android enterprise
47 Topics

Migrating frontline mobile devices: A frontline-first approach to moving to Microsoft Intune
Frontline organizations consistently tell us that unified management is the goal, but the challenge is getting there without disrupting day-to-day operations. Smartphones, Android handhelds, rugged scanners, and shared tablets now sit at the center of how retail stores run, how clinicians deliver care, how supply chains move, and how field workers complete work. These devices are mission critical, and any disruption is immediately felt on the ground. To strengthen security, reduce costs, and simplify operations, many IT architects and administrators are now evaluating or planning to move to Intune.

This new series, “Migrating Frontline Mobile Devices”, is designed to help. We’ve worked side by side with frontline customers, observing what works, where projects stall, and how small decisions early on can dramatically improve outcomes later. The articles in this series distil those lessons into practical guidance for teams who are considering, planning, or actively migrating devices.

Frontline devices serve different needs and follow different operational rhythms than knowledge worker devices. Frontline migrations aren’t the same as standard knowledge-worker migrations, and treating them as such often leads to operational problems or rollout delays. This article explains what the difference means in practice and how it shapes planning for successful frontline migrations.

Why failures hurt more on the frontline

A failed knowledge worker enrollment is an inconvenience. A failed frontline device enrollment or non-functioning device can affect revenue, disrupt essential services, and in some industries compromise safety.
When a device is unavailable, critical work halts immediately:

- Pickers can’t complete scanning tasks
- Cashiers can’t take payments
- Health practitioners can’t document or prescribe care
- Drivers can’t dispatch
- Production lines stop
- Workers can’t perform required safety or compliance actions

What we’ve learned: Frontline migrations must be coordinated with business and operational leaders (store managers, shift supervisors, clinical leads, and supply chain teams) because they decide what is required and when devices can be taken offline.

Why mobile frontline device migrations are different

The operational impact of failure is higher on the frontline because frontline devices operate in very different environments from knowledge worker devices. Knowledge worker devices usually run in stable, well understood environments with known device catalogues, predictable lifecycles, assigned users, and steady connectivity. Frontline devices operate in conditions that introduce unique design and migration challenges.

The environments they run in directly affect how and when a device can be enrolled or updated:

- Devices may run in low bandwidth or intermittent connectivity environments, making enrollment flows and policy delivery harder to complete reliably.
- Some operate in high-risk industrial or clinical settings where devices can only be taken offline during narrow operational windows.
- Others return to charging racks between shifts, meaning migrations must align with shift changes rather than user availability.
- Many run in kiosk or locked task modes tied to a single workflow, so even small configuration changes can disrupt critical tasks if not planned carefully.

These environmental and operational realities show up across the entire device lifecycle, from provisioning to updates to support.
To make the differences clearer, here’s a concise comparison of frontline and knowledge worker devices:

| Category | Frontline devices | Knowledge worker devices |
| --- | --- | --- |
| Devices | Smartphones, handhelds, rugged devices, scanners, wearables, tablets | Laptops, desktops, smartphones |
| OS and patch posture | Often older versions; inconsistent patch levels due to operational constraints | Typically, current OS or N-1; regular security patching cycles |
| Ownership | Shared, shift-based or individually assigned depending on role | Individually assigned |
| Network conditions | Variable, often constrained | Generally stable |
| Provisioning | Zero-touch essential | User-led viable |
| Updates | Highly controlled | Standard update cycles |
| Apps | Task-specific, time-sensitive updates | Broad, less time critical updates |
| Workflow impact | Operationally critical | Productivity-focused |
| Typical usage scenarios | Point-of-sale, healthcare, barcode scanning, delivery routing, inventory checks | Email, productivity tools, collaboration, creative workflows |
| Failure impact | Immediate operational issues | Localized user disruption |

Standard knowledge worker migrations are designed for predictable conditions such as consistent users, steady connectivity, current OS levels, and a governed device lifecycle. Frontline fleets rarely match this baseline, so their migrations require planning and design that reflects actual device state and use.

A migration is a design moment, not just a technical step

A migration offers an opportunity to reassess business needs, tighten governance, simplify and modernize app delivery, and confirm assumptions about how devices are used. It’s also a chance to raise your frontline security, aligning devices with Zero Trust principles.

In successful frontline migrations:

- Teams build in time for design, evaluation, and piloting.
- Early alignment across stakeholders supports smoother execution and reduces the risk of disruptive rework later.
Understand your estate before designing the migration

Frontline migration projects always reveal something unexpected. Common patterns include:

- Mixed iOS/Android versions and multiple original equipment manufacturers (OEMs) such as Samsung, Zebra, Honeywell, Apple and more.
- Devices running outdated OS versions or custom OEM images.
- Devices that haven’t checked in for months, often sitting unused in cabinets.
- App delivery paths reliant on sideloading or site-specific packages with no update mechanism.
- Multiple active mobile device management (MDM) systems inherited through acquisitions or decentralized teams.

Most migration issues that appear later in the project can be traced back to decisions made before anyone understood what existed in the field, how devices were being used, or what the business needed them to do in the future.

What we’ve learned: Migration success improves dramatically when teams validate device inventory, usage patterns, and business requirements before choosing an enrollment method and designing configuration profiles. Real-world data turns assumptions into facts and avoids costly rework.

Plan for identity – even if devices don’t use it today

Many frontline devices run with shared logins or no user at all. Intune fully supports these scenarios, but identity gaps - shared credentials, app-only authentication, and managed access patterns - often emerge over years of organic growth. These gaps can show up during migrations as both user experience issues and security risks.

What we’ve learned: Even if you’re not ready to modernize frontline identity or introduce Microsoft 365 tools for workers, consider laying out the foundation. Mapping which users or roles should have identities, simplifying and securing access, and aligning devices to Microsoft Entra foundations will future-proof your estate.
What’s coming next in the series

This series will explore the areas that consistently shape successful frontline mobile migrations: the steps, patterns, and design decisions that matter most in real frontline environments. Over the coming weeks we’ll cover themes such as:

- Understanding your frontline estate - what exists today, how devices are used, and the realities that shape migration decisions
- Designing for frontline conditions - identity foundations, shared device patterns, kiosk considerations, and reliable enrollment flows
- Designing for frontline device scenarios - single user, shared, rugged, kiosk, and high-risk operational models
- Consolidating to a single Intune tenant - simplifying governance, policies, and operating models
- Getting the ecosystem right - apps, connectivity, certificates, and the infrastructure dependencies that influence reliability
- Executing the migration safely - pilots, phasing, cutover windows, and planning for 24/7 operations
- Life after migration - monitoring, support readiness, and ongoing operational ownership

We’ll share practical guidance, common friction points, and patterns we’ve seen work across industries. Future articles will include perspectives from Microsoft Product Managers and community experts with hands-on experience managing large scale frontline device estates.

Look out for the next article in the series - Understanding the reality of your estate.

We’d love to include your perspective. If you have questions, scenarios, or experiences you want this series to address, share them in the comments below to help shape the upcoming articles, or reach out to us on X @IntuneSuppTeam.

Our goal is simple: To help you migrate frontline mobile fleets to Intune without disrupting the business.

Multi-App Kiosk not applying on Samsung A55 (Android 16)
Hello everyone,

I’m facing a critical issue with Android Enterprise Multi-App Kiosk mode on a Samsung Galaxy A55 (SM-A556B). The problem started suddenly last week without any configuration changes, and now no Android Enterprise configuration profiles apply anymore.

What happened originally

The device was running Android 15, and it had been working fine for months in Managed Home Screen (Multi-App Kiosk). Then suddenly:

- Managed Home Screen stopped showing all apps
- The device booted into MHS, but the screen was completely empty
- No policy changes were made on our side

I tried several troubleshooting steps, but nothing fixed it. Eventually, I factory-reset the device and re-enrolled it as a Corporate-Owned Dedicated Device (COBO).

Current situation after re-enrollment

Even after a clean enrollment:

- No Android Enterprise device restriction profiles apply (Multi-App Kiosk doesn’t start at all)
- The device stays in the normal Samsung launcher
- Only very basic commands work:
  - Remote restart
  - App install/uninstall via group assignment
- All assigned apps show as Installed
- Profile status in Intune shows Success, but nothing is actually enforced

I then upgraded the device to Android 16 (patch 2025-11-01). Unfortunately, the behavior did not change.

Current configuration

- Android Enterprise → Device Restrictions → Multi-App kiosk
- Allowed apps: Teams, Managed Home Screen, Contacts
- Managed Home Screen installed
- Enrollment type: Android Enterprise – Fully Managed / Dedicated
- No OEM kiosk (no Samsung Knox settings)
- No Work Profile on the device

Symptoms now

- Managed Home Screen never launches
- Kiosk mode is completely ignored
- Device is fully usable like a normal phone
- Only app deployments work, nothing else
- This began while still on Android 15
- Updating to 16 did NOT resolve the issue

Questions

- Has anyone seen this behavior where Android Enterprise policies stop applying entirely after MHS fails?
- Is there a known issue with Samsung A55, Android 15/16, or Managed Home Screen?
- Could this be related to a bug in the Fully Managed/Dedicated enrollment flow for the A55?
- Any recommended workarounds or known fixes?

Any guidance is appreciated — this behavior is completely blocking Kiosk deployments for us.

Thanks!

From the frontlines: Delivering critical early responder device management
By: Catarina Rodrigues – Product Manager 2 | Microsoft Intune

In high-stakes environments like emergency response, speed, accuracy, and security are essential. Whether it’s paramedics delivering life-saving care or police officers responding to critical incidents, frontline teams need real-time access to information—right where the action is. To meet these demands, emergency services are increasingly deploying mobile devices, paired with advanced device management solutions, to empower their teams in the field.

I’m Catarina Rodrigues, a Product Manager in the Microsoft Intune team, and in this blog of the “From the Frontlines” series, I’ll share my experience working with emergency services, exploring how to deploy and manage iPads and Android tablets using Intune. For more information refer to: Frontline worker device management overview in Microsoft Intune.

Shared iPads in ambulances

Ambulances operate around the clock, often with rotating crews. To ensure seamless and secure access to clinical apps, maps, and emergency protocols, organizations are increasingly equipping vehicles with iPads that are prepared to be shared by personnel working shifts.

There are different ways to support Apple devices for frontline scenarios depending on the requirements. Shared iPad mode is recommended for shared use of iPads; it creates multiple user partitions, making it easy for several users to log in and access their applications and data according to their preferences. Intune together with Apple's Automated Device Enrollment (ADE) makes it simple to address this scenario seamlessly, enabling zero-touch provisioning and device supervision for additional security configurations.

Below is an ADE enrollment profile configured to set up devices as Shared iPads:

- User affinity: Enroll without User Affinity
- Supervised: Yes
- Locked enrollment: Yes
- Shared iPad: Yes

You can then configure the maximum number of cached users and inactivity settings for these profiles, as needed.
Once iPads are enrolled and functional, users will be able to set up their profiles, where they’ll have access to the applications and data according to their permissions. Once their profiles are set up, users can see them on the login screen, where they remain available for future logins.

Benefits of Shared iPad with ADE for IT admins and frontline workers

- Zero-touch deployment: Devices are automatically enrolled and configured via Apple’s Automated Device Enrollment (ADE), reducing manual setup and ensuring consistency across the fleet.
- Targeted assignment: Enables IT admins to permanently assign an iPad to a specific ambulance, streamlining shift handovers and ensuring paramedics always have access to the right tools.
- Persistent configuration: Shared iPad can cache up to 100 user profiles (24 recommended on a 32 or 64 GB iPad), ensuring device settings and apps remain consistent and reducing login friction.
- Enhanced security and compliance: While these devices are shared, device-level management and app protection policies keep sensitive data secure and encrypted.
- Remote actions and support: IT teams can monitor, lock, or wipe devices remotely through Intune, with supervision mode enabling deeper administrative controls, such as Lost Mode and Locate Device.

This setup gives paramedics immediate access to clinical apps, maps, protocols, and all the information they might need to access or share, without compromising security or adding friction to their workflow.

Fully managed Android tablets for police

For police departments, data sensitivity is paramount. Officers need access to real-time intelligence, case files, and communication tools without risking exposure of confidential information.
While there are other options to enroll Android devices in Intune (you can see an overview here), setting up corporate-owned, fully-managed Android tablets with Intune can deliver the data protection and device lock-down that police departments need, while ensuring police officers remain productive. Users won’t be able to change pre-defined configurations or install applications from the public store. These devices are associated with a single user, in this case a police officer, as they aren’t intended for shared use.

To ensure minimal disruption in the working day of these users, IT admins can use device staging to decrease the number of steps needed to enroll a brand-new device and get it to a functional state.

Device staging

Device staging is designed to simplify and accelerate the deployment of corporate-owned, fully managed Android devices—especially in high-stakes environments. Instead of requiring police officers to navigate a lengthy setup process, IT teams or authorized third-party vendors pre-configure the devices using a secure enrollment token generated in the Intune admin center. This token allows device enrollment and provisioning without needing the officer’s credentials, ensuring that critical apps, such as Intune and Microsoft Authenticator, are installed and ready before the device is even handed over.

When the officer powers on the device for the first time, they simply sign in to the Intune app, and the device completes its configuration, applying all necessary policies and security settings (see image below). This approach not only saves valuable time during rollouts but also ensures that every police officer receives a consistent, secure, and fully operational device from the moment they turn it on—an essential advantage when reliability and speed are crucial.
In the picture below, you see the steps users go through to complete enrollment, which requires authentication using the Intune application so that apps and policies assigned to that user identity are applied.

Microsoft Intune and Android Enterprise corporate-owned, fully managed enrollment

To enable device staging, IT sets up an Android Enterprise enrollment profile with an associated token that has a configurable expiry date, up to 65 years in the future. This token can be revoked at any time as needed. In addition, IT can apply a device naming template to all the devices that are enrolled under the same profile, making it easier to identify and group devices by police station, department, or region. You can check the supported strings for this device naming template here.

Below you can see an example of an enrollment profile configured with the following parameters:

- Token type: Corporate-owned, fully managed, via staging
- Apply device name template: Yes
- Device name template: {{SERIAL}}

Benefits of corporate-owned, fully managed, via staging for IT admins and frontline workers

- End-to-end control and security: IT admins retain full control over the device lifecycle—from provisioning to retirement—ensuring that only approved apps, settings, and security policies are applied and maintained throughout use.
- Simplified, secure user experience with Managed Home Screen: Managed Home Screen provides a locked-down, customizable launcher that ensures users access only approved apps and settings. This minimizes distractions, enhances security, and delivers a consistent, role-based experience across all devices—ideal for high-stakes field environments.
- Faster, frictionless rollouts: Device staging eliminates the need for users to complete complex setup steps. Devices arrive pre-enrolled and pre-configured, so users can simply sign in and start working immediately.
- Consistent, compliant configuration: Every device is enrolled with the same baseline—apps, policies, and restrictions—ensuring compliance with organizational standards and reducing variability in the field.
- Reduced IT overhead: By shifting setup responsibilities to staging teams or vendors, IT departments can scale deployments without increasing support load or requiring one-on-one onboarding.
- Operational readiness from day one: Users receive devices that are mission-ready, with secure access to critical apps like dispatch systems, communication tools, and field data—right out of the box.

This setup gives officers the tools they need while maintaining operational integrity and data confidentiality.

Summary

This blog post explored how to securely manage devices used by emergency services teams. These examples are applicable to other scenarios where workers need to access confidential, sensitive information while in the field. I hope this blog inspires you to try these methods, and I look forward to answering questions in the comments.

This blog is part of the “From the Frontlines” series, where we explore different scenarios of how workers in the field use devices and how IT admins can enable them. Check the other blog posts for more inspiration!

Please refer to the documentation here for more guidance:

- For information on how to support Apple devices in the frontline refer to: Get started with iOS/iPadOS frontline worker devices.
- For information on how to set up Shared iPad refer to: Shared iPad devices.
- For information on how to support Android devices in the frontline refer to: Get started with Android frontline worker devices.
- For information on how to set up corporate-owned, fully managed Android devices refer to: Set up enrollment for Android Enterprise fully managed devices.
- If you'd like to learn more about incorporating device staging to reduce user steps during enrollment see: Device staging overview.
- To ensure your organization can navigate modern security challenges following Microsoft's Zero Trust approach see: Zero Trust security strategy.

As always, if you have any questions let us know in the comments or reach out to us on X @IntuneSuppTeam or @MSIntune!

Support tip: Changes to Google Play strong integrity for Android 13 or above
By: Wayne Bennett – Sr. Product Manager | Microsoft Intune

Google implemented changes in May 2025 under which devices running Android 13 or above need hardware-backed security signals and a security patch released in the past 12 months to meet the strong integrity verdict. To minimise the impact of the changes, app protection and compliance policies in Microsoft Intune have been adjusted in alignment with Google’s recommended backward compatibility guidance. However, Microsoft Intune will also enforce the strong integrity requirements by September 30, 2025.

You’ll have received a notice in your Message center (MC1085670) if you have devices that won’t meet the new strong integrity standard after this change. Content from the Message center post is also available here: Plan for Change: Google Play strong integrity definition update for Android 13 or above.

Prior to this change, if you have existing device compliance or APP conditional launch policies with the 'Check strong integrity' value, or plan to create them, you should identify devices that don’t meet the new strong integrity verdict requirements. Configure APP or device compliance policy settings to either warn or block users that don’t meet the requirements:

Configure device compliance policy

For Intune enrolled Android devices, the Minimum security patch level setting can be configured within the Device properties section of compliance policies. You can either update an existing policy or create a new one:

1. Navigate to the Microsoft Intune admin center.
2. Select Devices > Compliance > Create policy. From the Platform list, select Android Enterprise; from the Profile type list, select either Fully managed, dedicated, and corporate-owned work profile or Personally-owned work profile; then select Create.
3. Enter a suitable name for the compliance policy and select Next.
4. On the Compliance settings page, depending on the profile type you selected, ‘Minimum security patch level’ is found under either the Device Health or System Security section. To ensure devices meet the Strong Integrity verdict, you should configure ‘Minimum security patch level’ to a date less than 12 months old. The date must be entered in the format YYYY-MM-DD.
5. On the Actions for noncompliance page, the default action is to mark the device non-compliant immediately. Update this by setting Schedule (days after noncompliance) to 90 or another value which will allow you time to monitor the devices which don’t meet the patch level requirements. Note: You may wish to configure additional settings such as sending an email to the user; for more details refer to Available actions for noncompliance.
6. On the Assignments page, target the policy to the required group of users or devices.
7. On the Review and create page, save the policy by selecting Create.

By configuring the setting Schedule (days after noncompliance), also known as a ‘grace period’, devices which don’t meet the minimum patch level won’t be blocked immediately. This gives you an opportunity to inform users they should update their devices before they’re blocked at a future date.

To review the in-grace period devices within the Intune admin center, under Devices > Compliance > Policies, select the newly created security patch level compliance policy and select Per-setting status. Selecting the numerical value in the Noncompliant devices column shows a list of devices which are in the ‘Minimum security patch level’ grace period. You can then reach out to the individual users, asking them to upgrade.

Configure APP conditional launch

You can also use the conditional launch settings within APP to require minimum operating system and patch versions. Either update an existing policy or create a new one:

1. Navigate to the Microsoft Intune admin center.
2. Select Apps > Protection > Create, and choose Android as the platform you want to target with APP.
3. On the Basics page, enter a name for the policy which makes it easily identifiable.
4. Complete the Apps, Data protection and Access requirements pages with the Android app protection policy settings which meet your organization’s requirements.
5. Within the Device conditions section on the Conditional launch page, configure the ‘Min OS version’ with a minimum required value, such as 13.0, and configure Action to Block access, Wipe data, or Warn, as per the action required for your organization. Configure ‘Min patch version’ to a date less than 12 months old. The date must be entered in the format YYYY-MM-DD.
6. On the Assignments page, target the policy to the required group of users or devices.
7. On the Review and create page, save the policy by selecting Create.

With the configuration shown, when users launch a targeted app they are blocked if the device does not meet the Android 13.0 or above operating system requirements but will only receive a warning if their device doesn’t meet the minimum patch version requirements.

Monitoring

You can use the Platform version and Android security patch version columns within the App protection status report to view the current OS version and security patch level deployed to each device. The app protection status report is accessed from the Intune admin center by selecting Apps > Monitor > App Protection Status. Within the report, you can search and filter for specific Android security patch versions.

For user-less Intune enrolled Android devices, use the devices view to check the OS version and security patch version level. From the Intune admin center, select Devices > By platform > Android. The OS version column is displayed by default; you will need to select Columns > Security patch level to view this information.
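The monitoring views above give an OS version and a security patch level per device. As an added illustration (not code from the original post or from Microsoft), the Python sketch below flags Android 13 or above devices whose patch is older than 12 months in a device list saved as CSV. The sample rows and column names are constructed assumptions, and the check covers patch age only, not the hardware-backed signals the verdict also requires.

```python
import calendar
import csv
import io
from datetime import date, datetime

# Constructed sample data. The column names are assumptions for this example;
# rename them to match the headers of your own export.
SAMPLE_EXPORT = """Device name,OS version,Security patch level
HANDHELD-001,15,2025-08-01
HANDHELD-002,13.0,2024-06-05
TABLET-003,12,2023-01-01
SCANNER-004,14,
KIOSK-005,16,2025/11/01
"""


def months_back(day, months=12):
    """Return the date `months` calendar months before `day`.

    The day of month is clamped, so 2024-02-29 minus 12 months is 2023-02-28.
    """
    index = day.year * 12 + (day.month - 1) - months
    year, month0 = divmod(index, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(day.day, last_day))


def android_major(os_version):
    """Extract the major Android version from strings such as '13.0' or '15'."""
    head = (os_version or "").strip().split(".")[0]
    return int(head) if head.isdecimal() else None


def parse_patch(value):
    """Parse a YYYY-MM-DD patch level; return None if empty or malformed."""
    try:
        return datetime.strptime((value or "").strip(), "%Y-%m-%d").date()
    except ValueError:
        return None


def classify(os_version, patch_level, as_of):
    """Classify one device against the 12-month patch requirement."""
    major = android_major(os_version)
    if major is None:
        return "unknown-os"      # cannot tell whether the change applies
    if major < 13:
        return "out-of-scope"    # the change applies to Android 13 or above
    patch = parse_patch(patch_level)
    if patch is None:
        return "unknown-patch"   # blank or not in YYYY-MM-DD form: review manually
    if patch < months_back(as_of, 12):
        return "stale-patch"     # patch older than 12 months
    return "patch-ok"


def audit(csv_text, as_of):
    """Return (device name, status) for every row of the export."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify(row.get("OS version"),
                          row.get("Security patch level"), as_of)
        results.append((row.get("Device name", ""), status))
    return results


if __name__ == "__main__":
    for name, status in audit(SAMPLE_EXPORT, date.today()):
        print(f"{name:14} {status}")
```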
Conclusion

Using the examples in this blog post, you can update or implement new policies to identify devices which don’t meet the Play Integrity strong integrity verdict and inform your users prior to the changes which will be enforced at the end of September 2025.

If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune. You can also connect with us on LinkedIn.

Post Updates:
08/25/25: Expanded guidance for the 'Check strong integrity' setting across certain policies.

From the frontlines: Managing warehouse devices with Microsoft Intune
By: Peter Egerton – FastTrack Subject Matter Expert | Microsoft Intune

Warehouses rely on a wide range of specialized devices to keep goods moving - from vehicle-mounted scanners to rugged handhelds used by engineers and associates. Each role has specific device requirements, and IT teams need a way to securely configure, manage, and support them at scale. The following examples show how Microsoft Intune supports Android-based industrial devices commonly used in warehouses, mapped to key roles: the maintenance engineer, the equipment operator, and the warehouse associate. Role-based configurations - such as work profile enrollment, kiosk modes, and OEMConfig profiles - enable secure, task-specific setups that empower frontline workers while giving IT full visibility and control.

I’m Peter Egerton, and I work in Microsoft FastTrack assisting a multitude of different organizations with onboarding and getting the most out of their investment in Microsoft Intune. In this article, part of our “From the frontlines” series, we look at some examples of how Intune can be used to support typical frontline workers in the world’s continuously operating warehouses.

The maintenance engineer

The maintenance engineer role is as critical as any in a warehouse. They keep vital equipment functioning, including conveyors, specialist machinery, and materials handling equipment. Generally, the person in this role moves from task to task during the working day but still needs to stay in touch with employee communications and call or support others using their mobile device. In addition, this person may be expected to participate in an on-call schedule requiring contact outside of typical working hours.

Figure 1. – A maintenance engineer checking equipment.

For this role we’d recommend using an Android device enrolled as a Corporate-owned device with a work profile. This allows the worker to take their mobile device with them wherever they go, including away from the warehouse when on-call.
These devices would often be ruggedized, due to the environmental conditions of the warehouse. Using this enrollment type means our engineer can switch the work profile on and off as needed, such as when the engineer is off-duty or needs to focus without the distraction of work notifications. Importantly, the IT admin retains overall ownership of the device in case they need to run remote actions such as wipe, remove apps and configuration, or find a lost device.

Figure 2. – Remote actions for Corporate owned device with work profile.

The device may also be capable of scanning barcodes. As part of their responsibilities the maintenance engineer can scan the unique barcode of each piece of machinery checked as part of their proactive maintenance, and upload that into their maintenance tracking app.

With Intune, the device can be configured based on the original equipment manufacturer’s (OEM) specific capabilities to further meet the engineer’s needs. OEMConfig is a standard for the Android Enterprise platform that enables OEM and enterprise mobility management (EMM) providers to build, configure and support OEM-specific features in a standardized way on Android Enterprise devices. The first step for creating an OEMConfig profile is to add the appropriate OEMConfig application into Intune. A list of supported OEMConfig apps is provided, and the app must be in the application list prior to creation of the profile. When creating OEMConfig profiles in Intune you choose the supported OEMConfig app of the devices that you will target. This makes manufacturer-specific features available for configuration in the Intune admin center alongside the rest of your device configurations.

The warehouse equipment operator

In logistics and manufacturing locations, parts and products are often moved around with a forklift truck or other type of materials handling equipment. With a vehicle-mounted device, operators gain real-time access to warehouse management systems.
Intune enables you to configure an Android Enterprise vehicle-mounted device operating in dedicated mode, where a single warehousing application is utilized by the operator. This scenario is referred to as a single-app kiosk. Each worker logs into the application for identification and uses a barcode scanner on the device when checking in or moving goods. You can configure this in Intune with a device restrictions profile. In this profile type, you list the package ID of the app to use for kiosk mode.

Figure 3. – An example configuration for a single-app kiosk device.

In single-app kiosk mode, only the app selected for kiosk mode is launched. In the example depicted in the following screenshots, we see the Microsoft Warehouse Management mobile app. This Warehouse Management app is used by organizations to complete warehouse tasks using a mobile device. The app enables workers to complete material handling, receiving, picking, put away, cycle counting, and production tasks from the warehouse floor.

Figure 4. – An example of a single-app kiosk device using the Microsoft Warehouse Management app.

Figure 5. – An example of a single-app kiosk device using the Microsoft Warehouse Management app.

You can further configure the device to meet the needs of the task, for example disabling or enabling a camera or setting app permissions. Using an OEMConfig profile, you can additionally configure the OEM specific capabilities of the device such as the barcode scanner, keyboard mappings, sensors, or software updates. If the device has been misplaced or lost, you can remotely locate the device, play the lost device sound and even remotely wipe the device.

Figure 6. – Intune remote actions for Android dedicated devices.

Furthermore, using the additional capabilities of Remote Help from Microsoft Intune Suite an Intune IT admin can offer the device operator remote assistance should they run into any problems.
You can use Remote Help when a user is actively using the device, or when no user is using the device. These are respectively called attended and unattended mode. For guidance on implementing Remote Help refer to: Use Remote Help on Android to assist users authenticated by your organization.

The warehouse associate

No warehouse is complete without associates who typically perform a variety of tasks to support the day-to-day operations of a warehouse or factory. For this role, we recommend using Android devices configured as a single-app kiosk, which we’ll focus on in this blog, or even a multi-app kiosk if the role requires a number of different applications. In previous articles in the “From the frontlines” series, we’ve covered some examples of using a multi-app kiosk; we’d recommend reviewing those for a better understanding of those use cases.

Figure 7. – A warehouse associate scanning items.

Many industrial or rugged devices include customisable physical buttons provided by the device manufacturer. With Intune, we can once more use OEMConfig profiles to configure the capabilities of these buttons, leverage extended hardware capabilities and enhance the user’s experience. For greater efficiency, you can map these configurable buttons to launch or activate alternate apps or hardware capabilities, for example to enable the Microsoft Teams Walkie Talkie push-to-talk (PTT) experience, which helps workers communicate easily with each other and resolve queries quickly. A step-by-step guide for configuring this is available in a previous blog: How to enable Microsoft Teams push-to-talk (PTT) capabilities on Samsung XCover Pro with Intune.

Figure 8. – Microsoft Teams PTT functionality highlighting the location of the hardware button on a Samsung XCover Pro device. (Source: How to use Microsoft Teams Walkie Talkie on your Galaxy XCover Pro | (samsung.com)).
You can also configure the device to align with standard corporate compliance policies and configuration requirements. Additionally, you can configure a simple lock screen message in a device restriction profile to let people know where the device belongs.

Figure 9. – Adding a lock screen message in a device restrictions profile.

As you can see, there is a whole host of options for the ecosystem of industrial devices that are often used in warehousing environments. Intune helps empower your frontline workers and integrates seamlessly with OEM device functionality through a supported OEMConfig app. As soon as an OEM updates their app with new features, those are also available to configure with Intune right away. I hope this blog helps you to envision some use cases in your own organization to get the most out of Intune.

Refer to the documentation for more guidance:
For information on how to set up shared Android devices refer to: Enroll Android Enterprise dedicated, fully managed, or corporate-owned work profile devices in Intune
To learn more about using OEMConfig with Intune refer to: Use OEMConfig on Android Enterprise devices in Microsoft Intune
If you want to know more about the remote actions you can perform with Intune, refer to: Run remote actions on devices with Microsoft Intune
To learn more about Remote Help from Intune Suite, refer to: Use Remote Help to assist users authenticated by your organization
For information about Teams push-to-talk capabilities with Intune refer to: How to enable Microsoft Teams push-to-talk (PTT) capabilities on Samsung XCover Pro with Intune.

Let us know how you’re using Intune in your frontline worker scenarios or if you have questions by leaving a comment below or reaching out to us on X @IntuneSuppTeam or @MSIntune. You can also connect with us on LinkedIn.
Stay tuned for the next post in our series of “From the frontlines” articles or catch up by reviewing: From the frontlines: Frontline worker management with Microsoft Intune.

From the frontlines: Delivering great dedicated device experiences for retail workers
By: Shawn Catlin - Product Manager 2 | Microsoft Intune

This is the fourth blog in the "From the frontlines" series focused on frontline worker scenarios. I'm Shawn Catlin, and I’ve had the privilege of working closely with retail customers to enhance their digital experiences. In today's rapidly evolving retail landscape, technology plays a crucial role in enhancing operational efficiency and flexibility. This article delves into how Intune can empower IT professionals to effectively manage retail devices, ensuring seamless operations and a balanced work-life experience for retail managers. Join me as we explore practical scenarios and insights on leveraging Intune to transform retail device management.

Advancements in technology have significantly transformed the retail sector, enhancing both operational efficiency and flexibility. Retail managers play a crucial role in overseeing frontline workers (FLWs) in fulfillment, ensuring accurate and swift delivery of goods to consumers, and managing the unloading and unboxing of shipments to stock shelves more quickly and efficiently. By making technology accessible and meaningful, we can directly impact day-to-day operations and improve overall productivity. Here’s a walkthrough of a scenario where Intune can help administrators effectively manage a retail manager’s company-issued device, while still supporting work-life balance without compromising the device’s manageability or security.

Setup a manager's device in retail

Managers in retail fulfillment must oversee daily operations, ensuring that tasks are completed efficiently while maintaining a high level of productivity. Their responsibilities include directing and supervising employees, inventory control (stocking and receiving merchandise), and administrative tasks such as scheduling shifts, managing payroll, and reporting sales. Additionally, they communicate with the store’s general manager about staff performance and customer feedback.
To handle these responsibilities, a shift manager is always on the move overseeing tasks. Since they may also perform shift work while still managing employee shifts (cancels, shift changes, etc.) as well as personal aspects outside of typical working hours, companies can leverage Intune enrollment of Android Enterprise corporate owned devices with work profile. This allows a manager the flexibility to shift between work and personal tasks as a value add for the in-and-out nature of their role.

To achieve this, their scenario ideally fulfills the following:
Access to apps like Microsoft Teams for store-to-store communications, human resource applications for feedback and reviews, Microsoft 365 apps for productivity, and line-of-business applications related to respective store tasks such as inventory, fulfillment, and employee clock in/out.
Their device must allow some personal aspects like calendaring and texting outside of shift hours to communicate with employees from their phone or manage unrelated work activities like checking family calendars for kids' school trips, etc.
Ability to configure restrictions that block notifications and apps outside of operating hours.
Staged enrollment so admins can partially provision devices, saving users setup time and energy.

Let's start with an example: there are a total of 200 retail locations, each requiring a device for that location’s manager. First, you’ll create the Android Enterprise Corporate-owned with work profile in Intune to provision the devices and enable (Fig. 1) in this profile.

Fig 1. – Setting up an Android Enterprise corporate owned with work profile with device staging.

Next, you’ll create an enrollment profile and staging enrollment token in the admin center. This process includes setting a token expiration date, applying a device naming template, and assigning a dynamic device group. Afterward, admins or technicians will complete all userless setup steps before sending the device to shift managers.
The manager will then sign in to the Microsoft Intune app using their work or school account, completing the full enrollment process (Fig. 2).

Fig 2. – Left picture depicts admin or technician kicking off userless staging steps. Right picture shows a user signing into the Microsoft Intune app.

You can add and assign Managed Google Play apps to ensure that Teams and other applications required by the shift manager are installed shortly after device enrollment. This enables shift managers to be productive as soon as possible and equips them with the right set of apps needed for daily tasks and job functions. You can limit access to Teams for managers during off-shift hours using working time settings. Some organizations may need to be strict, encouraging or even outright blocking access to Teams for legal reasons (Fig. 3).

Fig 3. – Picture on the left shows Teams being blocked outside of hours while the picture on the right shows a warning.

If you're concerned with maintaining a Zero Trust security strategy, you can further separate the work and personal side of a user's corporate owned device by preventing copy and paste and data sharing between work and personal profiles to ensure company data is safe. You could also choose to prevent the user from searching work contacts in the personal profile or even choose to prevent contact sharing via Bluetooth.

This is just one of many examples where Intune can empower you to manage your frontline worker devices. Other scenarios include customer product fulfillment or a store supply chain employee ensuring proper inventory levels to support sales.

Please refer to the documentation here for more guidance:
For information on how to set up Android corporate owned with work profile devices refer to: Android Enterprise Corporate-owned with work profile.
If you'd like to learn more about incorporating Device staging to reduce end user steps during enrollment see: Device staging overview.
To speed up app and policy provisioning during enrollment check out: Set up enrollment time grouping.
You can learn more about adding and assigning Android apps to devices here: Add and assign Managed Google Play apps to Android Enterprise devices.
If you want to limit access to Microsoft Teams when frontline workers are off shift refer to: Limit access to Microsoft Teams when frontline workers are off shift.
To ensure your organization can navigate modern security challenges following Microsoft's Zero Trust approach see: Zero Trust security strategy.
For more information on Android Device Restrictions specific to Corporate-owned work profile devices see: Corporate-owned Android Enterprise device restriction settings in Microsoft Intune.

This blog is part of the From the Frontline series so keep your eyes peeled—there’s more to come! Check out: From the frontlines: Frontline worker management with Microsoft Intune to explore the rest of our FLW blogs! If you have any questions for the team, leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune. You can also connect with us on LinkedIn: aka.ms/IntuneLinked.

Post Updates:
8/22/25: A minor clarification has been added to the Setup a manager's device in retail section regarding the assignment of dynamic device groups.

From the frontlines: Accelerating retail worker shared device experience (Part two)
By: Vignesh Mitsume – Sr Product Manager | Microsoft Intune

Welcome to part two of "Accelerating retail worker shared device experience." In Part one, we explored how Intune empowers frontline workers by enabling shared device usage among associates in a 24/7 retail business environment, with enhanced productivity and security. Now, we'll dive into how Intune optimizes the management of devices running multiple apps that are utilized by both associates and customers. I'm Vignesh Mitsume, and in my previous roles, I’ve had the privilege of working with leading companies in the beverage and other retail industries. In these roles, I collaborated closely with sales and marketing teams, addressing their system, infrastructure, and reporting requirements as they interacted with supermarkets and convenience stores. In this blog, I'll be sharing some of my experiences with customer scenarios.

Technology's evolution in retail: The rise of shared devices

The retail industry has undergone a significant digital transformation, with technology playing a pivotal role in streamlining operations and enhancing customer experiences. Historically, retail operations were fragmented, with separate systems for employees and customers. Today, modern kiosks, tablets, and smart screens are bridging this gap, enabling self-service ordering, inventory tracking, and real-time assistance—all from a single device. Whether it's self-checkout stations in grocery stores, smart fitting rooms in fashion retail, or digital vending machines in the beverage industry, shared devices have become the backbone of efficient retail operations. Many of these devices operate on either the Android or iOS platform.

Today, we'll explore how Contoso Eateries and Contoso Pastries, which are competitors in integrating technology into their business practices, are using Intune to efficiently manage their dedicated devices by enabling multi-app kiosk modes for both platforms.
This strategy aids their frontline workers in effectively managing business operations.

Scenario 1 – Contoso Eateries

Contoso Eateries is a chain of eateries that aims to deploy Android tablets in their stores. Each store will have one tablet used as a point of sale (POS) device for billing customers, managing inventory, and placing restock orders from the central distribution warehouse by the store manager. The IT admin team wants to manage these devices centrally and restrict access to any other apps.

To achieve this, the IT admin team first creates a Microsoft Entra security group for grouping and targeting the devices and leveraging enrollment time grouping (new for Android in our April 2025 release). Once the assignment group is ready, they create Android Enterprise dedicated devices with the default token type, corporate-owned dedicated device (Fig. 1), which enrolls the device without any user affinity.

Note: Microsoft Entra security dynamic device groups can be created based on the enrollment profile name; however, static groups that use enrollment time grouping will expedite app and policy provisioning during device enrollment.

Fig. 1 – Setting up an Android Enterprise corporate-owned dedicated device.

Next, they add the POS and organization-specific inventory management applications from the Managed Google Play Store, along with the Microsoft Managed Home Screen application. These apps are assigned to the groups created earlier specifically for the devices enrolled using the Android Enterprise dedicated device enrollment profile (Fig. 1).

After the applications are added and assigned, they restrict the device functionality to allow only the use of POS and organization-specific inventory management applications. This is done by creating a device restriction configuration profile to set up the device in multi-app kiosk mode (Fig. 2), which ensures users can only access the applications placed in the Microsoft Managed Home Screen.
This configuration profile is then assigned to the Microsoft Entra device group previously created.

Fig. 2 – Configuration profile to restrict device as dedicated multi-app kiosk devices.

In addition to the mandatory configuration, Contoso Eateries wants to customize their Managed Home Screen experience. Therefore, they also create an app configuration policy for their Managed Home Screen.

Result: The device is restricted to POS and organization-specific inventory management applications within the Managed Home Screen (Fig. 3). Contoso Eateries will keep the POS application open for customer self-checkout, while using the organization-specific inventory management application to replenish stocks during non-business hours.

Fig. 3 – Personalized user experience on an Android device.

Scenario 2 – Contoso Pastries

Contoso Pastries aims to provide a similar experience for their frontline workers and customers as Contoso Eateries, but with iPads instead of Android tablets. The Contoso Pastries IT admin team wants to manage these devices centrally and restrict access to any other apps. Contoso Pastries gets all their iPads from an Apple Authorized Reseller, ensuring that all devices are added to their Apple Business Manager (ABM) account by the reseller, with supervised mode enabled by default.

Note: If ABM is not available, then Apple Configurator can also be used to enable supervised mode to achieve the requirements.

To comply with Contoso Pastries’ requirements, the HQ IT team creates an enrollment profile to enroll the devices without user affinity. Then, they create a device filter (Fig. 4) to filter for devices enrolled using this profile.

Fig. 4 – Device filter for specified enrollment profile.

Next, they add their line-of-business POS app and organization-specific inventory management applications to Intune and assign them to all devices using the device filters created above (Fig. 5).
This avoids the processing delay of dynamic device groups and reduces management overhead associated with creating and maintaining multiple security groups.

Fig. 5 – Assigning to all devices along with device filters.

For iOS/iPadOS devices, they’ll configure the entire device to function like a managed home screen by removing unwanted apps and retaining only the required ones. As a first step, they allow only the Contoso POS and organization-specific inventory management applications by configuring a device restriction profile (Fig. 6).

Fig. 6 – Device restriction profile.

To further customize the home screen appearance and dock configuration, the admin creates a device features configuration profile and adds the necessary apps accordingly (Fig. 7).

Fig. 7 – Device features configuration profile in the Microsoft Intune admin center.

Result: Once the device is dispatched to the stores and the store manager turns it on, the device is enrolled into Intune with all the specified configurations applied. The device is then restricted to POS and organization-specific inventory management applications (Fig. 8). This setup ensures that the POS application remains open for customer self-checkout, while the organization-specific inventory management application is used for stock replenishment during non-business hours.

Fig. 8 – Personalized user experience on an iPad.

With Intune, frontline worker scenarios in the retail industry can be managed effectively, ensuring that both associates and customers benefit from streamlined operations and enhanced user experiences. As demonstrated by Contoso Eateries and Contoso Pastries, Intune's capabilities in managing dedicated devices, whether on Android or iOS/iPadOS platforms, provide a robust solution for modern retail environments.
By leveraging features such as multi-app kiosk modes and customized home screen configurations, businesses can maintain control over their devices while empowering their frontline workers to perform their tasks efficiently. By adopting Intune, organizations can ensure that their frontline workers are equipped with the right tools to handle business operations seamlessly, ultimately driving productivity and customer satisfaction.

Please refer to the following documentation for more guidance:
For information on how to set up Android dedicated devices refer to: Enroll Android Enterprise dedicated devices in Intune
To find more information on Managed Home Screen and how it can improve the user experience refer to: Configure the Microsoft Managed Home Screen app
If you’d like to learn more about enrolling iOS/iPadOS using Apple Business Manager refer to: Set up automated device enrollment (ADE) for iOS/iPadOS
To learn about filters refer to: Using Filters in Intune

Stay tuned for more interesting content in this blog series; we’re keeping the initial blog updated with each posting for your reference: From the frontlines: Frontline worker management with Microsoft Intune. If you have any questions or want to share how you’re using frontline devices in Intune, leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune. You can also connect with us on LinkedIn: aka.ms/IntuneLinked

From the frontlines: Accelerating retail worker shared device experience (Part one)
By: Yusuke Shinoki – Sr Product Manager | Microsoft Intune

This is the second article in the "From the frontlines" series. I'm Yusuke Shinoki, and I wanted to share the insights I’ve gained from my retail customers who often talk to me about their frontline worker device scenarios.

Technology has revolutionized the retail industry by enhancing operational efficiency and customer experiences. Retail employees now use shared devices to access inventory data, check product availability, and manage orders on the go. Store staff monitor sales and productivity digitally, enabling frontline workers to better serve customers by quickly accessing essential information. In supermarkets and pharmacies operating 24/7, shared devices are rotated among shift workers to perform tasks critical to the business operations. Collaboration and real-time access to data are becoming increasingly important for frontline workers. Simultaneously, it’s essential to maintain secure access in line with the Zero Trust security strategy. Let’s discuss how retail associates can benefit from using Intune-managed devices at work while balancing productivity and security.

Retail associates device needs

Let’s say retail giant ‘Contoso’ wants to provide shared devices to retail associates, so they can help customers and drive sales. They want each associate to be able to pick up a device at the beginning of their shift and allow them to feel like it’s their own for the duration of the shift. Additionally, they want their associates to be able to collaborate with other associates via Microsoft Teams and access their internal employee portal. At the end of their shift, they want associates to log off and return their devices to the central pool, confident that their personal data won’t be seen by the next associate.

To support this scenario on shared devices, use Intune’s Android Enterprise dedicated devices enrollment solution with Microsoft Entra shared mode (Fig. 1) and Managed Home Screen.
Android Enterprise dedicated devices with Microsoft Entra shared mode and Managed Home Screen allow IT admins to provide a consistent shared device user experience. In Contoso’s case, the Contoso IT team needs to provide user experiences for retail associates such as:
Easy experience for device sign-in when starting their shift and sign-out at the end of their shift.
Setting a temporary session PIN for individual associates during their shifts while using devices.
Easy app switching.

Associates experience

The Contoso IT team must ensure seamless device sign-in to maximize associate productivity during limited shift hours. Intune and Managed Home Screen provide options to reduce shift swapping time by allowing workers to simply enter their Microsoft Entra ID account into the device and sign in. Microsoft Entra ID accounts require entering a User Principal Name such as "user@contoso.com". By configuring the "Domain name" setting in Managed Home Screen, associates will automatically see the domain name options available to them. This allows associates to quickly enter their ID and start using the device efficiently (Fig. 2).

After completing the initial Microsoft Entra ID authentication on the Managed Home Screen, associates set up a temporary session PIN (Fig. 3). This session PIN allows them to securely use shared devices for their tasks throughout their shift. The associates’ credentials are then used to enable a single sign-on experience with supported apps.

Usually switching apps in kiosk mode is cumbersome, but Managed Home Screen leverages the virtual app switcher button to let associates switch between apps quickly, just like they do on their regular Android devices (Fig. 4). This feature enhances the user experience by allowing seamless transitions between applications, ensuring that workers can maintain productivity without unnecessary delays.

Once the associate's shift ends, they can easily log out and return the device to the pool.
This ensures that all apps are securely signed out, preventing the next shift's associate from accessing any personal data handled by the previous user (Fig. 5). Even if the previous user forgets to sign out at the end of their shift, it's not a problem. The next user can easily start their session by using the “Switch User” option (Fig. 6). These streamlined user experiences allow retail associates to concentrate on their tasks without delays, improving productivity and user experience.

Setting up Managed Home Screen and the new simplified sign-in option

Configuring Managed Home Screen can be done through the device configuration profile (Fig. 7) but if you need advanced customization you can use app configuration policies (Fig. 8). This configuration is the same as described previously for the healthcare scenario: From the frontlines: Revolutionizing healthcare workers experience. For step-by-step instructions on setting up Managed Home Screen, refer to the blog: How to setup Microsoft Managed Home Screen in kiosk mode on Dedicated and Fully managed devices.

In addition to “Domain name” configuration, we’ve been working on further simplifying the sign-in experience. As of March 2025, we introduced QR code sign-in as a public preview. This new feature aims to streamline the initial sign-in process for frontline workers. For additional details on QR code authentication, refer to the following information:
Simplify frontline workers’ sign-in experience with QR code authentication | Microsoft Community Hub
How to enable QR code authentication in Microsoft Entra ID (preview) - Microsoft Entra ID | Microsoft Learn.

Summary

In this post, we explored how retail shop associates can use Android Enterprise dedicated devices with Entra Shared Mode and Managed Home Screen powered by Microsoft Intune throughout their shifts. This same type of configuration can be used in many other Android shared device scenarios such as warehouse operations, factory floor, and more.
For more guidance review the Microsoft Learn articles:
For information on how to set up shared Android devices refer to: Enroll Android Enterprise dedicated, fully managed, or corporate-owned work profile devices in Intune
To find more information on Managed Home Screen and how it can improve the user experience refer to: Configure the Microsoft Managed Home Screen app
If you’d like to learn more about how Microsoft Entra Shared Device Mode can help your users easily sign in and sign out leveraging single sign-on review: Shared Device Mode overview - Microsoft identity platform
To learn about how to set up maintenance windows and define application update conditions refer to: Corporate-owned Android Enterprise device restriction settings in Microsoft Intune
For information on enabling new QR code authentication refer to: How to enable QR code authentication in Microsoft Entra ID (preview) - Microsoft Entra ID.

If your device usage is similar to that of frontline workforces, consider using this solution and let us know how it works for you by leaving a comment below or reaching out to us on X @IntuneSuppTeam! In our next “From the frontlines”, we’ll dive into scenarios involving dedicated devices tailored for specific tasks that enhance customer service and efficiency in the retail industry. Check out From the frontlines: Frontline worker management with Microsoft Intune to see more “From the frontlines” blogs. Stay tuned!

From the frontlines: Revolutionizing healthcare workers experience
I'm Catarina Rodrigues and recently, I've had the opportunity to have several conversations with healthcare customers on how Intune can effectively manage devices in frontline critical environments. In this “From the frontlines” blog, I want to share with you some of my learnings.

Technology has revolutionized the healthcare sector, where hospitals are replacing paper with digital systems to ensure patient information is securely stored and easily accessible. Doctors can now check patient files and statuses on the go as they move around the hospital. Nurses can check their patients’ exams digitally and first responders in ambulances get access to essential information that helps save lives.

As shared in From the frontlines: Frontline worker management with Microsoft Intune, Intune allows healthcare organizations to secure mobile devices and manage data access, while ensuring a great user experience. Intune supports multiple platforms, making it the ideal solution for unified endpoint management. It allows for the configuration of devices to meet specific needs, whether for individual users, shared devices, or dedicated use. Let's look at an example of how Intune can enhance healthcare operations and patient care:

The Nurses station in the Hospital’s ICU

Nurses in the Intensive Care Unit (ICU) manage some of the most complex patient cases within the hospital and are typically responsible for multiple patient beds on the same floor. They typically have a short time window to act, need access to patient records and must easily communicate with other departments in the hospital. To modernize workflows and improve patient care, IT admins of a hospital are looking at ways to implement the use of Android tablets in the nurses’ station of the ICU.
With this device, they are hoping to provide the nurses access to essential information, such as a live feed of patient rooms, vital signs and recent exam results, allowing them to monitor significant changes in their patient’s health.

To build such a reliable and safe solution, IT admins need to consider the following requirements:
These Android devices are shared by different people throughout the day, as nurses work in shifts.
Users must sign in using their credentials to ensure they are verified and authorized hospital staff.
New versions of essential applications need to be tested before moving to production.
System and application updates need to happen during a specified maintenance window.
This device is used to communicate with other hospital services via message or voice.
This device can only connect to approved networks.

Considering these requirements, we can set up these devices as Android Enterprise Dedicated with Microsoft Entra Shared Device Mode (Fig. 1) to enable nurses to use them even as shifts change.

Fig. 1 – Setting up a Corporate-Owned Android Enterprise Dedicated with Microsoft Entra shared mode enrolment profile.

Nurses must sign in and authenticate to access this information, thereby protecting their patients' personal information. With Managed Home Screen, nurses will see a login screen that they can use to authenticate once (Fig. 2). From that point onward, during their shift, they’re signed in to all applications seamlessly and can trigger access using a PIN.

IT admins work with the developers of essential applications to enable phased deployments of new application versions using testing tracks in assignments. IT admins can use application configuration policies to manage settings of essential applications. System and applications updates can be scheduled to occur during a maintenance window to avoid disruption in the critical ICU department.
Lastly, by utilizing Intune configuration profiles, IT admins can set up Microsoft Teams to function as a walkie-talkie, enabling the voice feature. For security measures, Wi-Fi connectivity is limited to the hospital's network. These profiles can also be used to set up a custom wallpaper with hospital branding or even a widget to display weather conditions. This is just an example of how Intune can assist healthcare organizations in managing their FLW devices. Other examples include doctors being able to check patient files and calendars on their managed corporate iPhones, or hospitals having an admission system at the entrance that allows patients to check-in easily upon arrival for their consultation. This blog is part of a series: “From the frontlines:”. We’ll publish additional blogs on other healthcare scenarios and industries, such as retail and airlines, in the upcoming months. Check out From the frontlines: Frontline worker management with Microsoft Intune to see all other “From the frontlines:” blogs! Stay tuned! 
Please refer to the documentation here for more guidance:

- For information on how to set up shared Android devices, refer to: Enroll Android Enterprise dedicated, fully managed, or corporate-owned work profile devices in Intune
- For more information on Managed Home Screen and how it can improve the user experience, refer to: Configure the Microsoft Managed Home Screen app
- If you’d like to learn more about how Microsoft Entra Shared Device Mode can help your users easily sign in and sign out leveraging single sign-on, review: Shared Device Mode overview - Microsoft identity platform
- To learn about how to set up maintenance windows and define application update conditions, refer to: Corporate-owned Android Enterprise device restriction settings in Microsoft Intune

Let us know if you have any questions by leaving a comment on this post or reaching out on X @IntuneSuppTeam.

From the frontlines: Frontline worker management with Microsoft Intune
So, here we are. You’ve been asked to start managing frontline devices for your organization with Intune. You may be a pro with Intune management, with experience managing Windows devices, personal mobile devices, or corporate-owned productivity user-based mobile devices. Maybe you just completed your migration efforts from another product to Intune for some portion of your device estate. Or this may be your first interaction with Intune. Regardless of where you’re starting from, managing frontline worker devices in Intune is simple, and you can even leverage existing Intune policies you already configured. So, get out that rugged bar code scanner, Android tablet, kiosk device, shared iPad, wearable device, or any other frontline worker device and let’s get started!

My name is Dan Andersen, Principal PM Manager at Microsoft. My team partners directly with engineering to assist in product development, and our worldwide team has assisted over 1,800 enterprises in successfully onboarding their device scenarios into Intune. In this post I’m introducing a blog series focused on frontline worker (FLW) device management.

Why focus on FLW? This space represents a multitude of devices and use-cases that have enabled frontline workers, and we’ve worked with others like you to craft great FLW solutions. We will use this series to share these solutions and options with you and hopefully make your FLW journey with Intune seamless and exciting. Before getting into the series, if you’re looking for some background on FLW usage examples, check out the Microsoft Intune Blog: Microsoft Intune empowers frontline workers in retail and beyond.

Throughout this year we’ll deliver monthly blogs delving into FLW use-cases and how to manage these devices. We’ll dive into key scenarios and explain how to approach them and, at times, specifically how to configure them.
Instead of rewriting product documentation, we’ll include links to more details when applicable, and keep the posts focused on enabling success. Each blog post will be published here in the Microsoft Intune Customer Success blog and include “From the Frontlines:” in the title for easy searching. For quick reference, we’ll keep this table updated as we publish the series, so stay tuned here or follow us @IntuneSuppTeam on X for more in the coming months!

| Blog Topics | Publish date |
| --- | --- |
| From the frontlines: Revolutionizing healthcare worker experience | February 28, 2025 |
| From the frontlines: Accelerating retail worker shared device experience (Part one) | March 25, 2025 |
| From the frontlines: Accelerating retail worker shared device experience (Part two) | April 23, 2025 |
| From the frontlines: Delivering great dedicated device experiences for retail workers | May 28, 2025 |
| From the frontlines: Managing warehouse devices with Microsoft Intune | July 01, 2025 |
| From the frontlines: Managing common kiosk scenarios in your business | August 28, 2025 |
| From the frontlines: Delivering critical early responder device management | September 30, 2025 |
| From the frontlines: Empowering call center agents with Windows 365 Frontline | October 31, 2025 |