Later this year, with the introduction of Android 10, Google will stop supporting Android Device Admin on that OS version. This means we can no longer use the traditional way of managing Android devices when we purchase new Android devices or upgrade existing devices to Android 10. For Android 10 we need to use Android Enterprise to manage our Android devices.
With Microsoft Intune we have three Android Enterprise deployment scenarios: Work Profile (BYOD), Dedicated (corporate-owned kiosk devices) and Fully managed (corporate-owned).
In this blog post I will show how to get started with Android Enterprise Work Profile using Intune. We start by connecting Intune to Android Enterprise, enabling Android Enterprise in Intune and creating an Android Enterprise Work Profile. When these steps are finished we approve some Android applications from the Managed Google Play store to deploy to the Work profile. The last step shows the end-user experience.
Link your Managed Google Play account to Intune
The first thing we need to do is link a Managed Google Play account that isn't already in use to Intune. Follow the steps below to set this up.
- Open the Device Management Portal and click Device enrollment
- Click Android enrollment
- Click Managed Google Play (Link your managed Google Play account to Intune)
- Check I agree
- Click Launch Google to connect now
- Click Get started
- Enter your Business name
- Click Next
- Fill in the requested information (you can skip this, it's optional)
- Check I have read and agree to the Managed Google Play agreement
- Click Confirm
- Click Complete Registration
Enable Android Enterprise
The next step is enabling Android Enterprise Work Profile in Microsoft Intune, so that users can use Android Enterprise as the enrollment platform.
- Click Device enrollment – Enrollment Restrictions
- Click Default under Device Type Restrictions
- Click Properties – Select platforms
- Click Block behind Android
- Click Allow behind Android work profile
- Click OK – Save
Create an Android Enterprise Work Profile
The third step is creating and assigning an Android Enterprise Work Profile with Device restrictions.
- Click Device Configuration – Create profile
- Give the configuration a Name
- Give the configuration a Description (optional)
- Choose Android Enterprise as Platform
- Choose Work Profile Only – Device restrictions as Profile type
Pick the required settings on the Work profile settings, Device password, System security and Connectivity tabs. I think you should at least set Copy and paste between work and personal profiles, Add and remove accounts and Screen capture to Block, and set Require Work Profile Password to Require.
But of course all these settings are up to you.
When finished, click OK twice and click Save.
- Click the Assignment tab
- Search for the security group you want to assign the configuration to and add it
- Click Save
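The same Work Profile device-restriction profile can be created and audited through the Microsoft Graph API instead of the portal. The script below is an added example and is not code from the blog post or from Microsoft; it models the "Work Profile Only - Device restrictions" profile as the Graph v1.0 resource type androidWorkProfileGeneralDeviceConfiguration and uses that resource's property names for the four settings the post recommends. The sample existing profile and its id are constructed for the example, and post_policy() assumes you already hold a bearer token with the DeviceManagementConfiguration.ReadWrite.All permission; the build and audit functions run offline.

```python
"""Build and audit an Android Enterprise Work Profile device-restriction policy.

Added example, not the blog post's own code. The Graph resource type and
property names come from the Graph v1.0 schema for
androidWorkProfileGeneralDeviceConfiguration; the recommended values are the
ones the post suggests. post_policy() needs a real bearer token and network
access and is not exercised here.
"""
import json
import urllib.request

GRAPH_URL = "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations"

# The settings the post recommends, keyed by Graph property name.
RECOMMENDED = {
    "workProfileBlockCrossProfileCopyPaste": True,  # Copy and paste between work and personal: Block
    "workProfileBlockAddingAccounts": True,         # Add and remove accounts: Block
    "workProfileBlockScreenCapture": True,          # Screen capture: Block
    "workProfileRequirePassword": True,             # Require Work Profile Password: Require
}


def build_work_profile_policy(name, description=""):
    """Return the JSON body for creating the profile via Graph."""
    body = {
        "@odata.type": "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration",
        "displayName": name,
        "description": description,
    }
    body.update(RECOMMENDED)
    return body


def audit_work_profile_policy(policy):
    """Compare an existing profile (as returned by Graph) with the baseline.

    Returns a list of (property, expected, actual) tuples, one per deviation.
    A missing property counts as a deviation: a setting that is absent from
    the profile is 'Not configured' in Intune and enforces nothing.
    """
    findings = []
    for prop, expected in RECOMMENDED.items():
        actual = policy.get(prop)
        if actual != expected:
            findings.append((prop, expected, actual))
    return findings


def post_policy(body, bearer_token):
    """Create the profile in the tenant. Requires a token that carries
    DeviceManagementConfiguration.ReadWrite.All; not run in this example."""
    req = urllib.request.Request(
        GRAPH_URL,
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample of a profile as Graph might return it, where the
# administrator left screen capture unconfigured and allowed adding accounts.
SAMPLE_EXISTING_POLICY = {
    "@odata.type": "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration",
    "id": "00000000-0000-0000-0000-000000000000",  # placeholder id, not a real object
    "displayName": "AE Work Profile - Device restrictions",
    "workProfileBlockCrossProfileCopyPaste": True,
    "workProfileBlockAddingAccounts": False,
    "workProfileRequirePassword": True,
}

if __name__ == "__main__":
    print(json.dumps(build_work_profile_policy("AE Work Profile - Device restrictions"), indent=2))
    for prop, expected, actual in audit_work_profile_policy(SAMPLE_EXISTING_POLICY):
        print(f"{prop}: expected {expected}, found {actual}")
```

Running the script prints the creation body and then two findings for the constructed sample: adding accounts is allowed and screen capture is not configured. The audit treats an absent property as a deviation on purpose, because a profile exported from a tenant only carries the settings an administrator touched, and "Not configured" leaves the Work profile at the Android default.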
Approve and assign Android applications
The last step in setting up this configuration is approving and assigning Android applications from the Managed Google Play store.
- In the Device Management portal click Client apps – Apps
- Click Add
- Choose Managed Google Play as App type
- Click the Managed Google Play (Approve) tab
- Search for the required app and select the app
- Select Keep approved when app requests new permissions
- Click Save
After a few seconds the sync is finished and the approved app is available in Intune.
- To assign an app, click your approved app
- Click the Assignments tab
- Click Add group
- Choose Required as Assignment type
- On the Included tab choose the required group or Yes – Make this app required on all devices
- Click OK twice – click Save
Repeat these steps for all Android applications you want to deploy to your Android devices.
Always approve and deploy the Intune Company Portal app as a required app, so that devices receive the latest updates.
Now let's have a look at what the enrollment looks like for the end-user.
Install the Company portal app, open the app and click Sign in.
Sign in with your company e-mail address and password.
You get an overview of the steps which will be taken to setup the device with a Work profile.
You get an overview of the information which can and cannot be seen by the company administrator.
The device needs to be encrypted. When the device isn't already encrypted, you get the screen below.
You will be redirected to the Settings page to encrypt the device. Depending on the Android OS version and supplier of the device the screen might look different.
Click Encrypt phone.
When encryption of the device is finished a message is shown at the top of the screen. Click the message to continue the setup.
The work-badged Company Portal app will be launched.
The Work profile is created, and the remaining setup steps follow next.
Everything is set!
Depending on the passcode setting set for the Work profile you might get this message to update the Work profile passcode.
When everything is set up and you open the apps view (menu), you see it is now separated into two tabs (screenshot from a Samsung device with Android 9). The left tab contains the personal apps and the right tab the work apps. The work apps are shown with a suitcase icon.
On older Android versions a separate Work folder is created. This work folder contains all the required business apps.
When you open one of the Android apps which are part of the Work profile, you are asked to provide your PIN.
A next step in securing the company's data might be forcing the use of approved apps, as I showed in this post. By using a Compliance Policy and extending the access controls in the Conditional Access policy with "Require device to be marked as compliant", you can block all devices that are not managed by the company with Intune.