Android Enterprise corporate-owned dedicated devices and Azure AD shared device mode

This week is all about the Android Enterprise corporate-owned dedicated devices deployment scenario. That deployment scenario is designed to address the typical kiosk-type devices, which are often referred to as the corporate-owned, single-use (COSU) use case. This week is specifically focused on enrolling those devices into Azure AD shared device mode. That mode provides users with a single sign-on and single sign-out experience across all of the participating apps on the device. In other words, users sign in to the device once and are automatically signed in to any participating app. That enables an organization to provide a somewhat personalized experience on dedicated devices that are shared between multiple users. In this post I’ll have a look at the main configurations that are required for creating that experience and I’ll end by having a quick look at the created experience.

Important: At the moment of writing, this is still preview functionality and the participating apps are currently Microsoft Teams and the Managed Home Screen app.

Enrollment profile for corporate-owned dedicated devices with Azure AD shared device mode

The first main configuration that is required is the enrollment profile for the corporate-owned dedicated devices. That’s not the most exciting configuration, but it contains the setting that triggers the enrollment into Azure AD shared device mode: the token type. The following five steps walk through the process of creating an enrollment profile for corporate-owned dedicated devices with Azure AD shared device mode.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > Android > Android enrollment > Corporate-owned dedicated devices to open the Corporate-owned dedicated devices blade
  2. On the Corporate-owned dedicated devices blade, click Create profile to open the Create a profile wizard
  3. On the Basics page, provide the following information and click Next
  • Name: Provide a valid name for the enrollment profile
  • Description: (Optional) Provide a valid description for the enrollment profile
  • Token type: Select Corporate-owned dedicated device with Azure AD shared mode
  • Token expiration date: (Optional) Select a valid date for the token expiration
  4. On the Scope tags page, configure the required scope tags and click Next
  5. On the Review + create page, verify the configuration and click Create

Device configuration profile for corporate-owned dedicated devices

The second important configuration is the device configuration profile. It’s not a strictly required step, but it’s the easiest method for performing a few basic configurations for a corporate-owned dedicated device, including a multi-app kiosk mode. The following eight steps walk through the creation of a device configuration profile that can be used for creating a multi-app kiosk mode.

Important: When creating a multi-app kiosk, keep in mind that the Managed Home Screen app is required for creating a multi-app kiosk experience.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > Android > Configuration profiles to open the Android | Configuration profiles blade
  2. On the Android | Configuration profiles blade, click Create profile to open the Create a profile page
  3. On the Create a profile page, provide the following information and click Create to open the Device restrictions wizard
  • Platform: Select Android Enterprise
  • Profile type: Select Device restrictions
  4. On the Basics page, provide the following information and click Next
  • Name: Provide a valid name for the device restriction profile
  • Description: (Optional) Provide a valid description for the device restriction profile
  5. On the Configuration settings page, provide at least the following information and click Next
  • Navigate to section Device experience
    • Enrollment profile type: Select Dedicated device
    • Kiosk mode: Select Multi-app

Note: The mentioned settings are only the settings to create a minimal multi-app kiosk device. Make sure to further configure any required setting for the multi-app kiosk device. That includes any further limitations, or any apps, for the multi-app kiosk mode, in this section of the configuration, but that also includes any other configurations in the other sections of the device configuration profile.

  6. On the Scope tags page, configure the required scope tags and click Next
  7. On the Assignments page, configure the assignment to the required devices and click Next
  8. On the Review + create page, verify the configuration and click Create

Note: For the assignment of the device configuration profile, a dynamic device group can be used that only contains corporate-owned dedicated devices with Azure AD shared device mode by using the enrollmentProfileName property. That dynamic device group can be used for every assignment for this specific scenario.
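As an added example (not part of the original post), the following Microsoft Graph PowerShell script creates the dynamic device group mentioned in the note and checks that the rule on the enrollmentProfileName property actually matches the enrolled devices. The enrollment profile name and the group names are placeholders that you should replace with the values used in your tenant.

```powershell
# Added example: dynamic Azure AD device group for corporate-owned dedicated
# devices enrolled with the Azure AD shared device mode enrollment profile.
# Requires the Microsoft.Graph.Groups and Microsoft.Graph.Identity.DirectoryManagement modules.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Device.Read.All'

# Placeholder: the name given to the enrollment profile in step 3 of the enrollment profile section
$profileName = 'COSU-AADSharedMode'

# The membership rule keys on the enrollmentProfileName device property, so only devices
# enrolled through this specific enrollment token end up in the group (and receive its assignments).
$rule = "(device.enrollmentProfileName -eq ""$profileName"")"

$group = New-MgGroup -DisplayName 'Android COSU - Azure AD shared device mode' `
    -MailEnabled:$false -MailNickname 'androidcosusharedmode' -SecurityEnabled `
    -GroupTypes 'DynamicMembership' -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

Write-Host "Created group $($group.Id) with rule: $rule"

# Dynamic membership is evaluated asynchronously by Azure AD. Once processing has finished,
# compare the group's members against the device objects carrying the same enrollment profile
# name, so a mistyped profile name (an empty group, or the wrong devices) is caught before
# the device configuration and app configuration policies are assigned to it.
$expected = Get-MgDevice -All |
    Where-Object { $_.EnrollmentProfileName -eq $profileName } |
    Select-Object -ExpandProperty Id
$members = Get-MgGroupMember -GroupId $group.Id -All |
    Select-Object -ExpandProperty Id

$missing = $expected | Where-Object { $_ -notin $members }
$extra   = $members  | Where-Object { $_ -notin $expected }

Write-Host "Devices with enrollment profile '$profileName': $($expected.Count)"
Write-Host "Devices in dynamic group: $($members.Count)"
if ($missing.Count -eq 0 -and $extra.Count -eq 0) {
    Write-Host 'Dynamic group membership matches the enrollment profile.'
} else {
    Write-Warning "Membership mismatch: $($missing.Count) missing, $($extra.Count) unexpected member(s)."
}
```

Run the verification part again after the membership processing has completed, since a freshly created dynamic group is initially empty.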

App configuration policy for Managed Home Screen app

The third important configuration is the app configuration policy for the Managed Home Screen app. It’s a required step – at this moment – to configure the Azure AD sign-in experience on the corporate-owned dedicated device. That can be achieved by performing app configurations on the Managed Home Screen app, which are currently not available by using the previously described device configuration profile. The following seven steps walk through the creation of an app configuration policy that can be used for further configuring the multi-app kiosk mode.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Apps > App configuration policies to open the Apps | App configuration policies blade
  2. On the Apps | App configuration policies blade, click Add > Managed devices to open the Create app configuration policy wizard
  3. On the Basics page, provide the following information and click Next
  • Name: Provide a valid name for the app configuration policy
  • Description: (Optional) Provide a valid description for the app configuration policy
  • Device enrollment type: (Grayed out) Managed devices
  • Platform: Select Android Enterprise
  • Profile Type: Select Fully Managed, Dedicated, and Corporate-Owned Work Profile Only
  • Targeted app: Select Managed Home Screen
  4. On the Settings page, provide at least the following information and click Next
  • Configuration settings format: Select Use configuration designer
  • Click Add to add at least the keys and values as described in the table below to create a sign-in and sign-out experience for Azure AD accounts on the dedicated device.

Note: Most of the other keys and values can be configured by using the device configuration profile. Together with these new keys and values a few more new keys and values are introduced for configuring a sign-in wallpaper, custom privacy statement, session PIN and more. These keys and values are shown when using the configuration designer.

Configuration key | Value type | Configuration value | Description
Enable sign in | bool | true | Enable sign-in to the dedicated device
Sign in type | string | AAD | Configure AAD account sign-in when sign-in is enabled
Enable Auto Sign-out | bool | true | Enable auto sign-out of the dedicated device
Auto Sign-out time | integer | 300 | Time (in seconds) of inactivity before auto sign-out is triggered when auto sign-out is enabled
Count down time on auto Sign-out dialog | integer | 60 | Time (in seconds) counted down on the auto sign-out dialog before sign-out when auto sign-out is enabled
  5. On the Scope tags page, configure the required scope tags and click Next
  6. On the Assignments page, configure the assignment to the required devices and click Next
  7. On the Review + create page, verify the configuration and click Create

Note: At some point in time, I expect that this configuration will become available in the device restrictions profile for dedicated devices with a multi-app kiosk.

End-user experience for corporate-owned dedicated devices with Azure AD shared device mode

Now let’s end this post by having a quick look at the end-user experience. Below are a few examples of the created behavior. When the users get their device at the beginning of their shift, they can sign in to the device (as shown in Figure 4). After sign-in, the users receive an awesome single sign-on experience with any participating app. At this moment that includes Microsoft Teams, and the experience is as smooth as advertised. Can’t wait for more apps to follow. After the users become inactive on their device, the auto sign-out timer will start and will eventually show a countdown timer in a dialog box (as shown in Figure 5). At the end of their shift the users also always have the ability to sign out manually by using the account section of the Managed Home Screen app (as shown in Figure 6). That completely signs the user out of the device and the participating apps. As shown throughout the different figures, the look-and-feel can be completely customized.

Note: The Microsoft Intune app and the Microsoft Authenticator app are automatically installed during enrollment of a dedicated device with Azure AD shared device mode.

More information

For more information about Android Enterprise corporate-owned dedicated devices and Azure AD shared device mode, refer to the following docs.