How to setup an Android Enterprise kiosk device with Microsoft Intune

In my last blog about Android Enterprise I showed how to setup a Corporate-owned dedicated device using Microsoft Intune. To further lock down such a device we can assign additional device restrictions settings to create a single or multi app kiosk-style device.
When creating a single app kiosk device, that device is only allowed to run one Android app. When the device is started, the assigned app is automatically started.
When creating a multi app kiosk device, only the allowed apps are presented on the home screen and accessible, you cannot leave the home screen to access other apps or the settings.

When setting up a kiosk-style device the same configuration steps need to be taken as for a ‘standard’ dedicated device;

  • Intune needs to be connected to your managed Google Play account
  • An enrollment profile is needed
  • A (dynamic) security group is needed
  • A device restrictions policy is needed
  • Android apps need to be assigned as required

But there are some additional steps which we need to take for a kiosk-style device. For both kiosk-style versions we need to add some extra settings to the device restrictions policy. For the multi app kiosk device we also need to approve and assign the Managed Home Screen app to the device as a required app. Let`s go further by locking down the dedicated Android device.

Create a kiosk profile

To configure kiosk mode we use a Device restrictions profile. In the device restrictions profile, we make the choice to create a single app or a multi-app kiosk device.

  1. Sign-in to the Endpoint Manager admin center
  2. Browse to Devices – Android
  3. Browse to Configuration profiles
  4. Click Create profile

  1. Choose Android Enterprise as Platform
  2. Choose Device restrictions under Fully Managed, Dedicated….
  3. Click Create
  1. Give the profile a Name
  2. Enter a Description (Optional)
  3. Click Next
  • Open Device experience
  • Set Enrollment profile type to Dedicated device
  • Choose the Kiosk mode

If we select single app mode, we need to select one app via Select an app to use for kiosk mode tab. Click OK and finish the creation of the profile.
If required you can also set additional settings on the other tabs.

If we selected multi-app mode, we are presented a message we need to approve and assign the Managed Home Screen app.
Select the apps of choice.

Make your choice in the additional settings and click Next.

Finish the profile by assigning the profile to a security group.

Approve and assign Android applications

For the single app kiosk mode we only need to approve and assign one app as required, the app which is allowed to run on the device. For the multi app kiosk mode we need to assign all apps which are allowed and we also need to assign the Managed Home Screen app as required.

  1. Click Client appsApps
  2. Click Add

  1. Choose Managed Google Play as App type
  2. Click the Managed Google Play (Approve) tab
  3. Search for the required app and click on the app, in this case Managed Home Screen

Click the green Approve button (sorry for the Dutch print screens)

Click Approve

Click Save

Click OK

Click Sync

After a few seconds the approved app is available in the list with apps in Intune.

  1. Click the approved app
  2. Click the Assignments tab
  3. Click Add group
  4. Select Required as Assignment type
  5. On the Include tab search for the dynamic security group and select the group
  6. Clik OK twice and click Save

Test the kiosk device

The device enrollment experience is the same as shown in this blog.

When the device is enrolled as multi app kiosk device and the required apps are installed, the Managed Home Screen app is launched and locks the device. On the home screen only the allowed apps are shown and allowed to start. Depending on the additional settings you set in the kiosk (device restrictions) profile also a Managed Settings shortcut is on the home screen, which allows you for example to enter the Wi-Fi settings.

When the device is enrolled as single app kiosk device, after applying the settings and installation of the required app, the required app is launched. At this example the Edge browser is the only app allowed and when you close the app, it is launched again.


    • Intune–>Device Configuration–>Profiles–>[Kiosk Mode Profile]–>Properties–>Settings–>Dedicated Devices–>Virtual Home Button (near the bottom of the page).

  1. We have a kiosk profile which uses the Managed Home Screen app. We deploy 3 apps to the device upon enrollment and they were previously visible on the home screen.

    A week ago, the problem arose where the apps are no longer visible on the home screen. When accessing the diagnostic screen (tapping the back button 15 times) I can see that the apps are actually installed on the device. Performing a re-sync does not alleviate the problem. Exiting Kiosk mode is also not possible as the option to provide a pin is not available.

    The device is visible in the portal.

    What other troubleshooting steps can I take?

    • Hi Warren,

      As everything still looks fine when you have a look at the policy and device from the Device management portal, the only thing I can think of is via the diagnostics as you already described yourselves. From the diagnostics you can view the log file, which should show at LastPolicy the applications (packages) to show.
      Otherwise, I think the only option is to open a supportcase with Microsoft Support.

  2. I have yet to find a way to configure browsers in kiosk mode. I tried app configuration policies for chrome and edge, both said they applied, both seemed to have no effect (Configured home screen, allowed/denied urls and bookmarks). Have you found a way to achieve this?

  3. Hi Peter, thanks for this great post. I will follow these steps to set up a kiosk device in single app mode.

  4. Hi Peter,

    Thank you for the great post! It was of much help for me.
    I was wondering if u could help me with a problem i am having with one of my devices. It is a samsung galaxy tab a6 Android 8.1.0 wich has been previously enrolled into intune and has been functioning fine. Untill now 😉
    The said it got a notification asking him to revert back to factory default and instead of calling me he enrolled back to factory default.
    The problem that i am having now is when i scan the QR code to re-enroll (becaus it lost the connection to the intune portal wipe, reboot etc commands wont work) i am getting this error message “the security policy prevents the creation of a managed device because a custom OS is or has been installed on this device” and it just does not make sense.
    I have searched a lot on the internet and am not able to get a solution, i hope u can help!

    • Hi Roderick,

      I can’t remember I have ever seen that error. So I’m not able to help out.
      If you have solved the issue in the meantime, please let me know as it might be helpful for others.



  5. I have one comment.
    When the app is updated on the Managed google play backend and synchronized in intune and updated on the device. the managed homescreen still shows old application or in single app mode is old version of the app. How this can be updated.
    Thanks for replay

  6. Is the notifications panel (swipe down from the top) gone in android enterprise dedicated mode in normal kode and kiosk mode?

  7. Hi Peter,
    Thank you for the helpfull post!
    How would one be able to setup the powerbutton for rebooting the device?
    I’m using the android kiosk single appl (chrome shortcut) and am not able to use the power button to forcefully reboot the device.

  8. Is there any way to use a line of business app through kiosk mode? I want to setup our devices for barcode scanning using our own apk.

  9. I have the same question as Paul, is that possible? Been trying everything, but I can’t select it in Intune. I can’t add it as a Private App in Google as someone else has added this app.

Leave a Reply

Your email address will not be published.