This post has been republished via RSS; it originally appeared at: Intune Customer Success articles.
By: Charlotte Maguire | Program Manager & Julia Syi | Program Manager 2 – Microsoft Endpoint Manager - Intune
To deliver a multi-app, kiosk-style scenario on your Android Enterprise dedicated devices, Microsoft Intune uses Microsoft’s Managed Home Screen. This blog post will help explain what Managed Home Screen is, when to use it and how to set it up. We will walk you through step-by step how to enroll your devices with Managed Home Screen and we will answer the common questions we hear regarding Intune’s dedicated device solution with Managed Home Screen.
Note that Microsoft Intune is now a part of Microsoft Endpoint Manager (MEM), a unified management platform that also includes Configuration Manager, so you will see references to MEM throughout this post.
What is a “dedicated device”?
MEM customers using Intune have the option to enroll their Android devices as Android Enterprise (AE) dedicated devices. These are corporate-owned devices are not associated with any particular user and often leveraged to complete specific tasks. If you have additional questions about Intune’s dedicated device solution, please refer to the FAQ at the end of this post.
Microsoft’s Managed Home Screen app provides even more functionality to the dedicated device solution by limiting the set of apps available and preventing users from making any changes to the device. Managed Home Screen also enables organizations to further customize, restrict, and troubleshoot their Intune-managed dedicated devices. Note that MHS is intended only for Intune-managed devices enrolled as an AE dedicated device. If you are looking for a similar solution on your Intune-managed AE fully managed devices, please use our Microsoft Launcher for Enterprise solution.
What is Microsoft Managed Home Screen?
Managed Home Screen (MHS) is an Android application available for use through Managed Google Play.
Use MHS when you want your end users to have access to a specific set of applications on your Intune-enrolled dedicated devices. When configured in multi-app kiosk mode in the MEM console, MHS is automatically launched as the default home screen on the device and appears to the end user as the only home screen. This will prevent devices from being misused and allows you to completely customize the home screen experience. Regardless of what is already installed on the device, you can pick which apps and system settings you want your users to access from MHS to ensure the content they access is completely relevant to their tasks. MHS gives you the flexibility to empower your users. Learn more by reading on!
MHS customization allows you to completely redesign how the home screen looks and feels:
- Set a custom wallpaper to show off your branding or use it as a visual indicator to differentiate between your devices.
- Position your apps on the home screen to make more important and frequently used apps easier to access, as well as to create a consistent and familiar setup for your users between devices.
- Categorize your apps into folders to reduce cognitive overload if you have a lot of apps on the home screen.
- Customize the size of how apps and folders appear on the home screen to accommodate various screen sizes.
- Add custom widgets to the home screen to get quick access to vital app data.
- Set a screen saver image to hide the home screen when the device is inactive.
Not only will MHS enable you to make your organization’s devices visually appealing, it’s also practical and streamlines the debugging process when something inevitably goes wrong on a device. In one place within MHS you can:
- Intuitively access device information (e.g.: device serial number) to find a problematic device in the Intune console.
- Access admin-related apps to sync policies (Microsoft Intune app, Android Device Policy app).
- Access MHS logs to confirm what configurations are currently set on the device to check against what was pushed from the Intune console.
- Access an exit out of the Managed Home Screen app and return to the device’s original home screen to gain full access to the system settings, provided you have access to the exit PIN.
These are customizations that you only get by using Managed Home Screen via multi-app kiosk mode. Without MHS, you can either use single-app kiosk mode if you want your devices locked into one specific app, or leave kiosk mode not configured. If you leave kiosk mode not configured, you will have limited control over the end-user experience. Reference the chart below for a visual summary of what MHS provides.
End-user experience without MHS VS with MHS for multi-app kiosk mode
|
Customizations |
Without kiosk mode |
With single app kiosk mode |
With MHS for multi-app kiosk mode |
|
Add public, private, and web-based Managed Google Play applications to the home screen. |
✔ |
|
✔ |
|
“Lock” user into one application with no home screen. The application will always be launched, with no exit path. |
|
✔ |
|
|
Set a custom wallpaper for the home screen. |
|
|
✔ |
|
Categorize apps into folders. |
|
|
✔ |
|
Customize how apps and folders look on the home screen. |
|
|
✔ |
|
Add widgets to the home screen. |
|
|
✔ |
|
Add a screen saver image. |
|
|
✔ |
|
Order items on the home screen. |
|
|
✔ |
|
“Lock” the home screen so a user can’t add, move, or remove anything. Users will only have access to the items you have explicitly made available. |
|
✔ |
✔ |
|
Pick which system settings to expose for end-user access. |
|
|
✔ |
|
Device debugging (MHS log collection, device information, easy access to Intune app and Android device policy app sync, ability to exit to OEM home screen). |
|
|
✔ |
How do I set it up?
Let’s go step-by-step to set up your device with Managed Home Screen configurations.
Before we begin, make sure you have an Android device that is capable of enrolling into Intune as an Android Enterprise dedicated device. Not sure if your device meets the requirements? Check the “Device requirements” section in docs here.
Step #1 – Setup your Intune enrollment profile and device group.
In this step you will create an enrollment profile to generate an enrollment token and attach it to a device group. Please note that this step assumes you have already set Intune as your MDM authority and that you have connected your Intune tenant to your Managed Google Play account.
In the MEM console, navigate from Devices > Android > Android enrollment > Corporate-owned dedicated devices.
Fill in the Name and, if you want to, a Description. You can also choose when you would like your token to expire, with a max expiry of 90 days from the day you create the token. When you’re ready, choose Create. Tip: Remember this name, as we will be using it next.
Step #2 – Create a device group
In the MEM admin center, navigate to Groups > All groups > New group.
Create a new group by filling out a Group name and, if you want, a Group description. Verify that the Group type is set to “security.”
Change Membership type to Dynamic device. And then Add a dynamic query. Change Membership type to Dynamic device. And then Add a dynamic query. We will use dynamic queries so that your device is automatically added to a group based on the property of your choice. This way, you don’t need to manually add devices to groups post-enrollment.
In this example, we are going to add devices to this user group whenever a device enrolls with the profile you just made. To do that, we are going to make the dynamic query add a device any time the Property “enrollmentProfileName” is equal to the name your Android Enterprise Dedicated device enrollment profile from Step 1.
Configure the dynamic query by changing:
- Property to “enrollmentProfileName”
- Operator to “Equals”
- Value to <your enrollment profile name>
Select Save to save the query and return the New group page. Review your group’s properties and hit Create when you’re ready. Confirm your device group was created in the All groups page.
Step #3 – Approve and assign Managed Home Screen and other Managed Google Play apps
This step will make sure that Managed Home Screen is downloaded and installed on your enrolled devices and automatically launched.
Once you have linked your Intune and Managed Google Play accounts, you’ll notice that you already have Managed Home Screen synced in the console when you navigate to Apps > All apps.
Click on “Managed Home Screen” and choose Properties > Assignments (edit) and then add your device group from Step 2 to the Required assignments and save.
To add public, private or web applications, stay in Apps > All apps and choose “add.”
Under Select app type choose Managed Google Play app.
You should see something like this:
On the left-hand side, notice the Play Store icon, a lock icon and a globe icon. To add public applications, keep the Play Store icon selected. To add private applications or web applications, choose the lock and globe icons, respectively.
In this example, we will illustrate adding Microsoft Edge, a public application.
Search for “Microsoft Edge” using the search bar and then select the Microsoft Edge icon.
Choose Approve which will generate a pop-up like this:
Hit Approve once more and follow the instructions on the next pop-up regarding app permission requests. Click Done when you are ready.
Notice the app will now be marked as “Approved” underneath its listing.
Repeat the above steps for all the public applications you would like to add to the store. Reference our documentation if you would like to add private applications or web apps. The same link calls out the steps we have illustrated above for public applications if you ever need a quick reference.
When you are done adding Managed Play Store applications, hit the Sync button in the top left-hand corner. You will see this banner appear back in your application list:
Once the applications have successfully synced into your list, repeat the steps we described for MHS to assign the apps as “Required” to the device group you made in Step 2.
Step #4 – Manage Android Enterprise system apps
In addition to Managed Play Store applications, we often get questions about how to add system applications to dedicated devices that are using Managed Home Screen. System apps are apps that ship on a device by a certain Original Equipment Manufacturer (OEM), and are not published to the Play Store. These apps are often disabled by default upon enrollment, so you will need to follow these steps to enable them and show the icon on the device. To accomplish this, you will navigate back to Apps > All apps and choose Add in the top left corner.
Choose Select and then fill out the App information, and follow steps to assign any scope tags, assign as “Required” or “Uninstall” to the group we made in Step 2. Choose required if you would like the application available on the device, or uninstall if you would like the application to always be hidden on the device. If you’re not interested in making any changes to the system apps on your devices, you may skip this step.
Please note that Microsoft does not maintain a list of OEM’s system applications. If you are having trouble locating the correct package names for your device, please work with your device OEM(s).
Step #5 – Create a device configuration profile
In this step, we will walk you through creating a device configuration profile for your dedicated devices. This profile will allow you to configure device-level behavior and will also allow you to configure kiosk mode, which is how your device(s) will know to launch MHS automatically. Additionally, this is where you add applications to MHS and can configure some MHS-specific features.
Navigate to Devices > Configuration profiles > Create profile
Under Platform, select “Android Enterprise.” Under Profile select “Device restrictions” beneath “Device Owner Only.”
Choose Create and fill out a Name for your profile and, if you want, a Description.
When you’re ready, choose Next. Use the available categories to configure any settings that are applicable to your scenario. For this tutorial, we will focus only on showing you how to set up Managed Home Screen under the Dedicated devices category.
Toggle the Kiosk mode setting to “Multi-app,” as shown below. This will make sure your devices targeted with this profile are locked into MHS, which you already set as a required application in Step 3. Additionally, it will show you a list of settings that are directly applicable to MHS.
In the top section, choose Add to select any Android Enterprise applications you have added to the console, which we also did in Step 3. These are the applications that will appear to your end-users when they use MHS.
Underneath the app selection setting, configure any of the settings that you like. You can use the tooltips to better understand what these settings to, or refer to our documentation.
Once you’re ready to move on from configuring settings, choose Next and then choose if you want any scope tags, assign the profile to your device group, review your changes to make sure everything looks correct and choose Create.
At this point, you can enroll your devices into Intune and expect them to download any of the apps you targeted, receive applied settings and other policies, and automatically lock into and launch MHS. Find the details in Step 7.
To take full advantage of all the settings that Microsoft Managed Home Screen has to offer, you can create an app configuration policy, since many of the customizations are not yet available in the Device configuration profile. We will walk you through this in the next step. Below is a summary of which customizations are exclusive to app configuration policy at this point in time.
|
|
Available in Device Configuration |
Available in App Configuration |
|
To customize the home screen’s appearance consider these features: |
||
|
Set a custom wallpaper |
X |
X |
|
Set app icon size |
|
X |
|
Set app folder icon |
|
X |
|
Set screen orientation |
|
X |
|
Create a Folder |
|
X |
|
Add a widget |
|
X |
|
To customize screen saver mode consider these features: |
||
|
Enable screen saver mode |
X |
X |
|
Set a screen saver image |
X |
X |
|
Set the number of seconds the device shows the screen saver before turning the screen off |
X |
X |
|
Set the number of seconds a device is inactive for before showing the screen saver |
X |
X |
|
Set whether or not playing media should we accounted when counting inactivity time |
X |
X |
|
Choose which settings you want to expose in MHS by picking from this list: |
||
|
Enable a virtual home button |
X |
X |
|
Set the type of virtual home button (floating or accessing by swiping up) |
X |
X |
|
Enable Wi-Fi configuration to see available networks |
X |
X |
|
Enable a Wi-Fi allow-list to limit networks |
|
X |
|
Set the Wi-Fi allow-list if enabled |
|
X |
|
Enable Bluetooth configuration to see available networks |
X |
X |
|
Enable Flashlight toggle (if the hardware supports it) |
X |
X |
|
Enable a media volume slider |
X |
X |
|
Enable a Device Information tab to see information around device model, manufacturer, and serial number |
|
X |
|
Enable notifications badge on applications |
|
X |
|
Enable the battery and signal strength indicators on the home screen’s status bar |
|
X |
|
To set the order of items on the home screen you’ll need all of these features: |
||
|
Set grid size |
|
X |
|
Lock home screen |
|
X |
|
Enable application order |
|
X |
|
Set the application orders |
|
X |
|
Enable extra debugging features from these features: |
||
|
Enable Exit Kiosk mode |
X |
X |
|
Set Exit Kiosk mode PIN |
X |
X |
|
Enable easy access of the debug menu |
|
X |
Step #6 – Create an app configuration profile
As mentioned above, if you have completed steps 1-5, you are all set to enroll your devices. This step is optional, and should be used if you want to learn how to leverage all of the Managed Home Screen features we have available for you today, either pre- or post-enrollment.
This step will allow you to configure the complete list of features MHS has to offer today. Additionally, any time MHS publishes an update to the Google Play store with new features, the settings become instantly available via app configuration.
Please note, we strongly suggest using device configuration to set the MHS settings that exist there. For the MHS settings you want that are not yet available in device configuration, please use App configuration. Let’s get started!
In the MEM Admin Center, navigate to Apps > App configuration policies > Add > Managed Devices
Fill in the Name and, if you want, a Description. For platform choose Android Enterprise and for targeted app select Managed Home Screen. Choose Next when you are ready to continue.
On the top half of the screen are Permissions assignments. For this tutorial, we will be using the default permissions, and will not be making any adjustments here. However, feel free to make changes as you see fit.
On the bottom half of the screen are Configuration Settings.
You can choose to use configuration designer or JSON data to configure your settings.
Configuration designer will show you all available configurations for features within MHS the instant a new update is released on the Managed Google Play Store. However, some configuration keys will only be configurable through JSON format. We will show you briefly how to use Configuration settings format > Use configuration designer to add our MHS features, but will use Enter JSON data format to achieve our scenario.
6.A Using configuration designer to setup MHS features
From the Configuration settings format drop-down menu, select Use configuration designer and choose Add to open a panel with all the available MHS configuration keys.
Select the configuration keys you want to edit in the right panel and press “OK”
After selecting the configuration keys, you’ll see that they have default values.
To make a configuration value change, hover and interact under the “Configuration value” column for each row.
Once your changes have been made, select Next.
Note: Values at this point are not saved. If you want to switch configuration formats from “Use configuration designer” to “Enter JSON data,” then you will need to delete a bunch of additional example configuration in the JSON block. Continue to finish and save this policy before switching to “Enter JSON data”.
On the Assignments page under Included groups, choose Select groups to include and pick the device group you created in Step 2. Hit Next to review + create and when you’re ready, choose Create.
6.B Using JSON data to setup MHS features
Now, let’s finish configuring our home screen by using JSON to create folders, add widgets, and order items.
You can edit your existing app configuration profile by clicking on the policy you just made in Apps > App configuration policies.
Then select Properties > Settings (Edit)
Use the Configuration settings format drop-down menu to select Enter JSON data and notice all of your existing configurations in JSON format!
Your JSON should always begin and end with this:
6.B.1 Add a managed folder to your home screen
Want to add a bit of organization to your home screen? Create a folder managed by you. This can only be done via JSON data format in an app configuration policy.
Add the following JSON snippet in where feature configurations go.
- Replace “PLACEHOLDER_FOLDER-NAME” with the name you wish to give your folder.
- Replace “PLACEHOLDER_APP-PACKAGE-NAME” with the package name of the app you wish to place inside your folder. In this instance, there are two apps within the folder. You can add as many apps as you wish. An app package name would look something like “com.example.myapp.” As an example, the Microsoft Teams app for Android has a package name of “com.microsoft.teams.”
6.B.2 Configure custom ordering of items on the home screen
To create a custom ordering of items on the home screen you will need to have:
- Already added your apps, widgets, and folders to your home screen allow-list.
- Locked the home screen so that an end-user cannot make changes by moving things around themselves.
- Set a grid size for your home screen pages.
- Enabled app ordering mode.
You will now be able to set the position of an item to assigned grid position. Positions read from smallest to largest from left-to-right and then top-to-bottom. Below, the illustration is set to a grid size of “3;7” which is 3 columns and 7 rows. This grid size will contain at maximum 21 items on each page. Note that custom widgets can take up more than one space depending on its size.
The following JSON snippet will show an example of putting the Microsoft Teams, Yammer, and SharePoint apps in positions 16, 17, and 18. To customize this JSON for your own use, simply replace the app package names and position numbers to match your customization.
Step #7 – Enroll your devices
Please make sure your device is running Android OS 6+ and runs with Google Mobile Services (GMS). Once you have your device ready, you can enroll it from a factory-reset state using Near Field Communication (NFC), token entry, QR code scanning, Google’s Zero Touch enrollment or Samsung’s Knox Mobile Enrollment. Since there is no user associated with AE dedicated devices, user credentials will not be required during enrollment or provisioning. Please choose which enrollment type you’d like to use and follow the appropriate instructions found here.
Once enrollment has been initiated on your device, you’ll need to follow simple instructions on the screen to complete the enrollment process.
Step #8 – Setup done
Once enrollment is complete, you will land on the device’s home screen. The device will sync policies with Intune. Once policies are synced, apps will begin to download and install on your device. Once Managed Home Screen is installed, it will auto-launch and show all your configurations. Your device is ready for use!
Next Steps
We are excited to share the robust capabilities that Managed Home Screen can provide to help you deliver a superior and consistent end-user experience on all your Intune-managed dedicated devices. As we continue to innovate on the Managed Home Screen, we look forward to your ongoing usage and feedback. Have feedback? Need help? Please fill out this form, and note that additional fields will become available based on selection. We’re always eager to learn more about what we can do better for you! While you’re welcome to comment back on this post, we’re taking specific service feedback on this feature in the form.
FAQ
- Dedicated devices are new to me. What are they used for?
- Intune’s AE dedicated device solution is intended for use by customers that want their Android devices enrolled with no user-affinity. Intune’s AE dedicated device solution requires that the device runs Android OS 6+ and can connect to Google Mobile Services (GMS). The three main scenarios Intune sees for dedicated devices are as follows, in no particular order:
- As a kiosk-style device – locked into one app or a set of apps to be used by any number of people, many of whom are not associated with the company that owns the device. Consider a device that you might use to navigate a menu at an airport restaurant, or in a store to put your name on a waiting list for some service.
- As a digital sign – typically locked into one application that shows viewers desired information. Consider the train schedules you might see at a subway stop, or in an airport. There is zero-to-minimal physical end-user interaction in this scenario.
- Task-based devices – typically locked into one application or multiple applications, and used for specific tasks. The device has no knowledge of who is using it or when. Example: package delivery drivers who pick up a device at the beginning of their shift and use it to navigate to their location, scan packages, complete other role-based tasks and then drop the device back off when they're done for the next delivery driver to use.
- Intune’s AE dedicated device solution is intended for use by customers that want their Android devices enrolled with no user-affinity. Intune’s AE dedicated device solution requires that the device runs Android OS 6+ and can connect to Google Mobile Services (GMS). The three main scenarios Intune sees for dedicated devices are as follows, in no particular order:
- When I create a token to enroll my dedicated devices, it forces me to expire it in 90 days or less, how can I get around this?
- Google enforces a maximum of 90 days for token expiration. However, please note that this expiration date only impacts new enrollments. Existing devices enrolled on a particular token will stay enrolled until they are wiped or factory reset, independent of the token’s expiration date. Additionally, there is no limit to how many devices you can enroll on a specific token. If you’re interested in learning how to get around manually updating your tokens each time they expire, please see the article on how to Automatically renew Android enrollment tokens using Power Automate.
- I want to enable system apps on my dedicated device, and am having trouble locating the package names. Does Microsoft maintain a list of packages for different devices?
- Device manufacturers choose what system applications ship with their devices and this can vary both my make and by model. As such, Microsoft does not maintain any list of system packages for device manufacturers. Please work with your manufacturer or use debugging tools to find the package names of the system applications on your device(s).
- When should I be using Intune’s single-app kiosk mode versus multi-app kiosk mode?
- Single-app kiosk mode is intended for use by customers who want their devices locked into one specific application that is NOT Managed Home Screen. Devices running in single-app kiosk mode are locked down into just the one application, and end-users do not have access to the rest of the device or other applications.
- This mode is particularly useful for customers who know that one app will satisfy all of their use cases at all times. Example: a digital sign at a subway stop set up to only display that day’s train schedules.
- If I use a device configuration profile and an app configuration profile to set up Managed Home Screen (MHS), do I need to worry about conflicts?
- It is completely appropriate to use a device configuration profile and an app configuration profile to set up MHS, and we recommend doing this only if there are MHS settings you would like to configure that are not yet available in device configuration. As long as you don’t set the same features in both places, there will be no conflicts to worry about.
Quick links
Below please find, in order, all the documentation you would need to set up your Android Enterprise dedicated devices with Managed Home Screen in Intune.
- Set the mobile device management authority.
- Connect your Intune account to your Managed Google Play account.
- Set up Intune enrollment of Android Enterprise dedicated devices.
- Enroll your dedicated devices.
- You can enroll your devices at any point after creating an enrollment profile and device group. In this blog post, we enrolled the devices after setting up apps a device configuration profile, but it is equally reasonable to deploy policies post-enrollment.
- Add Managed Google Play apps.
- Add Android Enterprise system apps.
- Assign apps to your groups.
- Choose “required” for Managed Google Play apps and AE system apps that you want accessible on your dedicated devices.
- Choose “uninstall” for AE system apps that you want hidden on your dedicated devices.
- Apply device configuration settings.
- Apply app configuration policies to managed AE devices.