How to start with Android Enterprise work profiles in Microsoft Intune

Later this year with the introduction of Android 10, Google will stop the support of Android Device Admin on this new Android OS. This means we can no longer use the traditional way of managing Android devices when you purchase new Android devices or upgrade your existing devices to Android 10. For Android 10 we need to use Android Enterprise to start managing our Android devices.
With Microsoft Intune we have three Android Enterprise deployment scenarios; Work Profile (BYOD), Dedicated (Corporate owned kiosk devices) and Fully managed (Corporate owned).

In this blog post I will show how to get started with Android Enterprise Work Profile using Intune. We start with connecting Intune with Android Enterprise, enabling Android Enterprise in Intune and creating an Android Enterprise Work Profile. When these steps are finished we approve some Android applications from the Managed Google Playstore to deploy to the Work profile. And the last step is showing the end-user experience.

Link your Managed Google Play account to Intune

The first thing we need to do is linking a Managed Google Play account which isn`t already used to Intune. Follow the below steps to set this up.

1. Open the Device Management Portal and click Device enrollment
2. Click Android enrollment
3. Click Managed Google Play (Link your managed Google Play account to Intune)

1. Check I agree
2. Click Launch Google to connect now

Click Get started

1. Enter your Business name
2. Click Next

1. Fill in the requested information (you can skip this, it`s optional)
2. Check I have read and agree to the Managed Google Play agreement
3. Click Confirm

Click Complete Registration

Enable Android Enterprise

The next step is enabling Android Enterprise Work Profile in Microsoft Intune to allow users to use Android Enterprise as enrollment platform.

1. Click Device enrollment – Enrollment Restrictions
2. Click Default under Device Type Restrictions
3. Click Properties – Select platforms
4. Click Block behind Android
5. Click Allow behind Android work profile
6. Click OK – Save

Create an Android Enterprise Work Profile

The third step is creating and assigning an Android Enterprise Work Profile with Device restrictions.

1. Click Device Configuration – Create profile
2. Give the configuration a Name
3. Give the configuration a Description (optional)
4. Choose Android Enterprise as Platform
5. Choose Work Profile Only – Device restrictions as Profile type

Pick the required settings on the Work profile settings, Device password, System security and Connectivity tabs. I think you should at least set Copy and paste between work and personal profiles, Add and remove accounts and Screen capture to Block. And set Require Work Profile Password to Require.
But off-course all these settings are up to you.
When finished Click OK twice and click Save.

1. Click the Assignment tab
2. Search for the security group you want to assign the configuration to and add it
3. Click Save

Approve and assign Android applications

The last step in setting-up this configuration is approving and assigning Android applications from the Google Playstore.

1. In the Device Management portal browse to Apps – All Apps
2. Click Add

1. Choose Managed Google Play App as App type
2. Click Select

• Search for the app
• Select the app

Click Approve

Click Approve

1. Select Keep approved when app requests new permissions
2. Click Done

Click Sync

After a few seconds the sync is finished and the approved app is available in Intune.

Don`t forget to assign the app as required or available to a security group, or all users/ devices.

Repeat these steps for all Android applications you want to deploy to your Android devices.
Always approve/ deploy the Intune Company Portal app as a required app to receive the latest updates.

End-user experience

Now let`s have a look at how the enrollment looks like for the end-user.
Keep in mind below screens might look different, based on Android OS version, device vendor and PIN/ encryption requirements.

Install the Company portal app, open the app and click Sign in.

Sign in with your company e-mail address and password.

You get an overview of the steps which will be taken to setup the device with a Work profile.
Click Begin

You get an privacy overview of the information which can and cannot be seen by the company administrator.
Click Continue.

On most devices you get a Terms screen which you need to accept.
Click Accept & Continue

Every thing is set!
Click Done.

When everything is setup, and you open the apps view (menu) you see it is now separated in to two tabs (print screen from a Nokia device with Android 9). The left tab contains the personal apps and the right tab the work apps. The work apps are shown with a suitcase icon.

On (some) older Android versions a separate Work folder is created. In this work folder all the required business apps are available.

When you open one of the Android apps which are part of the Work profile, you are asked to provide your PIN (if set as required in the Device Configuration profile).

A next step in securing the companies data might me forcing the use of an approved app, like I showed in this post. By using a Compliance Policy and expanding the Access controls in the Condition Access policy with “Require device to be marked as compliant” you can block all the devices which are not managed by the company with Intune.