How to setup Microsoft Managed Home Screen in kiosk mode on Dedicated and Fully managed devices

By: Charlotte Maguire | Sr. Software Engineer & Abigail Stein | Product Manager & Gracey Wilson | Product Manager II – Microsoft Intune

 

To deliver a multi-app, kiosk-style scenario on your Android Enterprise dedicated and fully managed devices, Microsoft Intune uses Microsoft’s Managed Home Screen. This blog post explains what Managed Home Screen is, when to use it, and how to set it up. We walk you through step-by step how to enroll your devices with Managed Home Screen and answer common questions.

What are “dedicated devices” and “fully managed devices”?

Intune customers have the option to enroll their Android devices as Android Enterprise dedicated devices. These are corporate-owned devices that are not associated with a particular user and are often leveraged to complete specific tasks.

 

Intune customers also have the option to enroll their Android devices as Android Enterprise fully managed devices. These are corporate-owned devices that are associated with a particular user. To understand more about dedicated and fully managed devices, please refer to the FAQ at the end of this post.

The Managed Home Screen app provides even more functionality to the dedicated and fully managed device solutions by limiting the set of apps available and preventing users from making changes to the device. Managed Home Screen also enables organizations to further customize, restrict, and troubleshoot their Intune-managed dedicated and fully managed devices. Note that Managed Home Screen is intended only for Intune-managed devices enrolled as an Android Enterprise dedicated or fully managed device. If you are looking for an alternative solution that allows the end user access to all apps and settings on your Intune-managed Android Enterprise fully-managed devices, see Microsoft Launcher for Enterprise.

What is Microsoft Managed Home Screen?

Screenshot of the Managed Home Screen on an Android tablet and Android device.

 

 

Managed Home Screen is an Android application available for use through Managed Google Play.

 

Use Managed Home Screen when you want your users to have access to a specific set of applications on your Intune-enrolled dedicated and fully managed devices. When configured in multi-app kiosk mode in Intune, Managed Home Screen is automatically launched as the default home screen on the device and appears to the user as the only home screen. This prevents devices from being misused and allows you to completely customize the home screen experience. Regardless of what is already installed on the device, you can pick which apps and system settings you want your users to access from Managed Home Screen to ensure the content they access is relevant to their tasks. Managed Home Screen gives you the flexibility to empower your users. Learn more by reading on!

Customization allows you to completely redesign how the home screen looks and feels:

• Set a custom wallpaper to show off your branding or use it as a visual indicator to differentiate between your devices.
• Position your apps on the home screen to make more important and frequently used apps easier to access, as well as create a consistent and familiar setup for your users between devices.
• Categorize your apps into folders to reduce cognitive overload, especially if you have a lot of apps on the home screen.
• Customize the size of how apps and folders appear on the home screen to accommodate various screen sizes.
• Add custom widgets to the home screen to get quick access to vital app data.
• Set a screen saver image to hide the home screen when the device is inactive.
• On dedicated devices, configure sign-in and sign-out capabilities in Managed Home Screen when a device is set up with Azure AD shared device mode.

 

Not only will Managed Home Screen enable you to make your organization’s devices visually appealing, but it’s also practical and streamlines the debugging process when something goes wrong on a device. With Managed Home Screen you can:

• Intuitively access device information, such as the device’s serial number and its Intune enrollment name, to locate a problematic device in the Microsoft Intune admin center.
• Access admin-related apps to upload logs or sync policies, such as Microsoft Intune app or the Android Device Policy app.
• Access MHS logs to confirm what configurations are currently set on the device to check against what was pushed from Intune.
• Access a temporary exit out of the Managed Home Screen app and return to the device’s original home screen to gain full access to the system settings, provided you have access to the admin-specified exit PIN.

These customizations are only accessible by using Managed Home Screen. Depending on your needs, you can use single-app kiosk mode to lock your devices into any other application or leave kiosk mode not configured. If you leave kiosk mode not configured, you will have limited control over the user experience. The chart below provides a visual summary of what you can accomplish with and without kiosk mode, as well as Managed Home Screen capabilities.

 

User experience without MHS VS with MHS for multi-app kiosk mode

*Control over user access to notifications, navigation buttons, power menu & status bar are only configurable on devices running Android OS 9 or later.

 

How do I set it up?

Let’s go step-by-step to set up your device with Managed Home Screen configurations.

 

Before we begin, make sure you have an Android device that is capable of enrolling into Intune as an Android Enterprise dedicated or fully managed device. Not sure if your device meets the requirements? For dedicated devices, check the “Device requirements” section of Android Enterprise dedicated device enrollment. For fully managed devices, check the “Prerequisites” section of: Android Enterprise fully managed device enrollment.

 

Step #1 – Setup your Intune enrollment profile and device group.

Create an enrollment profile to generate an enrollment token and attach it to a device group. Note that this step assumes you have already set Intune as your MDM authority and that you have connected your Intune account to your Managed Google Play account.

 

In the Microsoft Intune admin center, navigate to Devices > Android > Android enrollment and select your management mode: Corporate-owned dedicated devices or Corporate-owned, fully managed user devices.

 

Screenshot of the Android enrollment blade in the Microsoft Intune admin center.

 

Choose Create profile.

 

Fill in the Name and, if desired, a Description. You can also choose when you would like your token to expire. As of December 2022, the max expiry is 90 days from the day the token was created. This will soon be extended to 65 years.

 

If you’ve selected dedicated devices, you must now select the Type. If you anticipate that your devices will now, or in the future, require users to access M365 applications, App Protection Policies, or Conditional Access policies, select Corporate owned dedicated device with Azure AD shared mode. Otherwise, select Corporate owned dedicated device. Learn more about shared device mode in the blog post Enroll Android Enterprise dedicated devices into Azure AD shared device mode.

When you’re ready, click Create. Tip: Remember the profile name, as we will be using it next.

 

 

 

Step #2 – Create a device group

Navigate to Groups > All groups > New group.

 

 

Create a Group name and, if desired, a Group description. Verify that the Group type is set to “security".

Change Membership type to Dynamic device. And then Add a dynamic query. Use dynamic queries so that your device is automatically added to a group based on the property of your choice. This way, you don’t need to manually add devices to groups post-enrollment. If you prefer to add members manually, change the Membership type to Assigned.

 

 

In this example, we’re adding devices to this user group whenever a device enrolls with the newly made profile. To do that, we make the dynamic query add a device any time the Property  “enrollmentProfileName” is equal to the name of your Android Enterprise device enrollment profile from Step 1.

 

Configure the dynamic query by changing:

• Property to “enrollmentProfileName”
• Operator to “Equals”
• Value to <your enrollment profile name>
  
  

 

Save the query and return the New group page. Review your group’s properties and click Create when you’re ready. Confirm your device group was created in the All groups page.

 

 

Step #3 – Approve and assign Managed Home Screen and other Managed Google Play apps

This step ensures that the Managed Home Screen is downloaded and installed on your enrolled devices and is automatically launched.

Once you have linked your Intune and Managed Google Play accounts, you’ll notice that you already have Managed Home Screen synced in the console when you navigate to Apps > All apps.

 

Click on “Managed Home Screen” and choose Properties > Assignments (edit), add your device group from Step 2 to the Required assignments, and then save.

 

 

To add public, private or web applications, stay in Apps > All apps and choose “add.”

 

 

Under Select app type choose Managed Google Play app.

 

 

You should see something like the image below:

 

 

Notice the Play Store icon, a lock icon, and a globe icon on the left of the screen. To add public applications, keep the Play Store icon selected. To add private applications or web applications, choose the lock and globe icons, respectively.

In this example, we'll illustrate adding Microsoft Edge.

 

Search for “Microsoft Edge” using the search bar and then select the Microsoft Edge icon.

 

Choose Approve which will generate a pop-up like the one below.

 

 

Click Approve once more and follow the instructions on the next pop-up regarding app permission requests. Click Done when you are ready.

 

Notice the app will now be marked as “Approved” underneath its listing.

 

Repeat the above steps for all the public applications you would like to add to the store. Reference Add Managed Google Play apps to Android Enterprise devices with Intune if you would like to add private applications or web apps. The same link calls out the steps we have illustrated above for public applications, for a quick reference.

 

When you are done adding Managed Play Store applications, click the Sync button in the top left corner. The following banner will appear in your application list:

 

 

Once the applications have successfully synced into your list, repeat the steps we described for Managed Home Screen to assign the apps as “Required” to the device group you made in Step 2.

 

Step #4 – Manage Android Enterprise system apps

In addition to Managed Play Store applications, we often get questions about how to add system applications to devices that are using Managed Home Screen. System applications are the apps that ship on a device by a certain Original Equipment Manufacturer (OEM) and are not published to the Play Store. These apps are often disabled by default upon enrollment, so you will need to follow these steps to enable them and show the icon on the device. To accomplish this, navigate back to Apps > All apps in Intune and choose Add in the top left corner.

 

 

Choose Select and then fill out the App information, and assign as “Required” or “Uninstall” to the group we made in Step 2. Choose required if you would like the application available on the device or uninstall if you would like the application to always be hidden on the device. If you’re not interested in making any changes to the system apps on your devices, you may skip this step.

 

 

Please note that Microsoft does not maintain a list of OEM’s system applications. If you are having trouble locating the correct package names for your device, please work with your device OEM(s).

 

Step #5 – Create a device configuration profile

In this step, we walk through creating a device configuration profile for your dedicated devices. This profile will allow you to configure device-level behavior and will also allow you to configure kiosk mode, which is how your device(s) will know to launch Managed Home Screen automatically. Additionally, this is where you add applications to Managed Home Screen and can configure some Managed Home Screen-specific features.

 

Navigate to Devices > Configuration profiles > Create profile.

 

 

Under Platform, select “Android Enterprise.” Under Profile select “Device restrictions” beneath “Fully Managed, Dedicated, and Corporate-Owned Work Profile.”

 

 

Choose Create, provide a Name for your profile and, if desired, a Description.

 

 

When you’re ready, choose Next. Use the available categories to configure any settings that are applicable to your scenario. For this tutorial, we will focus only on showing you how to set up Managed Home Screen under the Kiosk mode category.

 

Toggle the Device experience type setting to “Kiosk mode (dedicated and fully managed)” as shown below.

 

 

Toggle the Kiosk mode setting to “Multi-app”. This will ensure your devices targeted with this profile are locked into Managed Home Screen, which you already set as a required application in Step 3. Additionally, it will show you a list of settings that are directly applicable to Managed Home Screen.

 

 

In the top section, choose Add to select any Android Enterprise applications you have added to the console, which we also did in Step 3. These are the applications that will appear to your users when they use Managed Home Screen.

 

Underneath the app selection setting, configure any of the settings that you like. You can use the tooltips to better understand what these settings do, or refer to: Android Enterprise | Device restrictions for Dedicated devices for more info.

 

When configuring, consider settings that impact the user experience of the device. For example, you can configure whether you want a user to be able to easily access the debug menu, see the number of notifications they have per-app, see basic device information, and more. If you have selected to enroll devices with Azure shared device mode, you may also choose to leverage Managed Home Screen’s integration with shared device mode by enabling Managed Home Screen sign-in to customize sign-in and sign-out experiences for your users.

 

Once you’re ready to move on from configuring settings, choose Next, assign the profile to your device group, review your changes to make sure everything looks correct, and then click Create.

 

At this point, you can enroll your devices into Intune and expect them to download any of the apps you targeted, receive applied settings and other policies, and automatically lock into and launch Managed Home Screen. Find the details in Step 7.

 

To take full advantage of all the settings that Managed Home Screen has to offer, you can create an app configuration policy, since many of the customizations are not yet available in the Device configuration profile. We walk you through this in the next step. Below is a summary of which customizations are exclusive to app configuration policy at this point in time.

 

*Currently, only some complexities available in Device Configuration.

 

Step #6 – (Optional) Create an app configuration profile

As mentioned above, if you have completed steps 1-5, you are all set to enroll your devices. This step is optional and should be used if you want to learn how to leverage all of the Managed Home Screen features available today, either pre- or post-enrollment.

This step will allow you to configure the complete list of features Managed Home Screen has to offer today. Additionally, any time Managed Home Screen publishes an update to the Google Play store with new features, the settings become instantly available via app configuration.

 

Please note, we strongly suggest using device configuration to set the Managed Home Screen settings. For the Managed Home Screen settings not yet available in device configuration, use App configuration. Let’s get started!

 

In the Microsoft Intune admin center, navigate to Apps > App configuration policies > Add > Managed devices

 

 

 

Fill in the Name and, if desired, a Description. For platform, choose Android Enterprise, for profile type, select Fully Managed, Dedicated and Corporate-Owned Work Profile Only, and for targeted app, select Managed Home Screen. Choose Next when you’re ready to continue.

 

On the top half of the screen are Permissions assignments. For this tutorial, we use the default permissions and won’t make any adjustments here. However, feel free to make changes as you see fit.

 

On the bottom half of the screen are Configuration settings.

 

 

You can choose to use configuration designer or JSON data to configure your settings.

 

 

Configuration designer will show you all available configurations for features within Managed Home Screen the instant a new update is released on the Managed Google Play Store. However, some configuration keys will only be configurable through JSON format. We will briefly show you how to use Configuration settings format > Use configuration designer to add Managed Home Screen features but will use Enter JSON data format to achieve our scenario.

 

6.A Using configuration designer to setup Managed Home Screen features

From the Configuration settings format drop-down menu, select Use configuration designer and choose Add to open a panel with all the available Managed Home Screen configuration keys.

 

Select the configuration keys you want to edit in the right panel and then click OK.

 

 

After selecting the configuration keys, you’ll see that they have default values.

 

To make a configuration value changes, hover over and interact with each row under the “Configuration value” column.

 

Once your changes have been made, click Next.

 

 

Note: Values at this point are not saved. If you want to switch configuration formats from “Use configuration designer” to “Enter JSON data,” you’ll need to delete additional example configurations in the JSON block. Finish and save this policy before switching to “Enter JSON data.”

 

On the Assignments page under Included groups, choose Select groups to include and pick the device group you created in Step 2. Click Next to review and, when you’re ready, click Create.

 

 

6.B Using JSON data to setup Managed Home Screen features

Finish configuring the home screen by using JSON to create folders, add widgets, and order items.

 

You can edit your existing app configuration profile by clicking on the policy you just made in Apps > App configuration policies.

 

 

Then select Properties > Settings (Edit)

 

Use the Configuration settings format drop-down menu to select Enter JSON data. Notice all of your existing configurations in JSON format.

 

Your JSON should always begin and end with the following:

{
    "kind": "androidenterprise#managedConfiguration",
    "productId": "app:com.microsoft.launcher.enterprise",
    "managedProperty": [
//FEATURE CONFIGURATIONS GO HERE
    ]
}

 

6.B.1 Add a widget to your home screen

Managed Home Screen provides the ability to add widgets to the home screen. MHS provides and maintains a "time" and "weather" widget. You can also add a custom LOB widget or a third-party widget using JSON data. You can easily expose your LOB or third-party widget with the package name and class name for your widget.

 

The following syntax is an example JSON script for the time widget where the package name is “com.microsoft.launcher.enterprise” and the class name is “Time”. Replace the package name and class name with the information that corresponds with the widget you want to insert:

{
    "kind": "androidenterprise#managedConfiguration",
    "productId": "app:com.microsoft.launcher.enterprise",
    "managedProperty": [
{
            "key": "widgets",
            "valueBundleArray": [
                {
                    "managedProperty": [
                        {
                            "key": "package",
                            "valueString": "package name of application that exposes the widget here. An example: com.microsoft.launcher.enterprise"
                        },
                        {
                            "key": "widget_class",
                            "valueString": "class name of widget here. an example: Time"
                        },
                        {
                            "key": "span_x",
                            "valueInteger": 5
                        },
                        {
                            "key": "span_y",
                            "valueInteger": 2
                        }
                    ]
                }
            ]
        }
]
}

 

For the time widget, the package name is “com.microsoft.launcher.enterprise” and the class name is “Time”. For the weather widget, the package name is “com.microsoft.launcher.enterprise” and the class name is “Weather”. In order to add a custom LOB widget or third-party widget, you must identify the package name and class name for the specific widget.

Tip: Widgets cannot be accessed in app ordering. The inserted widget will go in the first unordered space. If you want your widget to appear in the first two rows, place the remaining apps in row 3 or below.

Step #7 – Enroll your devices

Make sure your device is running Android OS 8+ and runs with Google Mobile Services (GMS). Once you have your device ready, you can enroll it from a factory-reset state using Near Field Communication (NFC), token entry, QR code scanning, Google’s Zero Touch enrollment or Samsung’s Knox Mobile Enrollment. Since there is no user associated with Android Enterprise dedicated devices, user credentials will not be required during enrollment or provisioning. Choose which enrollment type you’d like to use and follow the appropriate instructions found in Enroll your Android Enterprise dedicated, fully managed, or corporate-owned with work profile devices.

 

Once enrollment has been initiated on your device, you’ll need to follow simple instructions on the screen to complete the enrollment process.

 

Step #8 – Setup done

Once enrollment is complete, you’ll land on the device’s home screen. The device will sync policies with Intune. Once policies are synced, apps will begin to download and install on your device. Once Managed Home Screen is installed, it will auto-launch and show all your configurations. Your device is ready for use!

 

Next Steps

We are excited to share the robust capabilities that Managed Home Screen can provide to help you deliver a superior and consistent user experience on all your Intune-managed dedicated devices. As we continue to innovate on the Managed Home Screen, we look forward to your ongoing usage and feedback. Have feedback? Need help? Please fill out this form, and note that additional fields will become available based on selection. We’re always eager to learn more about what we can do better for you! While you’re welcome to comment back on this post, we’re taking specific service feedback on this feature in the form.

 

FAQs

1. Dedicated devices are new to me. When should I choose to enroll a device as a dedicated device?
   
   1. Intune’s Android Enterprise dedicated device solution is intended for use by customers that want their Android devices enrolled with no user-affinity. Intune’s Android Enterprise dedicated device solution requires that the device runs Android OS 8+ and can connect to Google Mobile Services (GMS). The three main scenarios Intune sees for dedicated devices are as follows, in no particular order:
      
      • Intune’s Android Enterprise dedicated device solution is intended for use by customers that want their Android devices enrolled with no user-affinity. Intune’s Android Enterprise dedicated device solution requires that the device runs Android OS 8+ and can connect to Google Mobile Services (GMS). The three main scenarios Intune sees for dedicated devices are as follows, in no particular order:
      • As a digital sign – typically locked into one application that shows viewers desired information. Consider the train schedules you might see at a subway stop, or in an airport. There is zero-to-minimal physical user interaction in this scenario.
      • Task-based devices – typically locked into one application or multiple applications, and used for specific tasks. The device has no knowledge of who is using it or when.  Example: package delivery drivers who pick up a device at the beginning of their shift and use it to navigate to their location, scan packages, complete other role-based tasks and then drop the device back off when they're done for the next delivery driver to use.
      • Multi-user, task devices – locked into one app or a set of apps, and used for specific tasks. At least one application on the device requires users to sign-in, and those apps need to have knowledge of who is using it and when. For this scenario, we generally recommend leveraging Shared device mode. Example: A device that is used in a factory by a maintenance person, shift worker and delivery driver. While the device’s apps and policies are the same per-user, applications on device display relevant information to each person based on sign-in information.
        
        
2. When I create a token to enroll my dedicated devices, it forces me to expire it in 90 days or less, how can I get around this?
   
   1. Historically, Google enforced a maximum of 90 days for token expiration. However, this restriction has recently been lifted and Intune is working to support an enrollment token lifetime of 65 years. This work is in development and is expected to be available to Intune customers by January of 2023. Do note that any expiration date selected with an enrollment token only impacts new enrollments. Existing devices enrolled on a particular token will stay enrolled until they are wiped or factory reset, agnostic of the token’s expiration date. Additionally, there is no limit to how many devices you can enroll on a specific token. If you’re interested in learning how to get around manually updating your tokens each time they expire, see the article Automatically renew Android enrollment tokens using Power Automate.
      
      
3. I want to enable system apps on my dedicated device and am having trouble locating the package names. Does Microsoft maintain a list of packages for different devices?
   
   1. Device manufacturers choose what system applications ship with their devices, and this can vary both by make and model. As such, Microsoft does not maintain any list of system packages for device manufacturers. Please work with your manufacturer or use debugging tools to find the package names of the system applications on your device(s).
      
      
4. When should I be using Intune’s single-app kiosk mode versus multi-app kiosk mode?
   
   1. Single-app kiosk mode is intended for use by customers who want their devices locked into any particular application. Devices running in single-app kiosk mode are locked down into just one selected application, disabling user access to the rest of the device. This is most useful in cases when you want to limit user interaction significantly and is particularly useful for customers who know that one app will satisfy all of their use cases at all times. Example: A digital sign at a subway stop set up to only display that day’s train schedules or a device serving as a public kiosk. Note: Although you can choose to use single-app kiosk mode with Managed Home Screen, we recommend using multi-app kiosk mode, which takes care of placing Managed Home Screen into single-app kiosk mode behind the scenes, and exposes additional settings to configure.
   2. Multi-app kiosk mode is intended for customers looking to use Managed Home Screen to optimize workflows by streamlining the user experience. This is done by limiting app access, restricting device navigation, and enabling only specific device capabilities. This mode is particularly useful for customers that require access to multiple apps but want to limit overall device access. Example: A device that is used on a factory floor to complete a few distinct functions.
      
      
5. If I use a device configuration profile and an app configuration profile to set up Managed Home Screen, do I need to worry about conflicts?
   
   1. It is completely appropriate to use a device configuration profile and an app configuration profile to set up Managed Home Screen. We recommend doing this only if there are Managed Home Screen settings that you would like to configure that are not yet available in device configuration. If you don’t set the same features in both places, there will be no conflicts to worry about.

 

Quick links

The links provided below include all the documentation you need to set up your Android Enterprise dedicated devices with Managed Home Screen in Intune.

1. Set the mobile device management authority
2. Connect your Intune account to your Managed Google Play account
3. Set up Intune enrollment of Android Enterprise dedicated devices
4. Set up enrollment for Android Enterprise fully managed devices
5. Enroll your dedicated devices and fully managed devices
   1. You can enroll your devices at any point after creating an enrollment profile and device group. In this blog post, we enrolled the devices after setting up apps a device configuration profile, but it is equally reasonable to deploy policies post-enrollment.
6. Add Managed Google Play apps
7. Add Android Enterprise system apps
8. Assign apps to your groups
   1. Choose “Required” for Managed Google Play apps and Android Enterprise system apps that you want accessible on your dedicated devices.
   2. Choose “Uninstall” for Android Enterprise system apps that you want hidden on your dedicated devices.
9. Apply device configuration settings
   1. Device restrictions
   2. OEMConfig
   3. Wi-Fi profiles
   4. Certificates
10. Apply app configuration policies to managed Android Enterprise devices
    1. Full list of features you can configure with Managed Home Screen

 

Post updates:

12/9/22: Updated to include additional features that have been released along with minor content updates.

07/29/20: Updated the chart to include new device configuration support for a number of Managed Home Screen items.

05/02/24: Updated table based on updated settings.

07/02/24: Image refresh.

08/20/24: Blog post refresh.

09/10/24: Updates to the app configuration policy table and screenshot of the Android enrollment experience in the Microsoft Intune admin center.

12/12/24: Updated section: 6.B.1 Add a widget to your home screen.