COSU Configuration and Enrollment using the QR code enrollment method

Hi everyone, Matt Butcher here. I’m a Support Escalation Engineer on the Intune team and today I wanted to take a minute to go through the steps to configure and enroll COSU (corporate owned single use) Android enterprise devices using the popular QR code method.

To give you a little background, back in July we announced support for Android enterprise purpose-built device management, where we can target task-based usage cases such as unattended guest kiosk experiences, inventory tracking, mobile ticketing, point-of-sale devices, etc. Devices managed in this way can enroll into Intune using a few different enrollment methods, such as scanning a QR code, which is what we’ll be discussing here. The benefit with this is that administrators can enroll these devices without needing to have user account credentials on the device. IT admins can then configure these corporate-owned devices to be used in locked-down environments, allowing only the app or apps necessary to complete the task while preventing users from accessing settings, installing other apps, or changing any device functions that might interfere with reliable operation.

For the purposes of this example, you’ll need a device running Android 7 or later that you can factory reset, and an open wi-fi network. Once you have that, just follow the steps below.

1. If you haven't done this already, start by connecting your Intune account to your Android enterprise account.

2. Next, approve any applications from the Managed Play Store that you need to be in the Managed Home Screen experience (including the Managed Home Screen & Android Device Policy).

3. Now we need to sync those apps to Intune. Open a browser and go to the Intune portal, then navigate to Client Apps -> Setup – Managed Google Play and click Sync.

4. Once the sync is complete, we need to create an Assigned or Dynamic device group that will be used for the deployment. If using a Dynamic device group, set the membership rule to Add devices where / enrollmentProfileName / Equals / <InsertCOSUEnrollmentProfileNameHere> . I’ll be using a Dynamic device group named COSU_Dynamic_Device_Group so my rule will be Add devices where / enrollmentProfileName / Equals / COSU_Enrollment_Profile as shown below.


5. Now we need to create our COSU Enrollment Profile. From the Intune portal, navigate to Intune -> Android Enrollment -> Kiosk and Task Device Enrollments -> Create. Name the profile what you chose in your Dynamic Membership Criteria, which in our example was COSU_Enrollment_Profile.

6. Once that’s done, we’ll now create our Kiosk Profile. From the Intune portal, navigate to Device Configuration -> Profiles -> Create Profile. And configure the profile accordingly:

a. Name: Whatever you like
b. Platform: Android Enterprise
c. Profile Type: Device Owner Only – Device Restrictions
d. Navigate to the Kiosk node and select Multi-app kiosk
e. Click Add. The list of all your apps will appear on the right
f. Add your apps but do not add the Managed Home Screen.
g. If you have Web Apps, be sure to include a browser


I also recommend adding a password just to see what happens with the Android Device Policy app.


7. Deploy all your apps as Required to your Dynamic device group. Note that if you have Web Apps, you do not need to deploy them.

8. Factory Reset your Android device.

9. Wait for OOBE to begin, then tap the white space until you’re prompted to download QR Reader.

10. Connect to your open Wi-Fi network and wait for the QR reader to be installed (your screen will just be a camera).

11. Use QR Reader to scan the QR code attached to your COSU Enrollment Profile. As the device enrolls, wait until the Managed Home Screen experience begins. If you required a PIN, manually set it before the Managed Home Screen experience begins. If you fail to do this the policy will show as failed. This is important because the PIN requirement does not present a toast notification to the user however the settings are still enforced.

That’s it! Now your device is enrolled and ready to use.

Key Notes

  • Don't add the Managed Home Screen app to the Multi-App Kiosk profile.
  • If using web links, you do not need to deploy these to the device groups. Only store apps are required to be deployed.
  • If requiring a PIN, the user will not be prompted. The setting is enforced and you will need to configure the PIN manually.
  • To get out of the Managed Home Screen experience, all you need to do is remove the Managed Home Screen app deployment. You can adjust the Multi-App Kiosk Mode profile as needed, and then redeploy the Managed Home Screen app.
  • To get out of COSU, you will need to factory reset the device.
  • When troubleshooting, It is recommended to include the Android Device Policy app in your Multi-App Kiosk profile. This will allow you to verify what policies Google is sending to the device.
  • There is no direct communication between Intune and devices enrolled using this method. Intune sends policy information to Google which then manages policy delivery.
  • Device names will look like this: 30a97bfb2327b18d_AndroidEnterprise_10/2/2018_10:34 PM. Currently this cannot be changed.
  • Compliance will show as Not Evaluated because COSU does not support compliance policies.
  • In this scenario, you cannot deploy certificate profiles, and wi-fi profiles are limited to open authentication or pre-shared key

Matthew Butcher
Intune Support Escalation Engineer
Microsoft CSS

Comments (2)

  1. ._frost says:

    Great article, thanks! We’re looking to enrol about 500 COSU devices using this method.
    One of the issues we’re having is that any sideloaded apps are removed by the device policy when configured this way. It seems like the only way to get apps onto the device is via the managed Play Store. Is there a way to whitelist sideloaded apps so they’re not removed automatically? We have some LOB apps that cannot be uploaded to the store.

    1. Hi Frost, thank you for your question! I can definitely see a use case for this but unfortunately today the only applications that can be added to the Managed Home Screen are Managed Play apps and weblinks deployed from Intune. I would absolutely encourage you to provide your feedback on this to our uservoice forum here:

      However, if you have some LOB apps that you’re unable to upload, I’m not aware of any issues that would be preventing this so your best bet would be to open a support case so we can take a look. We have information on opening a free support case here:

Skip to main content