How to start with Android Enterprise work profiles in Microsoft Intune

Later this year, with the introduction of Android 10, Google will stop supporting Android Device Admin on the new Android OS. This means the traditional way of managing Android devices can no longer be used when you purchase new Android devices or upgrade your existing devices to Android 10. For Android 10 we need to use Android Enterprise to manage our Android devices.
With Microsoft Intune we have three Android Enterprise deployment scenarios: Work Profile (BYOD), Dedicated (corporate-owned kiosk devices) and Fully Managed (corporate-owned).

In this blog post I will show how to get started with Android Enterprise Work Profile using Intune. We start with connecting Intune to Android Enterprise, enabling Android Enterprise in Intune and creating an Android Enterprise Work Profile. When these steps are finished we approve some Android applications from the Managed Google Play store to deploy to the Work profile. The last step shows the end-user experience.

Link your Managed Google Play account to Intune

The first thing we need to do is link Intune to a Managed Google Play account that is not already in use. Follow the steps below to set this up.

  1. Open the Device Management Portal and click Device enrollment
  2. Click Android enrollment
  3. Click Managed Google Play (Link your managed Google Play account to Intune)
  4. Check I agree
  5. Click Launch Google to connect now

Click Get started

  1. Enter your Business name
  2. Click Next
  3. Fill in the requested information (you can skip this, it's optional)
  4. Check I have read and agree to the Managed Google Play agreement
  5. Click Confirm

Click Complete Registration

Enable Android Enterprise

The next step is enabling Android Enterprise Work Profile in Microsoft Intune, so that users are allowed to enroll using the Android Enterprise platform.

  1. Click Device enrollment > Enrollment Restrictions
  2. Click Default under Device Type Restrictions
  3. Click Properties > Select platforms
  4. Click Block behind Android
  5. Click Allow behind Android work profile
  6. Click OK > Save

Create an Android Enterprise Work Profile

The third step is creating and assigning an Android Enterprise Work Profile with Device restrictions.

  1. Click Device Configuration > Create profile
  2. Give the configuration a Name
  3. Give the configuration a Description (optional)
  4. Choose Android Enterprise as Platform
  5. Choose Work Profile Only – Device restrictions as Profile type

Pick the required settings on the Work profile settings, Device password, System security and Connectivity tabs. I think you should at least set Copy and paste between work and personal profiles, Add and remove accounts and Screen capture to Block, and set Require Work Profile Password to Require.
But of course all these settings are up to you.
When finished, click OK twice and click Save.

  1. Click the Assignment tab
  2. Search for the security group you want to assign the configuration to and add it
  3. Click Save
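Once a few of these profiles exist it is easy to lose track of which ones actually enforce the restrictions recommended above and which ones are assigned to nobody. The following PowerShell is an added example, not code from the original post: it reads the Work Profile device restriction profiles through Microsoft Graph and reports, per profile, which of the four recommended settings are not set to Block/Require and how many groups it is assigned to. It assumes the Microsoft.Graph PowerShell module and an account with the DeviceManagementConfiguration.Read.All permission; the property names are those of the Graph androidWorkProfileGeneralDeviceConfiguration resource type.

```powershell
# Added example (not from the original post): audit Android Enterprise work profile
# restriction profiles against the settings recommended above, using the
# Microsoft Graph PowerShell SDK (Invoke-MgGraphRequest).
# Assumes the Microsoft.Graph module is installed and the signed-in account holds
# the DeviceManagementConfiguration.Read.All permission.

Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All" | Out-Null

# The four settings the post recommends, as Graph property names of the
# androidWorkProfileGeneralDeviceConfiguration resource type.
$Baseline = [ordered]@{
    workProfileBlockCrossProfileCopyPaste = $true  # Copy and paste between work and personal profiles: Block
    workProfileBlockAddingAccounts        = $true  # Add and remove accounts: Block
    workProfileBlockScreenCapture         = $true  # Screen capture: Block
    workProfileRequirePassword            = $true  # Require Work Profile Password: Require
}

# Fetch every device configuration profile, following @odata.nextLink paging.
$uri = "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations"
$allProfiles = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $allProfiles += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

# Keep only "Work Profile Only - Device restrictions" profiles.
$workProfiles = $allProfiles | Where-Object {
    $_.'@odata.type' -eq '#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration'
}

$report = foreach ($p in $workProfiles) {
    # A setting that is $false or missing means the restriction is not enforced.
    $gaps = foreach ($name in $Baseline.Keys) {
        if ($p.$name -ne $Baseline[$name]) { $name }
    }
    # A profile assigned to no group enforces nothing at all, however strict it is.
    $assignments = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
        -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($p.id)/assignments"
    [pscustomobject]@{
        Profile         = $p.displayName
        AssignmentCount = @($assignments.value).Count
        MissingSettings = ($gaps -join ', ')
    }
}

$report | Format-Table -AutoSize
```

A profile with an empty MissingSettings column and an AssignmentCount above zero matches the baseline from this post; anything else is worth a second look in the portal.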

Approve and assign Android applications

The last step in setting up this configuration is approving and assigning Android applications from the Managed Google Play store.

  1. In the Device Management portal click Client apps > Apps
  2. Click Add
  3. Choose Managed Google Play as App type
  4. Click the Managed Google Play (Approve) tab
  5. Search for the required app and select the app

Click Approve

Click Approve

  1. Select Keep approved when app requests new permissions
  2. Click Save

Click OK

Click Sync

After a few seconds the sync is finished and the approved app is available in Intune.

  1. To assign an app, click your approved app
  2. Click the Assignments tab
  3. Click Add group
  4. Choose Required as Assignment type
  5. On the Included tab choose the required group or Yes – Make this app required on all devices
  6. Click OK twice, then click Save

Repeat these steps for all Android applications you want to deploy to your Android devices.
Always approve and deploy the Intune Company Portal app as a required app, so that devices receive its latest updates.

End-user experience

Now let's have a look at what enrollment looks like for the end-user.
Install the Company Portal app, open the app and click Sign in.

Sign in with your company e-mail address and password.

You get an overview of the steps that will be taken to set up the device with a Work profile.
Click Continue.

You get an overview of the information which can and cannot be seen by the company administrator.
Click Continue.

Click Next.

The device needs to be encrypted. When the device isn't already encrypted, you get the screen below.
Click Encrypt.

You will be redirected to the Settings page to encrypt the device. Depending on the Android OS version and supplier of the device the screen might look different.
Click Encrypt phone.

When encryption of the device is finished, a message is shown at the top of the screen. Tap the message to continue the setup.

Click Next.

Click OK.

The work-badged Company Portal app will be launched.

The Work profile is created; a few more steps follow.
Click Continue.

Everything is set!
Click Done.

Depending on the passcode settings configured for the Work profile, you might get this message asking you to update the Work profile passcode.

When everything is set up and you open the apps view (menu), you see it is now separated into two tabs (screenshot from a Samsung device with Android 9). The left tab contains the personal apps and the right tab the work apps. The work apps are shown with a briefcase badge.

On older Android versions a separate Work folder is created instead. This folder contains all the required business apps.

When you open one of the Android apps which are part of the Work profile, you are asked to provide your PIN.

A next step in securing the company's data might be forcing the use of managed devices, like I showed in this post. By creating a Compliance Policy and extending the Access controls of the Conditional Access policy with "Require device to be marked as compliant", you can block all devices that are not managed by the company with Intune.

8 Comments

  1. Hey Peter, I work for a nonprofit, the MS Society, and we're trying to set up Intune. For the life of me I can't figure out how to ensure that devices enrolled as AE with Work Profiles show up as compliant. I would imagine that my device compliance policy is not correct for this type of enrollment – I've tried the minimal setup and requirements and every possible combination that I can think of. Could you provide a sample of how to set up a device compliance policy for this enrollment type?

    The only devices I can get to show up compliant for Android are enrolled through the AE Corporate-Owned, Fully Managed User Devices (Preview). But even that required a third-party app, "Android Device Policy", to scan the QR code, as your incredible article here described: https://www.inthecloud247.com/how-to-start-with-android-enterprise-corporate-owned-fully-managed-user-devices/

    Incredibly helpful website, awesome articles! Can't thank you enough for providing some insight into how to configure Intune.

    • Hi Nicholas,

      Thank you for the compliments 🙂

      I see I didn't mention Compliance Policies in this article (need to update the article with it!). To get devices with a Work Profile compliant, you need to make sure you choose Android Enterprise as Platform and Work Profile as Profile type. Using such a compliance policy should work.

      Regards,

      Peter

  2. Hi Peter,
    The article is very useful. I have one question: can we configure something similar to Work Profiles for iOS devices in Intune? Thanks.

    • Hi M. Ajax Khan,
      No, Work Profiles are only available on Android. It is not the same as Work Profiles, but maybe you can achieve what you want with App Protection Policies.

      Regards,

      Peter

  3. Great article, really useful. We're having difficulties finding documentation on setting up an Android device to have JUST a work profile. We don't want the device to have any personal data on it at all, just a work-controlled policy. Is that even possible, to your knowledge?
    Thanks in advance.

    • Hi Dave,

      Is a work profile a requirement?
      Otherwise, have a look at Fully Managed. With Fully Managed you have control over the Play Store; you can block access to the public Play Store and only allow access to apps you publish via Intune. Have a look at this article: https://www.inthecloud247.com/how-to-start-with-android-enterprise-corporate-owned-fully-managed-user-devices/
      To block personal accounts in, for example, Outlook, you could use App Config policies combined with the Fully Managed option.

      But if you want a combination of a fully managed device with a Work profile, that option is not (yet) available with Intune. That management scenario is called COPE, Corporate Owned Personally Enabled. But as the name says, personally enabled. So I have no idea if that will give you the option to lock everything outside the Work profile container.

      The last option is the Fully Managed kiosk scenario, but it is not really meant for personal use.

      Regards,

      Peter

    • You need to be in the Intune (Endpoint Manager) section to perform a wipe.
      Under Devices > Android, find the device from which you want to wipe the work profile. Click on the device and on the Overview tab click Retire. This will remove company data (the work profile).
