How to setup an Android Enterprise kiosk device with Microsoft Intune

In my last blog about Android Enterprise I showed how to setup a Corporate-owned dedicated device using Microsoft Intune. To further lock down such a device we can assign additional device restrictions settings to create a single or multi app kiosk-style device.
When creating a single app kiosk device, that device is only allowed to run one Android app. When the device is started, the assigned app is automatically started.
When creating a multi app kiosk device, only the allowed apps are presented on the home screen and accessible, you cannot leave the home screen to access other apps or the settings.

When setting up a kiosk-style device the same configuration steps need to be taken as for a ‘standard’ dedicated device;

  • Intune needs to be connected to your managed Google Play account
  • An enrollment profile is needed
  • A (dynamic) security group is needed
  • A device restrictions policy is needed
  • Android apps need to be assigned as required

But there are some additional steps which we need to take for a kiosk-style device. For both kiosk-style versions we need to add some extra settings to the device restrictions policy. For the multi app kiosk device we also need to approve and assign the Managed Home Screen app to the device as a required app. Let`s go further by locking down the dedicated Android device.

Create a kiosk profile

  1. Open the Device Management Portal
  2. click Device configurationProfiles
  3. Click Create profile

  1. Give the profile a Name
  2. Give the profile a Description (Optional)
  3. Choose Android Enterprise as Platform
  4. Choose Device owner onlyDevice restrictions as Profile type

On the Dedicated devices tab we need to select a kiosk mode; single app or multi app.

If we select single app mode, we need to select one app on the Select a managed app tab. Click OK three times and click Create.
If required you can also set additional settings on the other tabs.

If we selected multi app mode, we are presented a message we need to assign the Managed Home Screen app.
We also get some additional settings we can use to customize our device. Select your apps and click OK. If required set additional settings, click OK twice and click Create.

  1. Click the Assignments tab
  2. Search for the dynamic security group (which we created in the previous blog)
  3. Click Save

Approve and assign Android applications

For the single app kiosk mode we only need to approve and assign one app as required, the app which is allowed to run on the device. For the multi app kiosk mode we need to assign all apps which are allowed and we also need to assign the Managed Home Screen app as required.

  1. Click Client appsApps
  2. Click Add

  1. Choose Managed Google Play as App type
  2. Click the Managed Google Play (Approve) tab
  3. Search for the required app and click on the app, in this case Managed Home Screen

Click the green Approve button (sorry for the Dutch print screens)

Click Approve

Click Save

Click OK

Click Sync

After a few seconds the approved app is available in the list with apps in Intune.

  1. Click the approved app
  2. Click the Assignments tab
  3. Click Add group
  4. Select Required as Assignment type
  5. On the Include tab search for the dynamic security group and select the group
  6. Clik OK twice and click Save

Test the kiosk device

The device enrollment experience is the same as shown in this blog.

When the device is enrolled as multi app kiosk device and the required apps are installed, the Managed Home Screen app is launched and locks the device. On the home screen only the allowed apps are shown and allowed to start. Depending on the additional settings you set in the kiosk (device restrictions) profile also a Managed Settings shortcut is on the home screen, which allows you for example to enter the Wi-Fi settings.

When the device is enrolled as single app kiosk device, after applying the settings and installation of the required app, the required app is launched. At this example the Edge browser is the only app allowed and when you close the app, it is launched again.


    • Intune–>Device Configuration–>Profiles–>[Kiosk Mode Profile]–>Properties–>Settings–>Dedicated Devices–>Virtual Home Button (near the bottom of the page).

  1. We have a kiosk profile which uses the Managed Home Screen app. We deploy 3 apps to the device upon enrollment and they were previously visible on the home screen.

    A week ago, the problem arose where the apps are no longer visible on the home screen. When accessing the diagnostic screen (tapping the back button 15 times) I can see that the apps are actually installed on the device. Performing a re-sync does not alleviate the problem. Exiting Kiosk mode is also not possible as the option to provide a pin is not available.

    The device is visible in the portal.

    What other troubleshooting steps can I take?

    • Hi Warren,

      As everything still looks fine when you have a look at the policy and device from the Device management portal, the only thing I can think of is via the diagnostics as you already described yourselves. From the diagnostics you can view the log file, which should show at LastPolicy the applications (packages) to show.
      Otherwise, I think the only option is to open a supportcase with Microsoft Support.

  2. I have yet to find a way to configure browsers in kiosk mode. I tried app configuration policies for chrome and edge, both said they applied, both seemed to have no effect (Configured home screen, allowed/denied urls and bookmarks). Have you found a way to achieve this?

Leave a Reply

Your email address will not be published.