How to start with Android Enterprise work profiles in Microsoft Intune

Later this year with the introduction of Android 10, Google will stop the support of Android Device Admin on this new Android OS. This means we can no longer use the traditional way of managing Android devices when you purchase new Android devices or upgrade your existing devices to Android 10. For Android 10 we need to use Android Enterprise to start managing our Android devices.
With Microsoft Intune we have three Android Enterprise deployment scenarios; Work Profile (BYOD), Dedicated (Corporate owned kiosk devices) and Fully managed (Corporate owned).

In this blog post I will show how to get started with Android Enterprise Work Profile using Intune. We start with connecting Intune with Android Enterprise, enabling Android Enterprise in Intune and creating an Android Enterprise Work Profile. When these steps are finished we approve some Android applications from the Managed Google Playstore to deploy to the Work profile. And the last step is showing the end-user experience.

Link your Managed Google Play account to Intune

The first thing we need to do is linking a Managed Google Play account which isn`t already used to Intune. Follow the below steps to set this up.

  1. Open the Device Management Portal and click Device enrollment
  2. Click Android enrollment
  3. Click Managed Google Play (Link your managed Google Play account to Intune)
  1. Check I agree
  2. Click Launch Google to connect now

Click Get started

  1. Enter your Business name
  2. Click Next
  1. Fill in the requested information (you can skip this, it`s optional)
  2. Check I have read and agree to the Managed Google Play agreement
  3. Click Confirm

Click Complete Registration

Enable Android Enterprise

The next step is enabling Android Enterprise Work Profile in Microsoft Intune to allow users to use Android Enterprise as enrollment platform.

  1. Click Device enrollmentEnrollment Restrictions
  2. Click Default under Device Type Restrictions
  3. Click PropertiesSelect platforms
  4. Click Block behind Android
  5. Click Allow behind Android work profile
  6. Click OKSave

Create an Android Enterprise Work Profile

The third step is creating and assigning an Android Enterprise Work Profile with Device restrictions.

  1. Click Device ConfigurationCreate profile
  2. Give the configuration a Name
  3. Give the configuration a Description (optional)
  4. Choose Android Enterprise as Platform
  5. Choose Work Profile Only – Device restrictions as Profile type

Pick the required settings on the Work profile settings, Device password, System security and Connectivity tabs. I think you should at least set Copy and paste between work and personal profiles, Add and remove accounts and Screen capture to Block. And set Require Work Profile Password to Require.
But off-course all these settings are up to you.
When finished Click OK twice and click Save.

  1. Click the Assignment tab
  2. Search for the security group you want to assign the configuration to and add it
  3. Click Save

Approve and assign Android applications

The last step in setting-up this configuration is approving and assigning Android applications from the Google Playstore.

  1. In the Device Management portal browse to Apps All Apps
  2. Click Add
  1. Choose Managed Google Play App as App type
  2. Click Select
  • Search for the app
  • Select the app

Click Approve

Click Approve

  1. Select Keep approved when app requests new permissions
  2. Click Done

Click Sync

After a few seconds the sync is finished and the approved app is available in Intune.

Don`t forget to assign the app as required or available to a security group, or all users/ devices.

Repeat these steps for all Android applications you want to deploy to your Android devices.
Always approve/ deploy the Intune Company Portal app as a required app to receive the latest updates.

End-user experience

Now let`s have a look at how the enrollment looks like for the end-user.
Keep in mind below screens might look different, based on Android OS version, device vendor and PIN/ encryption requirements.

Install the Company portal app, open the app and click Sign in.

Sign in with your company e-mail address and password.

You get an overview of the steps which will be taken to setup the device with a Work profile.
Click Begin

You get an privacy overview of the information which can and cannot be seen by the company administrator.
Click Continue.

On most devices you get a Terms screen which you need to accept.
Click Accept & Continue

Every thing is set!
Click Done.

When everything is setup, and you open the apps view (menu) you see it is now separated in to two tabs (print screen from a Nokia device with Android 9). The left tab contains the personal apps and the right tab the work apps. The work apps are shown with a suitcase icon.

On (some) older Android versions a separate Work folder is created. In this work folder all the required business apps are available.

When you open one of the Android apps which are part of the Work profile, you are asked to provide your PIN (if set as required in the Device Configuration profile).

A next step in securing the companies data might me forcing the use of an approved app, like I showed in this post. By using a Compliance Policy and expanding the Access controls in the Condition Access policy with “Require device to be marked as compliant” you can block all the devices which are not managed by the company with Intune.

15 Comments

  1. Hey Peter, I work for a nonprofit, the MS society, and we’re trying to setup Intune. For the life of me I can’t figure out how to ensure that devices enrolled as AE with Work Profiles show up as compliant. I would imagine that my device compliance policy is not correct for this type of enrollment – I’ve tried the minimal setup and requirements and every possible combination that I can think of. Could you provide a sample of how to setup a device compliance policy for this enrollment type?

    The only devices I can get to show up compliant for android are enrolled through the AE Corporate-Owned, Fully Managed User Devices (Preview). But even that required a third party app “Android Device Policy” to scan the QR code -as your incredible article here described: https://www.inthecloud247.com/how-to-start-with-android-enterprise-corporate-owned-fully-managed-user-devices/“.

    Incredibly helpful website, awesome articles! Can’t thank you enough for providing some insight as to how to configure Intune.

    • Hi Nicholas,

      Thank your for the compliments 🙂

      I see I didn`t mention Compliance Policies in this article (need to update the article with it!). To get devices compliant which have a Work Profile, you need to make sure you choose Android Enterprise as Platform and Work Profile as Profile type. Using such a compliance policy should work.

      Regards,

      Peter

  2. Hi Peter,
    The article is very useful. I have one question that can we configure similar type like Work Profiles for IOS devices in Intune. Thanks.

    • Hi M. Ajax Khan,
      No Work Profiles is only available on Android. Not the same as Work profiles, but maybe you can achieve what you want with App Protection Policies.

      Regards,

      Peter

  3. Great article, really useful. We’re having difficulties finding documentation on setting up an android device to have JUST a work profile. We don’t want the device to have any personal data on it at all, just a work controlled policy. Is that even possible to your knowledge?
    Thanks in advance.

    • Hi Dave,

      Is a work profile a requirement?
      Otherwise have a look at Fully Managed. With Fully managed you have control over the Play store; you can block access to the public Play store and only allow access to apps you publish via Intune. Have a look at this article https://www.inthecloud247.com/how-to-start-with-android-enterprise-corporate-owned-fully-managed-user-devices/
      To block personal accounts in for example Outlook, you could use App Config policies combined with the Fully managed option.

      But if you want a combination of a fully managed device with Work profile, that option is not (yet) available with Intune. That management scenario is called COPE, Corporate Owned Personally Enabled. But as the name says, personally enabled. So no idea if that will give you the option to lock everything outside the Work profile container.

      Last option is the Fully managed kiosk scenario, but it is not really meant for personal use.

      Regards,

      Peter

  4. Very good article.
    I have one question, is there any option to wipe work profile remotely, from Azure portal?

    • You need to be in the Intune (Endpoint Manager) section to perform a wipe.
      Under devices, Android find the device from which you want to wipe the work profile. click on the device and on the Overview tab click Retire. This will remove company data (the work profile).

  5. Thanks for this
    Can you configure a Email Profile to use the Outlook app when using the
    Corporate-owned dedicated devices enrollment option?

    • Hi Dan,

      You should give the App Configuration Policy a try. As Device enrollment type choose Managed devices and choose Microsoft Outlook as Targeted app.
      It will give you an overview of what can be configured with Intune for Outlook.

      Regards,

      Peter

  6. Hi brother
    No doubt your article is very useful. But u have a scenario in which I have to setup two situations.
    1. The user when login to intune gets automatically logged in to outlook account.
    2. The user in outlook cannot share the files outside of work profile but can attach files outside work profile in outlook email message.

  7. Hi Peter

    I have a requirement where i need to deploy MDM+MAM for all the company and owned devices and only MAM for personal devices.

    I can deploy MAM for personal devices however not able to find out a way of deploying MDM+MAM for company owned devices.

    Any help would be highly appreciated.

    Regards,
    Bilal Khan

  8. Thanks for all this information. I am having a small issue. I have tried to make apps available but not required. Its been 24 hours and they are not showing up in the google play app in the work profile yet.
    I have tested a few apps. some i made available to enrolled and one available to Available with or without enrollment.
    This has been tested on a Note 8, Galaxy tab s4 and a Fold 3

Leave a Reply

Your email address will not be published.


*