First published on TechNet on Oct 08, 2018
Hi everyone, Matt Butcher here. I’m a Support Escalation Engineer on the Intune team and today I wanted to take a minute to go through the steps to configure and enroll COSU (corporate owned single use) Android enterprise devices using the popular QR code method.
To give you a little background, back in July we announced support for Android enterprise purpose-built device management, where we can target task-based usage cases such as unattended guest kiosk experiences, inventory tracking, mobile ticketing, point-of-sale devices, etc. Devices managed in this way can enroll into Intune using a few different enrollment methods, such as scanning a QR code, which is what we’ll be discussing here. The benefit with this is that administrators can enroll these devices without needing to have user account credentials on the device. IT admins can then configure these corporate-owned devices to be used in locked-down environments, allowing only the app or apps necessary to complete the task while preventing users from accessing settings, installing other apps, or changing any device functions that might interfere with reliable operation.
For the purposes of this example, you’ll need a device running Android 7 or later that you can factory reset, and an open wi-fi network. Once you have that, just follow the steps below.
1. If you haven't done this already, start by connecting your Intune account to your Android enterprise account .
2. Next, approve any applications from the Managed Play Store that you need to be in the Managed Home Screen experience (including the Managed Home Screen & Android Device Policy ).
3. Now we need to sync those apps to Intune. Open a browser and go to the Intune portal , then navigate to Client Apps - > Setup – Managed Google Play and click Sync .
4. Once the sync is complete, we need to create an Assigned or Dynamic device group that will be used for the deployment. If using a Dynamic device group, set the membership rule to Add devices where / enrollmentProfileName / Equals / < InsertCOSUEnrollmentProfileNameHere > . I’ll be using a Dynamic device group named COSU_Dynamic_Device_Group so my rule will be Add devices where / enrollmentProfileName / Equals / COSU_Enrollment_Profile as shown below. 
5. Now we need to create our COSU Enrollment Profile. From the Intune portal , navigate to Intune - > Android Enrollment - > Kiosk and Task Device Enrollments - > Create. Name the profile what you chose in your Dynamic Membership Criteria, which in our example was COSU_Enrollment_Profile .
6. Once that’s done, we’ll now create our Kiosk Profile. From the Intune portal , navigate to Device Configuration - > Profiles - > Create Profile. And configure the profile accordingly:
a. Name: Whatever you like
b. Platform: Android Enterprise
c. Profile Type: Device Owner Only – Device Restrictions
d. Navigate to the Kiosk node and select Multi-app kiosk
e. Click Add . The list of all your apps will appear on the right
f. Add your apps but do not add the Managed Home Screen.
g. If you have Web Apps, be sure to include a browser
I also recommend adding a password just to see what happens with the Android Device Policy app.
7. Deploy all your apps as Required to your Dynamic device group. Note that if you have Web Apps, you do not need to deploy them.
8. Factory Reset your Android device.
9. Wait for OOBE to begin, then tap the white space until you’re prompted to download QR Reader .
10. Connect to your open Wi-Fi network and wait for the QR reader to be installed (your screen will just be a camera).
11. Use QR Reader to scan the QR code attached to your COSU Enrollment Profile. As the device enrolls, wait until the Managed Home Screen experience begins. If you required a PIN, manually set it before the Managed Home Screen experience begins. If you fail to do this the policy will show as failed. This is important because the PIN requirement does not present a toast notification to the user however the settings are still enforced.
That’s it! Now your device is enrolled and ready to use.
Key Notes
- Don't add the Managed Home Screen app to the Multi-App Kiosk profile.
- If using web links, you do not need to deploy these to the device groups. Only store apps are required to be deployed.
- If requiring a PIN, the user will not be prompted. The setting is enforced and you will need to configure the PIN manually.
- To get out of the Managed Home Screen experience, all you need to do is remove the Managed Home Screen app deployment. You can adjust the Multi-App Kiosk Mode profile as needed, and then redeploy the Managed Home Screen app.
- To get out of COSU, you will need to factory reset the device.
- When troubleshooting, It is recommended to include the Android Device Policy app in your Multi-App Kiosk profile. This will allow you to verify what policies Google is sending to the device.
- There is no direct communication between Intune and devices enrolled using this method. Intune sends policy information to Google which then manages policy delivery.
- Device names will look like this: 30a97bfb2327b18d_AndroidEnterprise_10/2/2018_10:34 PM . Currently this cannot be changed.
- Compliance will show as Not Evaluated because COSU does not support compliance policies.
- In this scenario, you cannot deploy certificate profiles, and wi-fi profiles are limited to open authentication or pre-shared key
Matthew Butcher
Intune Support Escalation Engineer
Microsoft CSS