How to Lock Down Android Devices with Intune Kiosk Mode and Block Google Play Store Access
When deploying Android tablets in the enterprise, kiosk mode is often the go-to solution for restricting devices to a limited set of business apps. This ensures users can only access what’s necessary for their work.
A recent case highlights a common challenge: an admin enrolled Samsung tablets into Intune, set up multi-app kiosk mode for Chrome and Limble, but discovered the Google Play Store was still accessible. That loophole allowed users to download additional apps—completely defeating the kiosk purpose.
If you’ve faced this, you’re not alone. Here’s a breakdown of why this happens and the steps you need to take to fully lock down Android kiosk devices with Intune.
Why the Play Store Stays Open in Kiosk Mode
Intune’s multi-app kiosk configuration allows you to pick which apps are available, but by default it does not automatically block the Play Store. Unless you explicitly configure device restrictions and app distribution settings, the Play Store remains visible.
On Samsung devices, this gets more complex because Knox adds its own management layer. Without proper Knox restrictions, the kiosk profile alone isn’t enough.
Step 1: Apply Device Restrictions in Intune
First, you need to create a Device Configuration Profile in Intune with strict restrictions.
- Go to Intune Admin Center → Devices → Configuration profiles → + Create profile.
- Choose Android Enterprise → Device restrictions.
- Configure the following:
  - Block Google Play Store → Yes
  - Block install from unknown sources → Yes
  - Disable developer options → Yes
  - Restrict system settings changes → Yes
This prevents users from accessing the Play Store or sideloading apps.
Step 2: Use Managed Google Play
Instead of relying on the standard Play Store, integrate Intune with Managed Google Play. This ensures only approved apps are available.
- Go to Intune Admin Center → Tenant administration → Connectors and tokens → Managed Google Play.
- Approve the business apps you want (e.g., Chrome, Limble).
- Sync approved apps into Intune.
- Assign those apps to your kiosk devices.
When users open the Play Store, they’ll see only the apps you’ve approved—no browsing, no games, no social media.
Step 3: Leverage Samsung Knox Capabilities
Since the devices are Samsung tablets, you can tighten restrictions with Samsung Knox Mobile Enrollment (KME) and Knox-specific Intune policies.
- Enroll devices through Knox Mobile Enrollment to enforce enrollment and configuration automatically.
- Use Knox Service Plugin (KSP) policies in Intune to configure deeper restrictions, such as:
  - Enabling Knox kiosk mode
  - Blocking hardware keys or system UI
  - Controlling status bar, navigation, and screen timeout
Knox complements Intune by adding OEM-level lockdowns that prevent users from escaping kiosk mode.
Step 4: Add Compliance Policies for Monitoring
Even with restrictions, you should have a safety net. Create a compliance policy that checks for unauthorized apps or modifications.
- Go to Intune Admin Center → Devices → Compliance policies → Create policy.
- Configure rules such as:
  - Only approved apps allowed
  - Rooted/jailbroken device detection
  - System integrity checks
- Combine with Conditional Access so that non-compliant devices lose access to company resources.
This ensures that if someone bypasses restrictions, they’ll be cut off from sensitive data.
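To make the "only approved apps" check concrete, here is an added example (not from the original article and not Intune's own logic) that audits a per-device app inventory against the approved list. The CSV layout, the device names, the baseline set and the Limble package ID are assumptions; the inventory is constructed sample data.

```python
import csv
import io
from collections import defaultdict

# Approved kiosk apps. com.android.chrome is Chrome's package name; the Limble
# ID is a placeholder (assumption), take the real one from Managed Google Play.
APPROVED = {"com.android.chrome", "com.example.limble"}

# Packages expected on every managed device (assumed baseline, adjust per model).
BASELINE = {"com.android.vending", "com.google.android.gms"}

# Constructed sample inventory; the two-column layout is an assumed export format.
SAMPLE_INVENTORY = """device,package
TAB-001,com.android.chrome
TAB-001,com.example.limble
TAB-001,com.android.vending
TAB-002,com.android.chrome
TAB-002,com.example.limble
TAB-002,com.android.vending
TAB-002,com.example.puzzlegame
TAB-003,com.android.chrome
TAB-003,com.google.android.gms
"""

def audit(inventory_csv, approved=APPROVED, baseline=BASELINE):
    """Return per-device findings: unapproved installs and approved apps not present."""
    installed = defaultdict(set)
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        installed[row["device"].strip()].add(row["package"].strip())
    report = {}
    for device, packages in sorted(installed.items()):
        unapproved = sorted(packages - approved - baseline)
        report[device] = {
            "unapproved": unapproved,                 # restriction layers were bypassed
            "missing": sorted(approved - packages),   # app assignment did not land
            "compliant": not unapproved,
        }
    return report

if __name__ == "__main__":
    for device, result in audit(SAMPLE_INVENTORY).items():
        state = "OK" if result["compliant"] else "NON-COMPLIANT"
        print(f"{device}: {state} unapproved={result['unapproved']} missing={result['missing']}")
```

A device with a non-empty `unapproved` list is the one Conditional Access should cut off; a non-empty `missing` list points to an assignment problem rather than a bypass.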
Step 5: Test in Layers
One reason admins get stuck is testing only one layer of policy. In reality, kiosk mode requires stacked controls:
- Device restrictions block Play Store and sideloading
- Managed Google Play ensures only approved apps exist
- Samsung Knox enforces OEM-level lockdowns
- Compliance policies detect anything that slips through
When combined, these settings create a true locked-down kiosk environment.
Common Mistakes to Avoid
- Leaving defaults in place – many admins assume multi-app kiosk mode automatically disables the Play Store. It doesn’t.
- Skipping Managed Google Play integration – if you don’t use it, users still see the full Play Store.
- Not leveraging Knox on Samsung devices – Knox adds critical restrictions missing from generic Intune profiles.
- Forgetting compliance/Conditional Access – without this, unauthorized devices can still access corporate resources.
Final Thoughts
Setting up multi-app kiosk mode in Intune for Android requires more than just assigning a kiosk profile. To fully lock down devices and prevent unwanted app installs, you need:
- Device restrictions to block Play Store and sideloading
- Managed Google Play to tightly control app availability
- Samsung Knox policies for OEM-level kiosk enforcement
- Compliance + Conditional Access as a monitoring and enforcement layer
With these steps, you’ll turn an open Android device into a purpose-built, secure kiosk that runs only the apps you choose—no surprises, no loopholes.

