Best Guide for Multi-App Kiosk Mode for Corporate-Owned Devices in Intune

Hello everyone. Today, learn about Multi-App Kiosk Mode for Corporate-Owned Devices in Intune. Our previous article discussed the required configurations and Single app mode from Corporate Dedicated Devices.

This article will focus on User experience and Multi-app kiosk Mode for Corporate Dedicated devices. As you have read the article, you know that we can restrict the Corporate devices to a single app usage. What if your organization requires you to run multiple apps on corporate-owned devices?

This is where Intune Multi-app Kiosk Mode helps to achieve it. Intune allows you to have Multi-app Kiosk devices. Some examples of kiosk mode being utilized are devices being used to display PDF designs, maps, and blueprints through a file explorer app by field engineers or devices being used for their 1st party barcode scanning software in combination with 3rd party inventory software in a warehouse.

Deploy Microsoft Home Screen

In Multi-app Kiosk Mode, the device will be locked with multiple apps that are assigned to the device. These apps will be launched from the Managed Home Screen app. Before creating a device configuration profile, we must approve the Managed Home Screen app and assign it to the devices in the Required mode.

Patch My PC
Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 1
Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 1

Under App Type, select Managed Google Play app and click Select. Now, on iFrame, search for Managed Home screen, click Select and click Sync.

Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 2
Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 2

After a few minutes, the app will be synced to Intune and ready for deployment. We must assign the app to the Dynamic group we created based on Token. Search for the app.

Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 3
Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 3

Now click on the app Properties. Click on Edit under Assignments. Under Required mode, click Add Group, Search for the Dynamic group, and select the group. Click on Select and Review and Save it.

Enable Multi-App Kiosk Mode for Corporate-Owned

If you are reading this article first, please refer to our previous article, where we discussed how to create an Enrolment Profile for Enrol Corporate Owned Android Devices, create Azure AD/Entra Dynamic AD Groups, and Deploy Managed Google Play Store Apps. This would be the same for deploying Multi-app Kiosk Devices.

Create a Device Configuration Profile Enable Multi-App Kiosk Mode

Now, let’s create a Multi-app Device configuration. Also, we need to deploy the app as required to the enrolled devices using the Kiosk Mode Enrollment Token. Let’s see how to create the Device Configuration Profile in the below steps.

Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 4
Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 4

Select Platform as Android Enterprise and select the Profile type as Device Restrictions. We need to define the device Experience using Configuration profiles. The device Experience is limited by device restrictions. Click on Create.

Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 5
Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 5

Provide the Name and Description for the configuration Profile on the Basics page and click Next. You can view various restrictions sorted into different categories on the device Restrictions page. As mentioned above, we are focusing mainly on the device Experience category.

Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 6
Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 6

Click on the Device Experience category to see the message “These settings only work for fully” managed and dedicated devices.” These settings are applied to devices enrolled via the Corporate Owned Dedicated device and Corporate Owned Fully Managed device method.

Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 7
Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 7

Click on the Enrollment Profile type to view Fully Managed and Dedicated Device options. Select Dedicated Devices. Once you select the dedicated devices, you will get an option to choose the KIOSK type. Here, we will define whether the device should restricted to a single app or Multiple apps.

Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 8
Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 8

As we are discussing on multi-app Kiosk, select multi-app, we will get the option to either configure the Custom app layout or go with the default one. Click on Enable to configure this. We can define the home screen layout, like defining how many rows and columns to display on the home screen.

To add multiple apps, click on the plus symbol, and it will open the apps list. Select the required apps and click on OK. We can add and position the Multiple apps as per our requirements. Users cannot re-position the apps as these are locked to the home screen.

Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 9
Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 9

Now, Admin has more options. To customize the Home Screen app icons, we can define the Folder icon and App Folder icon as well. As an admin, you can choose the required settings for app icons. We can also choose to fix the screen’s orientation as portrait, Landscape, or auto-rotate. The required settings can be seen in the screenshot below.

Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 10
Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 10

The following important setting we need to configure is “Leave kiosk mode”. When enabled, the user or Admin can exit the Kiosk mode by entering the “Leave kiosk mode code”. As an Intune admin, we must set the code in the Configuration profile. As the device is in lock mode, we can configure Wi-Fi settings to connect when the Wi-Fi is available automatically.

Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 11
Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 11

There are other settings available to be configured, like enabling Bluetooth Settings, Flashlight settings, Media Volume settings and many more, available. I have not configured them as these are of very little importance for now. Admin can configure them as per their requirement.

Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 12
Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 12

There are a few other settings available under Multi-app Kiosk settings that are useful if you are deploying the devices with Microsoft Entra Shared device mode. So, we are skipping them, as these are irrelevant to our discussion. After configuring the required settings, Click on Next.

Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 13
Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 13

On the Scope tags page, add scope tags if you have any and click on the Next to the Assignment page. Now click on add group and add the Dynamic group we have created using the Token, and click Next to Review and save the settings.

Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 14
Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 14

We have completed the required device configurations and are all set to enrol the devices on Multi-App Kiosk mode. Let’s see how we can enrol a device on Multi-app Kiosk mode in the User Experience section.

Note! If your organization require Single-App Kiosk mode and Multi-App Kiosk mode, create two different enrollment profiles for Single app mode and Multi-app mode, as the settings and apps deployed will be deployed using the Dynamic group created using the enrolment profile.

User Experience

To enrol the device to Corporate Owned dedicated device mode, nothing but Kiosk Mode, the device must be either new or, if you have a device that is already in use, we must factory reset the device. Once the device is reset or turned on in the case of the new device, on the Start page of the device, tap on the screen 5-6 times to enable the camera to scan the QR code of the enrolment profile.

There are multiple ways to scan the Enrolment QR code, and we are using the simple and latest way of scanning the QR code. As an Admin, you will be managing the KIOSK devices, so please take a screenshot of the QR code, save it or share it with the helpdesk guys who will be enrolling the devices.

Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 15
Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 15

Once you scan the QR code or the Enrolment profile, the device on the Android OS verifies it and asks you to connect to a Wi-Fi, select the Wi-Fi you are using and connect the device to working Wi-Fi. The Wi-Fi should not have any restrictions or be able to connect to Google Services.

Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 16
Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 16

Once the device is connected to the network, the device starts setting up the device, and Intune will install. The Device Policy Controller app enforces your organization’s security policies on your device to protect corporate data and make it more secure. Click on Continue, and the device will continue to set up your device. This might take a while to proceed further.

Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 17
Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 17

Once the device setup is completed, you will be prompted to accept the permissions for Google Services. Depending on the device model, you need to accept the EULA. In our example, I’m using a Samsung device, so I need to accept the EULA for Samsung, as shown in step 11 above. Once accepted, you will presented with the device’s home screen, and the Microsoft Intune app will be installed.

Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 18
Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 18

The Microsoft Intune app is different from the Company Portal app that is available in Google Play Store. When you open it, it won’t have options. You can use the app to sync the device with Intune. As we have deployed. 3 other apps along with Managed Home Screen in required mode. Intune will make sure to install other apps as well.

After a successful installation of the Managed Home Screen and sync with Intune, the device will be locked to Kiosk mode. The apps are arranged as we set in the custom home screen in Fig 8. You cannot close the apps or view the notifications as the device is in kiosk mode.

Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 19
Multi-App Kiosk Mode for Corporate-Owned Devices in Intune Fig: 19

If you want to exit kiosk mode, tap 10-15 times on the back button. You will be presented with a small menu with different options, as shown in step 16. Click on Exit Kiosk, and You will be prompted to enter the exit code, which we set in Fig 10. An Admin, if the device has any issue, you can use this code to exit the kiosk mode and troubleshoot the issue. An end user cannot exit without the Exit Kiosk Code.

In step 17, you can view the default apps installed on Kiosk mode. We have only a few required apps, like camera, File Manager, and Managed Google Playstore, etc., for users. When you open managed Google PlayStore, you can view only the apps that are assigned to the devices, as shown in step 18. Users cannot install any other apps even if they wish to.

Conclusion

Thus, you can have Multi-app Kiosk mode for your corporate-owned Android devices. You can deploy as many apps as your organization requires. Restrict the number of apps to a max of 4-5. I hope you guys enjoyed reading this article. We will catch up on another day in another post.

We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here.

Author

About AuthorNarendra Kumar Malepati (Naren) has 11+ years of experience in IT, working on different MDM tools. Over the last seven years, Naren has been working on various features of Intune, including migration from different MDMs to Intune. Naren mainly focuses on Android, iOS, and MacOS.

6 thoughts on “Best Guide for Multi-App Kiosk Mode for Corporate-Owned Devices in Intune”

  1. Hi Naren,

    I am looking at different options for multi user capability on our corporate android devices & i have a couple of questions I’m hoping you can help with (I’m not a techy so please be gentle with me!).

    1. What are the main differences between Shared Device Mode & Kiosk Multi App Mode?

    2. In Kiosk Multi App Mode is it possible to remove and add apps centrally for all devices or will they have to be re-configured?

    3. Can we use active directory to manage staff logins?

    Thank you.

    Reply
    • 1. Shared devices are associated with users whereas KIOSK devices doesn’t require users to be associated with
      2. Yes, you can remove or add apps from Intune console
      3. For shared devices you can use AD for authentication

      Reply
  2. Do you have any suggestions to using this solution and having to whitelist native android applications to allow specific device functionality? For example, Wi-Fi networks with Captive Portal (CP). CP wont come to focus unless you whitelist specific Android activities, even then its still not flawless and many CP networks wont connect unless you exit Kiosk mode. Do you also have any suggestions as to how a user can locally reinstall the app (If multi app kiosk) should they encounter an error with the app installed? Frictionless app support would be a nice feature to have in these instances.

    Reply
  3. Hello Naren

    I have setup the Corporate owned dedicated devices enrolment profile

    Then configuration profile created( platform: Android Enterprise and Profile Type : Device restrictions)
    Applied to KIOSK device dynamic group
    But in the Device experience step, I could not locate Enrollment profile type : Dedicated deice and Fully managed options, Instead I can see Device experience type is ” Kiosk Mode(Dedicated and fully managed) , Microsoft Launcher(Fully managed only)
    So I selected Kiosk Mode (Dedicated and Fully managed )
    Kiosk Mode : Multi App
    In the Home screen – assigned some apps
    Managed Home screen app is uploaded and assigned to Kiosk devices Dynamic Group
    Leave Kiosk Mode : Enabled
    Leave Kiosk Mode code : I updated 6 digit code is updated

    In General step :
    Factory reset : Block

    Device Password
    Required password type : Numeric Complex
    Minimum Password length : 4
    Number of days until password expires : 180
    Number of password required before user can reuse password : 8
    number of sign in failures before wiping the device : 11

    Now from the cellphone end – Phone has been enrolled via scanning enrolment token which created on Corporate owned dedicated devices (manage device owner enrollments for Kiosk and task devices)

    Result : Phone has been enrolled .. But none of the configuration policy applied to the device

    I can see only 3 apps Microsoft authenticator , company portal.

    None of other apps applied like managed home screen apps , policies and all..

    I am not sure where I did mistakes.. Could you please help me on this.

    Waiting for your valuable response

    Reply
    • Hi Nagaraj,
      To Troubleshoot the issue, verify if the enrolled devices are part of the dynamic group. If the device is part of the group, please wait for a while to apply the policies on the device

      Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.