In my last blog about Android Enterprise I showed how to set up a corporate-owned dedicated device using Microsoft Intune. To further lock down such a device we can assign additional device restrictions settings to create a single or multi app kiosk-style device.
When creating a single app kiosk device, that device is only allowed to run one Android app. When the device is started, the assigned app is automatically started.
When creating a multi app kiosk device, only the allowed apps are presented on the home screen and accessible; you cannot leave the home screen to access other apps or the settings.
When setting up a kiosk-style device the same configuration steps need to be taken as for a ‘standard’ dedicated device:
- Intune needs to be connected to your managed Google Play account
- An enrollment profile is needed
- A (dynamic) security group is needed
- A device restrictions policy is needed
- Android apps need to be assigned as required
But there are some additional steps which we need to take for a kiosk-style device. For both kiosk-style versions we need to add some extra settings to the device restrictions policy. For the multi app kiosk device we also need to approve and assign the Managed Home Screen app to the device as a required app. Let's go further by locking down the dedicated Android device.
Create a kiosk profile
- Open the Device Management Portal
- Click Device configuration – Profiles
- Click Create profile
- Give the profile a Name
- Give the profile a Description (Optional)
- Choose Android Enterprise as Platform
- Choose Device owner only – Device restrictions as Profile type
On the Dedicated devices tab we need to select a kiosk mode; single app or multi app.
If we select single app mode, we need to select one app on the Select a managed app tab. Click OK three times and click Create.
If required you can also set additional settings on the other tabs.
If we select multi app mode, we are presented with a message that we need to assign the Managed Home Screen app.
We also get some additional settings we can use to customize our device. Select your apps and click OK. If required set additional settings, click OK twice and click Create.
- Click the Assignments tab
- Search for the dynamic security group (which we created in the previous blog)
- Click Save
Approve and assign Android applications
For the single app kiosk mode we only need to approve and assign one app as required, the app which is allowed to run on the device. For the multi app kiosk mode we need to assign all apps which are allowed and we also need to assign the Managed Home Screen app as required.
- Click Client apps – Apps
- Click Add
- Choose Managed Google Play as App type
- Click the Managed Google Play (Approve) tab
- Search for the required app and click on the app, in this case Managed Home Screen
Click the green Approve button (sorry for the Dutch print screens)
After a few seconds the approved app is available in the list of apps in Intune.
- Click the approved app
- Click the Assignments tab
- Click Add group
- Select Required as Assignment type
- On the Include tab search for the dynamic security group and select the group
- Click OK twice and click Save
Test the kiosk device
The device enrollment experience is the same as shown in this blog.
When the device is enrolled as a multi app kiosk device and the required apps are installed, the Managed Home Screen app is launched and locks the device. On the home screen only the allowed apps are shown and allowed to start. Depending on the additional settings you set in the kiosk (device restrictions) profile, a Managed Settings shortcut is also placed on the home screen, which allows you, for example, to enter the Wi-Fi settings.
When the device is enrolled as a single app kiosk device, the required app is launched after the settings are applied and the app is installed. In this example the Edge browser is the only app allowed, and when you close the app, it is launched again.
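Before enrolling a test device, the kiosk profile and the required app assignments described above can be checked against each other. The script below is an added example, not part of the original post or of Intune: `check_kiosk` is a hypothetical helper, the property names `kioskModeUseManagedHomeScreenApp`, `kioskModeApps` and `appId` are assumed to match the Microsoft Graph beta device restrictions resource, the package names are assumptions, and the sample data is constructed.

```python
# Added example. Property names are assumed from the Graph beta schema.
MHS_PACKAGE = "com.microsoft.launcher.enterprise"  # Managed Home Screen package


def check_kiosk(profile, required_apps):
    """Return findings; an empty list means profile and assignments agree."""
    findings = []
    mode = profile.get("kioskModeUseManagedHomeScreenApp", "notConfigured")
    kiosk_apps = [a.get("appId") for a in profile.get("kioskModeApps", [])]
    required = set(required_apps)

    if mode == "notConfigured":
        return ["no kiosk mode selected: device is not locked down"]
    if mode == "singleAppMode" and len(kiosk_apps) != 1:
        findings.append(
            f"single app mode needs exactly one app, found {len(kiosk_apps)}")
    if mode == "multiAppMode":
        if not kiosk_apps:
            findings.append("multi app mode has no allowed apps")
        # Without Managed Home Screen installed, nothing locks the home screen.
        if MHS_PACKAGE not in required:
            findings.append(f"{MHS_PACKAGE} is not assigned as required")
    # Every app the kiosk allows must also be installed on the device.
    for app in kiosk_apps:
        if app not in required:
            findings.append(f"{app} is allowed but not assigned as required")
    return findings


# Constructed sample data (not exported from a real tenant).
MULTI_APP_PROFILE = {
    "displayName": "Kiosk - multi app",
    "kioskModeUseManagedHomeScreenApp": "multiAppMode",
    "kioskModeApps": [
        {"name": "Edge", "appId": "com.microsoft.emmx"},
        {"name": "Outlook", "appId": "com.microsoft.office.outlook"},
    ],
}
# Package names of the apps assigned as Required to the device group.
REQUIRED_APPS = ["com.microsoft.emmx", "com.microsoft.office.outlook"]

if __name__ == "__main__":
    for finding in check_kiosk(MULTI_APP_PROFILE, REQUIRED_APPS):
        print("FINDING:", finding)
```

With the constructed data the check reports that the Managed Home Screen app is missing from the required assignments, which is the step that is easiest to forget in multi app mode.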