Hello everyone, we are back with a new and an interesting topic: How to Add New Google Domain for Android Work Devices in Intune Android Enterprise personally-owned devices with a work profile. Intune recently released this feature with the 2305 release of Intune.
Intune currently allows to Add or Remove a Google account to Work Profile. Users can add a Google Domain to their Work Profile when this setting is enabled. By default, users cannot add any additional account to their Work Profile.
In Our previous blogs, we have learned how to integrate Android Enterprise to Intune, Enroll devices to Android for Work, create Compliance policies for Android for Work devices, and create Configuration policies. In this article, we will enable users to add the new Google Domains to Work Profile using the same device Configuration profile.
- Enroll Android Devices to Android for Work in Intune
- Create a Compliance Policy for Android Devices in Intune
Create a Device Configuration Policy to Add New Google Domain for Android
Intune allows admins to configure device configuration profiles that control the behavior of the device. Using these configuration policies, we can define certain restrictions like allowing or blocking device features on Work Profile. Let’s see how we can create a new configuration profile.
- Sign in to Microsoft Intune Admin Center
- Click on Devices > Android > Configuration profiles
- Click on Create Profile
- Select Andoird Enterprise under Platform
- Select the profile type as Device Restrictions under Personally-Owned Work Profile and click on Create.
Now on the Basics page, provide the Name for Profile and the Description for the Profile. Click Next to the Configuration Settings page. Now on the Configuration Settings page, click Work Profile settings. This will expand various device restrictions to configure for Work Profile.
Using these controls, we can manage the Data Transfer between the Work Profile and the Personal Profile of the device, App notifications for the work profile, copy and paste data between the Work and Personal Profile, and many more.
As we are discussing how to add a new Google domain, let’s see what options are provided to Intune Admins by Intune. Under Work Profile Settings, scroll down to Add and Remove Accounts, this setting will define whether to Allow or Block adding new accounts.
By default, the value is set to “Allow all account types, except for Google Accounts.” Click on the settings and choose Allow all Accounts. This will enable users to add any Domain accounts to their Work Profile. When we select the option, Intune allows admins to control further, which Google Domains can be allowed. Admin can view “Google domain allow-list” enabled.
If you want to restrict users to certain Google Domains, we can define the domains under the Google domain allow-list. We can add the domains manually or import the .csv file with all the allowed Google domains. While preparing a .csv file with Domains, the first row will be treated as Header, and Intune will not consider it as Domain and will leave the first row. So define Domains from the second row of the sheet.
The domains should be defined in contoso.com format. If Admins leave the fields blank, Intune will allow all Google Domains to be configured on Work Profile. These Google accounts are blocked from Installing apps from Managed Play Store. Intune also allows Admins to Block all kinds of Accounts.
Let’s see below table the of available settings.
|Settings Name||Settings Allowed|
|Allow all account types except Google accounts||This is the default value, and Intune will not change the device settings, by default, the device OS might allow adding accounts in Work Profile.|
|Allo All Account type||This setting will allow users to configure All Accounts, including Google accounts|
|Block All Accounts||This restriction will block users from adding or removing Google accounts from their Work Profile|
Now that we have defined the restriction click Next and assign to Scope tags, if you have any, and click Next to the Assignment page and Assign the profiles to required groups. Click Next Review and Create the Profile.
End User Experience
Let’s see the end-user experience of how the devices behave when the profile is not assigned to users and after assigning the profile to the users. Users can Enroll their devices in Android For Work, once the devices are enrolled. Click on Managed PlayStore and click on Add an account in the top left corner and click on Manage your Google Account.
Now click on Add account; users will get an error stating “Action not allowed“, as shown in the below screenshot.
Now, let’s see the behavior once the device profile is assigned to users. In the same way above, try to add a Google account, and users can add an account.
This is how we can add a New Google Domain to Intune for Android for Work devices in Intune. I hope you like the article, and we will be back soon. Stay tuned for more interesting topics we will share with you in the future.
About Author – Narendra Kumar Malepati (Naren) has 11+ years of experience in IT, working on different MDM tools. Over the last seven years, Naren has been working on various features of Intune, including migration from different MDMs to Intune. Naren mainly focuses on Android, iOS, and MacOS.