Intune: Managing Promethean OPS-A (Android) Devices
Promethean ActivPanels can be fitted with an OPS device, essentially a small PC that slots into the back of the screen. Using the Android module there are some management options - Admin Tools offers a platform for updating device firmware, and can be integrated with the Radix MDM - however as I am already using Intune for managing Windows, iOS and Android devices, I'd quite like to get these working on Intune too.
The main things I wanted to achieve with management are:
- Device is locked down so that settings cannot be changed - specifically setting a device lock screen PIN or signing it into Google - along with removing unnecessary apps
- Promethean apps are available
The ideal management would be corporate-owned dedicated (kiosk) device, as we can restrict access to settings and use Managed Google Play to add new apps. The drawback here is that the Promethean apps do not exist in the public Managed Google Play store, and enrolling as a dedicated device will disable most of the pre-installed apps. Luckily these can be turned back on by way of an Android Enterprise System App assignment.
Intune Configuration
- Create an enrollment token for corporate-owned dedicated devices and note down the token (you will not be able to scan the QR code).
- Create a dynamic device group or filter targeting devices using that enrollment profile. I prefer to use a filter here as dynamic groups take a while to update.
- Add the Managed Home Screen app from the Managed Play store. Assign it to all devices, filtered to include the filter created in the previous step.
- Add the following Android Enterprise System Apps, as required:
- Annotate - com.prometheanworld.annotate
- Screen Capture - com.prometheanworld.screencapture
- Timer - com.prometheanworld.timer
- Whiteboard - com.prometheanworld.whiteboard
- Spinner - com.prometheanworld.spinner
- Update - com.prometheanworld.update
- ActivPanel Test - com.prometheanworld.activpaneltest
- Manage Device - com.nd.promethean.mdmagent
- Screen Share - com.nd.promethean.casting.receiver
- Create a device restriction profile, set restrictions as desired (do not block factory reset at this point, as it is very difficult to hard-reset one of these devices if something goes wrong and it loses contact with Intune)
- Under Device experience, configure the type as Kiosk Mode (dedicated and fully-managed) and set the Kiosk Mode to Multi-app. Add the apps you wish to appear on the home screen.
- Assign this to all devices, and filter to include the filter you created previously.
You don't necessarily need to put all the apps onto the managed home screen - you can configure the screen to allow administrators to break out of the managed home screen by pressing "back" 10-15 times and entering a PIN. This way you can still access the device settings or other apps such as Update or Panel Test, without them being available for users.
Configuring the device
Configure the device by following on screen prompts. When asked to sign in to Google, enter the username "afw#setup" to enter device enrollment, and enter the enrollment token when prompted.
The devices takes a little longer to set up versus as an unmanaged device however once completed you should be presented with the Managed Home Screen, with users unable to escape as per the settings you configured. When I was setting this up I had to configure the screen orientation setting as it was defaulting to Portrait. I also tried to set a background but it didn't seem to work.
Unfortunately this disables the "task bar" at the bottom of the screen, where you'd usually see the running apps, but worth it to get the device sufficiently locked down.