In Part 1 of this series, I explained what a Kiosk device is and provided you a list of ingredients required to create an Android Kiosk in Intune. In this installment, I will explain how to prepare the ingredients and in the next part, I will explain how to enroll an Android device.
1. Create a Google account if you don’t have one
To use Android in the enterprise, you need accounts to deploy and manage apps and to provide a curated Google Play store for your organization.
I suggest you have a service type account created. A service account belongs to an application instead of to an individual end user. An application calls Google Application Programmer Interfaces (APIs) on behalf of the service account, where user consent is not required.
- Head on over to the Managed Apps Play store – https://play.google.com/work
- Click the sign in button in the top right
- Click on “Create an account” on the sign in page
- Sign in to Google Play (Work)
2. Link your Managed Google Play Account to Intune
- Sign in to Intune in the Azure portal, choose Device enrollment > Android enrollment > Managed Google Play.
- Choose I agree to grant Microsoft permission to send user and device information to Google.
- Choose Launch Google to connect now to open the Managed Google Play website.
- Sign in using the Google account you just created or exists already.
- Provide your company’s name for Organization name. For Enterprise mobility management (EMM) provider, Microsoft Intune should be displayed.
- Agree to the terms and choose confirm
When Android enterprise device management is enabled on a device, Microsoft Intune establishes a connection with Google and shares user and device information with Google. Before Microsoft Intune can establish a connection, you must create a Google account.
3. Create an Enrollment profile in Intune
You must create an enrollment profile so that you can enroll your kiosk devices.
- In Intune, choose Device enrollment > Android enrollment > Kiosk and task device enrollments
- Choose create profile
- Give your profile a Name, Description and expiry date.
- Click create to save
4. Create an Azure AD Security Group
- Go to the Intune portal and choose Groups > All groups > New group.
- In the Group blade, fill out the required fields as follows:
- Group type: Security
- Group name: Type an intuitive name (like Factory 1 devices)
5. Dynamically populate the security group with devices associated with the enrollment profile
- In the Group blade select Membership type: Dynamic device
- Choose Add dynamic query.
- In the Dynamic membership rules blade, fill out the fields as follows:
- Add dynamic membership rule: Simple rule
- Add devices where: enrollmentProfileName
- In the middle box, choose Match.
- In the last field, enter the enrollment profile name that you created earlier.
- Choose Add query > Create.
Now when devices enrol using the enrollment profile you created in step 3. above, the device will automagically be added to the group.
6. Approve the Microsoft Managed Home Screen application
- Log into https://play.google.com/work with the account you created or use for step 1 above.
- Search for “Managed Home Screen” in the apps section.
- Make sure to select the Microsoft Managed Home screen app and click approve.
7. Create an enrollment profile token QR code.
- Log into https://portal.azure.com and navigate to Intune
- Under Android Enrollment> Kiosk and task device enrollments> click on your enrollment profile you created in 3 above.
- Click on “Token” in the left
- Click “Show token” to reveal the QR code
Now you can print this code out, save it in a document to provide to people that will be provisioning these android kiosk devices.
8. Approve kiosk app or apps in the Managed Google Play store
Use the same method you used in step 6 above to approve the apps for your Kiosk devices in the Managed Google Play store. In my demo, I approved 5 or 6 apps.
9. Assign apps to the device group
In Intune, select Client apps.
- Select Apps.
- In the Apps pane, select the app you want to assign. Make sure you select the app is a “Managed Google Play app” type, and not Android store app.
- In the Manage section of the menu, select Assignments.
- Select Add Group to open the Add group pane that is related to the app.
- For the specific app, select an assignment type: Required
- To select the group of devices, select Included Groups. Select the Device group you created in step 4
- In the Add group pane, select OK.
- In the app Assignments pane, select Save.
10. Assign the Managed Home Screen App to the Device Group.
Using the same procedure used to assign apps to the device group, assign the Managed Home Screen app to the same device group.
11. Create Kiosk Device Configuration Profile
With Intune Kiosk devices, you can configure devices for single or multi-app kiosk mode.
- If a kiosk device’s restriction profile is set to Kiosk mode = single app kiosk, users can only access a single app. When a device configured in this mode starts up, the specific app starts. Users are restricted from opening new apps or from changing the running app.
- If a kiosk device’s restriction profile is set to Kiosk mode = multi-app kiosk, users can only access the limited number of apps that you configure. You can also define a set of web links that users can visit. When the policy is applied, users see icons for the permissible apps on the home screen.
Create a multi-app kiosk profile
- Go to the Intune portal and choose Device configuration > Profiles > Create profile.
- In the Create profile blade, set the following fields:
- Name: type an intuitive name
- Platform: Android enterprise
- Profile type: Device Owner only > Device restrictions
- Choose Settings > Kiosk.
- For Kiosk mode, choose Multi-app kiosk.
- Choose Add and then select the apps or web links that you want available for devices using this profile. Note, you don’t need to assign the Managed Home Screen Application in the Multi-app kiosk mode profile.
- Choose OK > OK > OK > Create.
- Choose the profile you just created > Assignments.
- Under Assign to choose Selected groups.
- Choose Select groups to include > choose the device group that you created for your kiosk devices > Select > Save.
Kiosk mode is just the one setting you have to configure in the device profile for an Android kiosk device, however there are lots of device and security settings that are optional such as blocking external media, preventing factory reset, requiring device pin etc. etc.
In this post, I expanded on the ingredients you need and the method for creating a Kiosk device in Intune. In part 3 I will demonstrate how to enroll an Android device and what the final kiosk looks like.