First published on CloudBlogs on Jul 10, 2018
We are excited to announce support for Android enterprise purpose-built device management. This scenario targets task-based use cases, such as unattended guest kiosk experiences, inventory tracking, mobile ticketing, point-of-sale devices, digital signage, and other cases where devices need to be tightly managed and heavily locked down. Microsoft Intune’s enterprise mobility management delivers a secure and reliable management experience for these devices.

Devices managed in this way enroll into Intune using popular new enrollment methods, such as scanning a QR code or Android zero touch enrollment, without needing to have user account credentials on the device. IT admins configure these corporate-owned devices to be used in locked-down environments, allowing only the app or apps necessary to complete the task, while preventing users from accessing settings, installing apps, or changing other device functions that could interfere with reliable operation.

This Android enterprise capability is supported on a wide range of devices throughout the Android ecosystem and affords customers great flexibility in choosing devices that are best suited to the task at hand. Android enterprise solutions are standards-based, so you can count on consistency and completeness of support across a broad set of device manufacturers. IT organizations can use Intune to streamline remote management, deliver a consistent set of device settings capabilities across device manufacturers, and leverage the flexibility and reach of the managed Google Play Store to deploy and configure apps. Intune provides reliable, high-performance device management, increasing the uptime for applications that drive your business and ensuring high levels of user satisfaction.

Microsoft Intune empowers organizations to achieve more on Android with:
  • Streamlined remote device management and modern provisioning.
  • Simplified app distribution and robust app security.
  • A customizable, user-friendly home screen experience.

Streamlined remote device management and modern provisioning

Purpose-built devices are typically deployed at remote locations and provisioned at scale, such as to all the branches of a store or remote sites where technical staff may not be available. IT requires a robust solution where devices can be shipped thousands of miles away, be plugged in by line-of-business staff, and start working without any on-site technical support. With Intune, these devices are easy to provision and configure remotely. Other key advantages for a modern kiosk experience include:
  • Wider range of device choices — Support for Android enterprise capabilities allows customers to take advantage of great choice in price point, customizations, ruggedization options, and form factors from different device manufacturers, offering a consistent feature set across the entire ecosystem.
  • Streamlined onboarding — Purpose-built device enrollment can be initiated in multiple ways. Depending on the infrastructure, devices may be enrolled by scanning a QR code with the built-in camera, by entering a special enrollment token string, or by taking advantage of the Google Zero Touch provisioning system. Rapid onboarding is possible because there is no need to enter a username and password. It is easy to bring up several new devices without user input at the remote site.

Use enrollment profiles to generate QR codes for enrollment.

Simplified app distribution and robust app security

Intune makes it easy to turn a standard, corporate-owned Android enterprise device into a purpose-built device by remotely configuring only the apps and device features necessary to do the job. The app distribution capabilities on Android enterprise devices come from Intune’s integration with the managed Google Play Store. Key benefits include:
  • Unattended app installation and updates — IT admins can silently push “required” app installations with no user intervention.
  • Managed app configuration — For apps in the Google Play Store that support managed configuration options, you can use Intune to browse, specify, and manage configuration settings as well as runtime permissions.
  • Device-based targeting — As these devices are not associated with a user identity, targeting of apps and policies is done using device groups. Azure Active Directory customers may use dynamic device groups to further simplify the automation to target apps and policies based on a device’s enrollment profile.

Customized home screen experience

You can restrict the device experience to specific apps or specific web links with the Managed Home Screen app. Based on the popular Microsoft Launcher consumer app, Managed Home Screen allows Intune to deliver a highly productive, single-use experience, whether limited to a single app (kiosk mode) or a set of mobile and web apps. This enterprise app, deployed by admins to managed Android enterprise devices for this scenario, brings the highly rated consumer experience to locked-down, purpose-built devices.

Devices may be locked down to one or more apps, or specific websites determined by the organization.

Get started with your Android deployment with Intune documentation. We look forward to hearing your stories of Android adoption in the comments! This capability will be deployed on a rolling basis throughout the production environment. We expect it to be enabled for all tenants by the end of the week. If you don’t see it today, check back soon.

Senior Member

Hi there, the documentation does jump around quite a bit and I found it hard to follow, especially as a first-time Android Kiosk Admin. I consider myself quite proficient in Intune app deployments, MAM, MDM etc. but I struggled to understand what was required of an organisation to be able to use Intune to deploy and manage Kiosk devices. Having said that, I have managed to get it to work in both single-app and multi-app mode.


My question however, is how does one allow a device to still make calls or SMS using GSM when the Managed Home Screen only displays the deployed apps? I have tried assigning and deploying the Google LLC Phone and Messaging apps but that doesn't seem to be the right solution. Also can one modify the Home Screen in terms of where the app icons are located? I couldn't find any documentation on configuring the Managed Home Screen.


We have a client that requires a Kiosk device to have their LOB app, make calls, SMS, use location information and scan barcodes. They also need the device to be encrypted, but I imagine that would be a separate Intune Device compliance policy.

Occasional Visitor

I tried it for a few days. Determining what to set up and where the APKs needed to be in Intune was hard. But that could be just newness to Intune and its object structure. The provisioning of a device was straightforward. The visibility on the device that it had been provisioned was obvious. But when it came to updating the APKs I found that it took hours before a device would be updated. Seemed odd. This was just play time and once time was up I had to move on to other tasks, so I'm not sure if there was something configured wrong that caused the delay. Regardless, I'll come back for more play time in the future.


It would be great to see support added for Android zero-touch enrollment with Android Work profiles. This would provide organizations a comparable automated enrollment solution for both iOS and Android, with the option of user-based and device-based enrollment for both platforms. Looking forward to new features in 2019!


I've had to set this up a couple of times now and the Intune documentation could use some work compared to what we can get from Airwatch and MI. I am in the process of moving my company onto Intune, and solving the problem for our 800 Android devices is very important.


You are adding so much though, keep it coming!

Senior Member

This mode is great and will work wonders as soon as it supports pushing certificates to the device in this mode.