How to setup Microsoft Managed Home Screen on Dedicated devices in multi-app kiosk mode
Published May 14 2020 04:13 PM

By: Charlotte Maguire | Sr Product Manager & Abigail Stein | Product Manager – Microsoft Intune

 

To deliver a multi-app, kiosk-style scenario on your Android Enterprise dedicated devices, Microsoft Intune uses Microsoft’s Managed Home Screen. This blog post explains what Managed Home Screen is, when to use it, and how to set it up. We walk you through, step by step, how to enroll your devices with Managed Home Screen and answer common questions.

 

What is a “dedicated device”?

Intune customers have the option to enroll their Android devices as Android Enterprise dedicated devices. These are corporate-owned devices that are not associated with a particular user and are often leveraged to complete specific tasks. To understand more about dedicated devices, please refer to the FAQ at the end of this post.

The Managed Home Screen app provides even more functionality to the dedicated device solution by limiting the set of apps available and preventing users from making changes to the device. Managed Home Screen also enables organizations to further customize, restrict, and troubleshoot their Intune-managed dedicated devices. Note that Managed Home Screen is intended only for Intune-managed devices enrolled as an Android Enterprise dedicated device. If you are looking for a similar solution on your Intune-managed Android Enterprise fully-managed devices, see Microsoft Launcher for Enterprise.

 

What is Microsoft Managed Home Screen?


 

Managed Home Screen is an Android application available for use through Managed Google Play.

 

Use Managed Home Screen when you want your users to have access to a specific set of applications on your Intune-enrolled dedicated devices. When configured in multi-app kiosk mode in Intune, Managed Home Screen is automatically launched as the default home screen on the device and appears to the user as the only home screen. This prevents devices from being misused and allows you to completely customize the home screen experience. Regardless of what is already installed on the device, you can pick which apps and system settings you want your users to access from Managed Home Screen to ensure the content they access is relevant to their tasks. Managed Home Screen gives you the flexibility to empower your users. Learn more by reading on!


Customization allows you to completely redesign how the home screen looks and feels:

  • Set a custom wallpaper to show off your branding or use it as a visual indicator to differentiate between your devices.
  • Position your apps on the home screen to make more important and frequently used apps easier to access, as well as create a consistent and familiar setup for your users between devices.
  • Categorize your apps into folders to reduce cognitive overload, especially if you have a lot of apps on the home screen.
  • Customize the size of how apps and folders appear on the home screen to accommodate various screen sizes.
  • Add custom widgets to the home screen to get quick access to vital app data.
  • Set a screen saver image to hide the home screen when the device is inactive.
  • Configure sign-in and sign-out capabilities in Managed Home Screen when a device is set up with Azure AD shared device mode.

 

Not only will Managed Home Screen enable you to make your organization’s devices visually appealing, but it’s also practical and streamlines the debugging process when something goes wrong on a device. With Managed Home Screen you can:

  • Intuitively access device information, such as the device’s serial number and its Intune enrollment name, to locate a problematic device in the Endpoint Manager admin center.
  • Access admin-related apps to upload logs or sync policies, such as Microsoft Intune app or the Android Device Policy app.
  • Access MHS logs to confirm what configurations are currently set on the device to check against what was pushed from Intune.
  • Access a temporary exit out of the Managed Home Screen app and return to the device’s original home screen to gain full access to the system settings, provided you have access to the admin-specified exit PIN.

These customizations are only accessible by using Managed Home Screen. Depending on your needs, you can use single-app kiosk mode to lock your devices into any other application or leave kiosk mode not configured. If you leave kiosk mode not configured, you will have limited control over the user experience. The chart below provides a visual summary of what you can accomplish with and without kiosk mode, as well as Managed Home Screen capabilities.

 

User experience without MHS vs. with MHS for multi-app kiosk mode

The chart compares three modes (without kiosk mode, with single app kiosk mode, and with MHS for multi-app kiosk mode) across the following customizations:

  • Add public, private, and web-based Managed Google Play applications to the home screen.
  • “Lock” user into one application with no home screen. The application will always be launched, with no exit path.
  • Set a custom wallpaper for the home screen.
  • Categorize apps into folders.
  • Customize how apps and folders look on the home screen.
  • Add widgets to the home screen.
  • Add a screen saver image.
  • Order items on the home screen.
  • Enable a virtual home button.
  • *Pick whether users can access notifications and device status bar.
  • *Pick whether users can access the device’s native home and overview buttons.
  • *Pick whether users can access the device’s power menu.
  • Enable a virtual battery and signal strength indicator on the home screen.
  • “Lock” the home screen so a user can’t add, move, or remove anything. Users will only have access to the items you have explicitly made available.
  • Pick which system settings to expose for user access.
  • Device debugging (MHS log collection, device information, easy access to Intune and Android device policy app sync, ability to exit to OEM home screen).
  • Create a custom sign-in experience with Azure AD.
  • Allow users to create a local session pin to resume a session using Azure shared device mode.
  • Create customer facing folders, which can be accessed when frontline worker enters a pin on shared device mode.
  • Automatic sign out after inactivity for users signed in through shared device mode.

 

 

 

*Control over user access to notifications, navigation buttons, power menu & status bar is only configurable on devices running Android OS 9 or later.

 

How do I set it up?

Let’s go step-by-step to set up your device with Managed Home Screen configurations.

 

Before we begin, make sure you have an Android device that is capable of enrolling into Intune as an Android Enterprise dedicated device. Not sure if your device meets the requirements? Check the “Device requirements” section of Android Enterprise dedicated device enrollment | Microsoft Learn.

 

Step #1 – Set up your Intune enrollment profile and device group.

Create an enrollment profile to generate an enrollment token and attach it to a device group. Note that this step assumes you have already set Intune as your MDM authority and that you have connected your Intune account to your Managed Google Play account.

 

In the Endpoint Manager admin center, navigate to Devices > Android > Android enrollment > Corporate-owned dedicated devices.

 


 

Choose Create profile.

Fill in the Name and, if desired, a Description. You can also choose when you would like your token to expire. As of December 2022, the max expiry is 90 days from the day the token was created. This will soon be extended to 65 years.

 

Select the Type. If you anticipate that your devices will now, or in the future, require users to access M365 applications, App Protection Policies, or Conditional Access policies, select Corporate owned dedicated device with Azure AD shared mode. Otherwise, select Corporate owned dedicated device. Learn more about shared device mode in the blog post Enroll Android Enterprise dedicated devices into Azure AD shared device mode.


When you’re ready, click Create. Tip: Remember the profile name, as we will be using it next.


 

 


 

Step #2 – Create a device group

Navigate to Groups > All groups > New group.

 


Create a Group name and, if desired, a Group description. Verify that the Group type is set to “Security.”


Change Membership type to Dynamic device, and then choose Add a dynamic query. Use dynamic queries so that your device is automatically added to a group based on the property of your choice. This way, you don’t need to manually add devices to groups post-enrollment. If you prefer to add members manually, change the Membership type to Assigned.


 

In this example, we’re adding devices to this user group whenever a device enrolls with the newly made profile. To do that, we make the dynamic query add a device any time the Property “enrollmentProfileName” is equal to the name of your Android Enterprise dedicated device enrollment profile from Step 1.

 

Configure the dynamic query by changing:

  • Property to “enrollmentProfileName”
  • Operator to “Equals”
  • Value to <your enrollment profile name>


 

Save the query and return to the New group page. Review your group’s properties and click Create when you’re ready. Confirm your device group was created in the All groups page.

 


 

Step #3 – Approve and assign Managed Home Screen and other Managed Google Play apps

This step ensures that the Managed Home Screen is downloaded and installed on your enrolled devices and is automatically launched.


Once you have linked your Intune and Managed Google Play accounts, you’ll notice that you already have Managed Home Screen synced in the console when you navigate to Apps > All apps.

 

Click on “Managed Home Screen” and choose Properties > Assignments (edit), add your device group from Step 2 to the Required assignments, and then save.

 


 

To add public, private or web applications, stay in Apps > All apps and choose “add.”

 


 

Under Select app type choose Managed Google Play app.

 


 

You should see something like the image below:

 

Picture12.png

 

Notice the Play Store icon, a lock icon, and a globe icon on the left of the screen. To add public applications, keep the Play Store icon selected. To add private applications or web applications, choose the lock and globe icons, respectively.


In this example, we'll illustrate adding Microsoft Edge.

Search for “Microsoft Edge” using the search bar and then select the Microsoft Edge icon.


 

Choose Approve which will generate a pop-up like the one below.

 

Picture14.png

 

Click Approve once more and follow the instructions on the next pop-up regarding app permission requests. Click Done when you are ready.


 

Notice the app will now be marked as “Approved” underneath its listing.

 


Repeat the above steps for all the public applications you would like to add to the store. Reference Add Managed Google Play apps to Android Enterprise devices with Intune | Microsoft Learn if you would like to add private applications or web apps. The same link calls out the steps we have illustrated above for public applications, for a quick reference.

When you are done adding Managed Play Store applications, click the Sync button in the top left corner. The following banner will appear in your application list:

 

Picture17.png

 

Once the applications have successfully synced into your list, repeat the steps we described for Managed Home Screen to assign the apps as “Required” to the device group you made in Step 2.

 

Step #4 – Manage Android Enterprise system apps

In addition to Managed Play Store applications, we often get questions about how to add system applications to dedicated devices that are using Managed Home Screen. System applications are the apps that a device’s Original Equipment Manufacturer (OEM) ships on the device and that are not published to the Play Store. These apps are often disabled by default upon enrollment, so you will need to follow these steps to enable them and show the icon on the device. To accomplish this, navigate back to Apps > All apps in Intune and choose Add in the top left corner.

 


 

Choose Select and then fill out the App information, and assign as “Required” or “Uninstall” to the group we made in Step 2. Choose required if you would like the application available on the device or uninstall if you would like the application to always be hidden on the device. If you’re not interested in making any changes to the system apps on your devices, you may skip this step.

 


 

Please note that Microsoft does not maintain a list of OEM’s system applications. If you are having trouble locating the correct package names for your device, please work with your device OEM(s).

 

Step #5 – Create a device configuration profile

In this step, we walk through creating a device configuration profile for your dedicated devices. This profile will allow you to configure device-level behavior and will also allow you to configure kiosk mode, which is how your device(s) will know to launch Managed Home Screen automatically. Additionally, this is where you add applications to Managed Home Screen and can configure some Managed Home Screen-specific features.

 

Navigate to Devices > Configuration profiles > Create profile.

 


 

Under Platform, select “Android Enterprise.” Under Profile select “Device restrictions” beneath “Fully Managed, Dedicated, and Corporate-Owned Work Profile.”

 


 

Choose Create, provide a Name for your profile and, if desired, a Description.

 


 

When you’re ready, choose Next. Use the available categories to configure any settings that are applicable to your scenario. For this tutorial, we will focus only on showing you how to set up Managed Home Screen under the Dedicated devices category.

 


 

Toggle the Kiosk mode setting to “Multi-app,” as shown below. This will ensure your devices targeted with this profile are locked into Managed Home Screen, which you already set as a required application in Step 3. Additionally, it will show you a list of settings that are directly applicable to Managed Home Screen.

 

14MultiAppProfile.png

 

In the top section, choose Add to select any Android Enterprise applications you have added to the console, which we also did in Step 3. These are the applications that will appear to your users when they use Managed Home Screen.

 


 

Underneath the app selection setting, configure any of the settings that you like. You can use the tooltips to better understand what these settings do, or refer to Android Enterprise device settings list to allow or restrict features on corporate-owned devices usi....

 

When configuring, consider settings that impact the user experience of the device. For example, you can configure whether you want a user to be able to easily access the debug menu, see the number of notifications they have per-app, see basic device information, and more. If you have selected to enroll devices with Azure shared device mode, you may also choose to leverage Managed Home Screen’s integration with shared device mode by enabling Managed Home Screen sign-in to customize sign-in and sign-out experiences for your users.

 

Once you’re ready to move on from configuring settings, choose Next, assign the profile to your device group, review your changes to make sure everything looks correct, and then click Create.

At this point, you can enroll your devices into Intune and expect them to download any of the apps you targeted, receive applied settings and other policies, and automatically lock into and launch Managed Home Screen. Find the details in Step 7.

To take full advantage of all the settings that Managed Home Screen has to offer, you can create an app configuration policy, since many of the customizations are not yet available in the Device configuration profile. We walk you through this in the next step. Below is a summary of which customizations are exclusive to app configuration policy at this point in time.

 

 

To customize the home screen’s appearance, consider these features:

| Feature | Available in Device Configuration | Available in App Configuration |
|---|---|---|
| Set a custom wallpaper | X | X |
| Set app icon size | X | X |
| Set app folder icon | X | X |
| Set screen orientation | X | X |
| Create a folder | | X |
| Add a widget | | X |

To customize screen saver mode, consider these features:

| Feature | Available in Device Configuration | Available in App Configuration |
|---|---|---|
| Enable screen saver mode | X | X |
| Set a screen saver image | X | X |
| Set the number of seconds the device shows the screen saver before turning the screen off | X | X |
| Set the number of seconds a device is inactive for before showing the screen saver | X | X |
| Set whether playing media should be considered when counting inactivity time | X | X |

Choose which settings you want to expose in MHS by picking from this list:

| Feature | Available in Device Configuration | Available in App Configuration |
|---|---|---|
| Enable a virtual home button | X | X |
| Set the type of virtual home button (floating or accessing by swiping up) | X | X |
| Show managed setting | X | X |
| Enable Wi-Fi configuration to see available networks | X | X |
| Enable a Wi-Fi allow-list to limit networks | X | X |
| Set the Wi-Fi allow-list if enabled | X | X |
| Enable Bluetooth configuration to see available networks | X | X |
| Enable Flashlight toggle (if the hardware supports it) | X | X |
| Enable a media volume slider | X | X |
| Enable a Device Information tab to see information around device model, manufacturer, and serial number | X | X |
| Enable notifications badge on applications | X | X |
| Enable the battery and signal strength indicators on the home screen’s status bar | | X |

To set the order of items on the home screen you’ll need all these features:

| Feature | Available in Device Configuration | Available in App Configuration |
|---|---|---|
| Set grid size | | X |
| Lock home screen | | X |
| Enable application order | | X |
| Set the application orders (can use to order applications, weblinks, widgets and folders) | | X |

To utilize shared device mode, consider these features:

| Feature | Available in Device Configuration | Available in App Configuration |
|---|---|---|
| Enable sign in | X | X |
| Set wallpaper for sign in | X | X |
| Enable organization logo on sign in page | X | X |
| Set organization logo on sign in page | X | X |
| Enable session pin | X | X |
| Complexity of session PIN | X* | X |
| Minimum length for session PIN | | X |
| Maximum number of attempts for session PIN | | X |
| Customer facing folder | | X |
| Require PIN after returning from screen saver | X | X |
| Enable auto sign-out based on user inactivity | X | X |
| Enable auto sign-out based on fixed time since user sign-in | | X |
| Countdown time on auto sign-out dialog | X | X |
| Privacy statement title | | X |
| Privacy statement link | | X |

Enable extra debugging features from these features:

| Feature | Available in Device Configuration | Available in App Configuration |
|---|---|---|
| Enable Exit Kiosk mode | X | X |
| Set Exit Kiosk mode PIN | X | X |
| Enable easy access to the debug menu | X | X |
| Enable maximum inactive time outside of MHS | | X |
| Set maximum inactive time outside of MHS | | X |
| Enable maximum time outside of MHS | | X |
| Set maximum time outside of MHS | | X |

*Currently, only some complexities are available in Device Configuration.

 

Step #6 – (Optional) Create an app configuration profile

As mentioned above, if you have completed steps 1-5, you are all set to enroll your devices. This step is optional, and should be used if you want to learn how to leverage all of the Managed Home Screen features available today, either pre- or post-enrollment.

This step will allow you to configure the complete list of features Managed Home Screen has to offer today. Additionally, any time Managed Home Screen publishes an update to the Google Play store with new features, the settings become instantly available via app configuration.

Please note, we strongly suggest using device configuration to set the Managed Home Screen settings. For the Managed Home Screen settings not yet available in device configuration, use App configuration. Let’s get started!

In the Endpoint Manager admin center, navigate to Apps > App configuration policies > Add > Managed devices

 


 

Fill in the Name and, if desired, a Description. For platform, choose Android Enterprise, for profile type, select Fully Managed, Dedicated and Corporate-Owned Work Profile Only, and for targeted app, select Managed Home Screen. Choose Next when you’re ready to continue.


 

On the top half of the screen are Permissions assignments. For this tutorial, we use the default permissions, and won’t make any adjustments here. However, feel free to make changes as you see fit.

On the bottom half of the screen are Configuration settings.

 


 

You can choose to use configuration designer or JSON data to configure your settings.

 


 

Configuration designer will show you all available configurations for features within Managed Home Screen the instant a new update is released on the Managed Google Play Store. However, some configuration keys will only be configurable through JSON format. We will briefly show you how to use Configuration settings format > Use configuration designer to add Managed Home Screen features, but will use Enter JSON data format to achieve our scenario.

 

6.A Using configuration designer to set up Managed Home Screen features

From the Configuration settings format drop-down menu, select Use configuration designer and choose Add to open a panel with all the available Managed Home Screen configuration keys.


 

Select the configuration keys you want to edit in the right panel and then click OK.

 


 

After selecting the configuration keys, you’ll see that they have default values.


 

To change a configuration value, hover over and interact with each row under the “Configuration value” column.


 

Once your changes have been made, click Next.

 


 

Note: Values at this point are not saved. If you want to switch configuration formats from “Use configuration designer” to “Enter JSON data,” you’ll need to delete additional example configurations in the JSON block. Finish and save this policy before switching to “Enter JSON data.”

On the Assignments page under Included groups, choose Select groups to include and pick the device group you created in Step 2. Click Next to review and, when you’re ready, click Create.

 


 

6.B Using JSON data to set up Managed Home Screen features

Finish configuring the home screen by using JSON to create folders, add widgets, and order items.

 

You can edit your existing app configuration profile by clicking on the policy you just made in Apps > App configuration policies.

 


 

Then select Properties > Settings (Edit)


 

Use the Configuration settings format drop-down menu to select Enter JSON data. Notice all of your existing configurations in JSON format.


 

Your JSON should always begin and end with the following:

 

 

 

 

{
    "kind": "androidenterprise#managedConfiguration",
    "productId": "app:com.microsoft.launcher.enterprise",
    "managedProperty": [
//FEATURE CONFIGURATIONS GO HERE
    ]
}

 

 

 

6.B.1 Add a managed folder to your home screen

Want to add a bit of organization to your home screen? Create a folder managed by you. This can only be done via JSON data format in an app configuration policy.

 

Add the following JSON snippet where the feature configurations go.

  • Replace “PLACEHOLDER_FOLDER-NAME” with the name you wish to give your folder.
  • Replace “PLACEHOLDER_APP-PACKAGE-NAME” with the package name of the app you wish to place inside your folder. In this instance, there are two apps within the folder. You can add as many apps as you wish. An app package name would look something like “com.example.myapp.” As an example, the Microsoft Teams app for Android has a package name of “com.microsoft.teams.”

 

 

 

 

{
    "key": "managed_folders",
    "valueBundleArray": [
        {
            "managedProperty": [
                {
                    "key": "folder_name",
                    "valueString": "PLACEHOLDER_FOLDER-NAME"
                },
                {
                    "key": "applications",
                    "valueBundleArray": [
                        {
                            "managedProperty": [
                                {
                                    "key": "package",
                                    "valueString": "PLACEHOLDER_APP-PACKAGE-NAME"
                                }
                            ]
                        },
                        {
                            "managedProperty": [
                                {
                                    "key": "package",
                                    "valueString": "PLACEHOLDER_APP-PACKAGE-NAME"
                                }
                            ]
                        }
                    ]
                }
            ]
        }
    ]
}

 

 

 

6.B.2 Configure custom ordering of items on the home screen

To create a custom ordering of items on the home screen you will need to have:

  • Already added your apps, widgets, and folders to your home screen allow-list.
  • Locked the home screen so that a user cannot make changes by moving things around themselves.
  • Set a grid size for your home screen pages.
  • Enabled app ordering mode.

 

You will now be able to set the position of an item to an assigned grid position. Positions read from smallest to largest from left-to-right and then top-to-bottom. Below, the illustration is set to a grid size of “3;7” which is 3 columns and 7 rows. This grid size will contain at maximum 21 items on each page. Note that a custom widget can take up more than one space depending on its size.

 

Device Grid.png

 

The following JSON snippet will show an example of putting the Microsoft Teams, Yammer, and SharePoint apps in positions 16, 17, and 18. To customize this JSON for your own use, simply replace the app package names and position numbers to match your customization.

 

 

 

 

{
    "key": "app_order_enabled",
    "valueBool": true
},
{
    "key": "grid_size",
    "valueString": "4;3"
},
{
    "key": "lock_home_screen",
    "valueBool": true
},
{
    "key": "app_orders",
    "valueBundleArray": [
        {
            "managedProperty": [
                {
                    "key": "type",
                    "valueString": "application"
                },
                {
                    "key": "package",
                    "valueString": "com.microsoft.teams"
                },
                {
                    "key": "position",
                    "valueInteger": 17
                }
            ]
        },
        {
            "managedProperty": [
                {
                    "key": "type",
                    "valueString": "application"
                },
                {
                    "key": "package",
                    "valueString": "com.microsoft.yammerv1"
                },
                {
                    "key": "position",
                    "valueInteger": 18
                }
            ]
        },
        {
            "managedProperty": [
                {
                    "key": "type",
                    "valueString": "application"
                },
                {
                    "key": "package",
                    "valueString": "com.microsoft.sharepoint"
                },
                {
                    "key": "position",
                    "valueInteger": 19
                }
            ]
        }  
    ]       
}       
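The JSON rules from sections 6.B to 6.B.2, as an added example that is not part of the original post or of Intune: a small Python linter that checks the envelope, the value field of each property, stray whitespace in keys and values, the ordering prerequisites and duplicate positions before the text is pasted into the policy. The function names and sample documents are constructed for illustration; only the keys and envelope values come from the post.

```python
import json

# Envelope values and value-field names exactly as they appear in the post.
KIND = "androidenterprise#managedConfiguration"
PRODUCT_ID = "app:com.microsoft.launcher.enterprise"
VALUE_FIELDS = ("valueBool", "valueString", "valueInteger", "valueBundleArray")


def _by_key(props):
    """Index a managedProperty list by key, ignoring stray whitespace."""
    return {str(p.get("key", "")).strip(): p for p in props if isinstance(p, dict)}


def _walk(props, path, findings):
    """Check the shape of every property and recurse into bundle arrays."""
    for i, prop in enumerate(props):
        here = f"{path}[{i}]"
        key = prop.get("key") if isinstance(prop, dict) else None
        if not isinstance(key, str):
            findings.append(f"{here}: property has no string 'key'")
            continue
        if key != key.strip():
            findings.append(f"{here}: key {key!r} has stray whitespace")
        present = [f for f in VALUE_FIELDS if f in prop]
        if len(present) != 1:
            findings.append(f"{here}: {key!r} needs one value field, has {present}")
            continue
        value = prop[present[0]]
        if isinstance(value, str) and value != value.strip():
            findings.append(f"{here}: value {value!r} has stray whitespace")
        if isinstance(value, list):
            for j, bundle in enumerate(value):
                _walk(bundle.get("managedProperty", []), f"{here}[{j}]", findings)


def lint(text):
    """Return a list of findings for one Managed Home Screen JSON document."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        # A leftover //FEATURE CONFIGURATIONS GO HERE placeholder ends up here.
        return [f"not valid JSON (line {exc.lineno}): {exc.msg}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    findings = []
    for field, want in (("kind", KIND), ("productId", PRODUCT_ID)):
        if doc.get(field) != want:
            findings.append(f"{field!r} must be {want!r}")
    props = doc.get("managedProperty")
    if not isinstance(props, list):
        return findings + ["'managedProperty' must be an array"]
    _walk(props, "managedProperty", findings)
    top = _by_key(props)
    if "app_orders" in top:
        for name in ("app_order_enabled", "lock_home_screen"):
            if top.get(name, {}).get("valueBool") is not True:
                findings.append(f"app_orders is set but {name} is not true")
        grid = str(top.get("grid_size", {}).get("valueString", "")).split(";")
        if len(grid) != 2 or not all(part.isdigit() for part in grid):
            findings.append("app_orders is set but grid_size is not 'columns;rows'")
        seen = {}
        for bundle in top["app_orders"].get("valueBundleArray", []):
            item = _by_key(bundle.get("managedProperty", []))
            pos = item.get("position", {}).get("valueInteger")
            name = item.get("package", {}).get("valueString", "<no package>")
            if not isinstance(pos, int):
                findings.append(f"{name}: no integer position")
            elif pos in seen:
                findings.append(f"position {pos} is used by {seen[pos]} and {name}")
            else:
                seen[pos] = name
    return findings


def sample(apps, locked=True):
    """Constructed sample: envelope, ordering prerequisites and app_orders."""
    orders = [{"managedProperty": [
        {"key": "type", "valueString": "application"},
        {"key": pkg_key, "valueString": pkg},
        {"key": "position", "valueInteger": pos},
    ]} for pkg_key, pkg, pos in apps]
    return json.dumps({"kind": KIND, "productId": PRODUCT_ID, "managedProperty": [
        {"key": "app_order_enabled", "valueBool": True},
        {"key": "grid_size", "valueString": "3;7"},
        {"key": "lock_home_screen", "valueBool": locked},
        {"key": "app_orders", "valueBundleArray": orders},
    ]})


# Constructed inputs: clean, three mistakes, and the template placeholder left in.
GOOD = sample([("package", "com.microsoft.teams", 16),
               ("package", "com.microsoft.yammerv1", 17)])
BAD = sample([("package", "com.microsoft.teams", 16),
              ("package ", "com.microsoft.sharepoint", 16)], locked=False)
TEMPLATE = '{"managedProperty": [\n//FEATURE CONFIGURATIONS GO HERE\n]}'

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD), ("TEMPLATE", TEMPLATE)):
        print(label, lint(text) or "no findings")
```

An unlocked home screen lets the device user rearrange the layout, so the `lock_home_screen` finding is the one to clear first on a kiosk.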

 

 

 

Step #7 – Enroll your devices

Make sure your device is running Android OS 8+ and runs with Google Mobile Services (GMS). Once you have your device ready, you can enroll it from a factory-reset state using Near Field Communication (NFC), token entry, QR code scanning, Google’s Zero Touch enrollment or Samsung’s Knox Mobile Enrollment. Since there is no user associated with Android Enterprise dedicated devices, user credentials will not be required during enrollment or provisioning. Choose which enrollment type you’d like to use and follow the appropriate instructions found in Enroll your Android Enterprise dedicated, fully managed, or corporate-owned with work profile device....

Once enrollment has been initiated on your device, you’ll need to follow simple instructions on the screen to complete the enrollment process.

 

Step #8 – Setup done

Once enrollment is complete, you’ll land on the device’s home screen. The device will sync policies with Intune. Once policies are synced, apps will begin to download and install on your device. Once Managed Home Screen is installed, it will auto-launch and show all your configurations. Your device is ready for use!

 

Next Steps

We are excited to share the robust capabilities that Managed Home Screen can provide to help you deliver a superior and consistent user experience on all your Intune-managed dedicated devices. As we continue to innovate on the Managed Home Screen, we look forward to your ongoing usage and feedback. Have feedback? Need help? Please fill out this form, and note that additional fields will become available based on selection. We’re always eager to learn more about what we can do better for you! While you’re welcome to comment back on this post, we’re taking specific service feedback on this feature in the form.

 

FAQ

  1. Dedicated devices are new to me. When should I choose to enroll a device as a dedicated device?
    1. Intune’s Android Enterprise dedicated device solution is intended for use by customers that want their Android devices enrolled with no user-affinity. Intune’s Android Enterprise dedicated device solution requires that the device runs Android OS 8+ and can connect to Google Mobile Services (GMS). The three main scenarios Intune sees for dedicated devices are as follows, in no particular order:
      • As a digital sign – typically locked into one application that shows viewers desired information. Consider the train schedules you might see at a subway stop, or in an airport. There is zero-to-minimal physical user interaction in this scenario.
      • Task-based devices – typically locked into one application or multiple applications, and used for specific tasks. The device has no knowledge of who is using it or when.  Example: package delivery drivers who pick up a device at the beginning of their shift and use it to navigate to their location, scan packages, complete other role-based tasks and then drop the device back off when they're done for the next delivery driver to use.
      • Multi-user, task devices – locked into one app or a set of apps, and used for specific tasks. At least one application on the device requires users to sign-in, and those apps need to have knowledge of who is using it and when. For this scenario, we generally recommend leveraging Shared device mode. Example: A device that is used in a factory by a maintenance person, shift worker and delivery driver. While the device’s apps and policies are the same per-user, applications on device display relevant information to each person based on sign-in information.
  2. When I create a token to enroll my dedicated devices, it forces me to expire it in 90 days or less, how can I get around this?
    1. Historically, Google enforced a maximum of 90 days for token expiration. However, this restriction has recently been lifted and Intune is working to support an enrollment token lifetime of 65 years. This work is in development and is expected to be available to Intune customers by January of 2023. Do note that any expiration date selected with an enrollment token only impacts new enrollments. Existing devices enrolled on a particular token will stay enrolled until they are wiped or factory reset, agnostic of the token’s expiration date. Additionally, there is no limit to how many devices you can enroll on a specific token. If you’re interested in learning how to get around manually updating your tokens each time they expire, see the article Automatically renew Android enrollment tokens using Power Automate.
  3. I want to enable system apps on my dedicated device and am having trouble locating the package names. Does Microsoft maintain a list of packages for different devices?
    1. Device manufacturers choose what system applications ship with their devices, and this can vary both by make and model. As such, Microsoft does not maintain any list of system packages for device manufacturers. Please work with your manufacturer or use debugging tools to find the package names of the system applications on your device(s).
  4. When should I be using Intune’s single-app kiosk mode versus multi-app kiosk mode?
    1. Single-app kiosk mode is intended for use by customers who want their devices locked into any particular application. Devices running in single-app kiosk mode are locked down into just one selected application, disabling user access to the rest of the device. This is most useful in cases when you want to limit user interaction significantly and is particularly useful for customers who know that one app will satisfy all of their use cases at all times. Example: A digital sign at a subway stop set up to only display that day’s train schedules or a device serving as a public kiosk. Note: Although you can choose to use single-app kiosk mode with Managed Home Screen, we recommend using multi-app kiosk mode, which takes care of placing Managed Home Screen into single-app kiosk mode behind the scenes, and exposes additional settings to configure.
    2. Multi-app kiosk mode is intended for customers looking to use Managed Home Screen to optimize workflows by streamlining the user experience. This is done by limiting app access, restricting device navigation, and enabling only specific device capabilities. This mode is particularly useful for customers that require access to multiple apps but want to limit overall device access. Example: A device that is used on a factory floor to complete a few distinct functions.
  5. If I use a device configuration profile and an app configuration profile to set up Managed Home Screen, do I need to worry about conflicts?
    1. It is completely appropriate to use a device configuration profile and an app configuration profile to set up Managed Home Screen. We recommend doing this only if there are Managed Home Screen settings that you would like to configure that are not yet available in device configuration. If you don’t set the same features in both places, there will be no conflicts to worry about.
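
One way to carry out the "use debugging tools" step from FAQ item 3, as an added example that is not part of the original post: `adb shell pm list packages -s` lists the system packages on a connected test device, and the helper below reduces that output to bare package names. The function names and the sample package names are constructed for illustration, and a test device with USB debugging enabled is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): reduce `pm list packages`
# output to the bare package names needed when adding Android Enterprise
# system apps. Function names and sample data are constructed.
#
# On a test device with USB debugging enabled (assumption), feed it real data:
#   adb shell pm list packages -s -f | package_names
#   adb shell pm list packages -s    | find_package camera

# Read `pm list packages [-f]` output on stdin; print unique package names.
package_names() {
    tr -d '\r' |                # some adb versions return CRLF line endings
    sed -n 's/^package://p' |   # keep only "package:" lines, drop the prefix
    sed 's/^.*=//' |            # with -f the name follows the LAST "="
    sort -u
}

# Print the package names that contain a keyword (case-insensitive, literal).
# Returns non-zero when nothing matches, so a typo is not silently ignored.
find_package() {
    package_names | grep -i -F -- "$1"
}

# Constructed sample mixing both output formats, a CRLF line, a duplicate,
# a path containing "=" characters, and a non-package warning line.
sample_output() {
    printf '%s\r\n' 'package:/system/priv-app/ExampleCamera/ExampleCamera.apk=com.example.oem.camera'
    printf '%s\n' 'WARNING: constructed noise line that must be ignored'
    printf '%s\n' 'package:com.example.oem.dialer'
    printf '%s\n' 'package:/data/app/~~Q29uc3RydWN0ZWQ==/com.example.oem.scanner-c2FtcGxl==/base.apk=com.example.oem.scanner'
    printf '%s\n' 'package:com.example.oem.dialer'
}

# Demonstration on the constructed sample: prints three package names.
sample_output | package_names
```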


Quick links

The links provided below include all the documentation you need to set up your Android Enterprise dedicated devices with Managed Home Screen in Intune.

  1. Set the mobile device management authority
  2. Connect your Intune account to your Managed Google Play account
  3. Set up Intune enrollment of Android Enterprise dedicated devices
  4. Enroll your dedicated devices
    1. You can enroll your devices at any point after creating an enrollment profile and device group. In this blog post, we enrolled the devices after setting up apps and a device configuration profile, but it is equally reasonable to deploy policies post-enrollment.
  5. Add Managed Google Play apps
  6. Add Android Enterprise system apps
  7. Assign apps to your groups
    1. Choose “required” for Managed Google Play apps and Android Enterprise system apps that you want accessible on your dedicated devices.
    2. Choose “uninstall” for Android Enterprise system apps that you want hidden on your dedicated devices.
  8. Apply device configuration settings
    1. Device restrictions
    2. OEMConfig
    3. Wi-Fi profiles
    4. Certificates
  9. Apply app configuration policies to managed Android Enterprise devices
    1. Full list of features you can configure with Managed Home Screen

 

Blog post updates:

  • 12/9/22: Updated to include additional features that have been released along with minor content updates. 
  • 7/29/20: Updated the chart to include new device configuration support for a number of Managed Home Screen items.
34 Comments
Steel Contributor

Thank you very much for putting the time into this! Very helpful. 

Copper Contributor

This is excellent work, and so very detailed. Thank you. I've linked this to a post from my LinkedIn account.

Copper Contributor

Excellent thanks for sharing

Copper Contributor

Completely skips over how to add widgets...

Hi @tmorrice, we're currently working with the team to add additional documentation around widgets and will update this post once they're live. Thank you for the feedback!

Copper Contributor

Hi,

 

We need guidance on installing and using widgets, this was released a year ago....

Brass Contributor

Has anyone noticed slowness of the device when using the managed home screen

 

Hi @Adrian Bishop, there hasn't been any recent incidents around this behavior, but if you're still experiencing this, could you message us with additional details about the issue for further investigation? Thanks!

Copper Contributor

Is there a way to enforce a PIN number on MHS devices?

Copper Contributor
I would also like to know how to add widgets. Is there now an instruction?
Copper Contributor

Is there any chance to have multi user support with Azure AD?

Copper Contributor

Hi,

Thanks for putting up the article, it is really helpful. I have 2 questions below for MHS:

1. On Android devices MHS blocks the Notification Bar and Status Bar. Is there a way we can enable that in MHS?

2. Can we collect logs from MHS in case there is an issue or we need to contact MS for the same?

Also, can you share any document for the MHS global sign-in feature?

Copper Contributor

I'm asking here, because I can't find a better place to do it.

 

In your documentation, Teams is clearly a featured App. I have followed this and other documents with the intent of supplying a number of mobile devices to our hospitality staff, specifically for Teams. As such, we had opted to go with the Samsung Galaxy XCover Pro, for its Walkie Talkie/PTT button feature.

 

Here is what I've encountered. Device is configured Dedicated with AAD Shared Auth (understand it's Preview).

 

Any help or could you point me to the arena to have this discussion?

 

Additional note on the Galaxy XCover:

  • Use of PTT button requires a subscription to Samsung's Knox Config Platform.
    • I get this is a 3rd party hardware requirement, but MSFT is advertising this device as if it works OOB.

@Rakib_Rahman, Yes! We have released a public preview to enroll dedicated devices into Intune with Azure AD shared device mode automatically configured. You can also use new Managed Home Screen configurations tailored specifically to this scenario. You can learn more in our post here: Intune Public Preview – Enroll Android Enterprise dedicated devices into Azure AD Shared device mode.

Hi @Hospy, thanks for your feedback!

 
  1. By default, notifications and status bar are blocked by the OS when using kiosk mode. With our most recent [November 2020] release, we now support the capability to allow the status bar and notifications to appear while running in kiosk mode, whether you are locked into Managed Home Screen or another application. You will need to use device configuration settings in Intune to use these features. Please learn more about them here: Android Enterprise device settings for dedicated devices
  2. You can collect logs from MHS by using the debug menu. You can access this by swiping down if you have enabled the easy access to debug menu feature, or you can access this by clicking your device's "back" button about 15 times. You will see an option to choose "logs" and you can upload them. Please save the ID to share with MSFT support, or for your own reference.
Here is some documentation on the public preview of Azure AD shared device mode, which leverages global sign-in and sign out: Intune Public Preview – Enroll Android Enterprise dedicated devices into Azure AD Shared device mode. Additionally, we have documented all of the MHS capabilities, inclusive of the global sign-in features, here: Configure the Microsoft Managed Home Screen app for Android Enterprise | Microsoft Docs.

Hi @Michael Hines,

 

Thank you for your post and feedback!
 
  • With our November 2020 release of Intune, we now support the capability to surface notifications while using kiosk mode. Please find documentation on these settings here: Android Enterprise device settings for dedicated devices. Do let us know if this does not solve the issues you're running into with receiving calls via Teams.
  • Managed Home Screen sign-in leverages AAD's Shared device mode. If your device is enrolled as a dedicated device and configured with Azure AD shared device mode, then all of the sign-in capabilities supported by Azure AD shared device mode apply to signing in with MHS, including SMS sign-in. There are some steps you will need to take to enable users with SMS sign-in capabilities. Please find documentation on that here: SMS-based user sign in for Azure Active Directory | Microsoft Docs.
  • We do not have any recent incidents around the behavior you're experiencing with Office and Office apps, but if you're still running into this, could you message us with additional details about the issue(s) for further investigation? Thanks!
 
Thanks for your note on the Galaxy XCover. This device is not specifically covered in this help article, though if you have specific documents to point to that you feel are misleading we would be happy to take that feedback.
Copper Contributor

@Intune_Support_Team the biggest issue is calling, so we'll circle back to test that and see if the other issues persist.

Copper Contributor

@Intune_Support_Team the complaint about the XCover side button is here, because I'm not sure where else to make it. Microsoft was very excited to announce the Walkie-Talkie feature in Teams, and featured this particular device. I suppose the aspect that does tie it back to Intune/Endpoint, is that regardless of the requirement to purchase Samsung's configuration service, you still have to use Endpoint to deploy the configuration. This seems like something that Microsoft and Samsung could have coordinated on, as opposed to expecting consumers to purchase an additional service for a single purpose.

Brass Contributor

@Michael Hines 

 

The key mapping feature for the XCover device in OEMConfig was, until recently I believe, a free feature and didn't require a Knox premium license.

I don't see how that is a fault of Microsoft if Samsung have changed that policy

 

You can still change manually though

Copper Contributor

@Adrian Bishop 

 

From everything I have read, the ability to use the button for PTT in Teams was a joint effort between Samsung and Microsoft. And if in fact the ability to use it was previously free, then I’m that much more irritated. I understand that MS does not have control over Samsung’s policies, however they do have control over setting hardware requirements and what they are featuring/promoting.

 

Also, I am not aware of a way to set the button manually. In the phone's settings, the only thing we could change was whether the button launched Teams, not activate PTT.

 

IMO, as I drift further off-topic, Microsoft has repeatedly dangled carrots with “exciting new features” for Teams, that either aren’t as promised or take much longer to deliver than advertised. This is just another “gotcha” moment in a long line.

 

Even this simple example above of new config options that should be available in our Endpoint console not being there, is eroding my patience. I’m a lifelong Microsoft Super Fan, but I’m having a hard time defending these speedbumps with other partners, that are jumping ship for these very reasons.

Copper Contributor

Hi there,

 

Great article but the JSON and screen shots relate to  'Launcher' rather than  'Home' which product should be used?

 

CW

Copper Contributor

Since the November release, the managed home screen app configuration policy has shown me a conflict with other policies, e.g. Google Chrome and Microsoft Edge configuration policy.

Copper Contributor

Hi there,

 

How do I add an Android Enterprise system app to the MHS screen? I was able to add the stock camera app, but now it's not possible, because all Android Enterprise system apps are not available to choose... :sad:

Copper Contributor

I have to say great content - thank you.

I do have one question, working with the Managed Home Screen app. and wanted to know how to exit MHS. I've enabled exit kiosk mode with a set pin, but not sure how to initiate the pin prompt.

This is on a Samsung 8 device, but will eventually be used on a Sonim device....is the exit method dependent on the device or the MHS app?

 

thank you for your help in advance.

Copper Contributor

Hello,

 

I tried following the guide but my view looks quite different from what you show in the guide, for instance I have no such ("Device Owner Only") subsection under Devices > Configuration Profile?


Please see this for more info:
(2) Setting up "Microsoft Managed Home Screen" for Android (COPE) devices; "Device owner only" missi...

 

Update:

Devices > Configuration profiles > Create profile >
Platform: Android Enterprise
Profile type: Device restrictions (under "Fully Managed, Dedicated and Corporate-Owned Work Profile")
then under "Device experience" set "Enrollment profile type" to "Dedicated device" and now I can see the "Kiosk mode"-setting.

 

Thanks to "TimmyIT" on Reddit, Microsoft please update your guide!

Copper Contributor

Hello, on some of my devices configured in multi-app mode, one of the applications pushed into the kiosk has disappeared, while outside the kiosk the application is still present on the device. Have you ever had this behavior?

Copper Contributor

Hi. When we create a Dynamic Profile we create a query, but if we have multiple Android devices, how can we differentiate which ones should go into two separate policies? I mean, if I have a requirement where I need to create policies for two or more types of kiosks.

Copper Contributor

I hope someone could enlighten me. We use the kiosk mode (Managed Home Screen / multi-app) with 4 applications installed. Currently, when we open one of them it is impossible to switch to the home screen to open another app. Is it because the multi-app mode does allow several applications, but as soon as one of them is opened we are then locked into it? I can't find any information related to this.

The apps in question are: 

  1. Forticlient
  2. Teamviewer
  3. Kompanion! 
Iron Contributor

@Intune_Support_Team Just experienced issue with 6 devices that updated to Android v 12. All no longer show apps in MHS managed home Kiosk home screen. Checking debug logs shows no settings for apps or any other policy settings applied.  Also, when I try to exit Kiosk Mode app response stating no policy applied that allows exit with passcode. Which I know has been applied to the device. 

Are you aware of any known issues for using MHS managed Home Screen app for kiosk mode on Android 12? 

Hi @BrandonDBC thanks for sharing the info, and sorry to hear you're running into issues. We'd suggest opening a support case to further investigate the issue: aka.ms/IntuneSupport. Once created, feel free to DM us the support request number for us to keep an eye on!

Iron Contributor

@Intune_Support_Team Issue resolved after the Intune engineer team updated source code related to known issue for devices not pulling policies after recent code change. 

Iron Contributor

Android 13, Samsung Tablets, running MHS does not allow the user to switch WiFi.

When the user takes the device home and tries to connect to a WiFi at home, they can select the WiFi from the list but it will never connect.

There is most likely a grant permission issue here.

 

The below does not work. This is clearly a bug.

If the device is restarted the user will get a new screen saying connect to a temporary WiFi, but this screen only lasts for a couple of seconds and then disappears.

 

memdocs/app-configuration-managed-home-screen-app.md at main · MicrosoftDocs/memdocs (github.com)

 

[!IMPORTANT] The Managed Home Screen app has been updated at the API level to better adhere with the Google Play Store's requirements. In doing so, there were some changes to how Wi-Fi configuration works from Managed Home Screen. The changes include the following:

Being unable to change (enable or disable) the Wi-Fi connection for the device. Users will be able to switch between networks, but will not be able to turn on/off Wi-Fi. (NOT WORKING)
Being unable to automatically connect to a configured Wi-Fi network that requires a password for the first time. The configured network will automatically connect after you enter the password the first time.

Copper Contributor

Regarding Topic #3 in FAQ:

I want to enable system apps on my dedicated device and am having trouble locating the package names. Does Microsoft maintain a list of packages for different devices?

  1. Device manufacturers choose what system applications ship with their devices, and this can vary both by make and model. As such, Microsoft does not maintain any list of system packages for device manufacturers. Please work with your manufacturer or use debugging tools to find the package names of the system applications on your device(s).

Install Package Name Viewer app on a test device to list the names of system (and all other) applications. Kudos for this tip goes to Peter Klapwijk.

Copper Contributor

Really useful. Thanks a lot!

Version history
Last update:
‎Nov 30 2023 03:55 PM
Updated by: