigned to it. Now, let us create a Device Profile to force the device into KIOSK Mode.
Deploy Managed Google Play Store App
We have created an Enrolment Profile, Dynamic Group, based on the Enrolment profile. The third step would be assigning an app that can be used in KIOSK mode. I’m using a Managed Google PlayStore app, Microsoft Edge, for our discussion.
We have created an article on deploying Managed Google Play store apps and refer to the Deploy Apps to Users section to add apps to Intune. Once the app is added, we need to assign the app in Required mode to the Dynamic group we created above.
- Login to Microsoft Intune Admin Center
- Click on Apps > All Apps
- Search for Microsoft Edge Browser
Select the app, click on Properties, and scroll to the bottom for the Assignments section. Click on Edit next to Assignments to edit the assignments.
On the assignment page, under the Required section, click Add group, select the dynamic group we created, and click Select at the bottom. Now click on Review and save to save the assignments.
Enrol Corporate Owned Android devices into Kiosk Mode/ Corporate Owned Dedicated devices using Intune – Part 1 Fig: 1
Once the device syncs with Intune, the Microsoft Edge browser will be installed on the devices enrolled with the KIOSK token. This is the app to which the device gets locked. After installing the app, users can use only this app.
Create Device Configuration Profile
As the fourth and final step, we must create a Device Configuration Profile. In this device configuration profile, we will define the device Device Experience. We can configure other settings but will focus only on the device Experience section as we discuss KIOSK mode.
- Login to Microsoft Intune Admin Center
- Click on Devices > Android
- Click on Configuration Profiles
- Click on Create Profile
As we create a profile for Android for Enterprise devices, select Platform as Android Enterprise and select the Profile type as Device Restrictions, the device Experience is defined by device restrictions. Click on Create
Provide the Name and Description for the configuration Profile on the Basics page and click Next. You can view various restrictions sorted into different categories on the device Restrictions page. We are now just focusing on the Device Experience category.
Click on the Device Experience category to see the message “These settings only work for fully managed and dedicated devices.” This means the settings are applied to devices enrolled via the Corporate Owned Dedicated device and Corporate Owned Fully Managed device method.
Click on the Enrollment Profile type to view Fully Managed and Dedicated Device options. Select Dedicated Devices. Once you select the dedicated devices, you will get an option to select the KIOSK type. Here, we will define whether the device should restricted to a single app or Multiple apps.
When I select Single App, I can choose the app that needs to be installed and the device locked to that app. Click on Select an app for kiosk mode, and select the Microsoft Edge browser, as we wanted the Edge browser available for the KIOSK device.
If you select Multi-apps, we must configure Microsoft’s Managed Home Screen app, which will act as a launcher for multi-apps. I chose a single app for this article. We will discuss Multiple apps and other settings in another article.
We can configure different device configurations for KIOSK devices as per your organizational requirements. For now, I’m skipping other settings. Click on Next to assign any scope tags if you have. Click Next on the Assignment page and add the Dynamic group we created.
We have completed all the required steps to enroll a device in Corporate-Owned Dedicated Devices Mode. We are ready to enrol a device on KIOSK mode. To do that, we need to Factory reset the device if it is already in use, or we can use a brand-new device. In another post, we will discuss the enrollment part and multi-apps KIOSK mode.
I hope this article helps you prepare to deploy corporate-owned dedicated devices(KIOSK mode Android) in your organization. Please let me know how you like the post in the comments below. I’ll be back with new and interesting articles on Intune. Til then, have happy learning.
About Author – Narendra Kumar Malepati (Naren) has 11+ years of experience in IT, working on different MDM tools. Over the last seven years, Naren has been working on various features of Intune, including migration from different MDMs to Intune. Naren mainly focuses on Android, iOS, and MacOS.