android device administrator
From the frontlines: Frontline worker management with Microsoft Intune
So, here we are. You’ve been asked to start managing frontline devices for your organization with Intune. You may be a pro with Intune management - with experience managing Windows devices, personal mobile devices, or corporate-owned, user-based productivity mobile devices. Maybe you just completed your migration efforts from another product to Intune for some portion of your device estate. Or this may be your first interaction with Intune. Regardless of where you’re starting from, managing frontline worker devices in Intune is simple, and you can even reuse existing Intune policies you already configured. So, get out that rugged bar code scanner, Android tablet, kiosk device, shared iPad, wearable device, or any other frontline worker device and let’s get started!

My name is Dan Andersen, Principal PM Manager at Microsoft. My team partners directly with engineering to assist in product development, and our worldwide team has assisted over 1,800 enterprises in successfully onboarding their device scenarios into Intune. In this post I’m introducing a blog series focused on frontline worker (FLW) device management. Why focus on FLW? This space represents a multitude of devices and use cases that have enabled frontline workers, and we’ve worked with others like you to craft great FLW solutions. We will use this series to share these solutions and options with you and hopefully make your FLW journey with Intune seamless and exciting.

Before getting into the series, if you’re looking for some background on FLW usage examples, check out the Microsoft Intune Blog: Microsoft Intune empowers frontline workers in retail and beyond. Throughout this year we’ll deliver monthly blogs delving into FLW use cases and how to manage these devices. We’ll dive into key scenarios and explain how to approach them and, at times, specifically how to configure them.
Instead of rewriting product documentation, we’ll include links to more details when applicable and keep the posts focused on enabling success. Each blog post will be published here in the Microsoft Intune Customer Success blog and include “From the frontlines:” in the title for easy searching. For quick reference, we’ll keep this table updated as we publish the series, so stay tuned here or follow us @IntuneSuppTeam on X for more in the coming months!

Blog topic | Publish date
From the frontlines: Revolutionizing healthcare worker experience | February 28, 2025
From the frontlines: Accelerating retail worker shared device experience (Part one) | March 25, 2025
From the frontlines: Accelerating retail worker shared device experience (Part two) | April 23, 2025
From the frontlines: Delivering great dedicated device experiences for retail workers | May 28, 2025
From the frontlines: Managing warehouse devices with Microsoft Intune | July 01, 2025
From the frontlines: Managing common kiosk scenarios in your business | August 28, 2025

From the frontlines: Managing warehouse devices with Microsoft Intune
By: Peter Egerton – FastTrack Subject Matter Expert | Microsoft Intune

Warehouses rely on a wide range of specialized devices to keep goods moving - from vehicle-mounted scanners to rugged handhelds used by engineers and associates. Each role has specific device requirements, and IT teams need a way to securely configure, manage, and support them at scale. The following examples show how Microsoft Intune supports Android-based industrial devices commonly used in warehouses, mapped to key roles: the maintenance engineer, the equipment operator, and the warehouse associate. Role-based configurations - such as work profile enrollment, kiosk modes, and OEMConfig profiles - enable secure, task-specific setups that empower frontline workers while giving IT full visibility and control.

I’m Peter Egerton, and I work in Microsoft FastTrack assisting a multitude of different organizations with onboarding and getting the most out of their investment in Microsoft Intune. In this article, part of our “From the frontlines” series, we look at some examples of how Intune can be used to support typical frontline workers in the world’s continuously operating warehouses.

The maintenance engineer

The maintenance engineer role is as critical as any in a warehouse. They keep vital equipment functioning, including conveyors, specialist machinery, and materials handling equipment. Generally, the person in this role moves from task to task during the working day but still needs to stay in touch with employee communications and call or support others using their mobile device. In addition, this person may be expected to participate in an on-call schedule, requiring contact outside of typical working hours.

Figure 1. – A maintenance engineer checking equipment.

For this role we’d recommend using an Android device enrolled as a corporate-owned device with a work profile. This allows the worker to take their mobile device with them wherever they go, including away from the warehouse when on call.
These devices would often be ruggedized, due to the environmental conditions of the warehouse. Using this enrollment type means our engineer can switch the work profile on and off as needed, such as when the engineer is off duty or needs to focus without the distraction of work notifications. Importantly, the IT admin retains overall ownership of the device in case they need to run remote actions such as wipe, remove apps and configuration, or find a lost device.

Figure 2. – Remote actions for corporate-owned device with work profile.

The device may also be capable of scanning barcodes. As part of their responsibilities, the maintenance engineer can scan the unique barcode of each piece of machinery checked as part of their proactive maintenance and upload that into their maintenance tracking app. With Intune, the device can be configured based on the original equipment manufacturer’s (OEM) specific capabilities to further meet the engineer’s needs.

OEMConfig is a standard for the Android Enterprise platform that enables OEMs and enterprise mobility management (EMM) providers to build, configure, and support OEM-specific features in a standardized way on Android Enterprise devices. The first step for creating an OEMConfig profile is to add the appropriate OEMConfig application into Intune. A list of supported OEMConfig apps is provided, and the app must be in the application list prior to creation of the profile. When creating OEMConfig profiles in Intune you choose the supported OEMConfig app of the devices that you will target. This makes the manufacturer-specific features available for configuration in the Intune admin center alongside the rest of your device configurations.

The warehouse equipment operator

In logistics and manufacturing locations, parts and products are often moved around with a forklift truck or other type of materials handling equipment. With a vehicle-mounted device, operators gain real-time access to warehouse management systems.
Intune enables you to configure an Android Enterprise vehicle-mounted device operating in dedicated mode, where a single warehousing application is used by the operator. This scenario is referred to as a single-app kiosk. Each worker logs into the application for identification and uses a barcode scanner on the device when checking in or moving goods. You can configure this in Intune with a device restrictions profile. In this profile type, you list the package ID of the app to use for kiosk mode.

Figure 3. – An example configuration for a single-app kiosk device.

In single-app kiosk mode, only the app selected for kiosk mode is launched. In the example depicted in the following screenshots, we see the Microsoft Warehouse Management mobile app. This Warehouse Management app is used by organizations to complete warehouse tasks using a mobile device. The app enables workers to complete material handling, receiving, picking, put away, cycle counting, and production tasks from the warehouse floor.

Figure 4. – An example of a single-app kiosk device using the Microsoft Warehouse Management app.

Figure 5. – An example of a single-app kiosk device using the Microsoft Warehouse Management app.

You can further configure the device to meet the needs of the task, for example disabling or enabling the camera or setting app permissions. Using an OEMConfig profile, you can additionally configure the OEM-specific capabilities of the device such as the barcode scanner, keyboard mappings, sensors, or software updates. If the device has been misplaced or lost, you can remotely locate the device, play the lost device sound, and even remotely wipe the device.

Figure 6. – Intune remote actions for Android dedicated devices.

Furthermore, using the additional capabilities of Remote Help from Microsoft Intune Suite, an Intune IT admin can offer the device operator remote assistance should they run into any problems.
You can use Remote Help when a user is actively using the device, or when no user is using the device. These are respectively called attended and unattended mode. For guidance on implementing Remote Help, refer to: Use Remote Help on Android to assist users authenticated by your organization.

The warehouse associate

No warehouse is complete without associates, who typically perform a variety of tasks to support the day-to-day operations of a warehouse or factory. For this role, we recommend using Android devices configured as a single-app kiosk, which we’ll focus on in this blog, or even a multi-app kiosk if the role requires a number of different applications. Previous articles in the “From the frontlines” series covered some examples of using a multi-app kiosk; we’d recommend reviewing those for a better understanding of those use cases.

Figure 7. – A warehouse associate scanning items.

Many industrial or rugged devices include customisable physical buttons provided by the device manufacturer. Intune allows us to leverage the benefits of OEMConfig profiles once more to configure the capabilities of these buttons, leverage extended hardware capabilities, and enhance the user’s experience. As an example, for greater efficiency, you can map a configurable button to launch or activate alternate apps or hardware capabilities, such as enabling the Microsoft Teams Walkie Talkie push-to-talk (PTT) experience to help workers communicate easily with each other and resolve queries quickly. A step-by-step guide for configuring this is available in a previous blog: How to enable Microsoft Teams push-to-talk (PTT) capabilities on Samsung XCover Pro with Intune.

Figure 8. – Microsoft Teams PTT functionality highlighting the location of the hardware button on a Samsung XCover Pro device. (Source: How to use Microsoft Teams Walkie Talkie on your Galaxy XCover Pro | samsung.com)
You can also configure the device to align with standard corporate compliance policies and configuration requirements. Additionally, you can configure a simple lock screen message in a device restrictions profile to let people know where the device belongs.

Figure 9. – Adding a lock screen message in a device restrictions profile.

As you can see, there is a whole host of options for the ecosystem of industrial devices that are often used in warehousing environments. Intune helps empower your frontline workers and integrates seamlessly with OEM device functionality through a supported OEMConfig app. As soon as an OEM updates their app with new features, those are also available to configure with Intune right away. I hope this blog helps you to envision some use cases in your own organization to get the most out of Intune.

Refer to the documentation for more guidance:

- For information on how to set up shared Android devices, refer to: Enroll Android Enterprise dedicated, fully managed, or corporate-owned work profile devices in Intune
- To learn more about using OEMConfig with Intune, refer to: Use OEMConfig on Android Enterprise devices in Microsoft Intune
- If you want to know more about the remote actions you can perform with Intune, refer to: Run remote actions on devices with Microsoft Intune
- To learn more about Remote Help from Intune Suite, refer to: Use Remote Help to assist users authenticated by your organization
- For information about Teams push-to-talk capabilities with Intune, refer to: How to enable Microsoft Teams push-to-talk (PTT) capabilities on Samsung XCover Pro with Intune

Let us know how you’re using Intune in your frontline worker scenarios or if you have questions by leaving a comment below or reaching out to us on X @IntuneSuppTeam or @MSIntune. You can also connect with us on LinkedIn.
Stay tuned for the next post in our series of “From the frontlines” articles or catch up by reviewing: From the frontlines: Frontline worker management with Microsoft Intune.

From the frontlines: Revolutionizing healthcare workers experience
I'm Catarina Rodrigues, and recently I've had the opportunity to have several conversations with healthcare customers on how Intune can effectively manage devices in frontline critical environments. In this “From the frontlines” blog, I want to share with you some of my learnings.

Technology has revolutionized the healthcare sector, where hospitals are replacing paper with digital systems to ensure patient information is securely stored and easily accessible. Doctors can now check patient files and statuses on the go as they move around the hospital. Nurses can check their patients’ exams digitally, and first responders in ambulances get access to essential information that helps save lives.

As shared in From the frontlines: Frontline worker management with Microsoft Intune, Intune allows healthcare organizations to secure mobile devices and manage data access, while ensuring a great user experience. Intune supports multiple platforms, making it the ideal solution for unified endpoint management. It allows for the configuration of devices to meet specific needs, whether for individual users, shared devices, or dedicated use. Let's look at an example of how Intune can enhance healthcare operations and patient care:

The nurses’ station in the hospital’s ICU

Nurses in the Intensive Care Unit (ICU) manage some of the most complex patient cases within the hospital and are typically responsible for multiple patient beds on the same floor. They typically have a short time window to act, need access to patient records, and must easily communicate with other departments in the hospital. To modernize workflows and improve patient care, IT admins of a hospital are looking at ways to implement the use of Android tablets in the nurses’ station of the ICU.
With this device, they are hoping to provide the nurses access to essential information, such as a live feed of patient rooms, vital signs, and recent exam results, allowing them to monitor significant changes in their patients’ health. To build such a reliable and safe solution, IT admins need to consider the following requirements:

- These Android devices are shared by different people throughout the day, as nurses work in shifts.
- Users must sign in using their credentials to ensure they are verified and authorized hospital staff.
- New versions of essential applications need to be tested before moving to production.
- System and application updates need to happen during a specified maintenance window.
- This device is used to communicate with other hospital services via message or voice.
- This device can only connect to approved networks.

Considering these requirements, we can set up these devices as Android Enterprise Dedicated with Microsoft Entra Shared Device Mode (Fig. 1) to enable nurses to use them even as shifts change.

Fig. 1 – Setting up a corporate-owned Android Enterprise dedicated device with Microsoft Entra shared mode enrollment profile.

Nurses must sign in and authenticate to access this information, thereby protecting their patients' personal information. With Managed Home Screen, nurses will see a login screen that they can use to authenticate once (Fig. 2). From that point onward, during their shift, they’re signed in to all applications seamlessly and can trigger access using a PIN.

IT admins work with the developers of essential applications to enable phased deployments of new application versions using testing tracks in assignments. IT admins can use application configuration policies to manage settings of essential applications. System and application updates can be scheduled to occur during a maintenance window to avoid disruption in the critical ICU department.
Lastly, by utilizing Intune configuration profiles, IT admins can set up Microsoft Teams to function as a walkie-talkie, enabling the voice feature. For security measures, Wi-Fi connectivity is limited to the hospital's network. These profiles can also be used to set up a custom wallpaper with hospital branding or even a widget to display weather conditions.

This is just an example of how Intune can assist healthcare organizations in managing their FLW devices. Other examples include doctors being able to check patient files and calendars on their managed corporate iPhones, or hospitals having an admission system at the entrance that allows patients to check in easily upon arrival for their consultation.

This blog is part of a series: “From the frontlines:”. We’ll publish additional blogs on other healthcare scenarios and industries, such as retail and airlines, in the upcoming months. Check out From the frontlines: Frontline worker management with Microsoft Intune to see all other “From the frontlines:” blogs! Stay tuned!
Please refer to the documentation here for more guidance:

- For information on how to set up shared Android devices, refer to: Enroll Android Enterprise dedicated, fully managed, or corporate-owned work profile devices in Intune
- For more information on Managed Home Screen and how it can improve the user experience, refer to: Configure the Microsoft Managed Home Screen app
- If you’d like to learn more about how Microsoft Entra Shared Device Mode can help your users easily sign in and sign out leveraging single sign-on, review: Shared Device Mode overview - Microsoft identity platform
- To learn how to set up maintenance windows and define application update conditions, refer to: Corporate-owned Android Enterprise device restriction settings in Microsoft Intune

Let us know if you have any questions by leaving a comment on this post or reaching out on X @IntuneSuppTeam.

From the frontlines: Accelerating retail worker shared device experience (Part two)
By: Vignesh Mitsume – Sr Product Manager | Microsoft Intune

Welcome to part two of "Accelerating retail worker shared device experience." In Part one, we explored how Intune empowers frontline workers by enabling shared device usage among associates in a 24/7 retail business environment, with enhanced productivity and security. Now, we'll dive into how Intune optimizes the management of devices running multiple apps that are used by both associates and customers.

I'm Vignesh Mitsume, and in my previous roles I’ve had the privilege of working with leading companies in the beverage and other retail industries. In these roles, I collaborated closely with sales and marketing teams, addressing their system, infrastructure, and reporting requirements as they interacted with supermarkets and convenience stores. In this blog, I'll be sharing some of my experiences with customer scenarios.

Technology's evolution in retail: The rise of shared devices

The retail industry has undergone a significant digital transformation, with technology playing a pivotal role in streamlining operations and enhancing customer experiences. Historically, retail operations were fragmented, with separate systems for employees and customers. Today, modern kiosks, tablets, and smart screens are bridging this gap, enabling self-service ordering, inventory tracking, and real-time assistance, all from a single device. Whether it's self-checkout stations in grocery stores, smart fitting rooms in fashion retail, or digital vending machines in the beverage industry, shared devices have become the backbone of efficient retail operations. Many of these devices operate on either the Android or iOS platform.

Today, we'll explore how Contoso Eateries and Contoso Pastries, which are competitors in integrating technology into their business practices, are using Intune to efficiently manage their dedicated devices by enabling multi-app kiosk modes for both platforms.
This strategy aids their frontline workers in effectively managing business operations.

Scenario 1 – Contoso Eateries

Contoso Eateries is a chain of eateries that aims to deploy Android tablets in their stores. Each store will have one tablet used as a point of sale (POS) device for billing customers, managing inventory, and placing restock orders from the central distribution warehouse by the store manager. The IT admin team wants to manage these devices centrally and restrict access to any other apps.

To achieve this, the IT admin team first creates a Microsoft Entra security group for grouping and targeting the devices, leveraging enrollment time grouping (new for Android in our April 2025 release). Once the assignment group is ready, they create an Android Enterprise dedicated device enrollment profile with the default token type, corporate-owned dedicated device (Fig. 1), which enrolls the device without any user affinity.

Note: Microsoft Entra dynamic device security groups can be created based on the enrollment profile name; however, static groups that use enrollment time grouping will expedite app and policy provisioning during device enrollment.

Fig. 1 – Setting up an Android Enterprise corporate-owned dedicated device.

Next, they add the POS and organization-specific inventory management applications from the Managed Google Play Store, along with the Microsoft Managed Home Screen application. These apps are assigned to the groups created earlier specifically for the devices enrolled using the Android Enterprise dedicated device enrollment profile (Fig. 1). After the applications are added and assigned, they restrict the device functionality to allow only the use of the POS and organization-specific inventory management applications. This is done by creating a device restriction configuration profile to set up the device in multi-app kiosk mode (Fig. 2), which ensures users can only access the applications placed in the Microsoft Managed Home Screen.
This configuration profile is then assigned to the Microsoft Entra device group previously created.

Fig. 2 – Configuration profile to restrict devices as dedicated multi-app kiosk devices.

In addition to the mandatory configuration, Contoso Eateries wants to customize their Managed Home Screen experience. Therefore, they also create an app configuration policy for their Managed Home Screen.

Result: The device is restricted to the POS and organization-specific inventory management applications within the Managed Home Screen (Fig. 3). Contoso Eateries will keep the POS application open for customer self-checkout, while using the organization-specific inventory management application to replenish stocks during non-business hours.

Fig. 3 – Personalized user experience on an Android device.

Scenario 2 – Contoso Pastries

Contoso Pastries aims to provide a similar experience for their frontline workers and customers as Contoso Eateries, but with iPads instead of Android tablets. The Contoso Pastries IT admin team wants to manage these devices centrally and restrict access to any other apps. Contoso Pastries gets all their iPads from an Apple Authorized Reseller, ensuring that all devices are added to their Apple Business Manager (ABM) account by the reseller, with supervised mode enabled by default.

Note: If ABM is not available, then Apple Configurator can also be used to enable supervised mode to achieve the requirements.

To comply with Contoso Pastries’ requirements, the HQ IT team creates an enrollment profile to enroll the devices without user affinity. Then, they create a device filter (Fig. 4) to filter for devices enrolled using this profile.

Fig. 4 – Device filter for specified enrollment profile.

Next, they add their line-of-business POS app and organization-specific inventory management applications to Intune and assign them to all devices using the device filter created above (Fig. 5).
This avoids the processing delay of dynamic device groups and reduces the management overhead associated with creating and maintaining multiple security groups.

Fig. 5 – Assigning to all devices along with device filters.

For iOS/iPadOS devices, they’ll configure the entire device to function like a managed home screen by removing unwanted apps and retaining only the required ones. As a first step, they allow only the Contoso POS and organization-specific inventory management applications by configuring a device restriction profile (Fig. 6).

Fig. 6 – Device restriction profile.

To further customize the home screen appearance and dock configuration, the admin creates a device features configuration profile and adds the necessary apps accordingly (Fig. 7).

Fig. 7 – Device features configuration profile in the Microsoft Intune admin center.

Result: Once the device is dispatched to the stores and the store manager turns it on, the device is enrolled into Intune with all the specified configurations applied. The device is then restricted to the POS and organization-specific inventory management applications (Fig. 8). This setup ensures that the POS application remains open for customer self-checkout, while the organization-specific inventory management application is used for stock replenishment during non-business hours.

Fig. 8 – Personalized user experience on an iPad.

With Intune, frontline worker scenarios in the retail industry can be managed effectively, ensuring that both associates and customers benefit from streamlined operations and enhanced user experiences. As demonstrated by Contoso Eateries and Contoso Pastries, Intune's capabilities in managing dedicated devices, whether on Android or iOS/iPadOS platforms, provide a robust solution for modern retail environments.
By leveraging features such as multi-app kiosk modes and customized home screen configurations, businesses can maintain control over their devices while empowering their frontline workers to perform their tasks efficiently. By adopting Intune, organizations can ensure that their frontline workers are equipped with the right tools to handle business operations seamlessly, ultimately driving productivity and customer satisfaction.

Please refer to the following documentation for more guidance:

- For information on how to set up Android dedicated devices, refer to: Enroll Android Enterprise dedicated devices in Intune
- To find more information on Managed Home Screen and how it can improve the user experience, refer to: Configure the Microsoft Managed Home Screen app
- If you’d like to learn more about enrolling iOS/iPadOS using Apple Business Manager, refer to: Set up automated device enrollment (ADE) for iOS/iPadOS
- To learn about filters, refer to: Using Filters in Intune

Stay tuned for more interesting content in this blog series; we’re keeping the initial blog updated with each posting for your reference: From the frontlines: Frontline worker management with Microsoft Intune. If you have any questions or want to share how you’re using frontline devices in Intune, leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune. You can also connect with us on LinkedIn: aka.ms/IntuneLinked

Deploying PKCS Device Certificate on Android Device Administrator Enrolled Devices
Is it possible to deploy PKCS Device Certificates to Android Device Administrator enrolled devices utilizing AD CS and the Microsoft Intune Certificate Connector? I got it working with iOS/iPad devices, but our Honeywell devices are all Device Administrator enrolled (I've been told that they don't support Android Enterprise enrollment deployment configurations), and we are trying to deploy PAN GlobalProtect using device certificates for authentication.

While trying to configure the PKCS certificate device configuration profile in Intune, it appears to be missing the option for the certificate type (User vs Device). All the "Subject name format" and "Subject alternative name" options appear to be related to user certificates. Does this mean that we are only able to deploy PKCS User Certificates for Android Device Administrator enrolled devices? Does anyone happen to know if GlobalProtect would be able to use a user certificate for authentication? I understand that the device administrator enrollment method has been getting deprecated for a while, but I don't understand the reasoning behind this particular limitation.

Reference: https://docs.microsoft.com/en-us/mem/intune/protect/certificates-pfx-configure#create-a-pkcs-certificate-profile