In my last blog about Android Enterprise I showed how to setup a Corporate-owned dedicated device using Microsoft Intune. To further lock down such a device we can assign additional device restrictions settings to create a single or multi app kiosk-style device.
When creating a single app kiosk device, that device is only allowed to run one Android app. When the device is started, the assigned app is automatically started.
When creating a multi app kiosk device, only the allowed apps are presented on the home screen and accessible, you cannot leave the home screen to access other apps or the settings.
When setting up a kiosk-style device the same configuration steps need to be taken as for a ‘standard’ dedicated device;
- Intune needs to be connected to your managed Google Play account
- An enrollment profile is needed
- A (dynamic) security group is needed
- A device restrictions policy is needed
- Android apps need to be assigned as required
But there are some additional steps which we need to take for a kiosk-style device. For both kiosk-style versions we need to add some extra settings to the device restrictions policy. For the multi app kiosk device we also need to approve and assign the Managed Home Screen app to the device as a required app. Let`s go further by locking down the dedicated Android device.
Create a kiosk profile
To configure kiosk mode we use a Device restrictions profile. In the device restrictions profile, we make the choice to create a single app or a multi-app kiosk device.
- Sign-in to the Endpoint Manager admin center
- Browse to Devices – Android
- Browse to Configuration profiles
- Click Create profile
- Choose Android Enterprise as Platform
- Choose Device restrictions under Fully Managed, Dedicated….
- Click Create
- Give the profile a Name
- Enter a Description (Optional)
- Click Next
- Open Device experience
- Set Enrollment profile type to Dedicated device
- Choose the Kiosk mode
If we select single app mode, we need to select one app via Select an app to use for kiosk mode tab. Click OK and finish the creation of the profile.
If required you can also set additional settings on the other tabs.
If we selected multi-app mode, we are presented a message we need to approve and assign the Managed Home Screen app.
Select the apps of choice.
Make your choice in the additional settings and click Next.
Finish the profile by assigning the profile to a security group.
Approve and assign Android applications
For the single app kiosk mode we only need to approve and assign one app as required, the app which is allowed to run on the device. For the multi app kiosk mode we need to assign all apps which are allowed and we also need to assign the Managed Home Screen app as required.
- Click Client apps – Apps
- Click Add
- Choose Managed Google Play as App type
- Click the Managed Google Play (Approve) tab
- Search for the required app and click on the app, in this case Managed Home Screen
Click the green Approve button (sorry for the Dutch print screens)
After a few seconds the approved app is available in the list with apps in Intune.
- Click the approved app
- Click the Assignments tab
- Click Add group
- Select Required as Assignment type
- On the Include tab search for the dynamic security group and select the group
- Clik OK twice and click Save
Test the kiosk device
The device enrollment experience is the same as shown in this blog.
When the device is enrolled as multi app kiosk device and the required apps are installed, the Managed Home Screen app is launched and locks the device. On the home screen only the allowed apps are shown and allowed to start. Depending on the additional settings you set in the kiosk (device restrictions) profile also a Managed Settings shortcut is on the home screen, which allows you for example to enter the Wi-Fi settings.
When the device is enrolled as single app kiosk device, after applying the settings and installation of the required app, the required app is launched. At this example the Edge browser is the only app allowed and when you close the app, it is launched again.