Android enterprise kiosk devices
With this feature, administrators have the ability to lock the use of a device ( authorized applications,…). Thus the user cannot install his applications (social networks, games,…). It’s important to note that registration is done without a user account. The equipment is therefore not associated with any end user.
- Android version 5.1 and later
- Have an android distribution with GMS connectivity (Google Mobile Services)
Configure Android kiosk device management
It’s necessary first to configure Android for Works in Intune. This point will be the subject of a future article. Thereafter, it’s necessary to create a registration profile. Following the creation of a registration profile, a registration token as well as a QR code is generated.
From the Intune portal, select Device Enrollment then Android Enrollement. In the central panel, click on Kiosk and task device enrollments.
Click on Create and enter the name you want. If you want you can enter a description. You need enter Token Expiration Date (maximum:90 days).
Click on Create to proceed with the creation.
From the Token tab, it is possible to replace, delete or view the Token.
Create Security group
We will use a dynamic security group in order to allow the automatic connection of device registered in Kiosk mode to a security group. Thus it’s possible to automate profil or application deployment following device Registered.
Into the Intune platform, click on Azure Active Directory then on Groups. In the central panel click on New Group.
From the Group Type drop-down list select Security. Enter the name and description that you want and select Dynamic Device from the Membership drop-down list.
Click on Add dynamic query and choose Simple rule. Configure the filter as below:
- In the first drop-down list choose : attribute enrollmentProfileName
- In the middle drop-down list choose: match
- In the last drop-down list enter : enrollment profile name (Kiosk-IT for me)
Click on Add query then on Create.
The group is now been created.
Enroll Kiok Device
The enrollemnt method depending on the version of your Android.
- Android 5.1 or later : Use NFC (Near Field Communication)
- Android 6 or later : Use Token entry
- Android 7 or later : Use QR Code
- Android 8 : Zero Touch
I own a Samsung with an Android 6, so I will choose the enrollment by token entry. On the first time, you need execute factory reset on your device (unless the equipment comes out of the box).
In the wizard, select the language and connect the equipment to a Wi-Fi network.
When adding the Gmail account enter afw#setup then press Next.
Press Install to install Android Device Policy. Download is in progress.
After installation, press Configure to configure Device Policy . The device and Google Play Store are updated.
With your mobile and intune portal, scan the QR Code or enter manually the token.
Enrollment in Microsoft Intune is now complete. You can see on the device that the interface is limited. Moreover, the applications available in the Google Play Store are only those deployed by the IT team.