This blog post focuses on the Android Enterprise management modes available with Microsoft Intune, a.k.a Microsoft Endpoint Manager.
I wrote a blog post long ago on the different ways of managing Android devices from Intune. However, new management modes have been introduced since then, so consider this post an update.
This is the third post of the “Android with Joy” series, which I started recently. Other articles in this series are listed below.
- Post #1 – Evolution of Android management for Enterprise use
- Post #2 – 9 myths regarding the use of Android in Enterprise
So, let’s get started with today’s topic.
Different Modes of Android Enterprise Management are Available with MEM Intune
Android Enterprise can cater to and support various businesses and enterprise MDM use-case scenarios.
Android Enterprise fundamentally has two main management modes:
- Profile owner (or managed profile) – A containerized solution that provides a work profile to facilitate the BYOD scenario.
- Device owner (or managed device) – Full device management, used to facilitate the company-owned device (COD) scenario.
For employee-owned personal devices [BYOD], management should be via the profile owner management mode (the work profile solution).
The 2011 (November 2020) service release of Intune renamed Android Enterprise Work Profile management to Personally-Owned Work Profile management.
For company-owned devices [COD], the device owner management mode offers three options to suit the business’s needs.
- Corporate Owned Fully managed [previously referred to as COBO] – Allows complete device management with strict policy enforcement.
- Corporate Owned Personally Enabled [COPE] – A containerized solution that separates work and personal profiles on a corporate device [from Android 11 the admin's visibility into, and control over, the personal side of the device is reduced]
- Corporate-owned dedicated device [also called COSU]: This type allows total device management and can be further locked down to limit device usage to a specific purpose only.
The image below helps visualize the different management modes available for Android Enterprise-capable devices with Microsoft Intune, a.k.a Microsoft Endpoint Manager.
![Android Enterprise: An Ultimate Use-case Guide for the Different Management Modes Available with Intune [3] 1 Android Enterprise: An Ultimate Use-case Guide for the Different Management Modes Available with Intune [3]- Fig.1](https://www.anoopcnair.com/wp-content/uploads/2020/11/aememjoypic1.png)
![Android Enterprise: An Ultimate Use-case Guide for the Different Management Modes Available with Intune [3] 2 Android Enterprise: An Ultimate Use-case Guide for the Different Management Modes Available with Intune [3]- Fig.2](https://www.anoopcnair.com/wp-content/uploads/2020/11/aememjoy2-1024x570.png)
Azure AD Shared Device mode is available in public preview as an additional enrollment option under Corporate-owned dedicated devices, starting with Intune's October 2020 (2010) service release.
Please read my blog on Azure AD Shared Device mode with Android Enterprise dedicated devices to learn more about the provisioning process and end-user experience.
How do you Determine which Android Enterprise Management Solution to Use?
Due diligence plays a vital role in determining the Android Enterprise solutions (management modes) that an organization should use.
In general, this is a three-step process as follows
- Discovery – Engage to identify detailed needs, challenges, and current situation
- Validation – Confirm to understand if the chosen path meets the client’s requirements
- Deployment – Configure the EMM environment to support the management mode selected
The key is to understand the customer’s business requirements properly.
If I give my own example, the main question I would ask to understand the client requirement is:
Who will be using the devices, and what actions do they perform?
The answer tells you the primary use case of the device, and the proposed solution follows from that.
If procurement is also part of the project, there is another question you cannot miss:
Where will the devices be used?
The answer helps the procurement team decide whether rugged devices are required.
The above is just an example that I provided. In general, you should be able to match customer requirements to an available AE solution, as shown in the table below.
Customer requirement | AE Solution which fits the need |
---|---|
Let employees work from the personal devices they own, with corporate data confined to a separate work profile | Personally-Owned Work Profile (BYOD) |
Full control over the apps and data on company-owned devices | Corporate-Owned Fully Managed (COBO) |
Keep personal and corporate data separate on company-owned devices | Corporate-Owned Personally Enabled with Work Profile (COPE) |
Lock devices down to perform a single or limited set of functions | Corporate-Owned Dedicated devices (COSU) [Default] |
Multiple users can use a device. Secure their corporate data on user sign-in with Conditional Access based on device compliance. | Corporate-Owned Dedicated devices [Azure AD Shared mode (public preview)] |
Some more use cases for AE solution mapping are shown in the table below.
Use-case | AE Solution which fits the need |
---|---|
Scan inventory as it leaves the stock room | Corporate-Owned Dedicated devices (COSU) |
Stay in touch with part-time delivery drivers who own their devices | Personally-Owned Work Profile (BYOD) |
Employer-provided premium devices with work profile enabled | Corporate-Owned Personally Enabled with Work Profile (COPE) |
Capture sensitive data in a high-security environment | Corporate-Owned Fully Managed (COBO) |
Irrespective of your chosen solution, Android Enterprise gives you the benefits of secure App Deployment with Managed Google Play and the flexibility of multiple provisioning ways to suit every need.
Benefits of Android Enterprise – Secure App Deployment
Managed Google Play offers a standard, secure way for IT admins to approve apps for easy deployment, distribute private apps, and perform silent app installs without having to enable app installation from unknown sources.
This overcomes a security shortcoming of the legacy Device Administrator mode, in which unknown sources had to be enabled on the device before an EMM could deploy apps to it.
Managed Google Play is
- Reliable due to global Google Play infrastructure with cached repositories
- Easy to administer
- Secure due to Google Play Protect, which intercepts Potentially Harmful App (PHA) threats by automatically scanning new apps before installation and periodically rescanning the apps already on the device. This layer of security protects the device from potentially harmful apps whether they come from the Google Play Store or from elsewhere on the web. In-house LOB apps hosted in Managed Google Play are subjected to the same security checks as public apps.
Benefits of Android Enterprise – Multiple Ways of Deployment to Suit Every Need
Android Enterprise offers a range of options to deploy company-owned devices at scale.
These range from NFC, DPC Identifier (Android 6.0+), and QR Code (Android 7.0+) setup to fully automated enrollment using Zero-Touch, which allows large-scale over-the-air out-of-box deployments across devices from multiple OEMs (selected devices on Android 8.0, any GMS device on Android 9.0+) without manual setup.
Deployment methods for corporate enrollment schemes | How to use and availability |
---|---|
NFC Bump | User-driven flow. Bump the device against an NFC tag or programmer device on the 1st screen after device startup to start the provisioning process. Requires a new out-of-box device or a factory reset for existing devices. Availability: Android 5.1+ |
DPC Identifier [Hashtag ID] | User-driven flow. On the Google sign-in screen of the setup wizard, enter the DPC identifier (afw#setup for Intune) in place of an account; the device downloads Android Device Policy and starts the provisioning process. Requires a new out-of-box device or a factory reset for existing devices. Availability: Android 6.0+ |
QR Code | User-driven flow. Tap 6 times on the blank space of the 1st screen after device startup to enter QR scan mode, then scan the QR code to start the provisioning process. Requires a new out-of-box device or a factory reset for existing devices. Availability: Android 7.0+ |
Zero Touch Enrollment | Device-driven flow. Devices must be purchased directly from an enterprise reseller or Google partner (not through a consumer store) and assigned to the EMM configuration in the zero-touch portal; provisioning starts automatically on first boot once the device is online. Availability: Android 7.0+ for Pixel only; selected compatible devices on Android 8.0; any GMS device running Android 9.0+ |
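What actually sits behind the QR Code row is a small JSON document, and the part of it that matters for security is the signature checksum: the setup wizard downloads the DPC from the URL in the payload and refuses to install it unless the SHA-256 of one of the APK's signing certificates matches the checksum in the QR code, so a swapped download location cannot deliver a rogue DPC. The following is an added example (not code from this post, from Intune or from Google) that builds such a payload, audits it for the mistakes practitioners commonly print onto a QR code, and mimics the device-side certificate check. The component name and download URL are the ones used for Android Device Policy and are assumed here; the certificate bytes, enrollment token and Wi-Fi credentials are constructed.

```python
"""Android Enterprise QR-code provisioning payload: build, audit, verify.

Added example. The QR code scanned on the setup wizard encodes a JSON object
whose keys are the android.app.extra.PROVISIONING_* extras of
DevicePolicyManager. The device downloads the DPC from
PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION and installs it only if the
SHA-256 of one of the APK's signing certificates matches
PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM.
"""
import base64
import hashlib
import json

K_COMPONENT = "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
K_SIG_CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM"
K_DOWNLOAD = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
K_EXTRAS = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
K_WIFI_SSID = "android.app.extra.PROVISIONING_WIFI_SSID"
K_WIFI_SEC = "android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE"
K_WIFI_PASS = "android.app.extra.PROVISIONING_WIFI_PASSWORD"
REQUIRED = (K_COMPONENT, K_DOWNLOAD, K_SIG_CHECKSUM)

# Component name and download URL for Android Device Policy (the DPC used for
# company-owned enrollment). Assumed here; check against Google's current docs.
ADP_COMPONENT = "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver"
ADP_DOWNLOAD = "https://play.google.com/managed/downloadManagingApp?identifier=setup"


def signature_checksum(signing_cert_der: bytes) -> str:
    """URL-safe base64 (padding stripped) of SHA-256 over the DER signing
    certificate: the encoding Android expects in the signature checksum extra."""
    digest = hashlib.sha256(signing_cert_der).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def build_payload(signing_cert_der: bytes, admin_extras: dict, wifi=None,
                  component=ADP_COMPONENT, download_url=ADP_DOWNLOAD) -> str:
    """Return the compact JSON that gets encoded into the QR image."""
    payload = {
        K_COMPONENT: component,
        K_DOWNLOAD: download_url,
        K_SIG_CHECKSUM: signature_checksum(signing_cert_der),
        K_EXTRAS: admin_extras,  # e.g. the enrollment token the DPC needs
    }
    if wifi:
        ssid, psk = wifi
        payload[K_WIFI_SSID] = ssid
        payload[K_WIFI_SEC] = "WPA"
        payload[K_WIFI_PASS] = psk
    return json.dumps(payload, separators=(",", ":"))


def audit_payload(payload_json: str) -> list:
    """Findings a practitioner should fix before the QR code is printed."""
    p = json.loads(payload_json)
    findings = [f"missing {k}" for k in REQUIRED if k not in p]
    if K_DOWNLOAD in p and p[K_DOWNLOAD].lower().startswith("http://"):
        findings.append("download location is plain HTTP (the checksum protects integrity, not confidentiality)")
    if K_WIFI_PASS in p:
        findings.append("Wi-Fi PSK is embedded in clear text; anyone who photographs the QR code gets it")
    return findings


def verify_downloaded_dpc(payload_json: str, apk_signing_certs_der) -> bool:
    """Mimic the device-side check: accept only if some signing certificate of
    the downloaded APK hashes to the checksum carried in the QR payload."""
    expected = json.loads(payload_json)[K_SIG_CHECKSUM].rstrip("=")
    return any(signature_checksum(c) == expected for c in apk_signing_certs_der)


# Constructed inputs: not a real certificate, not a real enrollment token.
GOOD_CERT = b"constructed-der-of-the-genuine-dpc-signing-certificate"
ROGUE_CERT = b"constructed-der-of-an-attacker-signing-certificate"
SAMPLE_EXTRAS = {"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "CONSTRUCTED-TOKEN"}

if __name__ == "__main__":
    qr = build_payload(GOOD_CERT, SAMPLE_EXTRAS, wifi=("corp-provisioning", "constructed-psk"))
    print(qr)
    print("audit:", audit_payload(qr))
    print("genuine DPC accepted:", verify_downloaded_dpc(qr, [GOOD_CERT]))
    print("rogue DPC accepted:", verify_downloaded_dpc(qr, [ROGUE_CERT]))
```

Two practical consequences follow from the checksum design: the download location does not need to be trusted, because an APK signed by anyone else fails `verify_downloaded_dpc`, but the QR image itself must be treated as a credential whenever it carries a Wi-Fi PSK or an enrollment token, which is why the audit flags those fields.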
Before ending this post, I want to address a common question regarding Android Enterprise onboarding from IT Admins starting new with Intune (a.k.a. Microsoft Endpoint Manager).
Why is it required to bind Intune with Managed Google Play to use any AE Device Management Modes?
For an EMM solution like Intune (a.k.a Microsoft Endpoint Manager) to manage device policies and install applications on Android devices utilizing Android Management API, each device needs to have an identity that is consumable by Google [Since Google provides AM API]
For this purpose, there are only two options available –
- Managed Google Play accounts [obfuscated accounts]
- G Suite (now Google Workspace) or Cloud Identity accounts [non-obfuscated, Google-managed accounts]
Most EMM solutions utilize the Managed Google Play accounts due to the ease of setup, which is also recommended unless you use Google Identity services.
The relevance of linking Managed Google Play with Intune is explained below from a high-level overview.
- Creating Enterprise ID
The IT admin needs a single Google account to register the tenant's EMM solution with Managed Google Play services.
In the backend, this is utilizing the Google Play EMM API to create an Enterprise resource (Enterprise ID), which helps Intune to identify itself to Google and use the Android Management API to manage Android Enterprise devices [COD enrolled] belonging to the organization/tenant.
Intune does not use the AM API to manage work profiles on personal devices. The following blog will cover this more, so stay tuned!
The associated Gmail account is required to manage the Enterprise resource throughout its life cycle.
- Enterprise Service Account received in return.
Intune obtains an Enterprise Service Account (ESA) based on the Enterprise resource (Enterprise ID) created in the above step.
- Creation of obfuscated User Accounts
Intune then uses the ESA to create obfuscated user identities in that Enterprise resource. These identities have random account identifiers (not a username), E.g., 53774933432@gaccounts.google.com
The device (or work profile in the case of BYOD) gets provisioned using the obfuscated identity created by Intune.
![Android Enterprise: An Ultimate Use-case Guide for the Different Management Modes Available with Intune [3] 3 Android Enterprise: An Ultimate Use-case Guide for the Different Management Modes Available with Intune [3] - Fig.3](https://www.anoopcnair.com/wp-content/uploads/2020/11/aememjoypic4.png)
The benefits of this are
- Scalability: An EMM solution can immediately create unlimited obfuscated identities without worrying about managing them. The EMM service maps those obfuscated identities created to its own IDP-provided user identities (Azure Active Directory for Intune). Google cannot identify individual users since it will not see this mapping.
![Android Enterprise: An Ultimate Use-case Guide for the Different Management Modes Available with Intune [3] 4 Android Enterprise: An Ultimate Use-case Guide for the Different Management Modes Available with Intune [3] - Fig.4](https://www.anoopcnair.com/wp-content/uploads/2020/11/aememjoypic5.png)
- Manage app distribution securely: Managed Google Play accounts (obfuscated accounts) let users install and use IT-approved apps (public apps as well as LOB apps) from the Managed Play store without signing in to Google Play services with a personal account. Since Managed Play uses Google Play services to deploy apps to the devices, the IT admin can silently install apps on the device (or work profile). This removes the security flaw of the Device Admin management mode, which required app installation from unknown sources to be enabled before an EMM could deploy LOB apps to an Android device.
- Overcome Factory Reset Protection: Obfuscated accounts serve another useful purpose on corporate devices managed with Android Enterprise. The IT admin can prevent end-users from adding personal accounts on fully managed AE devices. Without that restriction, Factory Reset Protection would lock a device after a factory reset until the previously signed-in personal Google account is entered again, which leaves the device unusable when a departing employee returns it without first removing that account.
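The three steps above (Enterprise ID, ESA, obfuscated user accounts) map onto a handful of Google Play EMM API calls, and the scalability and privacy properties in the list come from one rule: the `accountIdentifier` the EMM sends to Google is an opaque value of the EMM's own choosing, and the mapping from that value to the directory identity never leaves the EMM. The following is an added example (not Intune's code; Intune's implementation is not public) that models that flow against the `androidenterprise` v1 API with a pluggable transport. The transport used here is a constructed fake so the example runs offline; the enterprise ID, UPNs and returned tokens are constructed as well.

```python
"""Managed Google Play accounts: how an EMM mints obfuscated identities.

Added example modelled on the Google Play EMM API (androidenterprise v1).
The EMM already holds an Enterprise ID and an ESA-authenticated HTTP client;
it creates users whose accountIdentifier carries no PII, keeps the mapping to
the directory identity (an Azure AD UPN) locally, and hands the device an
authentication token. The UPN never appears in anything sent to Google.
"""
import secrets

EMM_API = "https://www.googleapis.com/androidenterprise/v1"


class FakeGoogleTransport:
    """Constructed stand-in for the Play EMM API. Records every request so we
    can check what Google would actually have received."""

    def __init__(self):
        self.requests = []
        self._next_id = 53774933432  # shaped like the obfuscated id shown above

    def __call__(self, method, url, body=None):
        self.requests.append((method, url, body))
        if method == "POST" and url.endswith("/users"):
            self._next_id += 1
            return {"kind": "androidenterprise#user", "id": str(self._next_id),
                    "accountIdentifier": body["accountIdentifier"],
                    "accountType": body["accountType"],
                    "managementType": "emmManaged"}
        if method == "POST" and url.endswith("/authenticationToken"):
            return {"kind": "androidenterprise#authenticationToken",
                    "token": secrets.token_urlsafe(32)}
        raise ValueError(f"unexpected call {method} {url}")


class ManagedPlayAccounts:
    """EMM-side bookkeeping for obfuscated managed Google Play accounts."""

    def __init__(self, enterprise_id, transport):
        self.enterprise_id = enterprise_id  # from enterprises.completeSignup
        self.transport = transport          # ESA-authenticated HTTP in production
        self.mapping = {}                   # Google user id -> directory UPN; stays with the EMM

    def provision(self, upn, account_type="userAccount"):
        """Create an obfuscated account for a directory user and return
        (google_user_id, auth_token). The DPC uses the token to add the account
        to the device or work profile. Use account_type="deviceAccount" for
        dedicated (COSU) devices that have no human user."""
        account_identifier = secrets.token_hex(12)  # opaque; the API forbids PII here
        users_url = f"{EMM_API}/enterprises/{self.enterprise_id}/users"
        user = self.transport("POST", users_url, {
            "accountIdentifier": account_identifier,
            "accountType": account_type,
            "displayName": "Managed account",
        })
        self.mapping[user["id"]] = upn
        tok = self.transport("POST", f"{users_url}/{user['id']}/authenticationToken")
        return user["id"], tok["token"]


def leaks_identity(recorded_requests, upn) -> bool:
    """True if any request body sent to Google contains the user's directory identity."""
    probe = upn.split("@")[0].lower()
    return any(body is not None and probe in str(body).lower()
               for _, _, body in recorded_requests)


if __name__ == "__main__":
    google = FakeGoogleTransport()
    emm = ManagedPlayAccounts("LC0constructed", google)  # enterprise id is constructed
    uid, token = emm.provision("jdoe@contoso.example")
    print("google user id:", uid, "-> UPN known only to the EMM:", emm.mapping[uid])
    print("Google learned the UPN:", leaks_identity(google.requests, "jdoe@contoso.example"))
```

The `mapping` dictionary is the piece Intune keeps in its own service and Google never sees; losing it would orphan the Google-side accounts, so in a real EMM it lives in durable storage keyed by the directory object, not in memory.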
The End
That was all for today. I hope you will find this post helpful.
Please check out my other posts on Intune. On this blog site, you will also find many other excellent blog posts on Intune and Config Manager by different writers.
Starting 1st Jan 2021, I have started my blog site. You will find all my latest posts here at joymalyabasuroy.com
Author
Joymalya Basu Roy is an experienced IT service professional with almost five years of experience working with Microsoft Intune. He is currently a Senior Consultant – Architect at Atos India. He is an ex-MSFT, where he worked as a Premier Support Engineer for Microsoft Intune. He was also associated with Wipro and TCS in the early stages of his career. He was awarded the Microsoft MVP award for Enterprise Mobility in 2021. You can find all his latest posts on his blog site, MDM Tech Space, at https://joymalya.com
Thank you for this post, very clear as usual 🙂
That is great. Nice to see a clear diagram of AEM with MEM. Cheers.