Android Dedicated Device - Enforce PIN for Device Unlock
Enable a way for us to enforce a policy that sets a PIN code at the device level on Corporate Owned Dedicated Devices (Kiosk mode).
At present we are having to get our onsite IT staff to manually set a PIN on the device after enrollment, but the users can still go in and change the lock screen method from PIN code to Swipe, thus removing the security aspect.
Our Android team says:
“We need to learn more about this scenario. Kiosk devices are typically open for use while users sign into apps separately. We would like to know why a device-level PIN for an AE dedicated enrolled device provides security.”
Can you tell us more?
Jonathan G. commented
Why is this not even possible... Come on Microsoft.
Your dev team has such a limited view of the use cases in the real world....
Like many others, we have devices which are used to carry out specific functions (audit/inspections/training in our case). These devices have no assigned user, so I set them up as dedicated devices. The multi-app kiosk mode makes them very easy to use and we are happy in this respect. However, we would like to PIN-protect the devices to help protect the apps installed on the device, just in case a device manages to fall into the hands of the public, as they are used out in the field.
I think the general focus here for MS & Intune is around protecting the app and its data (per user context) vs. access to the device. Whilst this is understandable, there are still a lot of use cases where customers just want to prevent anyone from unlocking a shared device and using the applications in the first instance. We have a situation where we have a number of LoB applications into which the task-based users do not sign in explicitly (this is pre-configured for them): they grab the device (shared by many users), unlock it and start using the apps. We want the interface to be simple (i.e. secured kiosk style) with simple unlocking; if it's any harder for the task-based users to use the technology, they'll simply avoid using it.
Matthew Henry commented
This is absolutely needed solely based on the Wi-Fi certificates aspect. If you issue a SCEP cert from Intune, it will not deploy if a PIN isn't set. Unfortunately: 1. Users aren't forced to enter a PIN. 2. Admins are unable to set a PIN remotely.
Now I have to keep telling people to make sure they set a PIN right away or the cert may never get issued.
THIS IS A HUGE FLAW. Either let us send scripts to these devices or let us set a PIN from the console as a configuration.
Bo S. Nielsen commented
A PIN is needed to roll out Wi-Fi certificates to devices like Zebra warehouse handheld scanners. Thus enforcing (setting) a static PIN on all devices would be great. This can be done using other MDMs.
After enrollment you can still have no PIN to unlock the device, even if you have set a device configuration that requires a PIN.
Intune should enforce setting a PIN if the device configuration policy requires it.
Dedicated devices are not just kiosk devices.
Two scenarios in which we use dedicated enrolment are:
1. Handheld scanners used in factories, warehouses and in the field. Not just anyone should be able to pick up these scanners and use them, so we need a way to protect them.
2. We supply Android tablets to agency workers to allow them to go out into the field to capture data, or show customers information. These agency workers are not employees, so we enrol the devices as non-user-affinity devices. Again, the information on these devices should not be available to anyone.
In both scenarios the device may or may not be shared between different users, so it would be nice to have the ability to either set a specific PIN on the device from Intune, or allow the user to set one.
Either way, we need a way to enforce a PIN to a minimum complexity.
We have several hundred users that perform various tasks like inspections, etc. They do this on kiosk devices to make the tablet as easy to use as possible (no more apps visible than what they need). The inspection tools are web apps, where they log in to get access to the tool. If the tablet were to be lost/stolen, they would still be logged in to the tools and no PIN would be required to open the device. This is a major security issue for us!
When no PIN code is enforced and the AE Dedicated enrollment type is used on a corporate device, anyone is able to access the device without the user.
We use Android tablets in our car fleet and we would like to secure access to the device as there is corporate data on it.
I have the same issue... testing with a Samsung S10 device also.
If your dedicated device is added to a dynamic group during the enrollment process, and a policy with PIN requirements is assigned to this group, it may need some time to update the group while you enroll the device.
My solution: wait at the first step of the registration wizard until the step changes to "set pin code".
Tore johnny Blomhaug commented
Any update on this?
Enforcing PIN protection on dedicated kiosk devices is a must-have security feature. Without it, corporate-owned dedicated devices are a non-starter.
corey lahrmer commented
I can't even get it to enforce a passcode... Samsung phones go into the correct group, but during setup there are only 3 options instead of four. It has: Install apps - register - complete. I need it to have "set passcode" first. Only got it to do that two out of 28 times!
This is the exact issue I am facing and it would be such a simple solution to implement.
We have devices that get used by multiple people regularly, and I would like to set a dedicated PIN for them all that cannot be changed.
Please allow this as a possibility, as we do not ever have users log into them with specific credentials; they just need to open any tablet to do their work.
PLEASE PLEASE PLEASE add this ability for Corporate Owned Dedicated Devices
Darren Powles commented
My experience is that once the PIN is set, the options to remove PIN or change to swipe are greyed out. Afterwards, the password settings "succeed" in the portal. Also, PIN reset in the portal works as expected.