A few days ago I wrote about setting up Android Enterprise Work profiles. Today I will show how to get started with a second management mode; Corporate owned, fully managed user devices. With this management mode the IT admin takes full control of the device, unlike with Work profiles.
To get started with Android Enterprise Corporate owned, fully managed devices your managed Google Play account needs to be connected with your Intune tenant. If you want to see the steps which needs to be taken to connect Intune with Google play, see my previous blog.
Enable Corporate owned devices
When the connection is set between Intune and Google Play, the next thing we need to do is enabling Corporate owned devices.
- Open the Device Management Portal and click Device Enrollment
- Click Android enrollment
- Click Corporate owned, fully managed user devices (Preview)
Set Allow users to enroll corporate-owned devices to Yes.
An enrollment token will be created. During enrollment this token is needed to let your users scan the code and enroll their device.
Create a device restrictions profile
The second step is creating a device restrictions profile for Device owner only.
- Click Device configuration – Profiles
- Click Create profile
- Give the configuration a Name
- Give the configuration a Description (Optional)
- Choose Android Enterprise as Platform
- Choose Device Owner Only – Device restrictions as Profile type
Pick the right settings for your environment on all the configuration tabs. For my test I only blocked Factory reset.
A new tab since the second preview is the Applications tab. On this tab you can choose to allow access to all the apps in the Google Play store.
When finished the settings click OK twice and click Create.
- Click the Assignments tab
- Search for your security group and add it
- Click Save
Create a Device Owner Compliance policy
Since the second preview of Corporate owned, fully managed user devices the Device Owner Compliance policy option is available. So from now on we can create a compliance policy and use that for example in a Conditional Access policy to allow or block access to company data.
To create a compliance policy, follow below steps.
- Click Device Compliance – Policies
- Click Create Policy
- Give the compliance policy a Name
- Dive the policy a Description (optional)
- Choose Android Enterprise as Platform
- Choose Device Owner as Profile Type
- Click the Settings tab – Device properties tab to configure devices requirements like minimum OS versions
- Click OK
On the System security tab you set requirements like Require a password and the password type.
Click OK twice and Create when finished.
- Click the Assignments tab
- Search for the security group of choice and select the group
- Click Save to assign the compliance policy
Approve and assign Android applications
The next step in this configuration is approving and assigning Android applications from the Managed Google Play store.
- In the Device Management Portal click Client apps – Apps
- Click Add
- Choose Managed Google Play as App type
- Click the Managed Google Play (Approve) tab
- Search for the required app and click the app
Click Approve
Click Approve
- Click Keep approved when app requests new permissions
- Click Save
Click OK
Click Sync
After a few seconds the approved apps are available in Intune.
- To assign the approved app, click the app
- Click the Assignments tab
- Click Add group
- Select Required as Assignment type
- On the Include tab search for the security group you want to assign the policy to and select the group
- Click OK twice – click Save
Repeat these steps for all Android applications you want to deploy to your managed devices.
End-user Experience
Now let`s have a look at this end-user experience. For this test using the QR code scanner, you need an Android device with Android 7 or higher.
The enrollment is started by tapping on the screen seven times.
Depending on the device/ Android version it will install a QR code reader if that isn`t already available on the device by default.
Some of the screens below might look different the you will see, or you will see some extra screens. That depends on the Android OS version and supplier. For example I got to accept some terms and conditions from Motorola on one device, but haven`t such conditions on a Nokia.
Scan the QR Code which we have in the Device Management Portal. This will start the device enrollment.
The setup of the work device is started.
Accept the Chrome Terms of service and Privacy notice by clicking Accept & Continue.
Sign in with your corporate credentials.
Setting up device
If you require a PIN to unlock the device, than the first step is to set a PIN.
Click START.
You`re redirected to the settings where you can set the required PIN code. When finished, you`re redirected back to the enrollment wizard.
When device encryption is set as a requirement, the second step is to enable secure start-up. Click START.
Settings is opened again where you can enable Secure startup.
Back at the wizard, click INSTALL to start the installation of the assigned apps
Wait for the required apps Microsoft Authenticator and Intune which are installed. Those apps are installed by default, without the need to assign them manually.
Click Next when the apps are installed.
The next step is to register your device. It is done by signing in to the Microsoft Intune app.
Click START.
Click SIGN IN.
Click NEXT to register the device in Intune.
Click DONE.
The setup and registration is finished.
Click DONE.
You are now logged on to the Android device.
We can see all the applications assigned as required are installed, or will be installed shortly.
Installation of those applications is done without the need of a (personal) Google Play account. You`re signed in to the Google Play store with a Google for Work account automatically.
When we open the Microsoft Intune app all the user owned devices are shown.
Applying Intune policies is handled by the Device Policy app which is installed by default, but not shown between the apps. You can open the app from the Play Store or via Settings, Google, Device Policy.
When you open the app you can perform a manual sync and see an overview of (some of the) applied settings and installed apps.
If we open the settings, we can see Factory reset is not available as set in the Device Restrictions policy.
That`s it for Android Enterprise Corporate owned, Fully managed user devices.
Are you also interested in using Android Enterprise combined with Samsung Knox Mobile Enrollment (KME)? Have a look at my article about Samsung KME.
15 Comments
Thanks for this article, it is really helpful. I have some questions still. At which part do you as an admin hand over the device to the end-user? Is it before entering the Microsoft Account? Can a device be turned off and on again and proceed with that step? Also, are there any options to enroll the device on behalf of an end-user (that doesn’t require you having the password)? Thanks in advance!
Hi Cheeko,
I think that depends on your environment and the kind of service you want to provide to your end-users. It`s not a solutions like Apple DEP, you don`t register the device as corporate owned before handover it to the user. There are a lot of steps to be taken by the user and yes you can reset the device during setup. Even during the new on-boarding flow you can reset the device.
So I think you hand-over the device as soon as the user is logged on to the device.
But if you have a CA policy in place which requires a managed/ compliant device to access corp data, your users have no other option than enrolling the device and maybe you can hand-over the device to some handy users to enroll themselves.
Another option is creating a Zero Touch auto provisioning deployment. Not yet available in the Intune portal, but available through the Zero Touch portal of Google. Haven`t tried that option myself. That`s seems more like a solution like DEP, purchase devices at a zero-touch reseller, assign the device to the user and when turned on enrollment begins. Have a look at this page https://www.android.com/enterprise/management/zero-touch/
I was able to log in to the Microsoft Intune app. But as soon as I opened Outlook, it said I needed the Company Portal to access it. Under ALl Devices in Intune, I had one entry for name_AndroidEnterprise_date. After installing the Company Portal, that disappeared and just had the name_Android_date and Not Compliant. Although the device is in the Device Security Group, the compliance policy associated with it has not attached itself.
Hi Bill,
Yes, I`m now able to sign in to the Intune app and register the device successfully.
I don`t have the issue with Outlook. Have you assigned App Protection Policies? I haven`t because those are not supported at this moment. Maybe AP Policy is causing your issue.
Hi Peter, We managed to setup a working device compliance and configuration policy.
The only problem is that we can’t register the device with the Intune app when all “User and account” settings are set to “block”. Did you test this settings as well? All other settings seems to work well. Do you use Samsung Knox to ennroll your android devices?
Looking forward to a reply!
Hi Roy,
No I haven`t tested this with these settings, but let me give it a try and get back to you.
No I`m not using KME, it`s just a lab environment. Used the QR code to enroll the device.
Hi Roy,
I can confirm when applying these three ‘Users and accounts’ settings, I`m not able to register the device using the Intune app. It gives me an error: This change isn`t allowed by your administrator.
Hi I have tried this and it works 2 out of 4 times…hence public preview – but all in all it works a treat and the way corp devices should be deployed.
hi
new to using in tune for android enterprise, do you assign Apps to user group or Device groups
Hi Stuart,
Completely depends on your needs. If an app is required/ available for everyone, you could assign it to all users or all devices.
If an app is only available for a group of users, use user assignment. If there is a reason that an app is only available for example for a device model, use a device group.
But keep in mind, (at this moment) you can not exclude an user group when a device assignment is used and vice versa.
Hi,
I am getting an error “Invalid QR code” even after scanning the code directly from Intune. I tried to enter the token manually as well but it’s giving the same error. Can anyone tell me what can be the issue? And how can I fix this?
Hi,
I just followed the steps but at the user experience I wont get the step:
– Set a screen lock
I only got the steps for install work apps and Register your device. I tried the setup from Knox > Intune and from afw#setup. Created a configuration profile (assigned to a dynamic device group) and only selected the pincode to deploy with 4 digits. All my devices are Corporate and AndroidEnterprise.
Did I miss something?
Is there a way for me to restrict what mobiles can enrol. For example if I want to deny phones that are below Android v11 from enrolling can I stop them but allow anything over v11
Hi, I am trying to find out if it is absolutely necessary to use dynamic device groups for enrolment. I like the idea and would prefer to use them however pins are not enforced during enrolment but is left to the user post enrolment which to me defeats the whole purpose of fully managed devices. If I use user assigned groups everything is done during enrolment perfectly. Are there any risks or consequences of using user assigned groups for example if people have the company portal on their personal device would being in that group change anything. I have 1000 android devices to go into production and this a major concern. Would this also mean the enrolment profile would not be needed and qr code would be default?
Hi, is there any danger of using user assigned groups to other devices? I have configured profiles, policies etc for Android enterprise fully managed devices, however when I use dynamic groups the pin is not enforced during enrollment and it only shows as an update in the intune app on the phone afterwards which means the user can just bypass setting up a pin. I can’t get around this and even microsoft states this is the case. When I use user assigned gourps eveything works perfectly during enrollment, however I am worried that these configurations and policies will follow the users onto other devices for example personal devices with the company portal on them. This has happened n the past on apple devices and a s a result a personal device was wiped. I have tested this for Android and there doesn’t appear to be any effect but I don’t want 1000 devices going out with this as a risk.