Enterprise Endpoint Management

Mobile Device Management
via Microsoft Intune

End-to-end deployment of corporate-owned Android devices in a locked-down kiosk configuration for a client, from unboxed hardware to production-ready fleets.

Microsoft Intune · Android Enterprise · Managed Home Screen · Managed Google Play · CODD Enrollment · Kiosk Mode
Platform: Microsoft Intune
Device OS: Android
Deployment type: Corporate-Owned Dedicated

Overview

A client needed a fleet of tablets with access to specific apps, configurations that can be controlled remotely, and settings locked off from end users.

I delivered and managed the entire project: consulting with the client on the Android tablet to procure with my sales and procurement team, creating the device profile in Intune, setting up Corporate-Owned Dedicated Device (CODD) enrollment, configuring Managed Home Screen for kiosk mode, deploying apps through Managed Google Play, and hardening device restrictions to prevent exploitation.

Result: Delivered a production-ready Android kiosk deployment, configuring devices with a standardized app layout and enforcing restricted system access to maintain security, consistency, and controlled user interaction.

Deployment Architecture

How policies, apps, and configurations flow from Intune to each device.

Intune → Android Enterprise flow
Diagram: Intune Android Enterprise deployment architecture. The enrollment profile is created first, then the configuration profile, app assignments, QR enrollment, device configuration, and app deployment.
Microsoft Intune (MDM portal) → 1. Enrollment Profile (CODD / QR code) → 2. Config Profile (kiosk + restrictions) → 3. App Assignments (Managed Google Play) → 4. Android Tablet (enrolled via QR code)
Device enrolls → profile applies → approved apps deploy → kiosk mode active

Process

How the deployment was executed, step by step.

01
Configured CODD Enrollment

Created a Corporate-Owned Dedicated Device (CODD) enrollment profile under Android Enterprise. Configured the enrollment method for a QR code token so devices could be enrolled without needing user accounts. This enrollment profile will be linked to the device configuration profile in the next step so settings are applied automatically on first boot.

Android Enterprise · Dedicated devices
02
Created the Device Configuration Profile

Set up the foundational profile in Intune defining how each device would behave in kiosk mode via Managed Home Screen: allowed out-of-box apps, screen settings, and PIN policy. This profile was assigned to the device group, whose dynamic membership rules were based on a tablet model number variable and the enrollment profile used to enroll the device.

Intune › Devices › Configuration profiles
03
Assigned Apps via Managed Google Play

Synced Intune with Managed Google Play and approved the client-selected apps. Apps were assigned as Required to the device group.

Managed Google Play · Required assignment
04
Configured Kiosk Mode

Within the Managed Home Screen configuration, defined the exact grid layout: which apps from the set to be deployed sat in which positions. Disabled the ability for users to rearrange the grid, access the app drawer, or navigate outside the approved app set.

Managed Home Screen · Grid configuration
05
Applied Device Restrictions

Hardened each device with a restriction profile targeting Android Enterprise dedicated devices. Blocked access to system settings, disabled factory reset, removed developer options, and prevented installation of any apps outside Managed Google Play.

Managed Home Screen · Grid configuration
06
Enrolled Devices for Zero-Touch Setup

Physically enrolled each device using the QR code from the enrollment profile. Once scanned, the device was registered in Entra ID, and Intune automatically pushed the configuration profile and began syncing app assignments.

Zero-touch / QR enrollment
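
A fleet check for the procedure above, as an added example that is not part of the original write-up: it flags devices that enrolled through the CODD profile but fall outside the dynamic group from step 02 (and so never receive the kiosk and restriction profiles), and in-group devices where a required profile has not applied. The profile name, model, policy labels, state strings and inventory are constructed placeholders.

```python
from dataclasses import dataclass, field

# Dynamic device rule of the kind step 02 describes (values are placeholders):
#   (device.enrollmentProfileName -eq "<profile>") and (device.deviceModel -eq "<model>")
EXPECTED_PROFILE = "EXAMPLE-CODD-KIOSK"   # placeholder, not the client's profile name
EXPECTED_MODEL = "EXAMPLE-TAB-10"         # placeholder, not the client's tablet model
REQUIRED_POLICIES = ("kiosk-config", "device-restrictions")  # hypothetical labels

@dataclass
class Device:
    serial: str
    model: str
    enrollment_profile: str
    policy_state: dict = field(default_factory=dict)  # policy label -> reported state

def same(a: str, b: str) -> bool:
    # String -eq in dynamic membership rules is case-insensitive; mirror that.
    return a.casefold() == b.casefold()

def audit(devices):
    """Return (serial, finding) for every device that is not fully locked down."""
    findings = []
    for d in devices:
        profile_ok = same(d.enrollment_profile, EXPECTED_PROFILE)
        model_ok = same(d.model, EXPECTED_MODEL)
        if profile_ok and not model_ok:
            # Enrolled as a dedicated device but misses the group: no kiosk policy.
            findings.append((d.serial, "enrolled but outside group: model mismatch"))
        elif model_ok and not profile_ok:
            findings.append((d.serial, "outside group: wrong enrollment profile"))
        elif profile_ok and model_ok:
            for policy in REQUIRED_POLICIES:
                state = d.policy_state.get(policy, "missing")
                if state != "succeeded":
                    findings.append((d.serial, f"{policy} is {state}"))
    return findings

# Constructed inventory export; serials, models and states are made up.
SAMPLE = [
    Device("SN001", "EXAMPLE-TAB-10", "EXAMPLE-CODD-KIOSK",
           {"kiosk-config": "succeeded", "device-restrictions": "succeeded"}),
    Device("SN002", "example-tab-10", "EXAMPLE-CODD-KIOSK",
           {"kiosk-config": "succeeded", "device-restrictions": "pending"}),
    Device("SN003", "EXAMPLE-TAB-8", "EXAMPLE-CODD-KIOSK"),
    Device("SN004", "EXAMPLE-TAB-10", "Other-Profile"),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running a check like this after each enrollment batch catches a tablet that is handed out while still unrestricted because its model string or enrollment profile did not match the group rule.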

Restrictions Applied

Settings locked down via the Intune device restriction profile to prevent end-user exploitation.

System settings access: Blocked, end users cannot open Android Settings
Factory reset: Disabled, preventing complete device wipe by end users
Unknown app installation: Blocked manual app installation and sideloading of apps
Developer options: Hidden ADB access/debug mode
App drawer: Only approved apps appear to end users
Home screen customisation: Grid layout locked, end users cannot rearrange icons
Approved apps: Deployed via Managed Google Play
Remote management: IT can push updates, wipe, and reconfigure via Intune

Kiosk Home Screen Layout

Managed Home Screen was configured to display a fixed grid of approved apps. End users see only this — no launcher, no app drawer, no settings access.

[Mockup: Managed Home Screen showing a fixed grid of six tiles: Secure Link 1, Secure Link 2, Secure Link 3, Proprietary App, Company App 1, Company App 2. Caption: Fixed grid · No launcher access]

Outcomes

< 2 Weeks: Full deployment from unboxed to production
30: Enrolled, configured, & distributed devices
100%: Consistent app layout across the entire fleet

Successfully delivered production-ready Android tablets with a comprehensive handover package, including configuration documentation, app provisioning details, and secure credential transfer. Ongoing management was maintained through Microsoft Intune, enabling continuous updates, compliance enforcement, and remote app deployment.

Tools & Technologies

Microsoft Intune · Microsoft Endpoint Manager · Microsoft Entra ID · Android Enterprise · Managed Google Play · Managed Home Screen · CODD Enrollment · Device Configuration Profiles · Device Restriction Policies