COSU Configuration and Enrollment using the QR code enrollment method
Published Oct 30 2018 11:42 AM
Microsoft

First published on TechNet on Oct 08, 2018
Hi everyone, Matt Butcher here. I’m a Support Escalation Engineer on the Intune team and today I wanted to take a minute to go through the steps to configure and enroll COSU (corporate owned single use) Android enterprise devices using the popular QR code method.

To give you a little background, back in July we announced support for Android enterprise purpose-built device management, where we can target task-based use cases such as unattended guest kiosk experiences, inventory tracking, mobile ticketing, point-of-sale devices, etc. Devices managed in this way can enroll into Intune using a few different enrollment methods, such as scanning a QR code, which is what we’ll be discussing here. The benefit is that administrators can enroll these devices without needing to have user account credentials on the device. IT admins can then configure these corporate-owned devices to be used in locked-down environments, allowing only the app or apps necessary to complete the task while preventing users from accessing settings, installing other apps, or changing any device functions that might interfere with reliable operation.

For the purposes of this example, you’ll need a device running Android 7 or later that you can factory reset, and an open Wi-Fi network. Once you have that, just follow the steps below.

1. If you haven't done this already, start by connecting your Intune account to your Android enterprise account.

2. Next, approve any applications from the Managed Play Store that you need in the Managed Home Screen experience (including the Managed Home Screen and Android Device Policy apps).

3. Now we need to sync those apps to Intune. Open a browser and go to the Intune portal, then navigate to Client Apps -> Setup – Managed Google Play and click Sync.

4. Once the sync is complete, we need to create an Assigned or Dynamic device group that will be used for the deployment. If using a Dynamic device group, set the membership rule to Add devices where / enrollmentProfileName / Equals / <InsertCOSUEnrollmentProfileNameHere>. I’ll be using a Dynamic device group named COSU_Dynamic_Device_Group, so my rule will be Add devices where / enrollmentProfileName / Equals / COSU_Enrollment_Profile as shown below.



5. Now we need to create our COSU Enrollment Profile. From the Intune portal, navigate to Intune -> Android Enrollment -> Kiosk and Task Device Enrollments -> Create. Name the profile what you chose in your Dynamic Membership Criteria, which in our example was COSU_Enrollment_Profile.

6. Once that’s done, we’ll create our Kiosk Profile. From the Intune portal, navigate to Device Configuration -> Profiles -> Create Profile, then configure the profile as follows:

a. Name: whatever you like
b. Platform: Android Enterprise
c. Profile Type: Device Owner Only – Device Restrictions
d. Navigate to the Kiosk node and select Multi-app kiosk
e. Click Add. The list of all your apps will appear on the right
f. Add your apps, but do not add the Managed Home Screen
g. If you have Web Apps, be sure to include a browser

I also recommend adding a password just to see what happens with the Android Device Policy app.

7. Deploy all your apps as Required to your Dynamic device group. Note that if you have Web Apps, you do not need to deploy them.

8. Factory Reset your Android device.

9. Wait for OOBE to begin, then tap the white space until you’re prompted to download QR Reader.

10. Connect to your open Wi-Fi network and wait for the QR reader to be installed (your screen will just be a camera).

11. Use QR Reader to scan the QR code attached to your COSU Enrollment Profile. As the device enrolls, wait until the Managed Home Screen experience begins. If you required a PIN, manually set it before the Managed Home Screen experience begins; if you don't, the policy will show as failed. This matters because the PIN requirement does not present a toast notification to the user, but the setting is still enforced.

That’s it! Now your device is enrolled and ready to use.

Key Notes

    • Don't add the Managed Home Screen app to the Multi-App Kiosk profile.

    • If using web links, you do not need to deploy these to the device groups. Only store apps are required to be deployed.

    • If requiring a PIN, the user will not be prompted. The setting is enforced and you will need to configure the PIN manually.

    • To get out of the Managed Home Screen experience, all you need to do is remove the Managed Home Screen app deployment. You can adjust the Multi-App Kiosk Mode profile as needed, and then redeploy the Managed Home Screen app.

    • To get out of COSU, you will need to factory reset the device.

    • When troubleshooting, it is recommended to include the Android Device Policy app in your Multi-App Kiosk profile. This will allow you to verify what policies Google is sending to the device.

    • There is no direct communication between Intune and devices enrolled using this method. Intune sends policy information to Google, which then manages policy delivery.

    • Device names will look like this: 30a97bfb2327b18d_AndroidEnterprise_10/2/2018_10:34 PM. Currently this cannot be changed.

    • Compliance will show as Not Evaluated because COSU does not support compliance policies.

    • In this scenario, you cannot deploy certificate profiles, and Wi-Fi profiles are limited to open authentication or pre-shared key.



Matthew Butcher
Intune Support Escalation Engineer
Microsoft CSS

3 Comments
Brass Contributor

Hi, we are really excited about using this to control some of our in-store single-use tablets.

I've been testing it on a few devices and it's brilliant how quickly it works (especially compared to the legacy Android method in Intune)

I've got a few n00b questions that hopefully you can clarify

  1. Is there any requirement to push the Intune Company Portal app? I don't believe so as we have it working without it but in your screenshot you have it there.
  2. Enforcing device PIN - this doesn't seem to work, it would be great to have a video seeing how this happens
  3. Web links - We deployed the Microsoft Edge Browser to allow web apps to open, however it nags the end user to sign in with a work account and has unnecessary UI (we don't want them to add new tabs or browse other sites). Are you able to control/hide this, perhaps with an Intune App Configuration Policy?
  4. On our test devices, when using the multi-app kiosk mode, it doesn't have a "home" or "app-switch" button. The only button they get is the "back" one. This makes it very troublesome to get back to the home screen or move between apps. Is that the as-designed behaviour or have I set something wrong?
  5. Is the "Kiosk mode" flexible? I can't find any documentation specifically about what restrictions get enforced or if they can be customised (change wallpaper, allow status bar etc)
  6. I'm a bit confused on what you say about exiting the Kiosk mode. I take it there is no secret process, e.g. tap somewhere 3 times to enter an "admin unlock" code. If the store manager needed to get to the settings screen to modify something (especially during our early testing phases) is that possible? You say "all you need to do is remove the Managed Home Screen app deployment" but we didn't deploy the app, we just sync'd it and used the kiosk profile to utilise it. Same question if you are only in "single app" mode.
Microsoft

Hi Thom,

Thanks for all your great questions! I'll do my best to address them all individually. See my responses in bold.

Is there any requirement to push the Intune Company Portal app? I don't believe so as we have it working without it but in your screenshot you have it there.

You will not need to deploy the Company Portal app in this scenario. The apps on the left of the screenshot are the apps that I’ve chosen to be included in the Kiosk profile while the apps on the right are all of the approved Managed Play Apps and web links that are in the “All Apps” list.

Enforcing device PIN - this doesn't seem to work, it would be great to have a video seeing how this happens

I understand the feedback here, however I can confirm the enforcement does work. The user experience at this time is that you will not receive any type of prompt to set a PIN, but when manually navigating to set a PIN, you will see the requirements are there and you won’t be able to set a swipe or pattern as your password.

Web links - We deployed the Microsoft Edge Browser to allow web apps to open, however it nags the end user to sign in with a work account and has unnecessary UI (we don't want them to add new tabs or browse other sites). Are you able to control/hide this, perhaps with an Intune App Configuration Policy?

I am not currently aware of a workaround/solution to this behavior. Intune App Configuration Policies can only apply to Work Profile apps so unfortunately that wouldn’t be possible. We’d like to hear more from you on this so please feel free to open a support case so we can look for a better solution for you.

On our test devices, when using the multi-app kiosk mode, it doesn't have a "home" or "app-switch" button. The only button they get is the "back" one. This makes it very troublesome to get back to the home screen or move between apps. Is that the as-designed behaviour or have I set something wrong?

This is an intentional design choice from Google to heavily lock down the available actions a user can take on the device. Feel free to read about App Pinning and Lock task mode here: https://developer.android.com/work/cosu#pinning

Is the "Kiosk mode" flexible? I can't find any documentation specifically about what restrictions get enforced or if they can be customized (change wallpaper, allow status bar etc)

Not at this time, there are new features yet to come. Stay tuned!

I'm a bit confused on what you say about exiting the Kiosk mode. I take it there is no secret process, e.g. tap somewhere 3 times to enter an "admin unlock" code. If the store manager needed to get to the settings screen to modify something (especially during our early testing phases) is that possible? You say "all you need to do is remove the Managed Home Screen app deployment" but we didn't deploy the app, we just sync'd it and used the kiosk profile to utilize it. Same question if you are only in "single app" mode.

The Managed Home Screen needs to be deployed as Required to your device group for the Kiosk experience to take place. By removing the deployment, the targeted devices will be removed from the Kiosk experience and will allow you to make any changes needed.

Brass Contributor

Thanks for the feedback Matthew. That's cleared it up for me.

One little follow up question :) ...

I've targeted all app/profile deployments to a dynamic AAD group based on the enrollment profile (as described in the docs).

That works great but now we are in the position that we need to exclude some devices to troubleshoot them. So, from what you've said above I should change the Managed Home Screen app to "not required" and we should then be able to get to the device's Android Settings.

However, if I do that it will remove it for all devices so I need to allow exceptions in the dynamic group membership rules. I've tried doing this based on device id and name but the profile/apps still seem to be applying.

Example of the dynamic rule I'm trying to exclude 2 different devices:

(device.enrollmentProfileName -eq "Contoso Kiosks 01")  -and (device.deviceid -ne "j2dj2e2-51d3-4d5f-8ace-153a35718256" -or device.displayName -notcontains "3131k5afff157h23_AndroidEnterprise_11/1/1111_4:07 PM")
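The membership-rule logic behind step 4 of the post and the exclusion rule in the comment above, as an added example that is not part of the original post and is not Microsoft's rule engine. The Python below parses the subset of the Azure AD dynamic membership syntax used on this page (-eq, -ne, -contains, -notContains, -and, -or, -not, parentheses) and evaluates it against constructed device records so a rule can be checked before it is saved. It assumes string comparisons are case-insensitive, that a device lacking the attribute fails the comparison, and that -and binds tighter than -or (the page's rules are fully parenthesised, so precedence does not affect them). Run over the sample devices, it shows that the posted rule, with -or between the two exclusion tests, still admits both devices (each device fails only one of the two tests, so the other keeps it in), whereas joining the two tests with -and keeps both out.

```python
"""Evaluator for a subset of the Azure AD dynamic-group membership rule syntax.

Constructed example, not Microsoft's engine: it models the operators used on this
page so a rule can be dry-run against sample device records. Assumptions: string
comparisons are case-insensitive, a device missing the attribute never satisfies a
comparison, and -and binds tighter than -or.
"""
import re

TOKEN_RE = re.compile(r'''\s*(?:
      (?P<lparen>\()
    | (?P<rparen>\))
    | "(?P<string>[^"]*)"
    | (?P<op>-[A-Za-z]+)
    | (?P<prop>device\.[A-Za-z]+)
    | (?P<bad>\S)
    )''', re.VERBOSE)

# Comparison operators, keyed by their lower-cased spelling in the rule text.
COMPARATORS = {
    "-eq": lambda a, b: a == b,
    "-ne": lambda a, b: a != b,
    "-contains": lambda a, b: b in a,
    "-notcontains": lambda a, b: b not in a,
    "-startswith": lambda a, b: a.startswith(b),
    "-notstartswith": lambda a, b: not a.startswith(b),
}


def tokenize(text):
    """Split a rule into (kind, value) tokens; any unrecognised character is an error."""
    tokens = []
    for m in TOKEN_RE.finditer(text):
        kind = m.lastgroup
        if kind == "bad":
            raise ValueError(f"unexpected character {m.group(kind)!r} in rule")
        tokens.append((kind, m.group(kind)))
    return tokens


class Parser:
    """Recursive-descent parser: expr := term (-or term)*, term := factor (-and factor)*."""

    def __init__(self, text):
        self.toks = tokenize(text)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None):
        k, v = self.peek()
        if k is None or (kind and k != kind):
            raise ValueError(f"expected {kind or 'token'}, got {v!r}")
        self.i += 1
        return v

    def parse(self):
        node = self.expr()
        if self.i != len(self.toks):
            raise ValueError("unexpected trailing tokens")
        return node

    def expr(self):
        node = self.term()
        while self.peek() == ("op", "-or"):
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == ("op", "-and"):
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        k, v = self.peek()
        if k == "lparen":
            self.take()
            node = self.expr()
            self.take("rparen")
            return node
        if k == "op" and v.lower() == "-not":
            self.take()
            return ("not", self.factor())
        prop, op, val = self.take("prop"), self.take("op"), self.take("string")
        return ("cmp", prop, op.lower(), val)


def evaluate(node, device):
    """Evaluate a parsed rule against one device record (a plain dict of attributes)."""
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], device) and evaluate(node[2], device)
    if kind == "or":
        return evaluate(node[1], device) or evaluate(node[2], device)
    if kind == "not":
        return not evaluate(node[1], device)
    _, prop, op, wanted = node
    attr = prop.split(".", 1)[1].lower()           # "device.deviceId" -> "deviceid"
    actual = next((v for k, v in device.items() if k.lower() == attr), None)
    if actual is None:
        return False                               # assumption: missing attribute never matches
    if op not in COMPARATORS:
        raise ValueError(f"unsupported operator {op}")
    return COMPARATORS[op](actual.lower(), wanted.lower())


def members(rule_text, devices):
    """Return the deviceIds the rule would admit, in input order."""
    ast = Parser(rule_text).parse()
    return [d["deviceId"] for d in devices if evaluate(ast, d)]


# Constructed device records; the two values to exclude reuse the placeholder id and
# name from the comment above, the rest are made up.
KIOSK_PROFILE = "Contoso Kiosks 01"
EXCLUDED_ID = "j2dj2e2-51d3-4d5f-8ace-153a35718256"
EXCLUDED_NAME = "3131k5afff157h23_AndroidEnterprise_11/1/1111_4:07 PM"
DEVICES = [
    {"deviceId": EXCLUDED_ID, "displayName": "aaaa1111_AndroidEnterprise_11/1/1111_4:01 PM",
     "enrollmentProfileName": KIOSK_PROFILE},
    {"deviceId": "22222222-2222-2222-2222-222222222222", "displayName": EXCLUDED_NAME,
     "enrollmentProfileName": KIOSK_PROFILE},
    {"deviceId": "33333333-3333-3333-3333-333333333333",
     "displayName": "cccc3333_AndroidEnterprise_11/1/1111_4:12 PM", "enrollmentProfileName": KIOSK_PROFILE},
    {"deviceId": "44444444-4444-4444-4444-444444444444",
     "displayName": "dddd4444_AndroidEnterprise_11/2/1111_9:00 AM", "enrollmentProfileName": "COSU_Enrollment_Profile"},
]

# The step-4 rule from the post, the exclusion rule as posted (-or), and the same rule
# with -and, which is what "exclude device A and device B" requires.
ARTICLE_RULE = '(device.enrollmentProfileName -eq "COSU_Enrollment_Profile")'
POSTED_EXCLUSION = (
    f'(device.enrollmentProfileName -eq "{KIOSK_PROFILE}")  -and '
    f'(device.deviceid -ne "{EXCLUDED_ID}" -or device.displayName -notcontains "{EXCLUDED_NAME}")'
)
FIXED_EXCLUSION = POSTED_EXCLUSION.replace(" -or ", " -and ")

if __name__ == "__main__":
    for label, rule in (("article", ARTICLE_RULE), ("posted", POSTED_EXCLUSION), ("fixed", FIXED_EXCLUSION)):
        print(f"{label:8s} -> {members(rule, DEVICES)}")
```

Only the third device survives the -and version, while the posted -or version returns all three kiosk devices; the step-4 rule matches only the device enrolled through COSU_Enrollment_Profile. The same dry run is worth repeating on any rule that gates a Required app deployment, since a rule that silently admits a device you meant to exclude puts it straight back into the kiosk experience.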

Version history
Last update: Mar 04 2019 09:56 AM