Saturday 8 December 2018

New Intune Android Enterprise Kiosk Settings

I have been testing the recently released additions to the Android Enterprise Kiosk profile settings and thought I would write a quick post to show you how these new settings improve the solution.
Before I start, I just wanted to clarify some terminology: this Android Enterprise solution set is now called the "Dedicated Device" solution by Google and no longer "Corporately Owned, Single-Use", as per their documentation. I have submitted a request so that this is reflected in the Microsoft Intune documentation, to try and avoid some confusion later on down the line.

To follow the steps in this post, please initially refer to my previous one, which details how to deploy a single app kiosk. In addition to that configuration, this time I have selected a multiple app kiosk, specifying the Microsoft Edge and TeamViewer apps;

Also ensure that both the TeamViewer and Managed Home Screen apps are synced from the Managed Google Play store and deployed to the appropriate Azure AD group / users.

Now for the new settings: in the M365 Device Management portal navigate to Device Configuration > Profiles > locate your kiosk profile and select it > Properties > Settings > Kiosk. Scroll down and you will now see the new settings available.

Virtual home button
This enables the user to switch between the Managed Home Screen app and the other apps specified in the multiple app kiosk. It is particularly useful when devices are not able to use their back button when enrolled in kiosk mode. The documentation states that on some handsets, in order to access the virtual home screen button, the user will need to swipe up, as I had to with the device I tested with (Samsung Galaxy A5 2016).

Launch the Edge browser, then swipe from the bottom of the screen up to see the virtual home button;

Leave Kiosk Mode
This provides a method for an administrator to exit kiosk mode for troubleshooting or additional configuration purposes, like installing software updates.

Tap the back button multiple times to reveal the menu, then select "Exit kiosk"

Enter the PIN

You can now access the settings and other apps on the device

To enter kiosk mode again, simply launch the Managed Home Screen app from apps menu

Set custom background
You can now set a custom wallpaper based on a URL in order to add some company branding to the device. 

Some useful additions to the solution, I feel. Also, it shouldn't be too long before the Android Enterprise Fully Managed Device solution set (formerly COBO, Corporately Owned, Business Only) is available as a public preview.

Stay tuned for some more Android Enterprise related posts! Thanks for reading!

Saturday 1 December 2018

Intune Windows 10 1809 Edge Kiosk

The release of Windows 10 1809 introduced the ability to configure the Edge browser using assigned access with a local account on a device. This post will show you how to configure a single app public kiosk browser using the required custom settings within Intune.

Configuring this gives you significant additional functionality over the Intune Kiosk Browser app; a feature comparison can be found here.

In this example I enrolled the device in Intune during the setup wizard. I then created a local standard user account on the device; I would also recommend at this stage ensuring the device has a suitable hostname. Make sure that you have logged into the device at least once with the local account.

Now in the M365 Device Management portal navigate to Device Configuration > Profiles then create a new Windows 10 Custom Profile.

In this example I will be adding the following custom OMA-URI settings to the profile;

Assigned access configuration - this specifies the app to run in kiosk mode along with the local user account to which the setting should apply. Note that the local user account in this example should be substituted with your own, prefixed with the device's hostname.

OMA-URI; ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp
Data type; String
Value; {"Account":"KIOSK\\Kiosk User","AUMID":"Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge"}

Set Kiosk Mode Type - Sets the display mode to a public browsing kiosk

OMA-URI; ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode
Data type; Integer
Value; 1

Configure Edge timeout settings - this resets the user's session after a specified number of minutes of inactivity. Set the time you want (valid values are 1-1440 minutes).

OMA-URI; ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout
Data type; Integer
Value; 15

Set start pages - Specify the URL(s) that load when the browser launches for the first time

OMA-URI; ./Vendor/MSFT/Policy/Config/Browser/HomePages
Data type; String
Value; Website URLs, each wrapped in chevrons - <><>
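As an added example that is not part of the original post, the following Python helper builds the four custom OMA-URI rows above and validates the values that are easiest to get wrong when typed into the portal: the `HOSTNAME\User` account reference (which must be JSON-escaped as a double backslash, as in the value shown earlier), the 1-1440 minute idle timeout range, and the chevron-wrapped start page list. Hostname, user and URLs in the test are constructed sample values.

```python
import json
from urllib.parse import urlparse

# OMA-URIs exactly as used in the custom profile above.
OMA_ASSIGNED_ACCESS = "./Device/Vendor/MSFT/AssignedAccess/KioskModeApp"
OMA_KIOSK_MODE = "./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode"
OMA_IDLE_TIMEOUT = "./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout"
OMA_HOME_PAGES = "./Vendor/MSFT/Policy/Config/Browser/HomePages"
EDGE_AUMID = "Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge"


def kiosk_account(hostname: str, local_user: str) -> str:
    """Local account reference in HOSTNAME\\User form; rejects domain/UPN style names."""
    if not hostname or not local_user:
        raise ValueError("hostname and local user are required")
    if "\\" in local_user or "@" in local_user:
        raise ValueError("local_user must be a bare local account name")
    return f"{hostname}\\{local_user}"


def home_pages_value(urls) -> str:
    """Each start page wrapped in angle brackets, concatenated with no separator."""
    if not urls:
        raise ValueError("at least one start page is required")
    for u in urls:
        p = urlparse(u)
        if p.scheme not in ("http", "https") or not p.netloc:
            raise ValueError(f"not an absolute http(s) URL: {u}")
    return "".join(f"<{u}>" for u in urls)


def edge_kiosk_settings(hostname, local_user, idle_minutes, start_pages):
    """Return the four settings as (OMA-URI, data type, value) rows ready to enter."""
    if not 1 <= idle_minutes <= 1440:
        raise ValueError("idle timeout must be 1-1440 minutes")
    # json.dumps escapes the single backslash to \\ inside the string,
    # producing the same form as the KioskModeApp value shown in the post.
    kiosk_app = json.dumps(
        {"Account": kiosk_account(hostname, local_user), "AUMID": EDGE_AUMID},
        separators=(",", ":"),
    )
    return [
        (OMA_ASSIGNED_ACCESS, "String", kiosk_app),
        (OMA_KIOSK_MODE, "Integer", 1),  # 1 = public browsing kiosk
        (OMA_IDLE_TIMEOUT, "Integer", idle_minutes),
        (OMA_HOME_PAGES, "String", home_pages_value(start_pages)),
    ]
```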

So the settings will now look like this under the single profile

Save the profile and then deploy it to a group which contains the Kiosk device.

Carry out a sync on the device and then restart.

Ensure that the settings have applied to the device by viewing the device install status within the properties of the profile.

Now log in and you will see Edge launch in kiosk mode with your default start pages, all tabs launching in InPrivate mode. You will also notice the session times out after the specified period.

You could also add other supported CSPs to further develop the kiosk solution as required - give it a try!

Tuesday 7 August 2018

Samsung Knox Mobile Enrolment (KME)

If you are in an organisation with Intune and you are wanting an easy way of bulk enrolling Samsung devices then you should know that at the time of writing the only way of doing this is via KME. Samsung is not one of the supported OEM partners for Android Zero-Touch Enrolment, it would appear that, like with the "unification" of the Android Enterprise Work Profile and the Samsung Knox Workspace, Samsung have gone it alone. Interesting. See one of my previous blog posts here to understand more about the challenges I have experienced with the latter.

I will also point out that, disappointingly, only the legacy (Device Admin) Android enrolment method is supported at this time in Intune; however, it was announced on the release of KME that Android Enterprise support was to follow.

Anyhow, I thought I would test KME, as in our current organisation we have decided to standardise on Samsung devices.

Some prerequisites;
  • Samsung devices must have Knox 2.4 or newer
  • You will need to register for a Samsung account, log in and then submit an application for KME, which will need to be approved.
  • You must purchase your devices through a Samsung authorised reseller and register them in your KME portal so that your devices can be uploaded when purchased. Note that you are able to upload devices using the Knox Deployment App; however, the process for doing this is probably not feasible for large numbers of devices.

Log in to the KME Portal, select MDM Profiles > Add

Select "Server URI not required for my MDM" then "Next"

Enter a suitable name for the profile then select "Add MDM Applications"

Enter the following URL. Select "Save"

The remaining options are not mandatory and the defaults are fine, so save the changes.

At this stage we need to add devices to the portal and, as mentioned, to do this you need to download and install the Knox Deployment App from the Google Play Store on a master device. Log in to the app with your Samsung account credentials.

Take the device you wish to add to the portal, connect it to a Wi-Fi network and then skip through the rest of the start-up wizard until you are at the home screen.

On the master device, select a profile and mode; in this example I am using NFC to enrol. Select "Start Deployment".

Gently tap another device to the back of the master device; when you hear a tone, tap the screen.

On the device to be uploaded you will see a prompt to update the Knox Enrolment Service; select "Update".

The device will now enrol in KME and automatically download the Intune Company Portal.

The device will now appear in the KME portal. At this point it should be factory reset to provide the improved enrolment experience when the device is next powered on.

As you can see, this is less than ideal for a large number of devices, so wherever possible it is recommended to have your devices purchased through an authorised reseller, who will upload them to the portal for you.

So now the experience is as follows;

Start the wizard, connect to Wi-Fi, then accept the terms and conditions.

The KME welcome screen is then presented and you can proceed with enrolment.

Remember - KME does not support Android Enterprise at the moment, and it would appear that there is nothing to stop you attempting to enrol a device.

Thanks for taking the time to read this and happy to take any comments!

Friday 13 July 2018

Intune Android Enterprise Kiosk Devices (COSU)

Android Enterprise (Formerly Android for Work) contains various solution sets which are pertinent to the different use cases of Android mobile devices within the business. The full documentation explaining these can be found here.
Until now the only solution available within Intune was the Work Profile solution, which really is designed for BYOD devices. I have been using this for the past 2 years with company-owned devices and, whilst I can say Microsoft really have drastically improved its integration with Intune, I soon became aware of its limitations, some of which include;
  • A Google account is required, temporarily at least, to download and install the Company Portal app for enrolment
  • There is no way to fully remote wipe the device (we achieved this by creating a Samsung account for all of our A5 devices, which is a bit of an admin overhead)
  • There are lots of notifications related to some of the stock apps, which cannot be disabled hampering the user experience
  • There is no way of preventing users from installing apps from the Google Play store
In a BYOD scenario, yes, the above points are to be expected; it is also relatively simple to ensure company data is secured within the profile itself, meaning this is indeed a good solution, but in the right application.
Microsoft have now enabled another solution set within Intune called Corporate-Owned Single Use (COSU), which is designed for devices that are used in specific scenarios, like kiosk browser machines, barcode scanners or inventory machines. Note that these devices do not have user affinity and are not designed to be assigned to a specific user. Microsoft's documentation labels this functionality as enrolment for Android kiosk-style devices. This was announced in the Intune docs for the week commencing the 2nd July and I have been eagerly awaiting one of my tenants to update with the setting, which one did today.
I have to say from what I have seen so far this really is a great solution and I can think of at least two use cases within production where we could use this today.
In this post I am going to show you how to enrol an Android device as a single browser Kiosk, fully locked down so the user cannot access any other settings on the device. I will also deploy the Edge browser App to it. You could further lock down the browser with some app config by restricting browsing only to certain websites.

Create the Enrolment profile and associated dynamic group

This profile is the mechanism for identifying the device as COSU and consists of an enrolment token and QR code. OS support is for Android 6 and later (6 supports the token method only; 7, 8 and 9 support both token and QR code; 9 negates the need to download a QR scanner, saving deployment time slightly). Android 5.1 is supported but requires an NFC tag to be created. I will be using an Android 8 Samsung Galaxy A5 2017 for this post.
A dynamic device group is then created referencing the profile. You can create multiple groups of devices populated by different profiles and target your app and config deployments accordingly.

Log in to the Intune portal and navigate to Device Enrolment > Android Enrolment > Kiosk and task device enrolment.

Create a profile with a suitable name and select an expiration date.

Navigate now to Intune > Groups, then create a security group with the following settings, giving it a suitable name for your environment.

Create the config and deploy to the group

There are various settings that can be configured within this profile; however, I feel this combination is suitable for the kiosk browser device scenario. It prevents the user from accessing the status bar, including the quick settings, as well as preventing use of the home, back and task manager buttons (on this particular device).

Navigate to Device configuration > Profiles, then create a device restrictions profile, ensuring that it is selected under the "Device Owner Only" menu. I should probably explain here that this must be selected because COSU is a subset of the Device Owner Android Enterprise solution set.

Under "General" block "safe boot" and "status bar".

Under "Kiosk" select "single app kiosk" and select Edge as the managed Intune app to use for kiosk mode.

Now select any required password and power settings for the lock screen timeout; I am going to skip them for the purpose of this demo.

Assign the profile to the dynamic device group you created earlier.

Navigate to Mobile apps > Apps, then assign the Edge app to the device group as "required" (note that only required and uninstall are supported for COSU).

Enrol the device

I will be enrolling the device using the QR reader. The following requires a minimum of Android 7.

On a device that has been factory reset, tap the first screen you see multiple times; you will then see the following

Connect to Wi-Fi

The QR reader will then install

Scan the QR code found within the enrolment profile in the Intune portal

Agree to the terms and select "Next"

The device will begin to enrol

Agree to more terms

The device will now download some updates for Google Play services

If you encounter any issues at this stage you will need to reset the device from here

Or you can opt to retry without a factory reset here (I have found that more often than not this resolves any issues)

Now the device is enrolled

You will notice that when you access the Google Play store it is fully managed and is the only mechanism for apps to install on the device.

Wait for the Edge app to be installed

Launch Edge and, once the device restrictions are applied, you will notice that you cannot access the status bar and hence the settings of the device.

And that completes the setup! Many thanks for reading!