Getting the Most Out of Android Enterprise: Combining Managed Home Screen and OEMConfig in Microsoft Intune

As a follow-up on my “The Android Tales” series, I thought it would be interesting to take a closer look at the Managed Home Screen (MHS) app and OEMConfig for dedicated and fully managed Android Enterprise devices, as this is a very important aspect of this type of device enrollment.

Introduction

Managing Android Enterprise devices at scale often means balancing control, usability, and vendor-specific requirements. Microsoft Intune provides powerful building blocks to achieve this, but the real magic happens when you start combining those capabilities instead of using them in isolation. Two features that frequently come up in dedicated and fully managed scenarios are Managed Home Screen (MHS) and OEMConfig.

In this blog post, we’ll explore what Managed Home Screen and OEMConfig are, why they’re essential, and how to configure them effectively.

Managed Home Screen

What is Managed Home Screen (MHS)?

Managed Home Screen is a Microsoft Intune app that acts as a custom launcher for Android Enterprise devices. It replaces the default Android home screen with a controlled environment where users can only access approved apps and settings.

Key Features & Scenarios

Some key features are:

  • App Whitelisting: Restrict access to only corporate-approved apps.
  • Custom Branding: Add logos, wallpapers, and color schemes.
  • Session PIN: Enable secure sign-in/out for shared devices.
  • Diagnostics: Built-in tools for troubleshooting connectivity and app sync issues.

Supported scenarios include:

  • Dedicated Devices: Kiosks, POS systems, or single-purpose devices.
  • Fully Managed Devices: Corporate-owned devices for frontline workers.

Why is Managed Home Screen Important?

Managed Home Screen is important for several reasons:

  • Security and Compliance: It locks down the device and prevents unauthorized access to system settings and apps. This ensures that corporate policies are followed and reduces security risks.
  • Ideal for Kiosk and Shared Devices: Frontline workers need simplicity. Managed Home Screen provides a focused interface that minimizes distractions and improves productivity.
  • Enhanced User Experience: By allowing custom layouts and branding, it creates a familiar and intuitive environment for employees, making devices easier to use.
  • Seamless Integration with Microsoft Intune: Managed Home Screen works perfectly with Intune, enabling remote management of policies, app updates, and compliance checks, which reduces IT overhead.

Extending Managed Home Screen with OEMConfig

What is OEMConfig?

OEMConfig is a Google‑defined standard for Android Enterprise that enables device manufacturers (OEMs) to expose vendor‑specific management settings to enterprise mobility platforms like Microsoft Intune.

Instead of Microsoft Intune natively implementing every OEM feature, the OEM publishes an OEMConfig app to Managed Google Play that contains a configuration schema describing its supported settings.
Microsoft Intune dynamically reads this schema and presents the options in the admin console, allowing administrators to create OEMConfig configuration profiles without waiting for Microsoft Intune product updates.

The key benefits are:

  • Day‑zero support for new OEM features: faster innovation, reduced dependency on MDM updates, and deep device control beyond standard Android Enterprise policies.
  • Settings applied directly on the device: The OEMConfig app receives the configured settings from Microsoft Intune and applies them, so the OEM remains responsible for feature execution, updates, and compatibility.

When configuring Managed Home Screen (MHS) on Android Enterprise dedicated or fully managed devices, most of the experience can be controlled using Microsoft Intune’s built‑in MHS configuration profile. However, some capabilities, especially around system‑level permissions and OEM‑specific behavior, go beyond what standard Android Enterprise policies can deliver. This is where OEMConfig comes into play.

Why OEMConfig matters for Managed Home Screen

In Managed Home Screen deployments, especially kiosk or frontline worker scenarios, it’s common to need permissions that normally require manual user interaction. Examples include enabling notifications, allowing overlays, controlling system UI elements, or granting special app access that Android doesn’t allow MDMs to configure generically. Some OEMs, such as Samsung and Zebra, expose these controls through their OEMConfig apps, making it possible to fully automate and lock down the Managed Home Screen experience.

A common example is automatically granting required permissions to the Managed Home Screen app. Without OEMConfig, users might need to manually approve these permissions on first launch, which breaks the hands‑off kiosk experience. Using an OEMConfig profile, Microsoft Intune can instruct the OEMConfig app to grant these permissions silently, ensuring that Managed Home Screen starts in a fully functional state immediately after enrollment.

How does this fit into an MHS deployment?

In practice, OEMConfig complements, rather than replaces, the standard Managed Home Screen configuration:

  1. Managed Home Screen app: Installed and configured using the Microsoft Intune app and app configuration policies.
  2. OEMConfig app (OEM‑specific): Deployed from Managed Google Play and configured using an OEMConfig device configuration profile.

Result on the device: Managed Home Screen launches as the default launcher, with required permissions pre‑granted and OEM‑specific behaviors enforced, creating a seamless and controlled kiosk or dedicated device experience.

By combining Managed Home Screen with OEMConfig, organizations can achieve a higher level of automation, consistency, and control, especially in large‑scale or zero‑touch Android Enterprise deployments.

Microsoft Intune

OEMConfig

In this blog post, we will use the Samsung Knox Service plugin app for managing Samsung devices. I won’t go into detail on how to enroll a complete device. The OEMConfig part is an addition to my blog posts on enrollment of dedicated devices (Kiosk or Shared) and fully managed devices. Make sure you read those blog posts to get the details on a complete enrollment.

Add the Managed Google Play app

The first thing we need to do is add the Samsung Knox Service Plugin app to Microsoft Intune from Managed Google Play and assign it to our Android Enterprise devices.

Go to the Microsoft Intune admin center | Apps | Android and choose Create. As the app type, choose Managed Google Play app and then choose Select.

This will open Managed Google Play. Now search for the Samsung Knox Service Plugin (KSP) app, select it, and then select Sync.

INFORMATION: For an overview of all supported OEMConfig apps, please visit this Microsoft page.

Once the sync is completed, you’ll notice that the Knox Service Plugin app is listed in our app list.

Let’s assign this app to our dedicated, fully managed devices as Required and save our assignment.

Create OEMConfig profile

The next thing we need to do is to create an OEMConfig profile where we will specify the necessary permissions for the Managed Home Screen app.

Go to the Microsoft Intune admin center | Devices | Android | Configuration and choose Create, and then select New Policy. Choose the following and select Create.

  • Platform: Android Enterprise
  • Profile type: Templates
  • Template name: OEMConfig

In the next screen, fill in the following and choose Next.

  • Name: AND – DVC – Samsung Knox OEMConfig
  • Description: Samsung Knox OEMConfig settings for Managed Home Screen
  • OEMConfig app: Knox Service Plugin

For the OEMConfig settings, we are going to configure some Device-wide policies. In the Knox Service Plugin, choose Configure at the Device-wide policies option.

The following policies under Device-wide policies need to be configured:

  • Enable device policy controls
  • Application management policies | Enable application management controls
  • Application management policies | Enable permission controls
  • Permission Controls

Enable device policy controls

Set the Enable device policy controls to true.

Application Management Policies

Go to Application management policies and choose Configure.

Choose the following settings:

  • Enable application management controls: true
  • Battery optimization allowlist: com.microsoft.scmx

Now go back to Knox Service Plugin settings section and choose Permission Controls and select Configure.

Let’s create two permission policies for our Managed Home Screen. Select the three dots next to Permission Controls and choose Add setting.

Our first one will include the following:

  • Permission Policy: Select Appear on top, Change system settings, Alarm & Reminders
  • Package Name: com.microsoft.launcher.enterprise

The second one will include the following:

  • Permission Policy: Notification Access
  • Package Name: com.microsoft.launcher.enterprise/com.microsoft.launcher.homescreen.next.model.notification.AppNotificationService

Once you’ve created the two permission policies, choose Next. You can skip Scope Tags, and at the Assignments blade, we will assign our dedicated or fully managed device groups. In this example, I’ll choose our Android Dedicated Kiosk devices group. Assign your group and choose Next.

Review all the settings and choose Create.
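A review check for the two permission policies above, as an added example that is not part of the original post and not Samsung or Microsoft tooling. The dict layout, `review_policies`, and the rule that only Notification Access takes a `package/class` component are assumptions drawn from the two policies shown on this page, not the Knox Service Plugin schema.

```python
import re

# Constructed sample: the two permission policies from the walkthrough, written
# as plain dicts. This is NOT the Knox Service Plugin schema or an Intune export.
MHS_PACKAGE = "com.microsoft.launcher.enterprise"
SAMPLE_POLICIES = [
    {"permissions": ["Appear on top", "Change system settings", "Alarm & Reminders"],
     "target": "com.microsoft.launcher.enterprise"},
    {"permissions": ["Notification Access"],
     "target": "com.microsoft.launcher.enterprise/"
               "com.microsoft.launcher.homescreen.next.model.notification.AppNotificationService"},
]

# Assumption from the page: this grant names a service component, not a package.
COMPONENT_SCOPED = {"Notification Access"}

_PKG = r"[A-Za-z][A-Za-z0-9_]*(?:\.[A-Za-z][A-Za-z0-9_]*)+"
_PACKAGE_RE = re.compile(rf"^{_PKG}$")
_COMPONENT_RE = re.compile(
    rf"^(?P<pkg>{_PKG})/(?P<cls>\.?[A-Za-z_][\w$]*(?:\.[A-Za-z_][\w$]*)*)$")


def review_policies(policies, allowed_packages):
    """Return a list of findings; an empty list means every grant is as expected."""
    findings = []
    for i, pol in enumerate(policies, start=1):
        target = pol["target"].strip()
        comp = _COMPONENT_RE.match(target)
        pkg = comp.group("pkg") if comp else target
        if not comp and not _PACKAGE_RE.match(target):
            findings.append(f"policy {i}: malformed target {target!r}")
            continue
        # Least privilege: silent grants should only reach packages you expect.
        if pkg not in allowed_packages:
            findings.append(f"policy {i}: grant to unexpected package {pkg}")
        for perm in pol["permissions"]:
            if perm in COMPONENT_SCOPED and not comp:
                findings.append(f"policy {i}: {perm} needs package/class, got {target}")
            elif perm not in COMPONENT_SCOPED and comp:
                findings.append(f"policy {i}: {perm} expects a bare package, got a component")
    return findings


if __name__ == "__main__":
    for line in review_policies(SAMPLE_POLICIES, {MHS_PACKAGE}) or ["no findings"]:
        print(line)
```

Because these grants are applied without user interaction, any package in the list other than the launcher deserves a second look before the profile is assigned.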

Now that our permissions in the OEMConfig profile are set for the Managed Home Screen, we are ready to configure Managed Home Screen settings.

Managed Home Screen

For the configuration of our Managed Home Screen app, I recommend always using an App Configuration policy. There are also some settings within Configuration Profiles, but they are limited. Also, not combining the two keeps all Managed Home Screen settings in one place, which gives a clear overview.

Go to the Microsoft Intune admin center | Apps | Android | Configuration and choose Create and go for Managed devices.

In the next step, choose the following and then choose Next:

  • Name: AND – DVC – Managed Home Screen settings
  • Description: This policy contains the settings for the Managed Home Screen app for our dedicated and fully managed devices
  • Device enrollment type: Managed devices
  • Platform: Android Enterprise
  • Profile type: Fully Managed, Dedicated, and Corporate-Owned Work Profile Only
  • Targeted app: Select Managed Home Screen

In the Settings blade, choose Use configuration designer and then +Add.

Now we can add some settings. I’m not going to go through them all. But the following are some of the settings I like to configure.

INFORMATION: The required settings depend on the type of device (kiosk or shared) and also vary per organization. Here, I will only give an example of how to add these settings.

Once you’ve chosen your settings, choose Next. In the Assignment blade, choose the required group and then choose Next.

Review all the settings and then choose Create.

Our OEMConfig and Managed Home Screen are now configured and ready to deploy. If you want to see the user experience of such a deployment, feel free to read my previous blog, “The Android Tales: A Full Comprehensive Guide on Managing Android devices with Microsoft Intune.”

Conclusion

In the end, OEMConfig and Managed Home Screen each solve different parts of the same challenge: one gives you deep, manufacturer‑level control over the device, while the other shapes the user experience into something predictable, secure, and task‑focused. When you bring them together, they create a balanced whole, the technical precision of OEMConfig and the guided simplicity of Managed Home Screen working in harmony. Like a modern IT yin and yang, each strengthens the other, giving you a shared‑device environment that’s both tightly managed and effortless for users to navigate.

Ready to implement OEMConfig and Managed Home Screen? Start today and transform your Android device management strategy!