For one particular scenario I was asked to give a specific group of users an Android Enterprise device locked into a single app for a specific need. They did not need access to anything other than this app, and where possible the setup had to be simple for the end user or the IT person on site.
For this I looked into what was available in Intune and quickly saw that the “Corporate Owned Dedicated Devices” enrollment profile type would fit the need perfectly.
This lets the end user scan a QR code that kicks off a self-deploying profile to enroll the device into Intune; a dynamic device group then lets us automatically install a required app and assign the kiosk profile to the devices at the same time.
Let’s go through what you need to do to get this running.
Creating the Android Enrollment profile in Intune
Open up Intune aka MEM https://aka.ms/memac
Under Device Enrollment click Enroll device and then select Android enrollment
Within here you should have various options; we want the “Corporate-owned dedicated devices” option.
Note that if these options are greyed out, you likely have not set up a Managed Google Play account; you can do that using the option above them in the prerequisites section.
Within this new menu click on the Create Profile button
Then name the profile something meaningful, add a description if needed, and select the Token Type. You can also set the Token expiration here, but the maximum token age is 90 days, a limit imposed by Google.
Verify the information you entered is correct, then click Create to complete the profile. You can go into the profile to view the QR code and to replace or revoke the token. (Don’t worry, the QR code below will be revoked before publishing!)
So we have the enrollment profile created and the QR code that will enroll the device into Intune, but on its own that won’t do a great deal else for us. We need to group these devices together so we can assign apps, restrictions and other related settings to them.
Creating a Dynamic Device group
We must create a dynamic device group, which again helps make this as automated as possible: we don’t want to have to add devices to these groups by hand, so let’s see what we can do to get this up and running.
Go into the groups area and select “New Group”
Then populate all the required information related to the group and for membership type make sure to select Dynamic Device
Click Add Dynamic query to load the configure rules page. What we want to specify here is that the property “enrollmentProfileName” must equal the name of the enrollment profile we created earlier, “AndroidDedicated”, like below.
What this does is automatically populate the dynamic group with any device enrolled using the QR code created earlier, removing the need for any further involvement in adding devices to the group.
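As an added example that is not part of the original post, here is the same dynamic group created with the Microsoft Graph PowerShell SDK (Microsoft.Graph module), which makes the membership rule explicit and repeatable. It assumes an account permitted to create groups and read devices, and reuses the profile and group names from the post.

```powershell
# Added example: create the dynamic device group for the dedicated enrollment profile
# with the Microsoft Graph PowerShell SDK, then check which devices landed in it.
# Assumes an account allowed to create groups and read devices; names match the post.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Device.Read.All"

$profileName = "AndroidDedicated"          # enrollment profile name from the post
$groupName   = "AndroidDedicatedDevices"   # dynamic group name used for the app assignment

# Same rule as entered on the portal's "Add dynamic query" page: the device's
# enrollmentProfileName must equal the dedicated profile name. A device enrolled
# through any other profile (or a user's personal device) never matches, so the
# kiosk restrictions and required app only ever reach the intended hardware.
$rule = "(device.enrollmentProfileName -eq `"$profileName`")"

$group = New-MgGroup -DisplayName $groupName `
    -Description "Devices enrolled with the $profileName dedicated-device profile" `
    -MailEnabled:$false -MailNickname $groupName -SecurityEnabled `
    -GroupTypes "DynamicMembership" `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

Write-Host "Created group $($group.Id) with rule: $rule"

# Dynamic membership is evaluated asynchronously. Once devices have enrolled,
# list the members to confirm only dedicated-profile devices are in scope
# before relying on the group for the required app and kiosk profile.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties["displayName"] }
```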
What can we now do with this group?
The possibilities now depend on what you need to achieve as part of your particular deployment, but you could set up a device restrictions profile to lock the device right down, set up single- or multi-app kiosk devices, or install specific applications required on the device. Below I will show an example of creating a single app kiosk similar to what I needed for my particular scenario.
Assigning an App as required
First things first, we will assign an application as required to the devices. Assuming you have some applications synced to Intune from the Managed Google Play Store, this is going to be straightforward.
In Intune go to the Apps blade, then Android Apps and here you will see the apps available to you.
In this example I will just install Chrome as the required app, so I will go into the Chrome app and, in the “Required” assignments area, add the AndroidDedicatedDevices group we created earlier. This ensures the application is installed on all devices in that group.
That is the application side taken care of.
Creating the Configuration profile for setting up the Kiosk
Now we want to control how the device works, so we need to create a Configuration profile. In the Devices blade, click Android and then Configuration Profiles, then click the Create Profile button.
There are many options that can be configured in here, but we want to select Android Enterprise as the Platform and, for the Profile Type, “Device Restrictions” from the section with Dedicated devices in the title. Then click Create.
Name the profile, give it a description and click Next.
To set the device up as a Kiosk, go to the Device Experience sub-area, select “Dedicated Device” as the enrollment profile type, set the Kiosk mode to Single App and then use the clickable link to select Chrome as the Kiosk app.
You can go as far as you want in this menu area: there are options to block factory reset so users cannot reset the device and take it away, to set up Android updates, and much more. You really need to look through all the options to get what you need out of it.
For that profile to be assigned to the devices, again assign it to the same Dynamic Group we created earlier and complete the profile creation.
How does the end result work?
After all of the above is created, you can open up a new Android device and, usually by pressing on the welcome screen six times or so, a QR reader should be launched.
Scan the QR code (making sure you have connected to a network first) and the self-deploying profile should then kick in.
The device will enroll into Intune, install the required app and deploy any policies you configured as part of the process.
As we configured a Single App Kiosk using Chrome, the Chrome browser launches as the only app available to the user. If they attempt to close the app, it will re-launch itself.