How to configure Android Corporate owned, personally enabled user devices with Microsoft Intune

Corporate-owned, personally enabled

Last week Microsoft announced the public preview for Android Enterprise corporate-owned devices with a work profile support in Intune, also known as Corporate-owned, personally enabled (COPE) devices.

This is a long-awaited management mode for many customers. It provides the option to manage the Android device itself while also separating personal and corporate data with a work profile container. The work profile itself we already know from personally-owned devices with a work profile.

With this latest update, we now have 4 MDM Management scenarios (in preview) available in Microsoft Intune.

As the device itself is managed, this also provides a zero-touch enrollment, for example with Samsung Knox Mobile Enrollment. This makes the enrollment of a device much simpler for the end-user as it enrolls itself in Intune as soon as the device starts the out-of-the-box experience.

As this management mode has just been released in preview, not all management features are available yet. For a current list of features which are and which are not available, read the announcement blog on Tech Community.

Let's have a look at what the current experience is in setting up the new Corporate-owned, personally enabled management mode in Microsoft Intune as admin, and what the experience is for the end-user.

Create COPE enrollment profile

Assuming you have already connected your Managed Google Play account with Microsoft Intune, the first thing we need to do is create an enrollment profile for Corporate-owned devices with work profile.
This profile stores the enrollment information, such as the enrollment token and a QR code. For manual enrollment the QR code is needed; if you set up Google Zero-Touch or Knox Mobile Enrollment you need the token.

  • Sign-in to the Endpoint Manager admin center
  • Browse to Devices – Android
  • Browse to Android enrollment
  • Click on Corporate-owned devices with work profile
  • Click +Create profile
  • Give the enrollment profile a Name
  • Enter a Description (Optional)
  • Click Next
  • Review the information
  • Click Create

The enrollment profile is created. The enrollment token and QR code are found on the Token tab. Depending on how the enrollment is done, one of those is needed later.

Create a dynamic group (optional)

To target policies, apps etc. only to Android COPE devices, one option is to target them to a dynamic security group. In the membership query we can use the enrollment profile name, so only devices enrolled with this profile are added to the group.
A downside of using such a group is that it takes some time before a device is added to the group, and therefore some time before policies are applied or apps are installed.

  • Sign-in to the Azure Active Directory admin center
  • Browse to Groups
  • Click + New Group
  • Choose Security as Group type
  • Enter a Group name
  • Enter a Group description (Optional)
  • Choose Dynamic device as Membership type
  • Click Add dynamic query
  • Choose enrollmentProfileName as Property
  • Choose Equals as Operator
  • Enter the enrollment profile name as Value
  • Click Save – Click Create

The dynamic security group is created. Devices enrolled via this enrollment profile are automatically added to this group.
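The same dynamic group can be created without clicking through the portal. The script below is an added example and not part of the original post; it uses the Microsoft Graph PowerShell SDK (New-MgGroup, Get-MgGroupMember) and assumes the SDK is installed and that the signed-in account may create groups. The enrollment profile name "Android COPE" and the device name "NOKIA-TEST-01" are placeholders; the membership rule must match the name of the Intune enrollment profile exactly. The polling helper at the end only exists to make the delay mentioned above visible: dynamic membership is evaluated asynchronously, so a freshly enrolled device is not in the group right away.

```powershell
# Added example (not from the original post): create the dynamic device group for
# Android COPE devices with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; the signed-in account can create groups.

Connect-MgGraph -Scopes "Group.ReadWrite.All", "Device.Read.All"

# Placeholder: must match the name of the Intune enrollment profile exactly.
$enrollmentProfileName = "Android COPE"

# Membership rule: only devices enrolled through that specific enrollment profile.
# Filtering on device.deviceOSType -eq "AndroidEnterprise" is not enough, because
# fully managed devices report the same OS type and would end up in the group too.
$rule = '(device.enrollmentProfileName -eq "{0}")' -f $enrollmentProfileName

$group = New-MgGroup -DisplayName "Intune - Android COPE devices" `
    -Description "Dynamic group of Android corporate-owned devices with work profile" `
    -MailEnabled:$false `
    -MailNickname "intune-android-cope" `
    -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

"Created group $($group.DisplayName) ($($group.Id)) with rule $rule"

# Dynamic membership is processed asynchronously. Poll until the device shows up
# (or the timeout passes) so you know when assigned policies can start to apply.
function Wait-ForDeviceInGroup {
    param(
        [Parameter(Mandatory)] [string] $GroupId,
        [Parameter(Mandatory)] [string] $DeviceDisplayName,
        [int] $TimeoutMinutes = 30
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        # Members are returned as directoryObject; displayName lives in AdditionalProperties.
        $members = Get-MgGroupMember -GroupId $GroupId -All
        $hit = $members | Where-Object { $_.AdditionalProperties.displayName -eq $DeviceDisplayName }
        if ($hit) {
            "Device '$DeviceDisplayName' is now a member of the group."
            return $true
        }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    "Device '$DeviceDisplayName' did not appear within $TimeoutMinutes minutes."
    return $false
}

# Usage with a placeholder device name, after the device has enrolled:
# Wait-ForDeviceInGroup -GroupId $group.Id -DeviceDisplayName "NOKIA-TEST-01"
```

Because the rule keys on the enrollment profile name, renaming the profile in Intune later silently empties the group; keep the two in sync or treat the profile name as fixed.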

Create a Device restrictions profile

To apply some restrictions to the device and the work profile, we need to create a Device restrictions profile. The restrictions I set in this example relate to the work profile, the device password and the Google Play store.
I want to block taking screen captures in the work profile and set a minimum password length of 8. I want to allow access to the public Play store on the personal part of the device, but restrict the Play store in the work profile to only the work apps I make available.

  • Switch to the Endpoint Manager admin center
  • Browse to Devices – Android
  • On the Configuration profile tab click + Create profile
  • Choose Android Enterprise as Platform
  • Choose Device restrictions under Fully Managed, Dedicated….
  • Click Create
  • Give the profile a Name
  • Enter a Description (Optional)
  • Click Next

The settings I set in this profile are just for testing and pretty basic. Choose your own settings that you need in your environment.

  • Open General
  • Set Block at Screen capture (work-profile level)
  • At Default permissions choose Auto grant from the drop-down list
  • Open Password
  • Set Minimum password length to 8
  • Open User and accounts
  • Set Personal Google accounts to Block
  • Open Applications
  • Make sure Allow access to all apps in Google Play store is set to Not configured

When all settings are in place, assign the profile to the previously created security group.

Create a Compliance policy

To make sure our devices are secure and the required (security) settings are in place, we use compliance policies.
The settings we configure here are checked at the device level and are the same settings that are available for Fully managed devices. This might change later during preview or when COPE is Generally Available.

  • Browse to Devices – Android
  • On the Compliance policies tab choose +Create policy
  • Choose Android Enterprise as Platform
  • Choose Fully managed, dedicated, and corporate-owned work profile as Policy type
  • Click Create
  • Give the policy a Name
  • Enter a Description (Optional)
  • Click Next
  • Enter all the compliance settings of choice
  • When finished click Next

When all settings are in place, assign the policy to the previously created security group.

Applications are deployed as we are used to for Android Enterprise, as Managed Google Play Store apps. The apps we deploy as required or as available are installed in the work profile container and not in the personal part of the device.

End-user experience

In the end-user experience part of this post, I first show how enrollment is done by scanning the QR code. The enrollment looks very similar to the enrollment of a Fully Managed device using a QR code. The device is first prepared for enrollment; when that is finished you need to authenticate, and then the Intune enrollment experience starts.

After that we have a look what the end-result is when the enrollment is finished.

Enrollment is done with a Nokia running Android 9. Screenshots you see might differ when you use a device from a different vendor and a different Android version. Also, different required settings deployed with a configuration profile or compliance policy might cause a different enrollment experience.

To start the enrollment manually, tap 7 times on the free space of this first screen. This starts the manual enrollment by opening the QR code scanner. Scan the QR code which is found on the Token tab of the enrollment profile we previously created. This QR code can be printed to hand over to your service desk or end-user.

If you use Google Zero-Touch enrollment or Samsung Knox Mobile Enrollment, scanning the QR code is skipped and enrollment should start immediately.

If the device has a network connection, the enrollment is started; otherwise you're asked to connect to a Wi-Fi network.
Click Accept & Continue to accept the terms.

Setting up work device…
The enrollment is started.

Updating device…
The Google Play Store is being updated.

Setting up work profile…

During the setup of your work profile, a few screens are shown with information about the separation of personal and work-related apps.

When this preparation is finished, click Done.


Registering profile…

Click Accept & Continue

A sign in screen is shown to authenticate with your corporate credentials. Enter your username and password.

Setting up device…

Registering profile….
Applying your organization's policies

Setup your work profile.
Click Install

If a policy kicks in at this moment to set a PIN and encrypt the device, that's the first step in this enrollment wizard. During my enrollments these steps were delayed and handled later during enrollment.

The required apps Microsoft Authenticator and Microsoft Intune are installed in the work profile. These apps don't need to be assigned as required by the IT admin; this is done automatically by Intune.
Additional apps that are assigned by the IT admin are installed as well, but the enrollment wizard doesn't wait for these installations to complete.

If a device policy kicks in at this moment, in which you set encryption and a PIN code as requirements, that part of the enrollment is started.

Click Start.

Depending on the requirements, set a PIN and enable secure startup.

The next step is the registration of the device using the Intune app.
Click Start.

The Microsoft Intune app is started.
Click Sign in.

We need to authenticate again.

Click Register.

Signing in…

Registration is finished.
Click Done.

The setup of the device is finished, the device is managed by Intune and a work profile container is created with work-related apps.
Click Done.

Pretty soon after finishing the work-related registration and setup, you're asked to add your personal account.
This is your personal Gmail account, used to access the Google Play store etc. on the personal part of the device.
Click Next.

Enter your Gmail account and password to finish this personal part of the setup.

The setup is now completely finished!
As you can see personal and corporate apps are separated. The corporate apps are stored in a work profile section.

Depending on the device restrictions settings, the Google Play Store in the work profile container only shows apps which are made available via Intune.

Taking a screen capture is restricted in the work profile section as I configured in the device restrictions policy, but allowed on the personal section of the device.

Admin experience

If we take a look at the Endpoint Manager admin center, under Android devices, we see our newly enrolled device. The OS is Android (corporate-owned work profile).

If we take a look at the overview tab of the device we see the ownership is corporate, the serial number, Device manufacturer and Device model.
Here you also find options like Wipe (factory reset) and Remote lock.

The Compliance policy is applied.

The Configuration profile is also successfully applied.

As I have an App Configuration Policy assigned, that one is also applied.

If we take a look at the device in Azure AD, we see the OS is AndroidEnterprise. As this is equal to our Fully Managed devices, we cannot use the OS to only group our COPE devices as the group would contain both Fully managed and COPE devices.

Conclusion

I'm ending this post with a short conclusion, keeping in mind this is a feature in preview.
The enrollment works pretty well. It looks similar to the enrollment process of a Fully Managed device. I noticed that sometimes the enrollment process doesn't end with entering your personal Gmail account. No big deal, as you can enter it for example when you open the Google Play Store for the first time, but it would be nice if the process were always the same.
Another thing I noticed is with the Outlook mobile app. As soon as I configure the app as end-user, a pop-up is shown with a message that I need to install the Company Portal app. If I don't install the app, my account is removed from Outlook. I forgot to exclude my test account from an App Protection Policy, as that isn't supported at this moment. But even after excluding the device from the policy and resetting the device multiple times I still see the pop-up. I enrolled the device in another tenant without an App Protection Policy targeted to my user and I don't see the pop-up. I assume it's indeed related to the App Protection Policy.

That's it for now. As soon as Microsoft releases new features for the Corporate-owned with work profile management mode, I will update the post as soon as possible.

Happy testing 🙂

8 Comments

  1. I had the same thing when configuring an Exchange Online mailbox with the Outlook app. Turned off the app protection policy and now it works. When I use on-premises Exchange it works though. The only downside to that is I don't see phone numbers in the GAL (Global address list).

  2. Hello

    Great guide, but I can’t register my device, the secure part is failing, do you have an idea why?

  3. Hi, great guide indeed, but same issue here: the device is only registered in the dynamic group after I sign in to the Intune portal, which is a few steps too late, so my PIN code is not enforced. What can we do about this?

    • Hi Sven,

      It's known that dynamic groups are slow; if you can avoid using those groups, do it. If you for example only manage personally-owned and corporate-owned devices with work profile, you could assign the profiles to all users/devices. The COPE profile isn't applied on personally-owned devices and vice versa.

  4. Peter, great guide but you kind of skipped the QR code scanning part in the End User Experience chapter of the article.
    Android 11 + QR code scanning = how? No amount of tapping does anything.

    In my experience the Intune COPE QR scanning does not invoke Work Profile setup in any way. This is today, 26.05.2021.
    You can invoke it by typing the (Intune QR- ) URL to the browser manually but how is that 21st century…
    Part Microsoft issue but also part Android issue.
    I do understand the release date of the article.
    BYOD works great with Intune.

    • Android 11 still supports ‘tapping’ on the first OOBE screen to start the QR Scanner and enroll in, for example, COPE. Haven’t seen any issues with that.

  5. Thank you for this very detailed and helpful guide (I initially used “afw#setup” to enroll.

    However, there is one strange problem I can't really get behind: the installation of Intune and Authenticator during enrollment doesn't seem to work whatever I try. Both apps show a red exclamation mark instead of a checkmark, and when I hit "Next" it just says that the device can't be set up and needs to be reset.

  6. Hi Peter,

    Great guide and I just wanted to check something.
    In terms of user experience, it is absolutely fantastic that you can simply send them a device and it will set up two profiles for them, and if we remote wipe it will not affect their personal data etc.
    The question is: if a user has a personal account added to it with personal settings, PIN, password etc. and the user needs to return the device to the company, as we do not know the password to access personal settings, is it essentially now a bricked device, as there is no way we can factory reset it for re-use?

    It is of course completely different for fully-managed devices as we have the powers to do it but not corporate owned personal devices.

    Hope the question makes sense?

    Many thanks in advance,
    Arty
