Managed Home Screen – opening PDFs via the "android" system app

Hi Community,

we're running shared Android devices (1,000+) with Microsoft Managed Home Screen (MHS) enrolled via Intune in Dedicated Device mode.

The Problem: Users couldn't open PDFs from within apps – the "Open with…" picker dialog never appeared, so files simply didn't open.

Microsoft's suggested fix: Add the system app with package ID android to the allowed apps list in MHS and include it in the Device Restrictions policy. After deploying this app, the "Open with…" dialog started appearing correctly and PDF opening works as expected.

Before we roll this out to 1,000+ devices, we have two questions:

1. What exactly does enabling the android system app unlock? The package android is essentially the Android framework / core OS package. We're not sure what capabilities or UI surfaces get exposed by whitelisting it in MHS beyond the intent picker. Does it give users access to any system settings, dialogs, or functionality they shouldn't have on a kiosk/dedicated device?

2. Is there a safer or more targeted alternative? Ideally we'd only enable the intent chooser/picker without broadly whitelisting the core OS package. Has anyone solved this differently, for example:

• Setting a default PDF handler via app configuration (managed config) so no picker is needed at all?
• Using a specific intent filter or URI handler approach?
• Any OEM-specific or Intune policy that addresses this more granularly?

We want to be confident before pushing to production at scale. Any insights from admins who have hit this or have deeper knowledge of what the android package exposes in a kiosk context would be hugely appreciated!

Thanks in advance