Until now the only solution available within Intune was the Work profile solution, which really is designed for BYOD devices. I have been using this for the past 2 years with company-owned devices and, whilst I can say Microsoft really have drastically improved its integration with Intune, I soon became aware of its limitations, some of which include:
- A Google account is required, temporarily at least, to download and install the Company Portal app for enrolment
- There is no way to fully remote wipe the device (we achieved this by creating a Samsung account for all of our A5 devices, which is a bit of an admin overhead)
- There are lots of notifications related to some of the stock apps which cannot be disabled, hampering the user experience
- There is no way of preventing users from installing apps from the Google Play store
Microsoft have now enabled another solution set within Intune called Corporate-Owned Single Use (COSU), which is designed for devices that are used in specific scenarios, like kiosk browser machines, barcode scanners or inventory machines. Note that these devices do not have user affinity and are not designed to be assigned to a specific user. Microsoft's documentation labels this functionality as enrolment for Android kiosk-style devices. This was announced in the Intune docs for the week commencing the 2nd July and I have been eagerly awaiting one of my tenants to update with the setting, which one did today.
I have to say from what I have seen so far this really is a great solution and I can think of at least two use cases within production where we could use this today.
In this post I am going to show you how to enrol an Android device as a single-browser kiosk, fully locked down so the user cannot access any other settings on the device. I will also deploy the Edge browser app to it. You could further lock down the browser with some app config by restricting browsing only to certain websites.
Create the Enrolment profile and associated dynamic group
This profile is the mechanism for identifying the device as COSU and consists of an enrolment token and QR code. OS support is for Android 6 and later (6 supports the token method only; 7, 8 and 9 support both token and QR code; 9 negates the need to download a QR scanner, saving deployment time slightly). Android 5.1 is supported but requires an NFC tag to be created. I will be using an Android 8 Samsung Galaxy A5 2017 for this post.
A dynamic device group is then created referencing the profile. You can create multiple groups of devices populated by different profiles and can target your app and config deployments accordingly.
Log in to the Intune portal and navigate to Device Enrolment > Android Enrolment > Kiosk and task device enrolment
Create a profile with a suitable name and select an expiration date
Navigate now to Intune > Groups then create a security group with the following settings, giving it a suitable name for your environment
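The same two steps done against Microsoft Graph rather than the portal, as an added example that is not from the original post: it looks up the enrolment profile you created, builds the dynamic device group whose membership rule keys on that profile name, and lists the group's device members so you can confirm a device landed in the group before assigning config and apps to it. It assumes `$token` already holds a Graph bearer token with rights to read Intune service config and write groups, and the profile name `Kiosk-Browser-COSU` is a made-up value for illustration.

```powershell
# Added example, not part of the original post. Assumes $token is a valid Graph bearer token.
$profileName = "Kiosk-Browser-COSU"        # assumed name of the enrolment profile from the portal
$headers = @{ Authorization = "Bearer $token" }

# 1. Read back the COSU (device owner) enrolment profiles (beta endpoint) and find ours by name,
#    so the group rule below references the exact display name Intune stamps on enrolled devices.
$profiles = Invoke-RestMethod -Method Get -Headers $headers `
  -Uri "https://graph.microsoft.com/beta/deviceManagement/androidDeviceOwnerEnrollmentProfiles"
$enrolProfile = $profiles.value | Where-Object { $_.displayName -eq $profileName }
if (-not $enrolProfile) { throw "Enrolment profile '$profileName' not found in this tenant" }

# 2. Create the dynamic security group. Membership is driven by the enrolmentProfileName
#    device attribute, so only devices enrolled with this profile ever join it.
$body = @{
  displayName                   = "Devices - $profileName"
  mailEnabled                   = $false
  mailNickname                  = ("dev-" + ($profileName -replace '[^a-zA-Z0-9]', '')).ToLower()
  securityEnabled               = $true
  groupTypes                    = @("DynamicMembership")
  membershipRule                = "(device.enrollmentProfileName -eq ""$profileName"")"
  membershipRuleProcessingState = "On"
} | ConvertTo-Json
$group = Invoke-RestMethod -Method Post -Headers $headers -ContentType "application/json" `
  -Uri "https://graph.microsoft.com/v1.0/groups" -Body $body
Write-Output "Created group $($group.id) with rule: $($group.membershipRule)"

# 3. After a device has enrolled, check it is a member before trusting that the device
#    restrictions profile and the required Edge app will reach it.
$members = Invoke-RestMethod -Method Get -Headers $headers `
  -Uri "https://graph.microsoft.com/v1.0/groups/$($group.id)/members/microsoft.graph.device"
$members.value | Select-Object displayName, deviceId, operatingSystemVersion
```

Dynamic membership is evaluated asynchronously, so an empty member list immediately after enrolment is expected; re-run step 3 a few minutes later.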
Create the config and deploy to the group
There are ultimately various settings that can be configured within this profile. However, I feel this combination is suitable for the kiosk browser device scenario: it prevents the user from accessing the status bar, including the quick settings, as well as preventing use of the home, back and task manager buttons (on this particular device).
Navigate to Device configuration > Profiles, then create a device restrictions profile, ensuring that this is selected under the "Device Owner Only" menu. I should probably explain here that this should be selected because COSU is a subset of the Device Owner Android Enterprise solution set.
Under "General" block "safe boot" and "status bar"
Under "Kiosk" select "single app kiosk" and select Edge as the managed Intune app to use for kiosk mode
Now select any required password and power settings for the lock screen timeout; I am going to skip them for the purpose of this demo
Assign the profile to the dynamic device group you created earlier
Navigate to Mobile apps > Apps, then assign the Edge app to the device group as "required" (note that only required and uninstall are supported for COSU)
Enrol the device
I will be enrolling the device using the QR reader. The following requires a minimum of Android 7.
On a device that has been factory reset, tap the first screen you see multiple times; you will then see the following
Connect to Wi-Fi
The QR reader will then install
Scan the QR code found within the enrolment profile in the Intune portal
Agree to the terms and select "Next"
The device will begin to enrol
Agree to more terms
The device will now download some updates for Google Play services
If you encounter any issues at this stage, you will need to reset the device from here
Or you can opt to retry without a factory reset here (I have found that more often than not this resolves any issues)
Now the device is enrolled
Wait for the Edge app to be installed
Launch Edge and, once the device restrictions are applied, you will notice that you cannot access the status bar and hence the settings of the device
And that completes the setup! Many thanks for reading!
Hi Leon, thanks for this guide, it's really useful! On the Samsung front, for your non-kiosk devices have you tried using Knox Enrollment with Intune? If not, I really recommend it because it simplifies the process for us admins and for users.
Hi Phil. Yes, I have used KME and it does indeed help with bulk purchasing and rollout of devices.
Hi Leon
Have you noticed that once the device is enrolled, it never seems to show any evaluation update after the initial setup. I enabled the Google device policy app and I can manually sync, but it never shows a status update in the portal. All I have is a device with limited information.
Hi, a comment about one of the limitations you mention:
- A Google account is required, temporarily at least, to download and install the Company Portal app for enrolment
You can download the Intune company portal from: https://www.microsoft.com/en-us/download/details.aspx?id=49140
Hi, thank you for a great post. But one can't further lock down the browser with some app config by restricting browsing only to certain websites in the Intune Android Enterprise COSU model.
Great article, thank you!
I've set up my test environment like this and it works perfectly, as described.
Do you have experience with additional app config policies? They don’t seem to arrive on the device. I’ve configured app config policies for Edge to only allow one specific website and set a homepage to load. These policies never arrive on the device.
Maybe we have to set up MAM policies, but I've read that they only work deployed to users (?)
Greetings, Chris
Hi Chris. I seem to remember having the same issues when I last worked on this. Let me do some more testing and get back to you.
That's nice, however it seems you can still open an in-private browsing session and browse any site you want regardless of any restrictions