Kiosk
15 Topics

Android Enrollment - Corporate-owned Dedicated Devices can't see all the Policies created
Good morning everyone, Last week, I noticed that none of the new enrollment profiles I created are appearing on the page, and some old ones that I need to use are also "invisible." Is anyone else experiencing this issue, or is it just me? To ensure the profiles weren't deleted, I made an export and can see them all. Only 4 are appearing on the console, and on the report I have 13... Thank you.

40 Views, 0 likes, 0 Comments

iOS Update Installation Failure - Status -2016330697
Dear Forum Members, I have an iPad configured in Kiosk mode and locked in with single app Edge browser. I also configured an iOS update policy to update the iOS from 12.4.6 to 13.0.0. It didn't work and I received an installation failure status -2016330697 (It is a minus sign, not a hyphen). The error is from Intune - Software Updates - Installation failures for iOS devices. Can anyone tell me what this error means and direct me where to troubleshoot next? Thank you all so much!

14K Views, 0 likes, 6 Comments

Managed Home Screen Woes
Setting up a Company Owned Dedicated (kiosk) Android device can be a bit challenging to get just right. After several hours of reading Reddit, Microsoft, and Personally owned blogs and threads, I figured I would consolidate everything I have found to hopefully have this show up on someone else's Google results. (Main link for Managed Home Screen Configuration: Configure the Microsoft Managed Home Screen app - Microsoft Intune | Microsoft Learn)

Calling issues with Managed Home Screen

The Issue: Devices were able to receive phone calls, but the only notification was in the default system's notification tray; this was while the device was locked and unlocked. This posed an issue as we would like to 1) disable the default system tray and 2) We need at least the phone to light up when it was locked to let the users know they're getting a call.

The Solution: After researching it is my assumption that the underlying issue is that while the phone is managed, and enrolled as a Company Owned Dedicated Device, for some reason the UI elements are NOT identified as managed items. So the administrator must deploy the following applications as Android Enterprise System Apps and set them as required installs:

com.samsung.android.incallui --- I named this Call UI, Publisher Android
com.android.server.telecom --- I named this Telecom (1 of 2 Req for Phone App), Publisher Android
com.samsung.android.app.telephonyui --- I named this Telephony UI (2 of 2 Req for Phone App), Publisher Android

(Yes, these are probably not the "Android Designated Application Name" but that's what they're staying as in my tenant.)

That's it. Done. Phone was able to receive calls with the normal quarter of the top screen notification, as well as a full screen notification if the device was locked.
However, some previous research also led me to these other items that may help someone else from googling:

The Android Phone App Package ID / Android Phone App Bundle ID / Samsung Phone App is:

com.samsung.android.dialer --- I named this Phone, Publisher Samsung (unsure for Google, Motorola, etc phones, this works for Samsung)

This needs to be set as required as well, and assumedly placed on the managed home screen for the user to make calls (unsure if it is needed to receive calls only... if you have some type of use case for that?).

Most predominant links relating to the issue:

Article 1: Shared Android Phone/Calls from Kiosk Mode? : r/Intune (reddit.com)
Article 2: Shared Android Phone - KIOSK device - Phone Calls - Samsung : r/Intune (reddit.com)

Managed Home Screen Conflicts

App Configuration Policies currently don’t really show you any information as to why or what a conflict is; just that it’s conflicting (thanks, Microsoft). Some common issues I’ve seen around is that while some configurations are available in both the Device Configuration Profile and the App Configuration Policy; you should not apply these settings in both places (see the tables of configurations on the Microsoft doc for Managed Home Screen at the top of this article).
Personally, I like having the configurations setup as:

Managed Home Screen App Config Policy:

| Configuration Key | Value Type | Configuration Value |
| --- | --- | --- |
| Exit lock task mode password | string | 123456 |
| MAX time outside MHS | integer | 600 |
| MAX inactive time outside MHS | integer | 180 |
| Enable MAX time outside MHS | bool | TRUE |
| Enable MAX inactive time outside MHS | bool | TRUE |
| Enable easy access of debug menu | bool | TRUE |
| Define Theme Color | string | light |
| Applications in folder are ordered by name | bool | TRUE |
| Application order enabled | bool | TRUE |
| Device's serial number | choice | {{SerialNumber}} |
| Show device name | bool | TRUE |
| Show Device Info setting | bool | TRUE |
| Show Volume setting | bool | TRUE |
| Show Flashlight setting | bool | TRUE |
| Show Bluetooth setting | bool | TRUE |
| Show Managed Setting | bool | TRUE |
| Show Wi-Fi setting | bool | TRUE |
| Battery and Signal Strength indicator bar | bool | TRUE |
| Set device wall paper | string | https://i.imgur.com/OPlCeFG.jpg |
| Lock Home Screen | bool | TRUE |
| Enable notifications badge | bool | TRUE |

(Exiting Kiosk mode is then within the Device Managed Settings > i > Exit Kiosk Mode with the ‘Exit lock task mode password’ pin.)

Dedicated Device Configuration Policy:

(In my experience, this is an overview of the settings that should / shouldn’t be set with Managed Home Screen. This is not all the settings, that’s a lot of typing. But this will give you a good start. I am sure not all of these affect the Managed Home Screen as well, but at least the ones under Device Experience do.)
General:

Permission Policy – Default
Date and Time – Block
Factory Reset, Status Bar – Blocked
Skip first hints – Enable
Power Button Menu – Block
System Error Warnings – Allow
Enabled System Navigation Features – Home and overview buttons
System Notifications and Information – Show both

Device Experience:

Enrollment Type – Dedicated Device
Kiosk Mode – Multi-App
Custom Layout – Enable (Note: all of these apps need to be deployed and set as required)
App Notification Badges – Enable
Virtual Home Button thru Wi-Fi Configuration – ALL Not Configured (as these are configured within the App Configuration Policy!)
Bluetooth, Flashlight, Media, Quick access to device info – Enabled

Managed Home Screen Background

I found that the best place to configure this is only within the App Configuration Policy. The main issue everyone seems to face is that the image URL must end with a ‘.jpg’. This is very easily overcome; find an image on Google, Download it, Go to Imgur, Upload it (watch your ad), Right click it afterwards, then click Copy Image Link. Boom imgur.com/somerandomletters.jpg

Finding the Android App Identifier

Honestly, this is a lot more complicated than it needs to be. Note: Adding the Managed Home Screen app to the Home Screen shows up as Managed Settings and works great.
Here’s a list of the common ones:

| App Name | Store URL | App Identifier |
| --- | --- | --- |
| Calendar | https://play.google.com/store/apps/details?id=com.samsung.android.calendar | com.samsung.android.calendar |
| Camera | https://play.google.com/store/apps/details?id=com.sec.android.app.camera | com.sec.android.app.camera |
| Clock | https://play.google.com/store/apps/details?id=com.google.android.deskclock&hl=en-US | com.google.android.deskclock |
| Gallery | https://play.google.com/store/apps/details?id=com.sec.android.gallery3d | com.sec.android.gallery3d |
| Google Play Store | | com.android.vending |
| Microsoft Intune | https://play.google.com/store/apps/details?id=com.microsoft.intune&hl=en-US | com.microsoft.intune |
| Managed Home Screen | https://play.google.com/store/apps/details?id=com.microsoft.launcher.enterprise&hl=en-US | com.microsoft.launcher.enterprise |
| Microsoft OneDrive | https://play.google.com/store/apps/details?id=com.microsoft.skydrive&hl=en-US | com.microsoft.skydrive |
| Microsoft Outlook | https://play.google.com/store/apps/details?id=com.microsoft.office.outlook&hl=en-US | com.microsoft.office.outlook |
| Microsoft Teams | https://play.google.com/store/apps/details?id=com.microsoft.teams&hl=en-US | com.microsoft.teams |
| Phone | https://play.google.com/store/apps/details?id=com.samsung.android.dialer | com.samsung.android.dialer |
| Samsung Notes | https://play.google.com/store/apps/details?id=com.samsung.android.app.notes&hl=en-US | com.samsung.android.app.notes |
| Settings | https://play.google.com/store/apps/details?id=com.android.settings | com.android.settings |

There were a LOT of articles and threads I read about these issues and I cannot possibly find them all again to post here. But here are a few to try and give credit:

Configure the Microsoft Managed Home Screen app - Microsoft Intune | Microsoft Learn
Shared Android Phone/Calls from Kiosk Mode? : r/Intune (reddit.com)
Shared Android Phone - KIOSK device - Phone Calls - Samsung : r/Intune (reddit.com)
GitHub - petarov/google-android-app-ids: Google Android apps found on the Play Store (Some of these are incorrect for my use cases (needed Android apps not Google Apps))
Corporate-owned Android Enterprise device restriction settings in Microsoft Intune | Microsoft Learn
Manage Android Enterprise system apps in Microsoft Intune | Microsoft Learn

11K Views, 4 likes, 2 Comments

Kiosk Mode not logging in - "kioskUser0 the user name or password is incorrect"
I am working with creating a Device Configuration Profile for Kiosk Mode. The device is Windows 10 1809 and is Azure AD joined only and is syncing and receiving policies, updates, and software. When the device is restarted the Kiosk policy attempts to force the Auto-login option but fails. It is showing User "kioskUser0" and giving the generic message of "username/password is incorrect". I wait a minute or 2 and the timeout for attempting the login with the kiosk user occurs, then I am able to log in with any Azure AD user I attempt. When the policy is applied, is it creating kioskUser0 as a local account on the device? Other than restarting, is there any way for the device to attempt to log back into the kiosk section? (logging in and signing out does not seem to trigger this)

57K Views, 0 likes, 11 Comments

Kiosk XML - Whitelist apps in %userprofile%
Hi all, I have a problem with my multi app kiosk config (Assigned Access XML in Intune -> ./Device/Vendor/MSFT/AssignedAccess/Configuration). I want my users to have the choice whether to use Teams, Starleaf, Zoom etc. - but just StarLeaf isn't working.

Die Ausführung von %PROGRAMFILES%\STARLEAF\STARLEAF\STARLEAF.EXE wurde zugelassen. (fine)
Die Ausführung von %PROGRAMFILES%\STARLEAF\STARLEAF\MISC\STARLEAFINSTALLER.EXE wurde zugelassen. (fine)
Die Ausführung von %OSDRIVE%\USERS\063690\APPDATA\LOCAL\STARLEAF\STARLEAF\1\STARLEAF.EXE wurde verhindert. (blocked)

Is there any way to whitelist apps installing in the userprofile directory?

    <?xml version="1.0" encoding="utf-8" ?>
    <AssignedAccessConfiguration
        xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
        xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
        >
      <Profiles>
        <Profile Id="{a4457869-7414-4c11-bb0b-50fdff39d54a}">
          <AllAppsList>
            <AllowedApps>
              <App AppUserModelId="StarLeaf.Breeze2.Windows.2" />
              <App DesktopAppPath="%USERPROFILE%\AppData\Local\StarLeaf\StarLeaf\1\StarLeaf.exe" />
              <App DesktopAppPath="C:\PROGRAM FILES (x86)\StarLeaf\StarLeaf\StarLeaf.exe" />
              <App DesktopAppPath="C:\PROGRAM FILES (x86)\StarLeaf\StarLeaf\MISC\StarLeafInstaller.exe" />
            </AllowedApps>
          </AllAppsList>
          <StartLayout>
            <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
              <LayoutOptions StartTileGroupCellWidth="6" />
              <DefaultLayoutOverride>
                <StartLayoutCollection>
                  <defaultlayout:StartLayout GroupCellWidth="6">
                    <start:Group Name="Conferencing">
                      <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="StarLeaf.Breeze2.Windows.2" />
                    </start:Group>
                  </defaultlayout:StartLayout>
                </StartLayoutCollection>
              </DefaultLayoutOverride>
            </LayoutModificationTemplate>
            ]]>
          </StartLayout>
          <Taskbar ShowTaskbar="true"/>
        </Profile>
      </Profiles>
      <Configs>
        <Config>
          <UserGroup Type="AzureActiveDirectoryGroup" Name="057b819d-453c-4c25-8358-141e207d8076" />
          <DefaultProfile Id="{a4457869-7414-4c11-bb0b-50fdff39d54a}"/>
        </Config>
      </Configs>
    </AssignedAccessConfiguration>

Thanks in advance!

3.8K Views, 0 likes, 2 Comments

Intune - how to exit Kiosk mode
Dear forum members, I have found when a device is in kiosk mode (in my case, an iPad), removing the kiosk device restriction configuration profile will not take the device out of the kiosk mode, even after a restart. I will have to assign the device to a different group to receive another configuration profile that has kiosk mode not turned on, or wipe the device. Has anyone experienced this too? Thanks.

Solved, 24K Views, 0 likes, 4 Comments

Enroll devices don't have Google Enterprise
Hi Team. I use Intune for Android devices in Kiosk mode. I have Samsung devices with Google Enterprise, and they work OK. But I have Honeywell handheld devices that don't have Google Enterprise. The question is, how do I enroll these devices in kiosk mode? Thanks,

Solved, 1.4K Views, 0 likes, 2 Comments

Problem with autologin on multi app Kiosk Win 10
Hello guys, I have a problem with multiple Windows machines. All machines are Dell optiplex 7060 and few Intel NUC's and all have enabled TPM (or PTT). They have latest W10 2004 installed, fully updated. All machines are deployed through Intune as multi app kiosk, with two apps - Zoom Rooms and Teamviewer. Process for setup is I import csv file from machine (I manually add group tag kiosk). It's assigned to dynamic group, from there it gets Deployment profile. Everything worked as expected with Windows 1903 or 1909 until last update. For already deployed machines, few of them (not all) after update to 2004 were unable to autologin. Initial setup goes perfectly, unfortunately when it's done I don't get autologin. It asks me for user and when I enter .\kioskUser0 it goes in and works as expected. I’ve accessed devices also with my admin account, updated everything (Windows and drivers), still the same. I also changed the registry for WinLogon - AutoAdminLogon to 1 (keeps resetting to 0), DefaultPassword (whole entry keeps deleting), DefaultUserName (set to kioskUser0). Nothing helped. I've also done several manual syncs through Intune for all devices that have autologin issue, also didn't help. I've done also some further testing with one dell optiplex 7060 and now all new deployments (tried with 1909 and 2004) had autologin problem. I've attached few screenshots for configuration. Any ideas how can I solve this issue?

Solved, 21K Views, 0 likes, 14 Comments

Intune doesn't show sync when uses kiosk autostart profile
Goal

We want to use Intune MDM to create kiosk devices with multiple applications. To set up the devices, we use Autopilot with a SelfDeployment profile. The device will be assigned a Kiosk profile with auto-enrollment enabled.

Problem

Setting up the devices works without any problems and also new apps or changes are synchronized, but we do not get any feedback in Intune if changes were successful or not. So to speak, there is only a one-sided synchronization. For example, we can successfully update an application after a successful setup, but Intune always shows us the old version. We know that the autostart function creates a local user and logs in with it and logically this user cannot synchronize. But is this intentional or are we missing something here? There must be a way to synchronize a device with an Autostart Kiosk. If you guys need any information, please let me know.

3.3K Views, 0 likes, 6 Comments

Win10 multi-app kiosk local user - win32 app post-autopilot not working
Similar to this https://docs.microsoft.com/en-us/answers/questions/378888/win32-apps-don39t-install-on-intune-kiosk.html That was posted in May, with no recent updates, other than some BS from a "Community Expert" which doesn't even come close to answering the question. Our Win10 multi-app kiosk policy with local user logon doesn't seem to install Win32 apps after it completes autopilot. If you make the apps required in the ESP, they install fine...once... but they'll never update or get other non-ESP required app deployments, because the user is a local user and not an AAD user. Is that the expected behavior and why is Microsoft always doing something silly like this? Basically it makes the device unmanaged. Because apps never have security vulns and they never need to be updated, right? Maybe if the Intune dev team were handed a monthly report from InfoSec showing all the app vulns that need updates to fix... just divorced from reality, I guess. I swear I need to retire from IT.

3.7K Views, 0 likes, 1 Comment