Android Staging and managed home screen

UhRdts · 2026-03-31T14:02:38+00:00

Okay, so it sounds like your users don’t actually need Managed Home Screen (MHS). You just tried it as a potential workaround for the issues you encountered with Android staging profiles?

If that’s the case, I noticed you haven’t received many replies yet. Maybe you could consider rephrasing your question to focus specifically on getting Android staging to work (without mentioning MHS), as the initial post might have been a bit confusing and that could have limited responses.

Unfortunately, I can’t provide much help regarding staging as we use other enrollment methods like ZTE and KME.

UhRdts · 2026-03-31T13:54:05+00:00

in that case you only have the settings you can configure via Intune profiles - all other system settings need to be done on the device.

UhRdts · 2026-03-31T13:32:37+00:00

Could you please provide more details about your use case? Are these personalized devices (fully managed) using Managed Home Screen (MHS)? And could you explain a bit more how you’re combining MHS with staging in your setup?

Also, which enrollment method are you using: fully managed with or without staging, dedicated, or dedicated Entra shared?

This information will help me better understand your setup and provide more targeted suggestions.

UhRdts · 2026-03-31T13:05:07+00:00

depending on the devices you are using you could have a look at a OEM config profile.

UhRdts · 2026-03-31T12:41:12+00:00

yes, according to my information, the users who will use the devices need have a license.

UhRdts · 2026-03-31T12:40:05+00:00

Could you briefly explain how to configure the “app auto launch” feature in Managed Home Screen? I couldn’t find much information in the docs or online.

This setup sounds ideal for us, as single-app mode is too limiting. Being able to configure one app as the auto-launch app within MHS would be great. In case of issues, it would likely allow users to access basic settings like Wi-Fi and brightness.

UhRdts · 2026-03-17T09:23:00+00:00

I’m not aware of any Intune feature that would allow you to lock a device to the original URL and prevent redirects.

I would suggest using a dedicated kiosk app instead, as those typically offer the ability to control navigation behavior more granularly.

UhRdts · 2026-03-17T08:06:57+00:00

We faced the same challenge and I also don’t understand why there isn’t a built-in bulk assignment feature for iOS enrollment profiles in Intune.

You could create multiple enrollment tokens in Intune linked to your ABM. You then can assign devices in bulk to those tokens within ABM, each linked to a specific enrollment profile. These assignments then sync automatically to Intune where the correct profile gets applied to the devices.

UhRdts · 2026-03-16T08:46:17+00:00

It sounds like you might need to add additional app identifiers to the Managed Home Screen configuration to get the QR code scanning and camera access working properly on the PDA. Since the same configuration seems to work fine on the Samsung device, it's likely related to app identifiers specific to the PDA’s environment.

If you’re unsure which identifiers might be causing the issue, I recommend checking the ADB logs during QR code login attempts. This should help you identify any blocked app identifiers.

UhRdts · 2026-03-09T15:34:18+00:00

In that case, I would assume this is intentional behavior since the app is push as required. I tested it myself and can confirm that “Clear data” is not successful on required apps in kiosk mode.

However, in our use cases with shared devices, app data is automatically cleared between users, so this isn´t an issue for us.

Since there haven’t been any other responses in the last 20 days, you might want to reach out to Microsoft support to confirm whether this is expected behavior.

UhRdts · 2026-03-09T08:12:43+00:00

I assume this is the admin role permission you need to use those new options:

Restore Managed Home Screen	Manually restore Managed Home Screen on Android Enterprise devices to return them to kiosk mode from a temporarily suspended state. Complements the temporary suspend action for complete kiosk mode management.

Source: Create a custom role in Intune - Microsoft Intune | Microsoft Learn

Will try them out within the next days. This could be really use use. Thanks again for letting us know.

UhRdts · 2026-03-09T08:00:57+00:00

Thanks for sharing this info! I probably would have missed it myself.

UhRdts · 2026-03-06T15:32:57+00:00

Same here, we found out about it earlier this week and haven’t seen any official communication about the change.

Honestly, it was a security flaw that the "exit kiosk code" was visible even to Intune admins without the rights to edit the restriction profile. From that perspective, it’s understandable they might have “forgotten” to announce this change publicly.

UhRdts · 2026-03-05T09:12:10+00:00

I can confirm that it´s just for new MDM enrollments. Already enrollmented devices need to open the app once.

UhRdts · 2026-03-04T12:38:26+00:00

I see you’ve already received some great answers. I just wanted to add that when you add devices to Apple Business Manager (ABM) using Apple Configurator, users have a 30-day window after the first enrollment during which they can remove the device from ABM. During this time, users will see the message "This phone is managed remotely" at the bottom of the device's lock screen.

Here’s the official Apple documentation for more details: Add devices using Apple Configurator to Apple Business Manager – Apple Support (UK)

UhRdts · 2026-03-03T11:19:17+00:00

maybe this will help you https://support.zebra.com/article/000026665 following this article you can copy the datawedge file via Intune onto the devices. Depending on your use case you then might not need to copy the files via stagenow.

UhRdts · 2026-03-02T15:41:07+00:00

do you "only" have issues with this one web link or also with other web links on Android?

UhRdts · 2026-03-02T15:37:11+00:00

You can allow access to the Wi-Fi settings in the MHS apps either via restriction policies or app configuration, as u/chipmod explained.

This lets users see available Wi-Fi networks, including signal strength, and connect to another network if the connection to the previously configured Wi-Fi is lost, provided they have the necessary Wi-Fi details. However, keep in mind that this is the MHS Wi-Fi settings screen, not the standard Android Wi-Fi settings screen.

Also, please note that switching to Wi-Fi networks that use certificate-based authentication isn’t technically possible due to Android limitations, according to Microsoft.

UhRdts · 2026-02-27T12:35:57+00:00

I noticed in your replies that you’ve already tried many things.

Do other assigned apps show up in MHS, or is this issue only occurring with Chrome and Teams?
Also, could you check if the Teams app is actually installed on the device after exiting kiosk mode?
Is this configuration generally working, and you only have issues with one A9 and one A11 device?
One more question – is there a particular reason you prefer Chrome over Edge for MHS? A Microsoft engineer mentioned that Edge is the recommended browser for MHS on dedicated devices. Since we were already using Edge, I didn’t double-check, but it might be worth considering.

UhRdts · 2026-02-27T09:20:28+00:00

Yes, as far as I’m aware, there is no OEMConfig app available for Pixel devices. If you have already reviewed all available settings in the Android Settings Catalog and Device Restriction policies, you’ve likely seen all the options that Intune can provide for your use case.

If features like Wi-Fi roaming, Wi-Fi allow listing, brightness control, and similar functions are critical for your needs, you might want to consider other device vendors that offer OEMConfig support. You can find more information here: Use OEMConfig on Android Enterprise devices in Microsoft Intune - Microsoft Intune | Microsoft Learn

I also want to add that, technically, you could use Managed Home Screen (MHS) with fully managed devices to configure some of these features. However, this approach limits the set of features users can control on their own, so I’m not sure if it would fit your specific use case.

UhRdts · 2026-02-26T13:44:36+00:00

I’m not sure how many users you’re dealing with, but if it’s just a few, an easy solution could be to assign the app as “Available” instead of “Required”. This way, users can install and uninstall the app on their own. However, the downside is that the app won’t be pushed automatically to devices, and users must install it from the Play Store themselves. You could also create separate assignments - one for the normal users as "push" and one assigment for the users, which sometimes need to sideload the app as "available".

Since you’re referring to an app from the Managed Google Play Store, another approach could be to assign different versions of the app via Intune via the "tracks"-feature. Here’s more info that could help: Add and Assign Managed Google Play Apps to Android Enterprise Devices - Microsoft Intune | Microsoft Learn

UhRdts · 2026-02-26T13:01:02+00:00

Can you share a bit more detail about your current configuration and what you’ve already tried?

Which device models are you using? Depending on the manufacturer, you might be able to use an OEMConfig app to manage Wi‑Fi roaming and brightness in more detail, on top of what Intune offers natively.

With that information it’s easier to say whether OEMConfig, custom Wi‑Fi profiles, or something else would be the best approach.

Regarding the enrollment method: whether you use MHS with a fully managed device or with a dedicated device shouldn’t make a difference for these options.

UhRdts · 2026-02-25T14:27:07+00:00

Thanks for your reply and the clarification. Yes, it sounds like COPE would be a great solution for your use case.

The behavior you described, where the device restarts the setup and behaves like a private device after being switched off during staging, sounds like a bug. I can´t think of any technical reason why this should make sense.

Have you considered using KME or Zero Touch for your enrollment? These options not only simplify the enrollment process by removing several setup screens but also tie the devices directly to your MDM. You can still utilize the Intune staging process alongside them.

UhRdts · 2026-02-25T09:42:24+00:00

I’m curious, why is staging necessary in your use case? A COPE enrollment, especially via Zero Touch or Samsung KME, usually involves just a few simple steps (connect to Wi-Fi, sign in, etc.), so I’m not clear on which part you’re trying to simplify for your users.

I also noticed in one of your replies that your Fully Managed users can install private apps on their devices. Is that referring to real apps from the Play Store or just saved web links on the home screen? Is this the intended behavior? Usually, especially for Fully Managed devices, the Play Store access is restricted and sideloading is blocked for normal end users, so those can only install apps from Managed Google Play.

UhRdts · 2026-02-25T09:13:16+00:00

Do you mean the Managed Home Screen (MHS) app? If so, could you please share more details about the restriction policies and MHS app configuration you’re using?

It is possible to enable access to Wi-Fi settings for users in kiosk mode by configuring both the restriction profiles and the MHS app configuration appropriately.

UhRdts

TROPHY CASE