![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 1%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMH%3C/text%3E%3C/svg%3E)
Microsoft Security | Intune | Microsoft Intune Android
Managing Android devices using Microsoft Intune
Different app sets per user on a Microsoft Entra shared Android device using Managed Home Screen (MHS) are not supported in the way described.
Key points from the documented behavior:
- Shared device mode + MHS sign-in
- Managed Home Screen supports a sign-in experience that integrates with Microsoft Entra shared device mode.
- When Enable sign in is set to
Trueand Sign in type isMicrosoft Entra ID, users sign in to MHS and get single sign-on to other apps that participate in shared device mode. - However, the documented MHS configuration is device-level, not per-user. The MHS app configuration and device restriction profiles apply to the device (or device group), not dynamically per signed-in user.
- Kiosk / multi-app behavior is device-scoped
- For Android Enterprise dedicated or fully managed devices, kiosk mode (single-app or multi-app) is defined in a device configuration profile under Device experience.
- In multi-app mode, every app in the policy must be a required app and assigned to the devices. If an app is not required or not assigned, devices can lock out users and show
Contact your IT admin. This phone will be erased. - This configuration is again device-based: the allowed app list is tied to the device configuration profile, not to the user who signs in.
- Managed Home Screen app configuration scope
- The MHS app configuration policy is created under Apps → Configuration and targeted to managed devices running Android with Managed Home Screen as the associated app.
- These settings (including sign-in, offline app access, app access without sign-in, lock home screen, etc.) are applied per device/app instance, not per user session.
- What can be varied
- Different device groups can receive different kiosk / MHS configurations (for example, one device group for “role A” with one app set, another device group for “role B” with another app set).
- Within a single shared device, the documented configuration does not support dynamically switching the visible/launchable app set based on which Entra user signs in.
- “Ghost app” behavior
- The behavior where an app is visible but not selectable typically indicates assignment or kiosk configuration mismatch (for example, app not required/assigned correctly in a multi-app kiosk scenario). The documentation stresses that in multi-app mode every app in the policy must be required and assigned to avoid lockout or unusable icons.
Conclusion:
- Managed Home Screen with Microsoft Entra shared device mode is designed so that the kiosk / app set is defined at the device level.
- Different app sets per user on the same shared device are not supported by the documented MHS and Intune kiosk configuration model.
- To achieve different app sets, separate device groups and profiles per scenario/role are required, rather than per-user variation on a single shared device.
References: