This guide walks you through configuring corporate-owned Android tablets in Microsoft Intune using Multi-App Kiosk Mode with Microsoft Entra shared device mode.

• ✔ Secure tablets
• ✔ Lock them down for business use only
• ✔ Enable shared, userless operation

Minimum license:

• Microsoft 365 F1 (or higher: Business Premium, E3, E5)

F1 is designed for frontline/shared device scenarios and supports Intune kiosk configurations.

• ✅ Microsoft Intune tenant set up & MDM authority assigned
• ✅ Admin access in Intune Admin Center & Microsoft Entra ID
• ✅ APK file for your custom business app (LOB/private app)
• ✅ Device reset and ready for enrollment

3.1 Add Microsoft Apps

1. Sign in to Intune Admin Center → https://intune.microsoft.com → Apps → All apps → Add
2. Select Managed Google Play app→ Approve these apps:
   • Microsoft Intune
   • Microsoft Authenticator
   • Managed Home Screen
   • Microsoft Launcher
   • Intune Company Portal
   • Microsoft Outlook

3.2 Add a Private Custom App

1. In Managed Google Play, go to Private apps → +
2. Provide App Title and upload APK
3. Important:
   • Package name must be globally unique
   • APK must not be debuggable
4. Click Create, then Sync in Intune

3.3 Assign Apps

Assign all apps as Required to the Kiosk Device Security Group (created in step 4).

1. Go to Entra ID → Groups → New group
2. Configure:
   • Group type: Security
   • Membership: Assigned
   • Name: Android COBO Kiosk Devices
3. Save the group

This group will be used for app assignment, configuration profiles, and enrollment profiles.

1. Go to Intune Admin Center → Devices → Android → Android enrollment
2. Select Corporate-owned dedicated devices → Microsoft Entra shared mode
3. Configure:
   • Profile Name: Company Owned Tab
   • Token type: Corporate-owned dedicated device with Microsoft Entra shared mode
   • Token expiration: 12–24 months
   • Device group: Android COBO Kiosk Devices
4. Save & download the QR code

1. Go to Intune Admin Center → Devices → Configuration profiles → Create profile
2. Platform: Android Enterprise | Profile type: Device restrictions
3. Configure restrictions:
   • Block: Screen capture, Camera, Bluetooth, USB transfer, Hotspot
   • Enable: Network escape hatch (recommended so admins can access network settings when required)
   • Password policy: Required, expires in 120 days, wipe after 10 failed attempts
4. Kiosk Mode Settings:
   • Type: Multi-app
   • Allowed apps:
     • Microsoft Intune → com.microsoft.intune
     • Authenticator → com.azure.authenticator
     • Managed Home Screen → com.microsoft.launcher.enterprise
     • Microsoft Launcher → com.microsoft.launcher
     • Company Portal → com.microsoft.windowsintune.companyportal
     • Outlook → com.microsoft.office.outlook
     • Custom App → <package.name>
   • Lock home screen: Enabled
   • Orientation: Auto-rotate
5. Assign to Android COBO Kiosk Devices group

• Reset tablet → Scan QR code → Auto-enroll
• Device joins Android COBO Kiosk Devices group
• Intune pushes:
  • Required apps
  • Device restrictions
  • Managed Home Screen

• Tablets boot into Managed Home Screen
• Only whitelisted apps visible
• Play Store, hotspot, USB, external storage, camera blocked
• Apps auto-update over Wi-Fi
• Security enforced:
  • Password every 24 hrs (or as configured)
  • Wipe after 10 failed attempts

If something does not apply or an error occurs, try these checks first:

Device stuck at enrollment

• Verify QR code/token is not expired. Recreate enrollment token if needed. Ensure network connectivity during enrollment.

Apps not installing or appearing

• Confirm the app is approved in Managed Google Play, synced with Intune, and assigned as Required to the device group. Check device logs in Intune for install failure codes.

Managed Home Screen not launching

• Ensure kiosk profile is assigned and applied. Confirm "Lock home screen" is enabled and no conflicting profile is targeting the device.

Users can't sign in to apps

• For shared/userless mode ensure apps that require sign-in support accountless/shared workflows or configure single-app workflows. For app sign-in errors, check conditional access policies and network access.

Device not showing in the group

• Confirm enrollment profile targeted the same Entra group or device was added automatically — if membership is manual, add device to the group or change membership rule.

• Devices are centrally manageable via Intune and typically require factory reset to remove from management (depending on manufacturer/OS).
• Conditional Access policies can still be applied to apps (e.g., Outlook) if users sign in — test before deployment.
• Consider adding DLP or App Protection Policies for email and document apps if sensitive data is accessed.

• ✔ Secure: Data protected, no external sharing
• ✔ Locked down: Multi-app kiosk mode
• ✔ Userless: Shared device with Entra shared mode
• ✔ Centrally managed: Apps & policies via Intune