The Android Tales: A Full Comprehensive Guide on Managing Android devices with Microsoft Intune – Part 2

In the previous parts, we mainly looked at how we linked our Managed Google Play and provided our personal Android devices with a work profile with Microsoft Intune. In this part, I’ll take you through the configuration of Android Enterprise Dedicated Devices.

Android Enterprise Dedicated Devices

Android Enterprise dedicated devices are corporate-owned devices intended for a single, specific purpose, such as kiosk devices or user-shared devices. These devices are locked into a particular set of apps and configurations, making them ideal for frontline or task-based workers.

Requirements

To enroll Android Enterprise dedicated devices, we need the following:

  • A compatible Android device with a supported OS version
  • An enrollment profile for Android Enterprise dedicated devices
  • An assigned device group for Enrollment Time Grouping
  • An application
  • A compliance policy
  • A configuration profile

First, we need to create an Enrollment profile. Here, it is important to know the purpose of the device. Depending on the function or purpose of the device, we can decide which type of token we need. First, let’s briefly go deeper into the difference between the two token types.

Corporate-owned dedicated device – Default vs. Microsoft Entra Shared

If we look at creating our Token in the Enrollment Profile, we see two options, namely Corporate-owned dedicated device (default) or Corporate-owned dedicated device with Microsoft Entra shared mode.

So what is the difference between the two? The difference between a corporate-owned dedicated device (default) and one configured with Microsoft Entra shared mode lies in how the device handles user identity and usage patterns. The default mode is intended for single-purpose devices used by one person or no person at all, like kiosks, digital signage, or task-specific tablets, where no user signs in and the device runs a locked-down set of apps.

Microsoft Entra shared mode is designed for environments where multiple users share the same device across shifts or roles, such as in healthcare or retail. It allows users to sign in temporarily using their Microsoft Entra ID, access supported apps with single sign-on, and securely sign out when done, ensuring that personal data and session tokens are cleared between users.

The table below shows the main differences between the two types and also which type is used for which purpose:

Enrollment Time Grouping

Before we get started with configuration, it is also important to talk a little about Enrollment Time Grouping. Enrollment Time Grouping allows Intune to pre-assign corporate-owned Android devices to Microsoft Entra security groups during enrollment, speeding up app and policy delivery.

Instead of waiting for dynamic group membership updates after enrollment, like we did before, which could take a while, Enrollment Time Grouping ensures the device is immediately part of a designated security group as soon as it’s enrolled.
This enables Microsoft Intune to deliver required apps, configurations, and policies right away, reducing setup delays and improving time-to-productivity for users. To configure it, you create a static Microsoft Entra security group, assign the Intune Provisioning Client as its owner, and link it to the enrollment profile. I’ll show you during our configuration. Let’s go!

Configuration

Microsoft Entra ID group

As discussed earlier, we will first create our Entra security group for Enrollment Time Grouping. This is an assigned device group, and we are going to make the Intune Provisioning Client (Enterprise application) its owner.

INFORMATION: Chances are that this Enterprise Application has a different name. Make sure that the one with AppID f1346770-5b25-470b-88bd-d5744ab7952c is the one you make the owner of the group.

Also, make sure you create an assigned user group. Dynamic groups aren’t supported.

Go to Microsoft Entra admin center | Groups and choose New group. Create a group with the following settings and choose Create.

  • Group type: Security
  • Group Name: AND – DVC – Android Dedicated Devices – Kiosk
  • Group Description: Android Dedicated Devices in Kiosk Mode
  • Microsoft Entra roles can be assigned to the group: No
  • Membership type: Assigned
  • Owner: Intune Provisioning Client (f1346770-5b25-470b-88bd-d5744ab7952c)

Once the group is created, it is ready for use in our enrollment profile.
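The group prerequisites above can be checked before the group is linked to an enrollment profile. This is an added example, not part of the original post; it assumes the group and its owners were exported as Microsoft Graph JSON, and the sample records are constructed.

```python
# Added example: audit a group against the Enrollment Time Grouping prerequisites.
# Assumed input shape: Microsoft Graph JSON for the group and for its owners list.
PROVISIONING_CLIENT_APP_ID = "f1346770-5b25-470b-88bd-d5744ab7952c"  # AppID from this page


def check_etg_group(group, owners):
    """Return a list of findings; an empty list means all prerequisites are met."""
    findings = []
    if not group.get("securityEnabled"):
        findings.append("not a security group")
    # Graph flags dynamic groups with "DynamicMembership" in groupTypes.
    if "DynamicMembership" in (group.get("groupTypes") or []):
        findings.append("membership is Dynamic, must be Assigned")
    if group.get("isAssignableToRole"):
        findings.append("Entra roles can be assigned to the group, expected No")
    # Match the owner on AppID: the display name can differ between tenants.
    owner_app_ids = {
        o.get("appId") for o in owners
        if o.get("@odata.type") == "#microsoft.graph.servicePrincipal"
    }
    if PROVISIONING_CLIENT_APP_ID not in owner_app_ids:
        findings.append("Intune Provisioning Client is not an owner")
    return findings


# Constructed sample data (not taken from a real tenant).
GOOD_GROUP = {"securityEnabled": True, "groupTypes": [], "isAssignableToRole": None}
GOOD_OWNERS = [{
    "@odata.type": "#microsoft.graph.servicePrincipal",
    "displayName": "Provisioning app under another name (constructed)",
    "appId": PROVISIONING_CLIENT_APP_ID,
}]
BAD_GROUP = {"securityEnabled": True, "groupTypes": ["DynamicMembership"]}
BAD_OWNERS = [{"@odata.type": "#microsoft.graph.user", "displayName": "Constructed Admin"}]

if __name__ == "__main__":
    for label, grp, own in (("good", GOOD_GROUP, GOOD_OWNERS), ("bad", BAD_GROUP, BAD_OWNERS)):
        print(label, check_etg_group(grp, own) or "OK")
```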

Enrollment Profile

The first thing is to create the enrollment profile. As discussed earlier, for this section we are going for the Corporate-owned dedicated device.

Go to Microsoft Intune admin center | Devices | Android | Enrollment and, under Enrollment Profiles, select Corporate-owned dedicated devices.

Choose Create policy and create a policy as shown below, and choose Next.

  • Name: AND – Corporate-Owned Devices – Kiosk
  • Description: Enrollment token for Android Dedicated Devices in Kiosk Mode
  • Token type: Corporate-owned dedicated device
  • Token expiration date: Choose a date 90 days from today (recommended by Google)
  • Apply device name template: No

On the Device group screen, choose Microsoft Entra group and select our newly created group, then choose Next.

Review your settings and choose Create.

Our enrollment token is now ready for use. Next up, we will create a Compliance and Configuration policy (for single-app and for multi-app) to get our enrollment ready.

Compliance Policy

As with our Work profile enrollment, it is also important here, for security, that our devices meet certain requirements before they are allowed to enroll. To control this, we will provide a Compliance Policy that sets certain requirements, such as a minimum OS version and blocking rooted devices.

Go to Microsoft Intune admin center | Devices | Android | Compliance and choose Create policy, select the following, and choose Create.

  • Platform: Android Enterprise
  • Profile type: Fully managed, dedicated, and corporate-owned work profile

Give the policy a name and description and select Next.

We are now going to define some requirements that our devices must meet, such as a minimum OS version, an active password, etc. This Compliance Policy is a baseline and not a requirement, but a good start. Below is an overview of all the settings per item that we are going to set under Compliance settings. Configure them as shown and choose Next.

Choose Next and configure the Actions for noncompliance after 3 days. This is also to give the device time to become compliant.

Choose Next and assign the policy to our newly created Microsoft Entra group, and choose Next again.

In the Review + create screen, review your settings and choose Create. Our compliance policy is ready to go!

Managed Google Play – Apps

Before we can start with our configuration, we also need applications to add to our Kiosk configuration.

Go to Microsoft Intune admin center | Apps | Android | Android Apps and choose Create. As the App type, choose Managed Google Play app and then choose Select. This will open the Managed Google Play environment.

Search for Microsoft Edge and select the app. Once the app screen is shown, choose Select.

Confusingly, you will not get a notification after you select the app. Choose Sync in the upper left corner. You will then be sent back to your applications in Microsoft Intune and get the following notification, and Microsoft Edge is not yet on the list.

Refresh several times, and you will see that Microsoft Edge is now also in the App list.

Now we are going to assign our app to our Microsoft Entra group that we have created.

Make sure you do this for all the applications you need in your configuration.

Configuration Profile

The last thing we are going to configure before enrolling a device is a Configuration Policy for enabling the single-app kiosk mode and multi-app kiosk mode on our Android device.

Single App – Kiosk Mode

In this part, we will make our device a single-app kiosk device. As an example, we will use Microsoft Edge as the app, and it will open full screen on the device.

Go to Microsoft Intune admin center | Devices | Android | Configuration and choose Create and then New Policy. Choose the following:

  • Platform: Android Enterprise
  • Profile type: Templates

Choose Device restrictions underneath the Fully Managed, Dedicated, and Corporate-Owned Work Profile template.

Give the Configuration Profile a name and description, and select Next:

  • Name: AND – Kiosk – Single App Mode
  • Description: This policy will enable Single-App kiosk mode for Android Corporate-Owned Dedicated Devices

In the Configuration settings, go to Device Experience and configure the following settings, and choose Next.

  • Device experience type: Kiosk mode (dedicated and fully managed)
  • Kiosk mode: Single app
  • Select an app to use for kiosk mode: Microsoft Edge: AI browser

Assign our newly created group to the policy and choose Next.

To finalize, choose Create.

Our Configuration Policy is now ready to go.

If you would rather use Multi-app mode, use the configuration below.

Multi-App – Kiosk Mode

In this part, we will make our device a multi-app kiosk device. As an example, we will use a couple of apps available on the start screen. But first, we need to assign those apps to our Microsoft Entra group. So make sure the created Microsoft Entra group is assigned, as required, to all apps that need to be published on the start screen of our Multi-app Kiosk device.

IMPORTANT: Make sure the Managed Home Screen app is also assigned to our Microsoft Entra group. This app is needed for our Multi-app kiosk device.

Now let’s start creating our Configuration Profile for our Multi-App Kiosk devices.

Go to Microsoft Intune admin center | Devices | Android | Configuration and choose Create and then New Policy. Choose the following:

  • Platform: Android Enterprise
  • Profile type: Templates

Choose Device restrictions underneath the Fully Managed, Dedicated, and Corporate-Owned Work Profile template and choose Create.

Give the Configuration Profile a name and description, and select Next:

  • Name: AND – Kiosk – Multi App Mode
  • Description: This policy will enable Multi-App kiosk mode for Android Corporate-Owned Dedicated Devices

In the Configuration settings, go to Device Experience and configure the following settings, and choose Next.

  • Device experience type: Kiosk mode (dedicated and fully managed)
  • Kiosk mode: Multi-app
  • Custom app layout: Enabled
  • Grid Size: 4 columns x 5 rows
  • Home screen: Add the desired apps

Assign our newly created group to the policy and choose Next.

To finalize, choose Create.

Our Configuration Policy for our Multi-App kiosk devices is now ready to go.

IMPORTANT: We’ve created both configuration policies for Single-App and Multi-App. Only assign one of them to the Microsoft Entra Group; otherwise, a conflict will occur, and your configuration will fail.
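The conflict described above can be caught before enrollment by checking which groups are targeted by more than one kiosk profile. This is an added example, not part of the original post; it assumes the profiles were exported as Microsoft Graph JSON with their assignments expanded and the kiosk mode in the `kioskModeUseManagedHomeScreenApp` field, and the group ids and sample records are constructed.

```python
# Added example: find groups that receive more than one kiosk configuration profile.
# Assumed input shape: Microsoft Graph device configuration JSON with assignments.
from collections import defaultdict

KIOSK_MODES = {"singleAppMode", "multiAppMode"}
GROUP_TARGET = "#microsoft.graph.groupAssignmentTarget"  # include-assignment to a group


def find_kiosk_conflicts(profiles):
    """Return {group id: sorted kiosk profile names} for groups hit by 2+ kiosk profiles."""
    by_group = defaultdict(list)
    for profile in profiles:
        if profile.get("kioskModeUseManagedHomeScreenApp") not in KIOSK_MODES:
            continue  # not a kiosk profile, cannot cause this conflict
        for assignment in profile.get("assignments", []):
            target = assignment.get("target", {})
            # Exclusion targets do not deliver the profile, so only count includes.
            if target.get("@odata.type") == GROUP_TARGET:
                by_group[target["groupId"]].append(profile["displayName"])
    return {gid: sorted(names) for gid, names in by_group.items() if len(names) > 1}


def _assign(group_id, kind=GROUP_TARGET):
    return {"target": {"@odata.type": kind, "groupId": group_id}}


# Constructed sample data; group ids are placeholders, profile names follow the page.
KIOSK_GROUP = "00000000-0000-0000-0000-00000000000a"
OTHER_GROUP = "00000000-0000-0000-0000-00000000000b"
SAMPLE_PROFILES = [
    {"displayName": "AND – Kiosk – Single App Mode",
     "kioskModeUseManagedHomeScreenApp": "singleAppMode",
     "assignments": [_assign(KIOSK_GROUP)]},
    {"displayName": "AND – Kiosk – Multi App Mode",
     "kioskModeUseManagedHomeScreenApp": "multiAppMode",
     "assignments": [_assign(KIOSK_GROUP),
                     _assign(OTHER_GROUP, "#microsoft.graph.exclusionGroupAssignmentTarget")]},
    {"displayName": "Constructed non-kiosk restrictions profile",
     "kioskModeUseManagedHomeScreenApp": "notConfigured",
     "assignments": [_assign(KIOSK_GROUP), _assign(OTHER_GROUP)]},
]

if __name__ == "__main__":
    for gid, names in find_kiosk_conflicts(SAMPLE_PROFILES).items():
        print(f"group {gid} receives conflicting kiosk profiles: {names}")
```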

In this last part, I’ll show you how to enroll your device and show the difference between the Single-App mode and Multi-App mode as an end-user experience.

Enrollment

Boot your device and tap the Welcome screen 6 times on the device screen. Select your language, then scan the QR code you created in the Enrollment profile. Choose your Wi-Fi connection and start deploying.

When you get the screen This device belongs to your organisation, choose Next. Now follow all the steps until you get to the This [model device] isn’t private screen and choose Next.

On the Your work checklist screen, configure a PIN code and choose Install for the work apps. Once you are through this, choose Done. We are now in the final stage before our device is ready.

After the device is registered, you will get two more questions around Google Services and the Privacy Policy. Choose Accept and Next. After that, our device is enrolled as a kiosk device.

User Experience

Single-App Mode vs Multi-App Mode

Depending on which configuration you chose, single-app or multi-app, you will see the user experience on the device below.

Conclusion

Android Corporate-owned Dedicated Device enrollment offers a streamlined and secure way to manage purpose-built devices within enterprise environments. Single App Mode ensures a focused user experience by locking the device to a single application, ideal for kiosks or task-specific scenarios. In contrast, Multi-App Mode provides flexibility by allowing access to a curated set of apps, suitable for shared devices or multi-role use cases. Both modes enhance device control, reduce user distractions, and support compliance with organizational policies, making them powerful tools in modern workplace deployments.

Nicky De Westelinck

Nicky De Westelinck is a Modern Workplace Consultant at Wortell with several years of experience in Microsoft 365. His main focus is Microsoft Intune and Microsoft 365 Administration. He is also a Microsoft Certified Trainer since 2021.
