Configure Locker Android App and Intune Managed Home Screen

Created: Modified: Documentation

Use Microsoft Intune to deploy the Imprivata Locker Android app with the Managed Home Screen (MHS).

Deploying the Imprivata Locker Android app with Intune’s Managed Home Screen (MHS) is supported only on corporate-owned, dedicated devices. It is not supported on corporate-owned, fully managed devices.

NOTE: For detailed information on configuring Microsoft Intune policies, profiles, and groups, see the Microsoft Intune documentation.

Before You Begin

Before you begin, configure the following prerequisites:

  1. Enroll the Android devices in Microsoft Intune.
  2. Register the Imprivata Locker app (Android) to Microsoft Intune.
Step 1: Create an Enrollment Profile

In the Intune admin console, create an enrollment profile for the Android devices.

  1. Navigate to Intune Admin Console > Devices |Android > Android Enrollment > Corporate-owned dedicated devices.
  2. Click Create profile and enter the following information:
    1. Name. Type a name for the profile.
    2. Description. Add a profile description.
    3. Click Next and Create to create the policy. Intune generates a token for enrollment.
  3. In the Token section, click Show token to display the device enrollment token (an eight-digit string) and a QR code for your Intune tenant. This single enrollment token is valid for all of the users and won’t expire.
  4. Copy the enrollment token to send to your end users, or post it to your helpdesk to enable end users to enroll their devices.
Step 2: Create a User Group

In the Intune admin console, create a user group for the devices.

  1. Create a user group for the devices.
  2. Associate the group with the new enrollment profile that you created.
  3. In the Dynamic membership rules section, in the Rules syntax, add the rule syntax with the name of the new enrollment profile. For example, (device.enrollmentProfileName -eq”LockerAndroid dedicated”).
Step 3: Create a Device Configuration Profile

Create a device configuration profile for corporate-owned dedicated devices running in multi-app kiosk mode with the Managed Home Screen app.

  1. In Devices > Android > Configuration profiles, create a profile for the dedicated devices.
  2. In the Device experience section, configure the following settings for dedicated devices:
    1. For Enrollment profile type, select Dedicated device.
    2. For Kiosk mode, select Multi-app. This allows users to access a limited set of apps on the device. When the device starts, only the apps you add start. When the policy is applied, users see icons for the allowed apps on the home screen.
    3. For Custom app layout, click Enable.
    4. In the Home Screen section, specify the apps to use with the Managed Home Screen:
      1. Add the Managed Home Screen app.
      2. Add the Imprivata Locker Android app.
      3. Add other apps, such as Epic Rover; Google Chrome, etc.
      4. For MSAL-managed Microsoft apps, such as Microsoft Teams, add the Microsoft Authenticator app.
  3. In the Applications section > Dedicated devices, in the Clear local data in apps not optimized for Share device mode, add the apps you want to log out of when the device is checked in, so that Managed Home Screen will clear all local data.
    1. For apps that are not managed by MSAL, click Add to add the apps – this can include Google Chrome, Epic Rover, etc.
  4. Assign the new device configuration profile to the user group you created earlier.
Step 3a: Configure a Session PIN

Optional.

You can allow users to get prompted to create a local Session PIN after they’ve successfully signed into the Managed Home Screen. The Session PIN will appear before the user gets access to the home screen, and can be used in conjunction with other features.

  • The Session PIN lasts until the device is checked in to GroundControl; at this time the Session PIN is cleared.
  • When the device is checked out again, the new user is prompted to enter a new Session PIN.s
  • If the device is rebooted, the device is locked and displays a screen directing the user to return the device to a dock.

To configure a Session PIN:

  1. In Devices > Policy > Configuration Profiles, create the profile and assign it to your device, as you did in Step 3.
  2. Under device experience, enable Screen Saver Mode, and set the timeout period as desired.
  3. Go to Apps > Configuration Policies and update the managed device policy for the Managed Home Screen app. Set the following configurations keys to TRUE.
    • Enable sign in
    • Enable screen saver
    • Enable session PIN
    • Require PIN code after returning from screen saver
  1. Assign the new device configuration profile to the user group you created earlier.
Step 3b: Configure Epic Rover Settings

The Epic Rover app requires configuration settings that would be lost during a “clear all local data” action, so you must set up a separate configuration policy for it.

  1. In App > App configuration policies, click Add to add an app configuration policy.
  2. From the Targeted app list, select the Epic Rover app.
  3. In the Properties > Configuration settings section, add a Configuration key for the Epic app:
    1. Configuration key: Econfig URL
    2. Value type: String
    3. Configuration value: epicrover://handheld/config/<keyFromEpicRover>, where the <keyFromEpicRover> value is obtained from Epic.
Step 4: Enroll Devices

Enroll the devices by scanning the QR code or using the token value obtained earlier. Intune enrollment begins with a factory reset of the device.

To enroll a device:

  1. Wipe the device by using the full factory reset.
  2. Turn on the newly reset device.
  3. On the Welcome screen, select your language.
  4. Connect to the Wi-Fi, and then click NEXT.
  5. Accept the Google Terms and conditions, and then click NEXT.
  6. On the Google sign-in screen, enter afw#setup instead of a Gmail account, and then click NEXT.
  7. Choose INSTALL for the Android Device Policy app.
  8. Continue installation of this policy. Some devices may require additional terms acceptance.
  9. Log in to the Microsoft Intune admin center.
  10. Browse to Devices > Enroll Devices > Android Enrollment > Corporate-owned dedicated devices.
  11. Open the enrollment profile created in Step 1.
  12. Click Token > Show token. On the device Enrollment page, scan the token from the profile. A notification displays that this isn’t a private device. Click Next.
  13. In the next enrollment phase, the work apps are installed. Click Install. After the required apps are installed, click Next.
  14. Click Set up to register the device. When the registration is complete, click Done.