Configure Corporate-owned dedicated device with Intune (part 1/3)

In this blog I will show how to configure a Corporate-owned dedicated device profile with Intune. The blog consists of several parts in which I show the configuration process in detail.

  1. This is the first part in which I will create the basic setup.
  2. In the second part I will use app configuration policies to configure permissions.
  3. In this final part I will use OEMConfig to configure in depth device settings.

For this blog series I will be using a Zebra TC26 Android device. The major advantage of this device is the extensive OEMConfig configuration options. Other brands require additional licenses or offer fewer options and support. You can use other brands but not all will support the options and settings shown in this blog. There are only two requirements for an Android Enterpris dedicated device:

  • Android OS version 6.0 or above.
  • Google Mobile Services must be available/connected.

 

Configuration

The configuration consists of a Multi Kiosk device with Teamviewer and Office on the Home screen. By using a dedicated profile, users cannot add apps themselves and can only perform actions approved by the administrator. Devices enrolled with this profile are not associated with an end user, therefore are not intended for used with personal use applications. If you would like to use an identity on a dedicated device to authenticate into applications, there is the option to use a “Corporate-owned dedicated device with Azure AD shared mode” type. These devices are intended for use with applications that have integrated with Azure AD’s Shared device mode to allow for single sign-in and single sign-out between users across participating applications.

For the basic profile, we are going to configure the items below:

  • Add a Corporate-owned dedicated devices profile
  • Create a dynamic device group
  • Add and assign the applications
  • Configure the Multi-app kiosk profile
  • Enroll a device with this profile

Let’s start to configure a Corporate-owned dedicated device.

 

Add a Corporate-owned dedicated devices profile

1. In the MEM admin center select “Devices”-> “Android” -> “Android Enrollment” and select “Corporate-owned dedicated devices”

 

2. Press the “+ Create profile” button.

 

3.  Enter a name for the enrollment profile and select a token type and press “Next” to continue. (The validity period of the token is valid for a maximum of 90 days.)

 

4. Press “Create” to create and activate the new enrollment profile.

 

Create a dynamic device group

Because the devices are not associated with an user we need to create a device group to assign the device configuration profiles, apps and other policies. There are multiple options like an assigned device group, dynamic group or you can also assign settings to all devices. Because I like to automate assignment I will use the Dynamic device group. The disadvantage of a dynamic device group is that membership processing takes time and it cannot be started or updated manually. Updating a dynamic group takes around 15 minutes on average, but it can take longer than 30 minutes in directories with many users. If you don’t want that you should choose another option.

 

5. Select Groups in the menu and press “New group”

 

6. Enter group name (1) and select membership type: “Dynamic Device” (2). Press Add dynamic query (3).

 

7. Configure the rule (1) and press “Save” (2)

Property enrollmentProfileName (step 3-1)
Operate Equals
Value <Enrollment profile Name>

 

8. Press “Create” to create the Dynamic Group

 

Add and assign the applications

To use the Multi Kiosk you will need to assign the Managed Home Screen and other apps you would like to publish on the dedicated Multi Kiosk devices. In this demo I wil publish Office and Teamviewer on the Kiosk dashboard (Managed Home Screen), but I will also assign Zebra OEMConfig to deploy OEMConfig configurations to device.

 

9. Select Apps -> Android. If there are any apps missing first add those apps from the store. Than assign Managed Home Screen to the created Dynamic Device Group.

 

10. And assign the other apps to the dynamic device group.

 

Configure the Multi-app kiosk profile

 

11. Select Devices -> Android -> Configuration profiles. Create a new Android Configuration profile. Select “Fully Managed, Dedicated and Corporate-Owned Work Profile” -> “Device restrictions” (Do not use Personally-Owned Work Profile!)

 

12. Enter a name for the configuration profile and press “next”

 

13. Unfold “Device Experience” (1) and select the enrollment profile type “Dedicate device” (2). Now you will be able to select a Kiosk mode select the option “Multi-App” (3).

 

14. Select Custom app layout “Enable” (1) to configure the layout of the Home screen. Press on the + (2) to add applications to the Home Screen. Select in the “Add items” blade the applications (3) you want to add to the Home Screen.

 

15. I will also enable the “Leave kiosk mode” so I will be able the leave the kiosk mode. To prevent users from leaving I will add a code.

 

16. Assign the policy to the dynamic group “Dedicated-MultiKiosk devices”

 

17. Review the settings and press “Create” to continue and apply the configuration to the dedicated devices.

 

Enroll a device with this profile

18. Select “Devices -> Android -> Android enrollment -> Corporate-owned dedicated devices” and select the “Dedicated-MultiKiosk”

 

19. Select “Token” and press “Show Token” to view the enrollment token. Use this QR code to manually enroll your devices. You can also use the Token for automatic enrollment like Samsung Knox.

 

20. Enroll the device using the QR code by tapping 5 times on the Welcome screen and scanning the code. During the enrollment the intune client will be installed.

 

21. Because the apps and configuration profiles are assigned using a dynamic device group it will take some additional time for these settings are applied. The dynamic group needs to be process the new members and the Intune client needs to sync again.

 

22. Once the applications and configuration are applied you will notice an permission pop-up. We will address this pop-up in part 2 of this blog, for now we will press “Allow” so we will see the Home Screen with the two configured apps “Office” and “Teamviewer”.

 

Configure Corporate-owned dedicated device with Intune (part 2/3)

 

 

2 thoughts on “Configure Corporate-owned dedicated device with Intune (part 1/3)

    1. Aad Lutgert Post author

      Hi Peder,

      You first need to enable “Leave kiosk mode” in the device restrictions policy. This feature is only available in Multi-App Kiosk mode with a managed home screen. After you’ve enabled this setting you will be able to leave the kiosk mode by pressing the “back” key multiple times on the device. A popup should appear with the option to leave managed home screen.

      regards, Aad

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *