The last two blog articles I wrote about Android Enterprise and I showed how to start with Work profiles and Corporate owned fully managed user devices. The third management mode is Corporate owned dedicated devices. This mode is used for dedicated devices which are fully managed, but not assigned to a user. Those devices are used for a single purpose, like ticket printing for example.
To get started with Android Enterprise Corporate owned dedicated devices, your managed Google Play account needs to be connected with your Intune tenant. If you want to see the steps which needs to be taken to connect Intune with Google play, see my previous blog.
In this blog post I will shows the steps to get started with Android Enterprise Corporate owned dedicated devices. The steps involved are creating an enrollment profile, a dynamic security group, a device restrictions policy (optional) and approving and assigning Google Play apps.
Create an enrollment profile
The first configuration step we need to take is creating an enrollment profile. When we create an enrollment profile, a token and QR Code are generated which we need to use to enroll the Android devices in to Intune.
- Open the Device Management Portal and click Device enrollment
- Click Android enrollment
- Click Corporate-owned dedicated devices
Click Create Profile
- Give the profile a Name
- Give the profile a Description (Optional)
- If required change the Token expiration data (Optional)
- Click Create
When the profile is created, click the Token tab. Here you will find the token and QR Code, you need during enrollment.
Create dynamic security group
To assign configuration policies and apps to a group of dedicated Android devices, we can make use of a dynamic security group. We can create a group with group membership based on the enrollment profile name we just created at the previous step. Devices enrolled as corporate owned dedicated device are automatically added to this group en receive the assigned policies and apps.
- Click Azure Active Directory – Groups
- Click New group
- Choose Security as group type
- Give the security group a Name
- Give the group a Description (Optional)
- Choose Dynamic device as Membership type
- Click the Add dynamic query tab
- Choose enrollmentprofilename in the first drop down list below Add device where
- Choose match from the second drop down list
- In the third field enter the enrollment profile name
- Click Add query – click Create
Create a device restrictions policy
Creating and assigning a device restrictions policy is optional when using dedicated Android devices as those devices are already locked down by default. But I want to restrict at least the option to perform a factory reset by using a restriction policy.
- Click Device configuration – Profiles
- click Create profile
- Give the configuration profile a Name
- Give the profile a Description (Optional)
- Choose Android Enterprise as Platform
- Choose Device owner only – Device restrictions as Profile type
Now configure all the settings you want to apply to your dedicated devices. I set Factory reset as Block. Another setting might be for example blocking the camera.
When finished the configuration click OK twice and click Create.
- Click the Assignments tab
- Search for the previously created security group and add it
- Click Save
Approve and assign Android applications
The last step in our configuration is approving and assiging Android applications to our dedicated devices.
- Click Client apps – Apps
- Click Add
- Choose Managed Google Play as App type
- Click the Managed Google Play (Approve) tab
- Search for the required app and click on the app, in the case Microsoft Edge
Click the green Approve button (sorry for the Dutch print screens)
Click Approve
Click Save
Click OK
Click Sync
After a few seconds the approved app is available in the list with apps in Intune.
- Click the approved app
- click the Assignments tab
- Click Add group
- Select Required as Assignment type
- On the Include tab search for the security group and select the group
- click OK twice and click Save
Device enrollment experience
Now let`s have a look at how the enrollment looks like when we enroll an Android device as dedicated device.
Some of the screens below might look different to what you will see, or you will see some extra screens. That depends on the Android OS version and supplier. For example I got to accept some terms and conditions from Motorola on my test device.
After starting your Android device, tab 7 times on the screen at a white space. It will start the QR code setup which needs you to connect to a Wi-Fi network. After connecting to a Wi-Fi network, the QR Code Reader will be installed.
When the installation of the QR Code Reader is finished, scan the QR Code which we have created in the Device Management Portal under Android enrollment, Corporate owned dedicated devices. This will start the device enrollment.
Click Encrypt.
You will be redirected to Settings of the device. Encrypt your device and after encrypton is finished, setup continues.
Click OK.
Set up work device.
setting the device owner…
Updating device…
Downloading Google Play store
Registering device…
Applying your organizations`s policies.
When the policies are applied , you are logged on to the device and it shows the home screen. After installation the required app is shown on the home screen next to some default apps.
As you can see only some default apps are available besides the assigned (required) app Edge.
The Device Policy app is installed as part of the enrollment and performs the communication with Intune.
As I set in the device restrictions policy, factory reset is blocked (greyed out).
A next step in creating Android dedicated devices is creating a kiosk style device, which further locks down the Android devices. A kiosk style device can be setup to only allow a single-app or multiple apps. In a next blog I will show the configurations steps for such a device.
4 Comments
I was with you up to the Approve and assign Android applications section.
When I click on Client Apps, I just get the App Install Status screen with a bunch of apps listed (mostly from Microsoft). I don’t see any way to Add more apps to the list to be able to search the Play Store.
I’m not sure if they changed the internet or if I’m missing something but if you have any ideas, please let me know.
Thanks.
Hi Kel,
Did you connect your Managed Google Play account to Intune like described in my previous article https://inthecloud247.com/how-to-start-with-android-enterprise-work-profiles-in-microsoft-intune/
Regards,
Peter
Yep. It says the account is ‘Setup’ and has a green checkmark.
I was able to figure it out. Instead of going to ‘Client Apps’ from the Home page, I had to go to just ‘Apps’ on the left side, and then choose All Apps. I then got the Add button I was looking for. Thanks!
On a side note, what we’re trying to do is use tablets outside our conference rooms to show the schedule. We wanted to simply run Chrome and put it into fullscreen mode but there is no fullscreen mode. I was told that if we enroll the devices and manage them, we’ll be able to put them in a Kiosk mode and run Chrome fullscreen to remove all the tabs, bars, etc. Will following through these steps allow that to work?
Thanks!
do you have any experience in connected dedicated devices to eap\tls wifi configurations using cisco ISE? we use scep\wifi profiles with out fully managed and work profiles but dedicated is beating me as them devices are userless and our ISE requires a username added to the user cert, dedicated devices require a device cert as far as im aware. any help would be appreciated.