When it comes to managing Android devices within the organization (using Microsoft Intune/Microsoft Endpoint Manager), there are several options available. You’ll want to carefully review your requirements, but yet give users options. For those who know me well, you know that I always ask two questions when it comes to MDM:
- What are you trying to do?
- Why are you trying to do it?
Sometimes MDM isn’t the answer. Sometimes MAM (Mobile Application Management) is the answer (see my blog Intune MAM vs MDM: What’s the Difference?). Sometimes managing the apps and device isn’t the answer and you need an Endpoint Data Loss Prevention or Data Protection solution like Windows Information Protection or Azure Information Detection. It just “depends”.
IMPORTANT: For enrolling an iOS/iPadOS device into Intune MDM, see my blog article Intune: How to MDM enroll iOS/iPadOS devices
Specifically when it comes to Android, there are several options available that may each be a different solution to the problem you are trying to solve:
Android Enterprise work profile: For personal devices granted permission to access corporate data. Admins can manage work accounts, apps, and data. Personal data on the device is kept separate from work data and admins don’t control personal settings or data. This is useful where a user owns their device (personal device) but wants to access to corporate data/resources – they would manually enroll the device into Intune MDM). This creates a “sandbox” between corporate data and personal data. Here’s a great datasheet on Work Profiles.
Note:By default, enrollment of personally-owned work profile devices is enabled, so no further action is needed. To configure platform restrictions and assign them to specific user groups, go to Enrollment restrictions within Microsoft Endpoint Manager (Intune)
Android Enterprise dedicated: For corporate-owned, single use devices, such as digital signage, ticket printing, or inventory management. Admins lock down the usage of a device for a limited set of apps and web links. It also prevents users from adding other apps or taking other actions on the device. This is perfect for bar code scanners in a warehouse, kiosks, etc.
Android Enterprise fully managed: For corporate-owned, single user devices used exclusively for work and not personal use. Admins can manage the entire device and enforce policy controls unavailable to work profiles. This is useful where the organization issues a device to the end user, and the organization MDM manages the entire device – there is no “sandbox” between personal and work data like there is in the work profile above.
Note: In this blog I will cover Android Enterprise Work Profile using Microsoft Intune (aka Microsoft Endpoint Manager) Mobile Device Management (MDM). I will cover the other methods in future blogs.
Learn about Android Enterprise
Before we go further, I strongly suggest pausing and learn more about Android Enterprise. Just like Apple’s Device Enrollment Program and supervision capabilities, Android Enterprise allows for some amazing features and benefits (including Zero Touch deployment)
IMPORTANT: Android Enterprise comes with many devices built-in and does not cost extra, review this page to see which devices are supported.
Set up Android Enrollment in Intune (Microsoft Endpoint Manager)
From within Microsoft Endpoint Manager (Intune) at https://endpoint.microsoft.com. Click on Devices and browse Enroll Devices -> Android Enrollment. From here, clilck on Managed Google Play under Prerequisites
Next, you will need to connect your managed Google Play account to manage Android enterprise devices. Follow the instructions on the screen (I have already done this in my lab, and simply created a new Google account for this purpose). For more information on this see:
MDM Enroll the Android Device using Company Portal
- Launch the Google Play Store and download the Intune Company Portal app
2. Launch the Intune Company Portal app from the application screen
3. Tap Sign In
4. Login with your Azure Active Directory Credentials
5. On Contoso (insert your organization name here) Access Setup review the instructions on the screen and tap Begin
6. On Contoso cares about your privacy screen review what the organization can see on your device, and not see and tap Continue
7. On Let’s set up your work profile tap Accept & continue
8. The device and Intune will start to set up the work profile
9. On Contoso Access Setup tap Continue
10. At this point, on the You’re all set! screen, the device is now enrolled into Intune MDM and a work profile has been created. Tap Done
11. From within the Company Portal app tap the Devices tab to view all your devices under management of Intune MDM:
12. Tapping on the Apps tab will show any apps that have been published to Intune (e.g. Line of Business apps) that end-users are allowed to install and download.
13. Exit the Intune Company Portal app and return to the home screen. Launch the apps screen. Notice on the apps screen there are now two tabs, Personal and Work.
14. Tapping on the Work tab you will notice only the work apps that were pushed from Intune. Android Enterprise Work Profiles creates a “sandbox” and separates work data from personal data.
Here is a PowerPoint or “Click Thru” deck of these screenshots, feel free to download and reuse.