Configure permissions for the Managed Home Screen (MHS) on Android Enterprise devices using Microsoft Intune

  • Article

The Managed Home Screen (MHS) is an Intune app that allows you to configure the home screen on the device. It only shows the apps that your users access and the device settings that admins need to manage.

The MHS is used for kiosk devices, including frontline worker (FLW) devices. It replaces the default launcher on your Android Enterprise dedicated and fully managed devices. To learn more about the MHS app, go to Configure the Microsoft MHS app for Android Enterprise.

Typically, when you configure the MHS on a device, end users need to manually accept certain permissions that MHS needs. These permissions allow the MHS to access device features and settings.

Instead of relying on end users to accept the permissions, you can use an OEMConfig device configuration policy to automatically grant permissions to the MHS app.

This feature applies to:

Supported OEMs include:

  • Samsung
  • Zebra

Note

More OEMs are being added, including Honeywell (no ETA).

This article:

  • Lists the required permissions that the MHS needs.
  • Shows how to get the OEM app from the Managed Google Play Store.
  • Lists the steps to create an OEMConfig policy in Intune that automatically grants permissions for the MHS app.

Required permissions

For the MHS to work, certain permissions are required for certain features. Samsung and Zebra allow the MHS app to grant many of these permissions using the OEMConfig app schema.

The following table lists the permissions that you can configure for the MHS app on Samsung and Zebra devices:

Permission Samsung Zebra Legacy Zebra
Overlay Permission is required by:

- Virtual home button
- Screen saver
- Automatic sign out
Notification Permission is required by:

- Notification badge
Alarms & Reminders permission is required by:

- Screen saver
- Automatic sign out
- Automatic relaunch		 n/a n/a
Write Settings permission is required by:

- Brightness toggle
- Rotation toggle		 n/a n/a

For information on when to use Zebra vs. Legacy Zebra, go to OEMConfig apps for Zebra devices.

Before you begin

Step 1 - Get the app from the Managed Google Play Store

OEMs provide their own OEMConfig app that lets you configure features within the app. In this step, you:

  • Get the OEMConfig app from the Managed Google Play Store.
  • Assign the app to your devices or device groups that use the MHS.

Samsung and Zebra OEMs use the following Managed Google Play apps:

OEM App name
Samsung Knox Service Plugin
Zebra Zebra OEMConfig Powered by MX

Zebra OEMConfig Powered by MX is a new version of the OEMConfig app released in May 2023.
Zebra Legacy Zebra OEMConfig

Add the OEMConfig app

  1. In the Microsoft Intune admin center, sign in to your Managed Google Play account.

  2. Search for the Knox Service Plugin app, select the app, and then select Sync.

    For the specific steps, go to Add Managed Google Play apps to Android Enterprise devices with Intune.

  3. In the Knox Service Plugin app properties, make it a required app, and assign the app to your devices or device groups that use the MHS.

    For the specific steps, go to Add Managed Google Play apps to Android Enterprise devices with Intune.

Step 2 - Create the OEMConfig profile that configures the app

The next step is to create an OEMConfig profile that configures the permissions in the OEMConfig app. In this profile, you configure the app schema settings that autogrant permissions to the MHS app features.

When you use the schema settings in the Knox Service Plugin app, the Intune profile grants the following permissions:

  • Overlay Permission
  • Notification Permission
  • Alarms & Reminders Permission
  • Write Settings

Create the policy:

  1. Sign in to the Intune admin center.

  2. Select Devices > Manage devices > Configuration > Create > New policy.

  3. Enter the following properties:

    • Platform: Select Android Enterprise.
    • Profile type: Select OEMConfig.

  4. Select Create.

  5. In Basics, enter the following properties:

    • Name: Enter a descriptive name for the new profile.
    • Description: Enter a description for the profile. This setting is optional, but recommended.
    • OEMConfig app: Choose Select an OEMConfig app.
    • Associated app: Select the Knox Service Plugin app.

  6. Select Next.

  7. In Configuration settings, select the Configuration designer. The properties available within the app schema are shown for you to configure.

    For guidance on configuring the OEM app schema, use the following links:

    When you create the Intune policy, you enter the following info:

    • MHS Package Name: com.microsoft.launcher.enterprise
    • MHS notification service package name: com.microsoft.launcher.enterprise/com.microsoft.launcher.next.model.notification.AppNotificationService

  8. Select Next, add any optional scope tags > Next.

  9. In Assignments, select the devices or device groups that should receive your profile. Assign one profile to each device. The OEMConfig model only supports one policy per device.

    For more information on assigning profiles, go to Assign user and device profiles.

  10. Select Next, and review your settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.

The next time the device checks for configuration updates, the settings you configured are applied to the app.