Android Enterprise: An ultimate use-case guide for the different management modes available with Intune [3]

This blog post focuses on the different Android Enterprise management modes available with Microsoft Intune a.k.a Microsoft Endpoint Manager.

I already did a blog post long back on the different ways of managing Android
devices from Intune. However, new management modes have been introduced
since I wrote it. As such, consider this blog post an update to it.

This is post no. 3 of the Android series with Joy which I started recently. Other articles of this series are listed below.

So let’s get started with today’s topic.


Different modes of Android Enterprise management available with MEM Intune

Android Enterprise can cater to and support all kinds of businesses and enterprise MDM use-case scenarios.

Android Enterprise fundamentally has two main management modes

  • Profile owner (or managed profile) – Containerized solution which provisions a work profile to facilitate BYOD scenario.
  • Device owner (or managed device) – Full device management to facilitate COD scenario.

For personal devices owned by employees [BYOD], management should be via the Profile owner management mode (Work Profile management solution).


2011 service release of Intune sees Android Enterprise Work Profile management rebranded to Personally-Owned Work Profile management.

For company-owned devices [COD], you get 3 options to choose from within the Device owner management mode to suit the needs of the business.

  • Corporate Owned Fully managed [previously referred to as COBO] – Allows full device management with strict policy enforcement.
  • Corporate Owned Personally Enabled [COPE] – A containerized solution to keep work and personal profile separate on a corporate device. [Android 11 brings some changes to the behavior]
  • Corporate Owned Dedicated device [also referred to as COSU] – Allows full device management which can be further locked-down to limit the device usage to a specific purpose only.

The below image helps to visualize the different management modes available for Android Enterprise capable devices with Microsoft Intune a.k.a Microsoft Endpoint Manager.

Different modes of Android Enterprise management available with MEM Intune
A visual representation of the different modes of Android Enterprise management available with MEM Intune in terms of endpoints

Azure AD Shared mode is available in public preview as an additional enrollment under Corporate-owned dedicated devices with the October 2020 service release of Intune. Read more here.

Read my blog on Azure AD Shared Device mode with Android Enterprise Dedicated devices to know more about the provisioning process and end-user experience.

How to determine which Android Enterprise management solution to use?

Due diligence plays an important role in determining the Android Enterprise solutions (management modes) to be used for an organization.

In general, this is a three-step process, as follows:

  • Discovery – Engage to identify detailed needs, challenges and current situation
  • Validation – Confirm to understand if the chosen path meets the client requirements
  • Deployment – Configure the EMM environment to support the chosen management mode

The key is to properly understand the customer business requirement.

If I give my own example, the main question that I would ask to understand the
client requirement is

Who will be using the devices and what actions do they perform?

This will help you understand the primary use case of the device, based
on which you will be able to propose a solution.

If procurement is also involved as part of the project, then you can't miss 
another important question

Where will the devices be used?

This will help the procurement team to understand whether rugged devices will be
required or not.

The above is just an example which I provided. In general, you should be able to match customer requirements to an available AE solution as shown in the table below.

| Customer requirement | AE solution which fits the need |
| --- | --- |
| Secure company data on personal devices | Personally-Owned Work Profile (BYOD) |
| Full control over the apps and data on company-owned devices | Corporate-Owned Fully Managed (COBO) |
| Keep personal and corporate data separate on company-owned devices | Corporate-Owned Personally Enabled with Work Profile (COPE) |
| Lock devices down to perform a single or limited set of functions | Corporate-Owned Dedicated devices (COSU) [Default] |
| Multiple users share a device. Secure their corporate data on user sign-in with Conditional Access based on device compliance. | Corporate-Owned Dedicated devices [Azure AD Shared mode (public preview)] |

Table 1: Android Enterprise management solution use-case mapping.

Some more use-case to AE solution mapping is shown in the table below.

| Use-case | AE solution which fits the need |
| --- | --- |
| Scan inventory as it leaves the stock room. | Corporate-Owned Dedicated devices (COSU) provisioned as Single App KIOSK with rugged Enterprise Recommended Device. |
| Stay in touch with part-time delivery drivers who own their devices. | Personally-Owned Work Profile (BYOD) |
| Employer-provided premium devices with work profile enabled | Corporate-Owned Personally Enabled with Work Profile (COPE) |
| Capture sensitive data in a high-security environment | Corporate-Owned Fully Managed (COBO) |

Table 2: Some more Android Enterprise management solution use-case mapping.

Irrespective of the solution that you choose, Android Enterprise gives you the benefits of secure app deployment with Managed Google Play and the flexibility of multiple provisioning methods to suit every need.

Benefits of Android Enterprise – Secure App Deployment

Managed Google Play offers a standard and secure way for IT admins to whitelist apps for easy deployment, distribute private apps and perform silent app installs without having to enable app installs from unknown sources.

This overcomes a security shortcoming of the legacy Device Administrator mode, which required unknown sources to be enabled for an EMM to deploy apps to the devices.

Managed Google Play is

  • Reliable due to global Google Play infrastructure with cached repositories
  • Easy to administer
  • Secure due to Google Play Protect, which intercepts Potentially Harmful App (PHA) threats in real time by automatically scanning new apps before installation and continually scanning the device daily. This layer of security protects the device from potentially harmful apps in the Google Play Store and from across the web. In-house LOB apps hosted in Managed Google Play are subjected to the same security checks as public apps.

Benefits of Android Enterprise – Multiple ways of deployment to suit every need

Android Enterprise offers a range of options to deploy company-owned devices at scale.

These range from NFC, DPC Identifier (Android 6.0+) and QR Code (Android 7.0+) setup to fully automated enrollment using Zero-Touch, which allows large-scale, over-the-air, out-of-box Android (9.0+) deployments across multiple OEM devices without the need for manual setup.

| Deployment methods for corporate enrollment schemes | How to use and availability |
| --- | --- |
| DPC Identifier [Hashtag ID] | User driven flow. Enter afw#<EMMCode> on Google sign-in page on initial device setup to start provisioning process. Availability: Android 6.0+ |
| QR Code | User driven flow. Tap 8 times on blank screen space on the 1st screen post device startup to enter QR Scan mode. Scan QR Code to start provisioning process. Requires new Out-of-Box device or Factory reset for existing devices. Availability: Android 7.0+ |
| NFC Bump | User driven flow. Bump against NFC on the 1st screen post device startup to start device provisioning process. Requires new Out-of-Box device or Factory reset for existing devices. Availability: Android 5.1+ |
| Zero Touch Enrollment | Device driven flow. Selected device purchased directly from an enterprise reseller or Google partner and not through a consumer store. Availability: Android 7.0+ for Pixel only, select compatible device with Android 8.0 and any device running Android 9.0+ |

Table 3: Android Enterprise provisioning methods on offer.

Before ending this post, I would like to address a common question regarding Android Enterprise onboarding which comes from the IT Admins starting new with Intune (a.k.a Microsoft Endpoint Manager).

Why is it required to bind Intune with Managed Google Play to use any of the AE device management modes?

In order for an EMM solution like Intune (a.k.a Microsoft Endpoint Manager) to manage device policies and install applications on android devices utilizing Android Management API, each device needs to have an identity that is consumable by Google. [Since AM API is provided by Google]

For this purpose, there are only two options available:

  • Managed Google Play accounts [obfuscated accounts]
  • G Suite or Cloud Identity accounts (Gmail) [non-obfuscated accounts]

Most EMM solutions utilize the Managed Google Play accounts due to the ease of setup, which is also the recommended way unless you are using Google Identity services.

At a high level, the steps below explain the relevance of linking Managed Google Play with Intune.

  • Creating Enterprise ID

IT admin requires a single Gmail account to start registering the EMM solution to Managed Google Play services, for the tenant.

In the backend, this is utilizing the Google Play EMM API to create an Enterprise resource (Enterprise ID) which helps Intune to identify itself to Google and use the Android Management API to manage Android Enterprise devices [COD enrolled] belonging to the organization/tenant.

Intune does not use the AM API for work profile management on personal devices. More on this will be covered in the next blog. So stay tuned!

The associated Gmail account is required to manage the Enterprise resource throughout its life-cycle.

  • Enterprise Service Account received in return

Intune obtains an Enterprise Service Account (ESA) based on the Enterprise resource (Enterprise ID) as created in the above step.

  • Creation of obfuscated User Accounts

Intune then uses the ESA to create obfuscated user identities in that Enterprise resource. These identities have random account identifiers (not a username). E.g.: [email protected]

The device (or work profile in case of BYOD) gets provisioned using the obfuscated identity as created by Intune.

Work profile (or managed device in case of full device management) gets provisioned with obfuscated managed Google Play accounts

The benefits to this are

  • Scalability – An EMM solution can create unlimited such obfuscated identities immediately without having to worry about managing those identities. The EMM service maps those obfuscated identities created to its own IDP provided user identities (Azure Active Directory for Intune). Google cannot identify individual users since it will not see this mapping.
An overall view of the Android Enterprise management with MEM Intune
  • Manage App distribution securely – The use of Managed Google Play accounts (obfuscated accounts) allows users to install and use IT-approved apps (public apps as well as LOB apps) from the Managed Play store without requiring the end-user to sign in to Google Play services using personal accounts. And since the Managed Play service essentially uses Google Play services to deploy apps to the devices, the IT Admin can do silent app installs on the device (or work profile). This overcomes the security flaw of the Device Admin management mode, which required app installs from unknown sources to be enabled for an EMM service to deploy LOB apps to an Android device.
  • Overcome Factory Reset Protection – The use of obfuscated accounts serves another useful function on corporate devices managed with Android Enterprise. The IT Admin can restrict end-users from adding personal accounts on fully managed AE devices, which thereby helps to overcome the Factory Reset Protection feature, which would otherwise not allow a device to be factory reset if it was set up with a user's personal identity and the user left the organization and returned the device without removing the personal account.
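
The obfuscated-identity mapping described above, sketched as an added example (not Intune's or Google's code): the store, function and field names are hypothetical and the sample users are constructed. It contrasts random identifiers with identifiers derived from the username, which anyone holding a list of usernames could link back to individual users.

```python
import hashlib
import secrets

class ObfuscatedIdentityStore:
    """EMM-side store: the only place the IdP user <-> opaque ID link exists."""
    def __init__(self):
        self._by_user = {}    # IdP user principal name -> opaque identifier
        self._by_opaque = {}  # opaque identifier -> IdP user principal name

    def issue(self, upn):
        """Return the opaque identifier for a user, creating it only once."""
        if upn not in self._by_user:
            opaque = secrets.token_hex(16)  # 128 random bits, no user data
            self._by_user[upn] = opaque
            self._by_opaque[opaque] = upn
        return self._by_user[upn]

    def resolve(self, opaque):
        """EMM-only lookup (e.g. for reporting); the mapping never leaves."""
        return self._by_opaque.get(opaque)

    def external_record(self, upn):
        """What leaves the EMM: the identifier only (hypothetical field)."""
        return {"account_identifier": self.issue(upn)}

def hashed_identifier(upn):
    """Weak alternative for contrast: identifier derived from the username."""
    return hashlib.sha256(upn.lower().encode()).hexdigest()[:32]

def reidentify(identifiers, candidate_upns):
    """Identifiers an outside party can link by hashing known usernames."""
    lookup = {hashed_identifier(u): u for u in candidate_upns}
    return {i: lookup[i] for i in identifiers if i in lookup}

# Constructed sample users (not real accounts).
USERS = ["alice@contoso.example", "bob@contoso.example"]

def demo():
    store = ObfuscatedIdentityStore()
    random_ids = [store.external_record(u)["account_identifier"] for u in USERS]
    hashed_ids = [hashed_identifier(u) for u in USERS]
    return {
        "random_linked": len(reidentify(random_ids, USERS)),
        "hashed_linked": len(reidentify(hashed_ids, USERS)),
        "emm_resolves": [store.resolve(i) for i in random_ids],
    }

if __name__ == "__main__":
    print(demo())
```

Only the store can turn a random identifier back into a user, which is the property the Scalability point relies on when it says Google does not see the mapping.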

The End

That was all for today. Hope you would find this post useful.

Do check out my other posts on Intune. You will also find many other awesome blog posts on Intune and Config Manager by other writers on this blog site.


Starting 1st Jan 2021, I have started my own blog site. You will find all my latest posts here at
