How to start with Android Enterprise Corporate owned, fully managed user devices

A few days ago I wrote about setting up Android Enterprise Work profiles. Today I will show how to get started with a second management mode: Corporate owned, fully managed user devices. With this management mode the IT admin takes full control of the device, unlike with Work profiles.
At the moment of writing, Corporate owned, fully managed user devices is a preview in Intune. Not all management scenarios are available yet, so start testing this in your lab, as it isn't business ready yet.
Since the first preview these scenarios have been available:

  • Device enrollment using NFC, token entry, QR Code and Zero Touch
  • Device configuration for user groups
  • App distribution and configuration for user groups

In the second preview the Intune team added a few new options:

  • Updated onboarding flow for key required policies
  • Added Device Owner compliance policies
  • Built conditional access workflows
  • Added device group targeting
  • Released a new end user app called ‘Microsoft Intune’ into the Play store as the app to be used on fully managed devices
  • Enabled support for access to the full Play store
  • Introduced Knox Mobile Enrollment

To get started with Android Enterprise Corporate owned, fully managed devices, your managed Google Play account needs to be connected to your Intune tenant. If you want to see the steps that need to be taken to connect Intune with Google Play, see my previous blog.

Enable Corporate owned devices

When the connection between Intune and Google Play is set up, the next step is to enable Corporate owned devices.

  1. Open the Device Management Portal and click Device Enrollment
  2. Click Android enrollment
  3. Click Corporate owned, fully managed user devices (Preview)
  4. Set Allow users to enroll corporate-owned devices to Yes

An enrollment token will be created. During enrollment this token is needed to let your users scan the code and enroll their device.

Create a device restrictions profile

The second step is creating a device restrictions profile for Device owner only.

  1. Click Device configuration – Profiles
  2. Click Create profile
  3. Give the configuration a Name
  4. Give the configuration a Description (Optional)
  5. Choose Android Enterprise as Platform
  6. Choose Device Owner Only – Device restrictions as Profile type

Pick the right settings for your environment on all the configuration tabs. For my test I only blocked Factory reset.
A new tab since the second preview is the Applications tab. On this tab you can choose to allow access to all the apps in the Google Play store.
When you have finished the settings, click OK twice and click Create.

  1. Click the Assignments tab
  2. Search for your security group and add it
  3. Click Save

Create a Device Owner Compliance policy

Since the second preview of Corporate owned, fully managed user devices the Device Owner Compliance policy option is available. So from now on we can create a compliance policy and use that for example in a Conditional Access policy to allow or block access to company data.
To create a compliance policy, follow the steps below.

  1. Click Device Compliance – Policies
  2. Click Create Policy
  3. Give the compliance policy a Name
  4. Give the policy a Description (optional)
  5. Choose Android Enterprise as Platform
  6. Choose Device Owner as Profile Type
  7. Click the Settings tab – Device properties tab to configure device requirements like minimum OS version
  8. Click OK

On the System security tab you set requirements like Require a password and the password type.
Click OK twice and Create when finished.


  1. Click the Assignments tab
  2. Search for the security group of choice and select the group
  3. Click Save to assign the compliance policy
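To make the effect of the compliance settings above concrete, here is an added example (not code from the post or from Intune) that evaluates a Device Owner compliance policy with a minimum OS version, a required password and a password type against constructed device reports. The policy/device field names and the password-type strength ordering are assumptions for the illustration.

```python
from dataclasses import dataclass

# Assumed ordering of Intune password types from weakest to strongest;
# "none" means the device has no PIN or password set.
PASSWORD_STRENGTH = {"none": 0, "numeric": 1, "numericComplex": 2,
                     "alphabetic": 3, "alphanumeric": 4}


def version_tuple(version: str) -> tuple:
    """Turn an Android version string ("8.1.0", "10") into a comparable tuple.
    Missing components count as zero, so "9" compares equal to "9.0.0"."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


@dataclass
class DeviceOwnerPolicy:          # hypothetical model of the portal settings
    os_minimum_version: str = "8.0"
    password_required: bool = True
    password_type: str = "numericComplex"


@dataclass
class DeviceReport:               # hypothetical per-device check-in data
    name: str
    os_version: str
    password_type: str


def evaluate(policy: DeviceOwnerPolicy, device: DeviceReport) -> dict:
    """Return rule name -> pass/fail, mirroring the per-setting view in the portal."""
    return {
        "minimum OS version":
            version_tuple(device.os_version) >= version_tuple(policy.os_minimum_version),
        "require a password":
            (not policy.password_required) or device.password_type != "none",
        "password type":
            PASSWORD_STRENGTH[device.password_type] >= PASSWORD_STRENGTH[policy.password_type],
    }


def is_compliant(policy: DeviceOwnerPolicy, device: DeviceReport) -> bool:
    """A device is compliant only when every configured rule passes; a
    non-compliant device is what a Conditional Access policy would block."""
    return all(evaluate(policy, device).values())


def failed_rules(policy: DeviceOwnerPolicy, device: DeviceReport) -> list:
    return [rule for rule, ok in evaluate(policy, device).items() if not ok]


if __name__ == "__main__":
    policy = DeviceOwnerPolicy()
    for dev in (DeviceReport("lab-moto", "9", "numericComplex"),      # constructed
                DeviceReport("old-phone", "7.1.2", "numeric")):       # constructed
        print(dev.name, "compliant" if is_compliant(policy, dev) else failed_rules(policy, dev))
```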

Approve and assign Android applications

The next step in this configuration is approving and assigning Android applications from the Managed Google Play store.

  1. In the Device Management Portal click Client apps – Apps
  2. Click Add
  3. Choose Managed Google Play as App type
  4. Click the Managed Google Play (Approve) tab
  5. Search for the required app and click the app
  6. Click Approve
  7. Click Approve again
  8. Click Keep approved when app requests new permissions
  9. Click Save
  10. Click OK
  11. Click Sync

After a few seconds the approved apps are available in Intune.

  1. To assign the approved app, click the app
  2. Click the Assignments tab
  3. Click Add group
  4. Select Required as Assignment type
  5. On the Include tab search for the security group you want to assign the policy to and select the group
  6. Click OK twice – click Save

Repeat these steps for all Android applications you want to deploy to your managed devices.

End-user Experience

Now let's have a look at the end-user experience. For this test using the QR code scanner, you need an Android device with Android 7 or higher.
Some of the screens below might look different from what you will see, or you will see some extra screens. That depends on the Android OS version and the supplier. For example, I had to accept some terms and conditions from Motorola on my test device.

After starting your Android device, tap 7 times on a white space on the screen. This starts the QR code setup, which requires you to connect to a Wi-Fi network. After connecting to a Wi-Fi network, the QR Code Reader will be installed.

When the installation of the QR Code Reader is finished, scan the QR Code which we have in the Device Management Portal. This will start the device enrollment.
Click Encrypt.

You will be redirected to the settings to encrypt your device. Depending on the Android OS version and supplier of the device, the screen might look different.
Click Encrypt phone.

Read the information and click OK.

After encryption is finished, the setup is continued.

Google Play services are downloaded

Accept the Chrome Terms of service and Privacy notice by clicking Accept & Continue.

Sign in with your corporate credentials.

Setting up device

Registering device

Click SET to set the required PIN

When the PIN is set, the next step is to install work apps.
Click Install.

The applications assigned as required are installed, as well as the (new) Microsoft Intune and Microsoft Authenticator apps. The Authenticator app is installed to support Conditional Access policies and the Intune app to support Compliance policies.
In my testing, the apps I marked as required, but which this screen shows as additional, were installed during this phase of enrollment.

When the app installation is finished, the device is enrolled.
Click Done.

You are now logged on to the Android device.
We can see all the applications assigned as required are installed.

Installation of those applications is done without the need of a (personal) Google Play account.

If we open the settings, we can see Factory reset is not available as set in the Device Restrictions policy.

When we open the Microsoft Intune app and sign in, it allows us to register the device by clicking Continue.

When registration is finished, click Continue to open the Intune app.

At this moment the Intune app only shows some device information like device name, model and compliance status.

Applying Intune policies is handled by the Device Policy app, which is installed by default but, since recently, is no longer shown among the apps. You can open the app from the Play Store or via Settings, Google, Device Policy.
When you open the app you can perform a manual sync and see an overview of (some of the) applied settings and installed apps.

NB: Keep in mind Android Enterprise – Corporate owned, fully managed user devices is in preview at the moment of writing.
The end-user experience during enrollment is already different from what I saw a few weeks ago.
There is a known issue with the compliance policy in combination with the Intune app: the device is not marked as compliant.
And the App configuration Policy might show as pending in the portal even if the policy is actually applied successfully.


7 Comments

  1. Thanks for this article, it is really helpful. I have some questions still. At which part do you as an admin hand over the device to the end-user? Is it before entering the Microsoft Account? Can a device be turned off and on again and proceed with that step? Also, are there any options to enroll the device on behalf of an end-user (that doesn’t require you having the password)? Thanks in advance!

    • Hi Cheeko,
      I think that depends on your environment and the kind of service you want to provide to your end-users. It's not a solution like Apple DEP, you don't register the device as corporate owned before handing it over to the user. There are a lot of steps to be taken by the user and yes, you can reset the device during setup. Even during the new on-boarding flow you can reset the device.
      So I think you hand over the device as soon as the user is logged on to the device.
      But if you have a CA policy in place which requires a managed/compliant device to access corp data, your users have no other option than enrolling the device, and maybe you can hand over the device to some handy users to enroll themselves.
      Another option is creating a Zero Touch auto provisioning deployment. Not yet available in the Intune portal, but available through the Zero Touch portal of Google. Haven't tried that option myself. That seems more like a solution like DEP: purchase devices at a zero-touch reseller, assign the device to the user and when turned on enrollment begins. Have a look at this page https://www.android.com/enterprise/management/zero-touch/

  2. I was able to log in to the Microsoft Intune app. But as soon as I opened Outlook, it said I needed the Company Portal to access it. Under All Devices in Intune, I had one entry for name_AndroidEnterprise_date. After installing the Company Portal, that disappeared and I just had the name_Android_date and Not Compliant. Although the device is in the Device Security Group, the compliance policy associated with it has not attached itself.

    • Hi Bill,
      Yes, I'm now able to sign in to the Intune app and register the device successfully.
      I don't have the issue with Outlook. Have you assigned App Protection Policies? I haven't, because those are not supported at this moment. Maybe the AP Policy is causing your issue.

  3. Hi Peter, we managed to set up a working device compliance and configuration policy.
    The only problem is that we can't register the device with the Intune app when all "User and account" settings are set to "block". Did you test these settings as well? All other settings seem to work well. Do you use Samsung Knox to enroll your Android devices?
    Looking forward to a reply!

    • Hi Roy,
      No, I haven't tested this with these settings, but let me give it a try and get back to you.
      No, I'm not using KME, it's just a lab environment. I used the QR code to enroll the device.

      • Hi Roy,
        I can confirm that when applying these three 'Users and accounts' settings, I'm not able to register the device using the Intune app. It gives me an error: This change isn't allowed by your administrator.
