Friday 13 July 2018

Intune Android Enterprise Kiosk Devices (COSU)

Android Enterprise (Formerly Android for Work) contains various solution sets which are pertinent to the different use cases of Android mobile devices within the business. The full documentation explaining these can be found here.
Until now the only solution available within Intune was the Work profile solution, which really is designed for BYOD devices. I have been using this for the past 2 years with company owned devices and whilst I can say Microsoft really have drastically improved its integration with Intune, I soon became aware of its limitations, some of which include;
  • A Google account is required, temporarily at least, to download and install the Company Portal app for enrolment
  • There is no way to fully remote wipe then device (we achieved this by creating a Samsung account for all of our A5 devices which is a bit of an admin overhead)
  • There are lots of notifications related to some of the stock apps, which cannot be disabled hampering the user experience
  • There is no way of preventing users from installing apps from the Google play store
In a BYOD scenario, yes the above points are to be expected, also it is relatively simple to ensure company data is secured within the profile itself meaning this is indeed a good solution but in the right application.
Microsoft have now enabled another solution set within Intune called Corporate-Owned Single Use (COSU) which is designed for devices that are used in specific scenarios, like Kiosk browser machines, barcode scanners or inventory machines. Note that these devices do not have user affinity and are not designed to be assigned to a specific user. Microsoft's documentation labels this functionality as enrolment for Android Kiosk style devices. This was announced in the Intune docs for the week commencing the 2nd July and I have been eagerly awaiting one of my tenants to update with the setting, which one did today.
I have to say from what I have seen so far this really is a great solution and I can think of at least two use cases within production where we could use this today.
In this post I am going to show you how to enrol an Android device as a single browser Kiosk, fully locked down so the user cannot access any other settings on the device. I will also deploy the Edge browser App to it. You could further lock down the browser with some app config by restricting browsing only to certain websites.

Create the Enrolment profile and associated dynamic group

This profile is the mechanism for identifying the device as COSU and consists of an enrolment token and QR code. OS support is for Android 6 and later (6 supports the token method only, 7, 8 and 9 support both token and QR code, 9 negates the need to download a QR scanner saving deployment time slightly). Android 5.1 is supported but requires an NFC tag to be create. I will be using an Android 8 Samsung Galaxy A5 2017 for this post.
A dynamic device group is then created referencing the profile. You can create multiple groups of devices populated by different profiles and can target you app and config deployments accordingly

Log in to the Intune portal and navigate to Device Enrolment > Android Enrolment > Kiosk and task device enrolment

Create a profile with a suitable name and select an expiration date

Navigate now to Intune > Groups then create a security group with the following settings, giving it a suitable name for your environment

Create the config and deploy to the group

There are ultimately various settings that can be configured within this profile, however this combination I feel is suitable for the kiosk browser device scenario, it prevents the user from accessing the status bar, including the quick settings, as well as preventing use of the home, back and task manager buttons (On this particular device)

Navigate to Device configuration > Profiles  then create device restrictions profile, ensuring that this is selected under the "Device Owner Only" menu. I should probably explain here that this should be selected because COSU is a subset of the Device Owner Android Enterprise Solution set

Under "General" block "safe boot" and "status bar"

Under "Kiosk" select "single app kiosk" and select edge as the managed Intune app to use for kiosk mode

Now select any required password and power settings for the lock screen timeout, I am going to skip them for the purpose of this demo

Assign the profile to the dynamic device group you created earlier

Navigate to Mobile apps > Apps then assign the edge app to the device group as "required" (note that only required and uninstall are supported for COSU)

Enrol the device

I will be enrolling the device using the QR reader. The following requires a minimum of Android 7

Tap on the first screen you see multiple times on a device that has been factory reset, you will then see the following

Connect to Wifi

The QR reader will then install

Scan the QR code found within the enrolment profile in the Intune portal

Agree the terms and select "Next"

The device will begin to enrol

Agree more terms

The device will now download some updates for Google Play services

If you encounter any issues at this stage you will need to reset the device from here

Or you can opt to retry without a factory reset here (I have found that more often than not this resolves any issues)

Now the device is enrolled

 You will notice that when you access the Google Play store it is fully managed and the only mechanism for apps to install on the device

Wait for the Edge app to be installed

Launch Edge and once the device restrictions are applied you will notice that you cannot access the status bar and hence the settings of the device

And that completes the setup! Many thanks for reading!


  1. Hi Leon, thanks for this gudde, it's really useful! On the Samsung front, for your none Kiosk devices have you tried using Knox Enrollment with Intune? If not I really recommend it because it simplifies the process for us Admins and for users.

    1. Hi Phil. Yes I have used KME and it does indeed help with bulk purchasing and roll out of devices.

  2. Hi Leon
    Have you notice that once the device is enrolled , it never seems to show any evaluation update after the intial setup. i enabled the google device policy app a,d i can manually sync, but it never shows staus update in the portal. all i have is a device with limited information

  3. Hi, a comment about one of the limitations you mention:

    - A Google account is required, temporarily at least, to download and install the Company Portal app for enrolment

    You can download the Intune company portal from:

  4. Hi thank you for a great post. But one can't further lock down the browser with some app config by restricting browsing only to certain websites in Intune Android Enterprise Cosu model.

  5. Great article thank you!
    I’ve set up my test environment like this and it works perfect like described.
    Do you have experience with additional app config policies? They don’t seem to arrive on the device. I’ve configured app config policies for Edge to only allow one specific website and set a homepage to load. These policies never arrive on the device.
    Maybe we have to setup MAM Policies but I’ve read that they only work deployed on users (?)
    Greetings, Chris

    1. Hi Chris. I seem to remember having the same issues when I last worked on this. Let me do some more testing and get back to you

  6. Thats nice, however it seems you can still open an in-private browsing session and browse any site you want regardless of any restirctions