Since last year Microsoft Intune supports Android Enterprise corporate-owned devices with a work profile, also known as Corporate-owned, personally enabled (COPE) devices (at the moment of writing still in preview in Intune). This is the equivalent of the personally owned devices with work profile for the BYOD scenario, but this management option is for corporate-owned devices. The full device is managed with Intune, but personal and corporate apps and data are separated.
Android COPE with Intune can be combined with Samsung Knox Mobile Enrollment (KME) for easy deployment of the corporate-owned devices. With Samsung KME, vendors register the purchased Android devices in the Samsung portal. Here the IT admin creates an MDM profile, in this case for Intune, and assigns the profile to the devices. When the user starts the device out of the box, it checks in to the Samsung services, receives the settings to enroll the device in the MDM, and starts an easy enrollment process.
In this article, I describe how the configuration is done with Microsoft Intune and Samsung Knox. And we also have a look at the end-experience.
Registration of a device can also be done manually as I described in this previous article.
In this article, I only describe the enrollment part for Android COPE. If you want to read a more in-depth article on COPE, read this article.
Create COPE enrollment profile
For this article, I assume you have already connected your Google Play account with Microsoft Intune.
We first create an Android COPE enrollment profile, to get an enrollment token, which we need later in our Samsung KME enrollment profile.
- Sign-in to the Endpoint Manager admin center
- Browse to Devices – Android
- Browse to Android enrollment
- Click on Corporate-owned devices with work profile
- Click Create profile
- Give the enrollment profile a Name
- Enter a Description(Optional)
- Click Next
- Review the information
- Click Create
Open the Token tab after the profile is created.
The token we find here is needed later when we create the MDM profile in the Samsung portal.
Setup Samsung Knox Mobile Enrollment
To use Samsung Knox Mobile Enrollment we need to create an account, this can be done on this site.
Sign-in to the Samsung Knox portal.
There are several Knox solutions, but we are now interested in Knox Mobile Enrollment.
Click Launch under KME.
- Check I have read and agree…
- Click Submit application
Now the waiting starts to get your account approved. It might take a couple of hours before your account is approved and sometimes it even might takes days.
When registration is finished, sign-in again to the Knox portal. When you launch the KME portal, answer the question to get started.
- Browse to the MDM Profiles tab
- Click Create profile on the right
- Select Android Enterprise as profile type
- Give the enrollment profile a Name
- Give the profile a Description (optional)
- Choose Force Device Owner enrollment
- Pick Microsoft Intune as MDM provider
- The MDM Agent APK URL is pre-filled
- Click Continue
- Enter this custom JSON
{"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN":"Enter Intune enrollment token string"}Replace Enter Intune enrollment token string with the token from the Android COPE profile as created in Intune.
- Make your choice for the System applications
- Enter the Company Name
- Click Create
If you want your vendor (reseller) to register your Samsung devices in Knox, this can be done on the Reseller tab.
When you register a reseller, you can also assign a default profile to these registered devices.
Everything is in-place to start our first enrollment.
End-user experience
Enrollment with Samsung Knox Mobile Enrollment is done out of the box or after a factory reset. As soon as an internet connection is detected, the Knox Enrollment Service is updated.
Click Accept & Continue.
The enrollment is started.
The user is informed the device isn’t private.
Click Next.
A Work profile is created.
Click Done.
Enter your username and password for authentication.
Setting up device….
The following screens might differ, based on (compliance) settings applied to the device.
First, we need to set a screen lock.
Click Set up.
Enter a PIN code as screen lock.
Next, we need to enable secure startup for device encryption.
Click Start.
Select Secure startup.
Select Require PIN when device turns on.
Click Apply.
Next, the work apps are installed.
Click Install.
When the apps are installed, click Next.
Time to register the device.
Click Set up.
Click Sign in.
Enter your password and click Sign in.
Click Register.
Click Done.
To set up the personal section of the device, for example to install apps, you’re asked to provide a personal (Gmail) account.
Click Next.
Provide your account details, create a personal account or skip adding a personal account.
The enrollment is finished!
We have a personal section on the device, with personal apps and data.
And we have a work section, with our work apps and data.
In the Work section, we find the Intune app. Here you find your device, with compliance state.
That’s it for this post. Thanks for reading!
Super blog, have implemented it exactly the same with me. But I noticed that the device is displayed in Intune as Fully Managed and not as COPE device. Although there is not even a profile / token for Fully Managed. Do you have any ideas?
Hi Alex,
That’s not my experience.
As you can see in my previous article related to COPE it shows as “Android (corporate-owned work profile)”.
The article is found here https://www.inthecloud247.com/how-to-configure-android-corporate-owned-personally-enabled-user-devices-with-microsoft-intune/
Are you sure you took the right token for enrollment which you added to the enrollment profile and assigned to the right MDM Profile in the KME portal?
Yes I am absolutely sure. What I found is the part in the following article:
https://docs.samsungknox.com/admin/knox-mobile-enrollment/create-profiles.htm#Configur
If I understand it correctly:
“Force Device Owner Enrollment” sets the device as Fully Managed.
And “Let MDM choose to enroll as a Device Owner or Profile Owner” would enroll the device as COPE if supported. Do you see it the same way?
I’m not completely sure what this setting exactly does. But I’ve set it to “Force Device Owner Enrollment” and that works fine for me.
Hi Alex,
you are right. We experienced the same! COPE in Intune is broken at the moment. For us the only way is Samsung Knox Portal + COPE Token and then skip private Gmail account in the setup assistent.
Hi all, I was testing the same thing today and found this tutorial because I was getting a fully managed enrollment every time. I did 2 things different from this tutorial.
1. I selected “Let MDM choose to enroll as a Device Owner or Profile Owner”. After this it immediately enrolled to COPE.
2. I selected “Disable system applications” because I noticed that this settings applies to the “Work” section and not the “private” section and I don’t need the system apps there as well.
Thanks for posting this, well documented!
There is documentation somewhere that tells you if it is Android 10+ and has the option to use Profile owner, it will. Otherwise it will default to Device Owner which is the old school way of doing things. So Bart is correct, change that setting.
Note, I have also encountered that using a PO profile you aren’t technically supported to push Outlook app config, just app protection policies. Very disappointing. I seem to recall Airwatch, ahem, VMware, telling me the same thing in their platform ~1 year go, but I’m not convinced.
COULD ANYBODY HELP ME WITH MY (RELATED) ISSUE PLEASE?
-I am working with the Galaxy S20FE device for about 2 years
-09/22 would have installed MS Intune work profile (mod) for company owned Android Enterprise (COPE) for device management
Unified Endpoint Management solution (it can be Knox Mobile Management, Intune or Mobile Iron) must instruct the device to start using that mode and can provide to the device configs and apps over Android API system.
Example of policy which can be delivered by UEM is Network Config.
-and from this point on, my device’s Wi-Fi module starts automatically/ spontaneously (irregularly):
-IT department on trial removed the “corporatemobile” wifi connection on Android, and the automatic connection disappeared
-by trial/error I have come to the conclusion that the connection problem is generated by the MS Intune environment – can you please help me where to change the MS Intune settings ?