If you’ve been following along, you know I spend a lot of time thinking about shared and kiosk-style devices — especially the kind frontline workers and shift teams rely on every day. Managed Home Screen (MHS) on Android Enterprise has been a game-changer for locking those experiences down while still giving users seamless Microsoft Entra SSO across approved apps.
But there was always one pain point that felt clunky: when troubleshooting was needed, you had to rely on an admin-set exit PIN and coach the user through spamming the back button to reach the debug menu. Not ideal for security or support workflows.
The New Feature – Suspend and Restore MHS
Microsoft recently shipped new remote actions to Suspend and Restore Managed Home Screen on Android devices.
Official announcement: What’s new in Microsoft Intune
Suspend action docs: Suspend Managed Home Screen
Restore action docs: Restore Managed Home Screen
Key capabilities:
- No more sharing an exit PIN with end users or service desk.
- Triggered directly from the device page in the Intune admin center.
- You set an auto-timeout — once it expires, MHS automatically re-enforces.
- Or manually restore it anytime with the Restore action.
- Applies to: Android Enterprise corporate-owned Fully Managed (COBO) and corporate-owned Dedicated (COSU) devices.
This is a solid step toward true zero-touch, admin-controlled kiosk experiences. Take a look at the screenshots below!
Prerequisites & Setup
You’ll need a supported OEM. In my lab I’m using Samsung (most common), but Zebra, Zebra Legacy, and Honeywell are also supported. If you do not have a Samsung Know license this is a great article to get you registered to take advanced to these advanced controls – https://timmyit.com/2022/02/14/intune-knox-platform-for-enterprise-oemconfig-claim-your-2-year-free-license-for-premium-features/
Required permissions for MHS (via OEMConfig – this is critical):
- Appear on top (Overlay)
- Change system settings (Write Settings)
- Alarms & Reminders
Samsung Knox Service Plugin configuration steps (high-level):
- Add Knox Service Plugin from Managed Google Play and assign as Required.
- Create an Android Enterprise > OEMConfig profile.
- Enable:
- Knox License
- Device policy controls
- Application management controls
- Permission controls
- Permissions Configuration 1:
- Permissions: Appear on top, Change system settings, Alarms & Reminders
- Package name: com.microsoft.launcher.enterprise
- Permissions Configuration 2 (Notification Access):
- Package/Component: com.microsoft.launcher.enterprise/com.microsoft.launcher.homescreen.next.model.notification.AppNotificationService
Full guidance: Configure permissions for Managed Home Screen (Samsung) & Samsung Knox – Grant special permissions
Pro tip: Keep your device firmware, Company Portal, and Intune apps fully updated. Once the policy applies, the suspend/restore actions are fast and reliable in my testing. The device even notifies the user that an admin has triggered suspension.
Why This Matters
For shared diagnostic tools, shift tablets, or any frontline kiosk — this removes a security friction point and gives service desk real admin control without compromising the locked-down experience. It’s another piece of the cloud-native, zero-trust puzzle we’re all building.
I’ll be rolling this out more broadly in customer environments and will share how it performs at scale. If you’ve already tested the new remote actions, drop a comment below — I’d love to hear what you think.
As always, thanks for reading. Keep building better experiences for your users.
— Kevin
Kevin Malinoski 
Leave a comment