The incredible Managed Home Screen (MHS) of Intune

Managed Home Screen (MHS) is an innovative feature within Microsoft Intune that revolutionizes the way organizations control and customize the home screen experience on corporate-owned Android devices. By leveraging MHS, IT administrators can lock down devices to a single app or a set of specific apps, ensuring that employees have streamlined access to the tools they need while maintaining security and compliance standards.

This feature is particularly useful in scenarios such as kiosk mode, shared device management, and frontline worker configurations, where a tailored, secure user interface is essential for productivity and security. Dive into the legend of Intune Managed Home Screen to explore how it can transform your device management strategy.

What is Managed Home Screen?

Managed Home Screen (MHS) is a pivotal feature of Microsoft Intune, designed to offer organizations granular control over the user experience on corporate-owned Android devices. By providing a customizable and secure interface, MHS enables IT administrators to streamline device usage, ensuring that employees and users have access only to the necessary applications and features.

Key Features of Managed Home Screen
  1. Customizable Home Screen Layouts:
    • Single App Mode: MHS allows devices to be locked into a single application, ideal for kiosk setups where the device is dedicated to one specific function. For example, in a retail environment, a device might be set to run a point-of-sale application exclusively.
    • Multi-App Mode: Organizations can configure the home screen to display a curated selection of applications. This is particularly useful for shared devices or for employees who need access to multiple tools throughout their workday.
  2. Enhanced Security:
    • App Whitelisting: MHS ensures that only approved applications are accessible, reducing the risk of unauthorized software installation and potential security breaches.
    • Device Lockdown: The feature can restrict access to device settings and other system functionalities, preventing users from making unauthorized changes.
  3. User Experience and Productivity:
    • Streamlined Interface: By limiting distractions and providing direct access to essential apps, MHS enhances productivity and ensures that users can focus on their tasks without navigating through unnecessary options.
    • Consistent Experience: MHS offers a uniform experience across all managed devices, which is particularly beneficial for organizations with large fleets of devices. This consistency reduces the learning curve for employees and ensures efficient use of the devices.
  4. Ease of Management:
    • Centralized Control: IT administrators can configure and manage MHS settings remotely through the Intune console. This includes deploying updates, changing home screen layouts, and adjusting security settings without needing physical access to the devices.
    • Scalability: Whether an organization is managing a handful of devices or thousands, MHS scales to meet the needs of any size deployment, making it a versatile solution for various industries.
Use Cases for Managed Home Screen
  1. Retail:
    • MHS can transform Android devices into dedicated point-of-sale terminals, digital signage, or inventory management tools. This ensures that retail staff have immediate access to the necessary applications, enhancing customer service and operational efficiency.
  2. Healthcare:
    • In healthcare settings, devices configured with MHS can be used for patient check-ins, accessing medical records, or telehealth consultations. The controlled environment ensures compliance with health information privacy regulations and reduces the risk of data breaches.
  3. Education:
    • Educational institutions can use MHS to provide students with access to learning resources and educational apps while restricting access to games and social media. This focused approach supports a productive learning environment.

Managed Home Screen (MHS) is a robust solution for organizations looking to enhance device security, streamline user experiences, and improve operational efficiency. By leveraging the capabilities of MHS, businesses can ensure that their corporate-owned Android devices are used effectively and securely, tailored to their specific needs and use cases. Whether in retail, healthcare, education, or field services, MHS offers a versatile and scalable approach to device management that meets the demands of modern enterprises.

The official documentation of MHS can be found here.

MHS Requirements

Before diving into the setup of Managed Home Screen (MHS), it’s crucial to ensure that the Android devices meet the necessary requirements. Firstly, we have to confirm that the devices are compatible. Intune supports the enrollment of Android Enterprise dedicated devices for those running OS version 8.0 and above, provided they reliably connect to Google Mobile Services. Similarly, MHS requires Android devices with OS version 8.0 or higher.

In addition to the OS version, there are a few more prerequisites to consider:

  1. Google Mobile Services (GMS): The Android devices must have access to GMS, which includes Google Play services and other essential APIs that facilitate secure and efficient operation.
  2. Intune Enrollment: Devices must be enrolled in Intune and configured as Android Enterprise dedicated devices. This allows for the comprehensive management and application of MHS settings.
  3. App Installation: The Managed Home Screen app must be installed and configured correctly on each device.

By meeting these requirements, we can ensure a smooth implementation and operation of Managed Home Screen, enhancing security and user productivity across your organization’s Android devices.

Device Enrollment

In order to deploy and configure MHS on Android devices, we first have to enroll them in Intune. In the scenarios below, the enrollment is performed without using any additional platforms such as Samsung Knox. As mentioned above, we have to create a Corporate-owned dedicated devices enrollment profile. We can do this by navigating to Devices -> Android -> Enrollment -> Corporate-owned dedicated devices.

Next we have to give a name to our enrollment profile and select the Token Type and the token expiration date. A good choice is to set the expiration date to either 3 or 6 months, so that we have better control over the enrollment process.

After reviewing and creating the enrollment profile we can access it to explore the available options.

As we can see there is an indication about a token and QR code here. What could that be…..

This QR code or Token is essential for enrolling devices in the corporate-owned dedicated device profile.

When setting up a Corporate Owned Dedicated Devices Enrollment Profile in Intune, we are provided with a token or QR code. This token or QR code facilitates the enrollment of Android devices into the organization’s Intune environment.

To begin the enrollment process, we have to follow these steps:

  1. Generate the Token or QR Code: The Intune admin console generates a token or QR code that is unique to your organization’s enrollment profile. In our case it is performed by creating the enrollment profile. The below image shows the QR code and the Token.
  2. Distribute the Token or QR Code: Send this token or QR code to the personnel responsible for enrolling the devices. This could be IT staff or other designated employees.
  3. Enroll the Device: On the Android device, initiate the enrollment process by scanning the QR code or entering the token. This action will automatically configure the device according to the settings and policies defined in the enrollment profile.

This method streamlines the setup process, ensuring that devices are quickly and accurately configured to meet the organization’s standards. The token or QR code includes all necessary configurations, minimizing the need for manual setup and reducing the potential for errors. This approach not only enhances security but also improves efficiency, making it easier to manage a fleet of corporate-owned devices.

The exact process to enroll a device using the above method is provided by the following MS documentation.

BEFORE enrolling the first device, it is advisable to create a dynamic group that will automatically include all the devices enrolled using this enrollment profile. The steps to create the dynamic group are shown below:

The dynamic rule used is the following: (device.enrollmentProfileName -eq "Corporate Owned Dedicated Devices Enrollement Profile").
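The kiosk app and policies described later are assigned to this group, so a device whose profile name does not match the rule ends up enrolled but not locked down. The following check is an added example, not part of the original post: it parses a rule of the form shown above and lists the devices it would leave out. The inventory, the device names and the second profile name are constructed for illustration.

```python
import re

# Rule shape used on the page: (device.enrollmentProfileName -eq "<name>")
RULE_RE = re.compile(r'^\(\s*device\.enrollmentProfileName\s+-eq\s+"([^"]*)"\s*\)$')
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"

RULE = ('(device.enrollmentProfileName -eq '
        '"Corporate Owned Dedicated Devices Enrollement Profile")')

# Constructed inventory: KIOSK-02 was enrolled with a second, hypothetical
# profile whose name is spelled differently from the one in the rule.
DEVICES = [
    {"deviceName": "KIOSK-01",
     "enrollmentProfileName": "Corporate Owned Dedicated Devices Enrollement Profile"},
    {"deviceName": "KIOSK-02",
     "enrollmentProfileName": "Corporate Owned Dedicated Devices Enrollment Profile"},
]


def profile_name_from_rule(rule):
    """Extract the profile name; refuse rules pasted with typographic quotes."""
    if any(ch in rule for ch in TYPOGRAPHIC_QUOTES):
        raise ValueError("rule contains typographic quotes; retype them as ASCII quotes")
    match = RULE_RE.match(rule.strip())
    if not match:
        raise ValueError("rule is not a single enrollmentProfileName -eq comparison")
    return match.group(1)


def unmanaged_devices(rule, devices):
    """Return the names of devices the rule leaves outside the group.

    The comparison here is an exact string match, chosen for this example.
    """
    wanted = profile_name_from_rule(rule)
    return [d["deviceName"] for d in devices
            if d["enrollmentProfileName"] != wanted]


if __name__ == "__main__":
    print("Profile name in rule:", profile_name_from_rule(RULE))
    print("Outside the group:", unmanaged_devices(RULE, DEVICES))
```
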

For our scenario below, I used the QR code enrollment to enroll the device. If you do not manage to find the QR scanner, you can always proceed with the Token enrollment method.

Single app vs Multi app kiosk

Now that we have a device enrolled as a corporate-owned dedicated device, let’s continue the Managed Home Screen (MHS) part of this post. MHS offers two primary configurations for Android devices: Single App Kiosk and Multi App Kiosk. Each mode serves different use cases and provides unique benefits depending on your organizational needs.

Single App Kiosk

In Single App Kiosk mode, the device is locked to a single application. This setup is ideal for scenarios where the device needs to perform one specific function without any distractions. The primary benefits of Single App Kiosk mode include enhanced security and ease of use. Users are restricted to a single application, minimizing the risk of unauthorized access and simplifying the user interface.

Multi App Kiosk

Multi App Kiosk mode allows devices to run multiple predefined applications while restricting access to other system functions and apps. This mode is useful in environments where users need access to several tools to perform their tasks effectively. The benefits of Multi App Kiosk mode include increased flexibility and productivity. Users can access all the necessary applications for their roles, improving workflow and reducing the need to switch devices or return to a central location for different tasks.

Through various tests it was found that MHS in single app mode doesn’t work so well. Sometimes it does not form a proper kiosk or prevent features from being used. In this case we could utilize a multi app kiosk containing the desired app and another dummy app, such as a common one or a system app (I will demonstrate that later in this post). That way we can achieve almost everything using a multi app kiosk.

MHS – New Experience

An important update was introduced to MHS this year. Specifically, the Managed Home Screen (MHS) app has undergone a significant redesign to enhance usability and support for organizations. Here are the key updates:

  1. Top Bar Addition: A configurable top bar has been added to the MHS interface, which can display device identifying information such as serial number, device name, and tenant name. When user sign-in is configured, the top bar will show the signed-in user’s name along with other device details.
  2. Streamlined Navigation: The update includes easier navigation with a settings wheel icon in the top bar for quick access to settings. When sign-in is enabled, the top bar also includes a sign-out button. This replaces the previous method of swiping down to access settings, ensuring that only administrator-configured settings are visible to users.
  3. Updated Permissions Flow: The permissions granting process has been improved to ensure users do not miss essential permissions. Users will be prompted to grant required permissions via a prominent message and settings screen, enhancing the functionality of all configurations set by IT administrators.
  4. Enhanced Troubleshooting: New troubleshooting features include a debug menu accessible from settings, which offers options like Get Help, Exit Kiosk Mode, and About. This makes it easier for users to upload logs and view key information about MHS.
  5. New Features:
    • Brightness Slider and Adaptive Brightness: Allows users to adjust screen brightness and toggle adaptive brightness settings.
    • Autorotation: Users can turn on and off the device’s auto-rotation feature.
    • Domain-less Login and Custom Login Hint Text: Supports domain-less sign-in and custom login hints, making the login process smoother.
    • Session PIN Inactivity Timer: Requires users to re-enter their session PIN after a specified period of inactivity, enhancing security.

These updates are aimed at making MHS more user-friendly and supportive for IT administrators. To utilize these new features, ensure your devices are running version 2.2.0.91169 or higher of the Managed Home Screen app and enable the updated user experience in the app configuration settings.

More details about the new experience can be found here.

For the scenarios of this post we will use the new MHS experience.

How to configure a multi app kiosk using MHS

Applications deployment

The first step into creating the multi app kiosk is to deploy the Managed Home Screen application to the enrolled Android devices. To do this follow the below steps.

Go to Apps -> Android -> Managed Home Screen.

Edit the assignments and add the dynamic group we created previously.

The next application that we should deploy is the one that the users are going to use. Let’s suppose that in our scenario, Microsoft Edge for Android is the app that our kiosk will contain.

After creating the above application deployments, we have all the required applications on our devices. Now we can move forward to the policies/profiles part.

Configuration Profiles Creation

Now we should start preparing the kiosk environment. We should create 2 main profiles:

  1. Device Restrictions Profile (official documentation here)
  2. Application Configuration Profile for the Managed Home Screen application
Device Restrictions Policy Creation

To define the kiosk structure and settings we should create a device restrictions policy that enforces the desired settings on the device. To do that we have to navigate to Devices -> Android -> Configuration -> Create -> New Policy.

As we can see from the above image, the enrollment profile type is set to “Dedicated device,” indicating that the device is intended for a specific purpose, such as a kiosk or a shared device in a work environment. The kiosk mode is configured to “Multi-app,” which allows the device to run multiple pre-approved applications while restricting access to other functionalities.

Additionally, the “Custom app layout” feature is enabled, permitting us to define the specific layout of apps on the home screen, ensuring a consistent and organized interface tailored to the organization’s requirements. The grid size is set to 4 columns by 5 rows (since in this case we are only deploying a single app, this setting is not important), meaning the home screen can display up to 20 apps at once in a structured manner. The Home Screen section illustrates that only Microsoft Edge is configured to be accessible.

Attention! To have a proper single app kiosk while using the Multi App kiosk mode, we also have to assign one or more dummy apps in the Home screen layout. To do that we could create 2 system apps that could be used for this purpose. These apps will not be visible to the end user and will assist us in forming a proper kiosk.

After assigning this app to our dynamic device group, we also have to add it to the device experience blade under the Device Restriction profile we created previously.

Regarding the other settings of the profile, for the current scenario we will define an exit code and will not apply any other setting.

If you want to apply any other settings, check the official documentation for the available options.

App Configuration Profile Creation

The last part before checking the user experience is to create an app configuration policy to define specific permissions and settings specifically for the Managed Home Screen application.

We have to navigate to Apps -> App Configuration policies -> Add -> Managed devices and create a new policy targeting the MHS application.

We will first use the Configuration Designer to apply some basic settings (Here we are just applying a basic profile, you can apply any additional settings that are required by your individual use case).

After that we will switch to the JSON editor and add the required settings for the new MHS experience.

{
  "key": "enable_updated_user_experience",
  "valueBool": true
},
{
  "key": "device_name",
  "valueString": "{{DeviceName}}"
},
{
  "key": "device_serial_number",
  "valueString": "{{SerialNumber}}"
}

Now we just assign the app configuration to our dynamic device group and wait for the policy to be deployed.
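Before assigning the policy, the edited JSON can be checked offline. The following is an added example, not part of the original post: it merges the three entries above into an existing payload without duplicating keys, flags entries that deviate from them, and compares an installed MHS version against the minimum stated earlier. The wrapper shape with a "managedProperty" list and the key "example_existing_setting" are assumptions made for the sample.

```python
import json

# The three entries the page adds in the JSON editor.
NEW_EXPERIENCE = [
    {"key": "enable_updated_user_experience", "valueBool": True},
    {"key": "device_name", "valueString": "{{DeviceName}}"},
    {"key": "device_serial_number", "valueString": "{{SerialNumber}}"},
]
MIN_MHS_VERSION = "2.2.0.91169"  # minimum MHS app version stated on the page

# Constructed sample payload. The wrapper shape ("managedProperty" list) and
# "example_existing_setting" are assumptions made for this illustration.
SAMPLE = json.loads("""
{
  "productId": "app:com.microsoft.launcher.enterprise",
  "managedProperty": [
    {"key": "example_existing_setting", "valueBool": false},
    {"key": "enable_updated_user_experience", "valueString": "true"},
    {"key": "device_name", "valueString": "{{DeviceName}}"}
  ]
}
""")


def merge_settings(config, wanted=NEW_EXPERIENCE):
    """Return a copy of config in which every wanted key appears exactly once."""
    wanted_keys = {item["key"] for item in wanted}
    kept = [p for p in config.get("managedProperty", [])
            if p.get("key") not in wanted_keys]
    return {**config, "managedProperty": kept + [dict(item) for item in wanted]}


def lint(config):
    """List deviations from the settings the page specifies."""
    problems, seen = [], set()
    for prop in config.get("managedProperty", []):
        key = prop.get("key")
        if key in seen:
            problems.append(f"duplicate key: {key}")
        seen.add(key)
        if key == "enable_updated_user_experience" and prop.get("valueBool") is not True:
            problems.append(f"{key} must be a boolean true in valueBool")
    problems += [f"missing key: {item['key']}" for item in NEW_EXPERIENCE
                 if item["key"] not in seen]
    return problems


def version_ok(installed, minimum=MIN_MHS_VERSION):
    """Compare dotted versions numerically: 2.2.0.9999 is older than 2.2.0.91169."""
    def parts(version):
        return tuple(int(piece) for piece in version.split("."))
    return parts(installed) >= parts(minimum)
```

Calling lint(SAMPLE) reports the string-typed flag and the missing serial number entry, and lint(merge_settings(SAMPLE)) returns an empty list. A plain string comparison would wrongly rank 2.2.0.9999 above 2.2.0.91169, which is why version_ok compares the parts as integers.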

Important! PERMISSIONS!!!

For the Managed Home screen to work properly we have to apply the “Appear on Top” permission (or the corresponding permission for the Android version and device vendor that you have) manually through the Android Settings.

If we don’t do that the behavior of the MHS won’t be the desired one.

Final Remarks

In conclusion, this guide should assist you in getting started with Managed Home Screen and Android management using Intune. While we covered many aspects, it’s impossible to include every available option or configuration to achieve everything you might need.

To fully leverage Intune’s and the Managed Home Screen’s capabilities, you’ll need to dive in, tinker around, and explore its features—often through a bit of trial and error.

Remember, mastering anything is like cooking a new recipe: sometimes you need to experiment and taste-test along the way. So, roll up your sleeves, get hands-on, and don’t be afraid to make a few mistakes. After all, as they say, practice makes perfect—especially when it comes to tech! Happy configuring!
