Hello, Everyone. In today’s blog post, we will learn how to Pre-provision Android Corporate Devices using Intune’s device Staging enrollment. Intune introduced Device Staging Enrollment in the 2405 release.
In this post, we will explore the step-by-step process for configuring staging enrollment for corporate Android devices using Microsoft Intune. Managing a fleet of corporate Android devices in an organization can be quite challenging.
IT admins want to ensure all devices are enrolled and that user onboarding and configurations are consistent. Zero Touch enrollment has reduced most of the complexity for organisations, but user has to set up the device once they receive.
Suppose your organization has frontline workers and does not want them to go through the initial setup and enrollment of the devices into Intune. You may have considered an easier and better way to set up the devices before shipping them to end users. The Microsoft Intune Device Stage Enrollment method enables IT admins and third-party vendors to pre-configure corporate Android devices prior to shipping them to users.
Table of Contents
What is Device Staging Enrollment?
Device Staging allows IT admins to pre-configure corporate devices and reduces the steps needed to set up the device for end-users. With the help of a staging enrollment profile, we can prepare the enrollment and complete all necessary steps, handing the devices over to end users or frontline workers. This method of enrollment supports the
- Android Enterprise Corporate owned fully managed devices(COBO)
- Android Enterprise Corporate Owned personally enabled devices(COPE)
The entire device enrollment process involves three steps when creating the staging enrollment. Step 1 is Completed by the admin, who creates an Enrollment token. Step 2 is Completed by the admin or Vendor. In this step, either the Admin or the Vendor(who supplies the device) completes the device onboarding. Step 3, Completed by the User, involves receiving the device and completing the enrollment.
- Manage Microsoft Edge Browser on Android Devices using Intune
- Publish Sensitivity Labels in Microsoft 365 to Protect Corporate Data
Create Enrollment Profile
As mentioned above, an Intune admin creates an Enrollment profile. Let’s see the steps involved in creating the Enrollment profile for Staged Enrollment.
- Login to Microsoft Intune Admin Center
- Click Devices > Enroll devices > Android Enrollment > Corporate-owned, fully managed user devices
Click on ‘Create Policy.’ Then, please provide a Name for the enrollment token and add a Description. Under ‘Token type,’ select ‘Corporate-owned, fully managed, via Staging.’ This highlights the difference between normal enrollment and staging enrollment. Finally, set an expiry date for the token under ‘Token expiration date.’
Click on Next and add scope tags if you have any. Click on Next and then Review + create the Enrollment token. Validate the settings before creating the token.
The enrollment token will be created and ready for use. Now click on the enrollment token and then on the Token, where you can view the token and QR Code for enrollment. For our discussion, I have selected the Corporate Owned Fully Managed devices enrollment type.
With this Stage 1 is completed i.e., The admin task is completed. Now, let’s look at Stage 2, preprovisioning or initial device set up which has to be completed by the admin or vendor before being handed over to the users.
Enrolling the device by Admin/Vendor(Stage 2)
To enroll the device, it has to be a new device, or we need to format the device, which is already set up. Once the device is formatted, tap on the Get Started screen 6-7 times to enable the QR code scanner. Alternatively, you can proceed to set up the device and enter afw#setup in the email field to enroll the device using Token.
In this example, I have chosen the QR Code method for enrollment. Please scan the enrollment token. The admin can do this. Suppose your organization ships the devices directly to your users or employees from vendors. In that case, your admin can share the QR Code or token, and the vendor can set up the devices.
As soon as I scanned the QR code, the device started fetching the enrollment information and showed the information that the device belongs to your organisation. Click on image 5 to proceed with the setup of the device. Once the required details are fetched, the admin/vendor will be presented to accept the terms. Click on Accept & Continue.
Now, the device gets ready for work, and it will validate the token once again and start registering the devices. These steps will vary from device to device(for example, Samsung, Pixel, Motorola).
Intune will install the Microsoft Intune and Microsoft Authenticator app as part of the enrollment. If this device was part of user enrollment, the user will be prompted to enter credentials to enroll the device into Intune after installing the apps.
As we are doing staging enrollment, Admin/Vendor will be taken directly to the home screen. With this Stage 2 is completed. The device is ready to ship to users. Admins/Vendors should turn off the device, repack it, and ship it to the end user.
Device in Intune
The device is registered in Intune and no user is assigned to the device and we can view the device. The device name starts with “Staging” as shown in the screenshot below. You can view the device Ownership also as Corporate.
Once the user enrolls the device, its name will change. We don’t need to change the device’s name. Intune will take care of that, and the primary user will be connected to the device.
End User Experience
Now, let’s examine the end-user experience, specifically how the end user will set up the device. The user can turn it on immediately upon receiving the device. Users will not see a device setup screen. The Microsoft Intune app will open, and users will be prompted to enroll the device.
This constitutes Stage 3, wherein the end users finalize the process. Users are required to input their credentials to complete the registration procedure. Upon successful registration, the device will be prepared for use.
This way, staging enrollment can reduce the steps a user has to take to set up the device. This is similar to pre-provisioning in Windows devices. Organisations with frontline workers can utilise this mode to the full extent.
Conclusion
Staging enrollment in Intune enables organisations with the capacity to manage Android devices at scale. It facilitates organisations in ensuring that their devices are appropriately configured, secure, and prepared for use with minimal steps required for end-user device setup.
Need Further Assistance or Have Technical Questions?
Join the LinkedIn Page and Telegram group to get the latest step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, Join the WhatsApp Community to get the latest news on Microsoft Technologies. We are there on Reddit as well.
Author
About Author – Narendra Kumar Malepati (Naren) has 12+ years of experience in IT, working on different MDM tools. Over the last seven years, Naren has been working on various features of Intune, including migration from different MDMs to Intune. Naren mainly focuses on Android, iOS, and MacOS.