From the frontlines: Accelerating retail worker shared device experience (Part two)

Apr 23, 2025

By: Vignesh Mitsume – Sr Product Manager | Microsoft Intune

Welcome to part two of "Accelerating retail worker shared device experience." In Part one, we explored how Intune empowers frontline workers by enabling shared device usage among associates in a 24/7 retail business environment, with enhanced productivity and security. Now, we'll dive into how Intune optimizes the management of devices that run multiple apps and are used by both associates and customers.

I'm Vignesh Mitsume, and in my previous roles, I’ve had the privilege of working with leading companies in the beverage and other retail industries. In these roles, I collaborated closely with sales and marketing teams, addressing their system, infrastructure, and reporting requirements as they interacted with supermarkets and convenience stores. In this blog, I'll be sharing some of my experiences with customer scenarios.

Technology's evolution in retail: The rise of shared devices

The retail industry has undergone a significant digital transformation, with technology playing a pivotal role in streamlining operations and enhancing customer experiences. Historically, retail operations were fragmented, with separate systems for employees and customers. Today, modern kiosks, tablets, and smart screens are bridging this gap, enabling self-service ordering, inventory tracking, and real-time assistance—all from a single device. Whether it's self-checkout stations in grocery stores, smart fitting rooms in fashion retail, or digital vending machines in the beverage industry, shared devices have become the backbone of efficient retail operations.

Many of these devices operate on either the Android or iOS platform. Today, we'll explore how Contoso Eateries and Contoso Pastries, competitors in integrating technology into their business practices, are using Intune to efficiently manage their dedicated devices by enabling multi-app kiosk modes for both platforms. This strategy aids their frontline workers in effectively managing business operations.

Scenario 1 – Contoso Eateries

Contoso Eateries is a chain of eateries that aims to deploy Android tablets in their stores. Each store will have one tablet used as a point of sale (POS) device for billing customers, managing inventory, and letting the store manager place restock orders from the central distribution warehouse. The IT admin team wants to manage these devices centrally and restrict access to any other apps.

To achieve this, the IT admin team first creates a Microsoft Entra security group for grouping and targeting the devices and leveraging enrollment time grouping (new for Android in our April 2025 release). Once the assignment group is ready, they create an Android Enterprise dedicated devices enrollment profile with the default token type, corporate-owned dedicated device (Fig. 1), which enrolls the device without any user affinity.

Note: Microsoft Entra security dynamic device groups can be created based on the enrollment profile name; however, static groups that use enrollment time grouping will expedite app and policy provisioning during device enrollment.

Fig. 1 – Setting up an Android Enterprise corporate-owned dedicated device.

Next, they add the POS and organization-specific inventory management applications from the Managed Google Play Store, along with the Microsoft Managed Home Screen application. These apps are assigned to the groups created earlier specifically for the devices enrolled using the Android Enterprise dedicated device enrollment profile (Fig. 1). After the applications are added and assigned, they restrict the device functionality to allow only the use of the POS and organization-specific inventory management applications. This is done by creating a device restriction configuration profile that sets up the device in multi-app kiosk mode (Fig. 2), which ensures users can only access the applications placed in the Microsoft Managed Home Screen. This configuration profile is then assigned to the Microsoft Entra device group previously created.

Fig. 2 – Configuration profile to restrict devices as dedicated multi-app kiosk devices.

In addition to the mandatory configuration, Contoso Eateries wants to customize their Managed Home Screen experience. Therefore, they also create an app configuration policy for their Managed Home Screen.

Result:

The device is restricted to the POS and organization-specific inventory management applications within the Managed Home Screen (Fig. 3). Contoso Eateries will keep the POS application open for customer self-checkout, while using the organization-specific inventory management application to replenish stocks during non-business hours.

Fig. 3 – Personalized user experience on an Android device.

Scenario 2 – Contoso Pastries

Contoso Pastries aims to provide a similar experience for their frontline workers and customers as Contoso Eateries, but with iPads instead of Android tablets. The Contoso Pastries IT admin team wants to manage these devices centrally and restrict access to any other apps.

Contoso Pastries gets all their iPads from an Apple Authorized Reseller, ensuring that all devices are added to their Apple Business Manager (ABM) account by the reseller, with supervised mode enabled by default.

Note: If ABM is not available, Apple Configurator can also be used to enable supervised mode to achieve the requirements.

To comply with Contoso Pastries’ requirements, the HQ IT team creates an enrollment profile to enroll the devices without user affinity. Then, they create a device filter (Fig. 4) to filter for devices enrolled using this profile.

Fig. 4 – Device filter for specified enrollment profile.

Next, they add their line-of-business POS app and organization-specific inventory management applications to Intune and assign them to all devices using the device filter created above (Fig. 5). This avoids the processing delay of dynamic device groups and reduces the management overhead associated with creating and maintaining multiple security groups.

Fig. 5 – Assigning to all devices along with device filters.

For iOS/iPadOS devices, they'll configure the entire device to function like a managed home screen by removing unwanted apps and retaining only the required ones. As a first step, they allow only the Contoso POS and organization-specific inventory management applications by configuring a device restriction profile (Fig. 6).

Fig. 6 – Device restriction profile.

To further customize the home screen appearance and dock configuration, the admin creates a device features configuration profile and adds the necessary apps accordingly (Fig. 7).

Fig. 7 – Device features configuration profile in the Microsoft Intune admin center.
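
As an added example (not part of the original post and not Intune's own code), the following Python check audits an exported iOS/iPadOS device restriction profile so that drift in the kiosk app allowlist is caught before devices ship. It assumes the profile was exported as JSON in the shape of the Microsoft Graph `iosGeneralDeviceConfiguration` resource; the bundle IDs, display name and sample profile are constructed for illustration.

```python
# Added example: audit the visible-apps allowlist of an exported
# iOS/iPadOS device restriction profile against the approved kiosk apps.

# Hypothetical bundle IDs for the two apps the kiosk is allowed to show.
APPROVED = {"com.contoso.pos", "com.contoso.inventory"}

# Constructed sample, shaped like a Graph iosGeneralDeviceConfiguration export.
SAMPLE_PROFILE = {
    "@odata.type": "#microsoft.graph.iosGeneralDeviceConfiguration",
    "displayName": "Contoso Pastries kiosk restrictions",
    "appsVisibilityListType": "appsInListCompliant",
    "appsVisibilityList": [
        {"name": "Contoso POS", "appId": "com.contoso.pos"},
        {"name": "Contoso Inventory", "appId": "com.contoso.inventory"},
    ],
}

IOS_TYPE = "#microsoft.graph.iosGeneralDeviceConfiguration"


def audit_allowlist(profile, approved):
    """Return a list of findings; an empty list means no drift was found."""
    if profile.get("@odata.type") != IOS_TYPE:
        return ["not an iOS/iPadOS device restriction profile"]

    findings = []
    # Only 'appsInListCompliant' treats the list as the set of visible apps;
    # 'none' or 'appsNotInListCompliant' means the list is not an allowlist.
    mode = profile.get("appsVisibilityListType", "none")
    if mode != "appsInListCompliant":
        findings.append(f"visibility list type is '{mode}', not an allowlist")

    entries = profile.get("appsVisibilityList") or []
    listed = {(entry.get("appId") or "").strip() for entry in entries}
    listed.discard("")  # ignore entries exported without a bundle ID

    for extra in sorted(listed - approved):
        findings.append(f"listed but not approved: {extra}")
    for missing in sorted(approved - listed):
        findings.append(f"approved but not listed: {missing}")
    return findings


if __name__ == "__main__":
    for line in audit_allowlist(SAMPLE_PROFILE, APPROVED) or ["allowlist matches"]:
        print(line)
```

Running the same check on a schedule against a fresh export flags any app added to, or dropped from, the kiosk allowlist after the initial rollout.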

Result:

Once the device is dispatched to the stores and the store manager turns it on, the device is enrolled into Intune with all the specified configurations applied. The device is then restricted to POS and organization-specific inventory management applications (Fig. 8). This setup ensures that the POS application remains open for customer self-checkout, while the organization-specific inventory management application is used for stock replenishment during non-business hours.

Fig. 8 – Personalized user experience on an iPad.

With Intune, frontline worker scenarios in the retail industry can be managed effectively, ensuring that both associates and customers benefit from streamlined operations and enhanced user experiences. As demonstrated by Contoso Eateries and Contoso Pastries, Intune's capabilities in managing dedicated devices, whether on Android or iOS/iPadOS platforms, provide a robust solution for modern retail environments. By leveraging features such as multi-app kiosk modes and customized home screen configurations, businesses can maintain control over their devices while empowering their frontline workers to perform their tasks efficiently. By adopting Intune, organizations can ensure that their frontline workers are equipped with the right tools to handle business operations seamlessly, ultimately driving productivity and customer satisfaction.

Please refer to the following documentation for more guidance:

Stay tuned for more interesting content in this blog series. We're keeping the initial blog updated with each posting for your reference: From the frontlines: Frontline worker management with Microsoft Intune.

If you have any questions or want to share how you’re using frontline devices in Intune, leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune. You can also connect with us on LinkedIn: aka.ms/IntuneLinked 
