How to start with Android Enterprise Corporate owned, fully managed user devices in Microsoft Intune

A few days ago I wrote about setting up Android Enterprise Work profiles. Today I will show how to get started with a second management mode: Corporate owned, fully managed user devices. With this management mode the IT admin takes full control of the device, unlike with Work profiles.
At the moment of writing, Corporate owned, fully managed user devices is in preview in Intune. Not all management scenarios are available yet, so test this in your lab first, as it isn't ready for business use yet.
Since the first preview these scenarios are available:

  • Device enrollment using NFC, token entry, QR Code and Zero Touch
  • Device configuration for user groups
  • App distribution and configuration for user groups

In the second preview the Intune team added a few new options:

  • Updated onboarding flow for key required policies
  • Added Device Owner compliance policies
  • Built conditional access workflows
  • Added device group targeting
  • Released a new end user app called ‘Microsoft Intune’ into the Play store as the app to be used on fully managed devices
  • Enabled support for access to the full Play store
  • Introduced Knox Mobile Enrollment

To get started with Android Enterprise Corporate owned, fully managed devices, your managed Google Play account needs to be connected to your Intune tenant. If you want to see the steps that need to be taken to connect Intune with Google Play, see my previous blog.

Enable Corporate owned devices

When the connection between Intune and Google Play is set up, the next thing we need to do is enable Corporate owned devices.

  1. Open the Device Management Portal and click Device Enrollment
  2. Click Android enrollment
  3. Click Corporate owned, fully managed user devices (Preview)

Set Allow users to enroll corporate-owned devices to Yes.

An enrollment token will be created. During enrollment, your users scan the QR code for this token to enroll their device.
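The QR code that Intune generates for this token is a JSON object carrying the standard Android provisioning extras (the `android.app.extra.PROVISIONING_*` keys defined by the Android platform): which device policy controller (DPC) to download, the checksum of its signing certificate, where to fetch it, and an extras bundle with the enrollment token. The script below is an added example, not code from the post or from Microsoft; it parses such a payload and reports the checks a defender would want before handing devices out (all required extras present, HTTPS download location, a well-formed 32-byte certificate checksum, a token present). The sample payload is constructed for this example; the DPC component name and the token key used by Android Device Policy (`com.google.android.apps.work.clouddpc...`) are my assumptions, and the checksum and token values are placeholders.

```python
"""Added example: sanity-check an Android Enterprise QR provisioning payload.

The sample payload is constructed here; the real one comes from Intune and
carries a tenant-specific enrollment token.
"""
import base64
import binascii
import json
from urllib.parse import urlparse

# Keys defined by the Android platform (DevicePolicyManager constants).
KEY_COMPONENT = "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
KEY_CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM"
KEY_DOWNLOAD = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
KEY_EXTRAS = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
# Token key used by Android Device Policy (assumed for this example).
KEY_TOKEN = "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN"

# Constructed sample payload: checksum and token are placeholders, not real values.
_sample = {
    KEY_COMPONENT: "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
    KEY_CHECKSUM: base64.urlsafe_b64encode(b"\x11" * 32).decode().rstrip("="),
    KEY_DOWNLOAD: "https://play.google.com/managed/downloadManagingApp?identifier=setup",
    KEY_EXTRAS: {KEY_TOKEN: "EXAMPLE-TOKEN-PLACEHOLDER"},
}
SAMPLE_QR_JSON = json.dumps(_sample)
# Same payload with a plain-http download location, to show the failing case.
SAMPLE_QR_JSON_HTTP = json.dumps({**_sample, KEY_DOWNLOAD: "http://example.invalid/dpc.apk"})


def parse_provisioning_qr(payload: str) -> dict:
    """Parse the QR JSON and return {"ok", "problems", "component", "token"}."""
    try:
        data = json.loads(payload)
    except json.JSONDecodeError as exc:
        return {"ok": False, "problems": [f"not valid JSON: {exc}"],
                "component": None, "token": None}

    problems = []
    for key in (KEY_COMPONENT, KEY_CHECKSUM, KEY_DOWNLOAD):
        if key not in data:
            problems.append(f"missing required extra {key}")

    component = data.get(KEY_COMPONENT)
    if component and "/" not in component:
        problems.append("component name must be package/receiver")

    # The checksum is the url-safe base64 SHA-256 of the DPC signing certificate,
    # so it must decode to exactly 32 bytes.
    checksum = data.get(KEY_CHECKSUM)
    if checksum is not None:
        try:
            raw = base64.urlsafe_b64decode(checksum + "=" * (-len(checksum) % 4))
            if len(raw) != 32:
                problems.append("signature checksum is not 32 bytes")
        except (ValueError, binascii.Error):
            problems.append("signature checksum is not url-safe base64")

    # The DPC is downloaded during setup; only accept a TLS-protected location.
    download = data.get(KEY_DOWNLOAD)
    if download is not None and urlparse(download).scheme != "https":
        problems.append("DPC download location is not https")

    extras = data.get(KEY_EXTRAS) or {}
    token = extras.get(KEY_TOKEN) if isinstance(extras, dict) else None
    if not token:
        problems.append("no enrollment token in admin extras bundle")

    return {"ok": not problems, "problems": problems, "component": component, "token": token}


if __name__ == "__main__":
    for name, payload in (("sample", SAMPLE_QR_JSON), ("http-sample", SAMPLE_QR_JSON_HTTP)):
        print(name, parse_provisioning_qr(payload))
```

The checksum check matters because it is what ties the device to the genuine DPC: a device only installs a downloaded DPC whose signing certificate matches this value, so a payload with a malformed or missing checksum should never be printed and distributed.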

Create a device restrictions profile

The second step is creating a device restrictions profile for Device owner only.

  1. Click Device configuration – Profiles
  2. Click Create profile
  3. Give the configuration a Name
  4. Give the configuration a Description (Optional)
  5. Choose Android Enterprise as Platform
  6. Choose Device Owner Only – Device restrictions as Profile type

Pick the right settings for your environment on all the configuration tabs. For my test I only blocked Factory reset.
A new tab since the second preview is the Applications tab. On this tab you can choose to allow access to all the apps in the Google Play store.
When you have finished configuring the settings, click OK twice and click Create.

  1. Click the Assignments tab
  2. Search for your security group and add it
  3. Click Save

Create a Device Owner Compliance policy

Since the second preview of Corporate owned, fully managed user devices, the Device Owner Compliance policy option is available. So from now on we can create a compliance policy and use it, for example, in a Conditional Access policy to allow or block access to company data.
To create a compliance policy, follow the steps below.

  1. Click Device Compliance – Policies
  2. Click Create Policy
  3. Give the compliance policy a Name
  4. Give the policy a Description (optional)
  5. Choose Android Enterprise as Platform
  6. Choose Device Owner as Profile Type
  7. Click the Settings tab – Device properties tab to configure device requirements like minimum OS versions
  8. Click OK

On the System security tab you set requirements like Require a password and the password type.
Click OK twice and Create when finished.

  1. Click the Assignments tab
  2. Search for the security group of choice and select the group
  3. Click Save to assign the compliance policy
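Both policies above (the Device Owner device restrictions profile that blocks factory reset, and the Device Owner compliance policy with a minimum OS version and a required password) can also be created and assigned through Microsoft Graph instead of clicking through the portal, which is useful when you rebuild a lab tenant often. The script below is an added example, not code from the post or from Microsoft. It assumes you already hold an access token with the Intune configuration permission (`DeviceManagementConfiguration.ReadWrite.All`), and the `@odata.type` values and property names are the beta ones as I know them (`androidDeviceOwnerGeneralDeviceConfiguration`, `androidDeviceOwnerCompliancePolicy`, `factoryResetBlocked`, `osMinimumVersion`, `passwordRequired`); check them against the Graph reference for your tenant before relying on them. The policy names, the `7.0` minimum version and the group id are sample values.

```python
"""Added example: create and assign the two Device Owner policies via Graph beta.

Assumptions (not from the post): a bearer token is obtained elsewhere, and the
property names below match the Graph beta schema; verify against the reference.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/beta"


def device_restrictions_body(name: str, description: str = "") -> dict:
    """Device Owner only - Device restrictions profile blocking factory reset."""
    return {
        "@odata.type": "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration",
        "displayName": name,
        "description": description,
        "factoryResetBlocked": True,  # the one setting the post configures
    }


def compliance_policy_body(name: str, os_minimum: str, description: str = "") -> dict:
    """Device Owner compliance policy: minimum OS version plus a numeric password.

    Graph requires at least one scheduled action on a compliance policy; the
    'block' action with no grace period marks failing devices non-compliant at once.
    """
    return {
        "@odata.type": "#microsoft.graph.androidDeviceOwnerCompliancePolicy",
        "displayName": name,
        "description": description,
        "osMinimumVersion": os_minimum,
        "passwordRequired": True,
        "passwordRequiredType": "numeric",
        "passwordMinimumLength": 6,
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",
            "scheduledActionConfigurations": [{
                "actionType": "block",
                "gracePeriodHours": 0,
                "notificationTemplateId": "",
            }],
        }],
    }


def group_assignment_body(group_id: str) -> dict:
    """Body for the POST .../{id}/assign action: one security group target."""
    return {"assignments": [{
        "target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget",
                   "groupId": group_id},
    }]}


def graph_post(access_token: str, path: str, body: dict) -> dict:
    """POST a JSON body to Graph and return the parsed response (network call)."""
    req = urllib.request.Request(
        f"{GRAPH}{path}",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")


def deploy(access_token: str, group_id: str) -> tuple:
    """Create both policies, assign them to one group, return their ids."""
    profile = graph_post(access_token, "/deviceManagement/deviceConfigurations",
                         device_restrictions_body("AE fully managed - restrictions"))
    graph_post(access_token, f"/deviceManagement/deviceConfigurations/{profile['id']}/assign",
               group_assignment_body(group_id))
    policy = graph_post(access_token, "/deviceManagement/deviceCompliancePolicies",
                        compliance_policy_body("AE fully managed - compliance", "7.0"))
    graph_post(access_token, f"/deviceManagement/deviceCompliancePolicies/{policy['id']}/assign",
               group_assignment_body(group_id))
    return profile["id"], policy["id"]


if __name__ == "__main__":
    import os
    # GRAPH_TOKEN and INTUNE_GROUP_ID are supplied by the operator (sample names).
    print(deploy(os.environ["GRAPH_TOKEN"], os.environ["INTUNE_GROUP_ID"]))
```

Keeping the request bodies in their own functions makes the policy content reviewable (and diffable in version control) separately from the network calls, which is the part you want a second pair of eyes on before it lands on corporate-owned devices.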

Approve and assign Android applications

The next step in this configuration is approving and assigning Android applications from the Managed Google Play store.

  1. In the Device Management Portal click Client apps – Apps
  2. Click Add
  3. Choose Managed Google Play as App type
  4. Click the Managed Google Play (Approve) tab
  5. Search for the required app and click the app

Click Approve

Click Approve

  1. Click Keep approved when app requests new permissions
  2. Click Save

Click OK

Click Sync

After a few seconds the approved apps are available in Intune.

  1. To assign the approved app, click the app
  2. Click the Assignments tab
  3. Click Add group
  4. Select Required as Assignment type
  5. On the Include tab search for the security group you want to assign the policy to and select the group
  6. Click OK twice – click Save

Repeat these steps for all Android applications you want to deploy to your managed devices.

End-user Experience

Now let's have a look at the end-user experience. For this test, using the QR code scanner, you need an Android device with Android 7 or higher.
Some of the screens below might look different from what you will see, or you will see some extra screens. That depends on the Android OS version and supplier. For example, I had to accept some terms and conditions from Motorola on one device, but didn't get such conditions on a Nokia.
Depending on the device and Android version, it will install a QR code reader if one isn't already available on the device by default.

Scan the QR Code which we have in the Device Management Portal. This will start the device enrollment.

The setup of the work device is started.

Accept the Chrome Terms of service and Privacy notice by clicking Accept & Continue.

Sign in with your corporate credentials.

Setting up device

Click INSTALL to start the installation of the assigned apps

Wait until the required apps Microsoft Authenticator and Microsoft Intune are installed. Those apps are installed by default, without the need to assign them manually.
Click Next when the apps are installed.

The next step is to register your device. This is done by signing in to the Microsoft Intune app.
Click START.

Click SIGN IN.

Click NEXT to register the device in Intune.
During my testing I once needed to provide my password to sign in to the app, while another time it was an SSO experience. I expect it will be SSO when this is all out of preview.

Click DONE.

The setup and registration is finished.
Click DONE.

You are now logged on to the Android device.
We can see all the applications assigned as required are installed, or will be installed shortly.

Installation of those applications is done without the need of a (personal) Google Play account.

When we open the Microsoft Intune app, all the devices owned by the user are shown. (After the first sign-in it can take a few minutes, and you might need to refresh the page to see all devices.)

After a refresh, your current device might show a message that you need to update your device settings to gain access to corporate data.
Click Continue.

If some of the device compliance settings are not yet met, the Intune app shows which settings need to be updated before everything is fine and you are allowed to continue. When you click, for example, Resolve below Set a password, the Settings app opens and you're able to set a PIN.

When all the required settings are in place, click Continue; your device is now compliant.

Applying Intune policies is handled by the Device Policy app, which is installed by default but has recently stopped being shown among the apps. You can open the app from the Play Store or via Settings, Google, Device Policy.
When you open the app you can perform a manual sync and see an overview of (some of the) applied settings and installed apps.

If we open the settings, we can see Factory reset is not available, as set in the Device Restrictions policy.

NB: Keep in mind Android Enterprise – Corporate owned, fully managed user devices is in preview at the moment of writing and probably will be until Q4 2019.
The end-user experience during enrollment is already different from what I saw a few weeks ago.
And the App configuration policy might show as pending in the portal even if the policy is actually applied successfully.

Are you also interested in using Android Enterprise combined with Samsung Knox Mobile Enrollment (KME)? Have a look at my article about Samsung KME.


7 Comments

  1. Thanks for this article, it is really helpful. I have some questions still. At which part do you as an admin hand over the device to the end-user? Is it before entering the Microsoft Account? Can a device be turned off and on again and proceed with that step? Also, are there any options to enroll the device on behalf of an end-user (that doesn’t require you having the password)? Thanks in advance!

    • Hi Cheeko,
      I think that depends on your environment and the kind of service you want to provide to your end-users. It's not a solution like Apple DEP; you don't register the device as corporate owned before handing it over to the user. There are a lot of steps to be taken by the user and yes, you can reset the device during setup. Even during the new on-boarding flow you can reset the device.
      So I think you hand over the device as soon as the user is logged on to the device.
      But if you have a CA policy in place which requires a managed/compliant device to access corp data, your users have no other option than enrolling the device, and maybe you can hand over the device to some handy users to enroll themselves.
      Another option is creating a Zero Touch auto provisioning deployment. Not yet available in the Intune portal, but available through the Zero Touch portal of Google. Haven't tried that option myself. That seems more like a solution like DEP: purchase devices at a zero-touch reseller, assign the device to the user and when turned on, enrollment begins. Have a look at this page https://www.android.com/enterprise/management/zero-touch/

  2. I was able to log in to the Microsoft Intune app. But as soon as I opened Outlook, it said I needed the Company Portal to access it. Under All Devices in Intune, I had one entry for name_AndroidEnterprise_date. After installing the Company Portal, that disappeared and just had the name_Android_date and Not Compliant. Although the device is in the Device Security Group, the compliance policy associated with it has not attached itself.

    • Hi Bill,
      Yes, I'm now able to sign in to the Intune app and register the device successfully.
      I don't have the issue with Outlook. Have you assigned App Protection Policies? I haven't, because those are not supported at this moment. Maybe an AP policy is causing your issue.

  3. Hi Peter, We managed to setup a working device compliance and configuration policy.
    The only problem is that we can't register the device with the Intune app when all "User and account" settings are set to "block". Did you test these settings as well? All other settings seem to work well. Do you use Samsung Knox to enroll your Android devices?
    Looking forward to a reply!

    • Hi Roy,
      No, I haven't tested this with these settings, but let me give it a try and get back to you.
      No, I'm not using KME, it's just a lab environment. I used the QR code to enroll the device.

      • Hi Roy,
        I can confirm that when applying these three 'Users and accounts' settings, I'm not able to register the device using the Intune app. It gives me an error: This change isn't allowed by your administrator.
