This blog post focuses on the different Android Enterprise management modes available with Microsoft Intune a.k.a Microsoft Endpoint Manager.
I already did a blog post long back on the different ways of managing android devices from Intune. However, there has been new management modes introduced since when I wrote it. As such, consider this blog post as an update to it.
This is post-nos. 3 of the Android series with Joy which I started recently. Other articles of this series are listed below.
- Post #1 – Evolution of Android management for Enterprise use
- Post #2 – 9 myths regarding the use of Android in Enterprise
So let’s get started with today’s topic.
Different modes of Android Enterprise management available with MEM Intune
Android Enterprise has the capability to cater to and support all kinds of businesses and enterprise MDM use-case scenarios.
Android Enterprise fundamentally has two main management modes –
- Profile owner (or
managed profile) – Containerized solution which provisions a work profile to facilitate BYOD scenario.
- Device owner (or
managed device) – Full device management to facilitate the COD scenario.
For personal devices owned by employees [BYOD], management should be via the Profile owner management mode (Work Profile management solution).
2011 service release of Intune sees Android Enterprise Work Profile management rebranded to Personally-Owned Work Profile management.
For company-owned devices [COD], you get 3 options to choose from within the Device owner management mode to suit the needs of the business.
- Corporate Owned Fully managed [previously referred to as COBO] – Allows full device management with strict policy enforcement.
- Corporate Owned Personally Enabled [COPE] – A containerized solution to keep work and personal profiles separate on a corporate device. [Android 11 brings some changes to the behavior]
- Corporate Owned Dedicated device [also referred to as COSU] – Allows full device management which can be further locked down to limit the device usage to a specific purpose only.
The below image helps to visualize the different management modes available for Android Enterprise capable devices with Microsoft Intune a.k.a Microsoft Endpoint Manager.
Azure AD Shared mode is available in public preview as an additional enrollment under Corporate-owned dedicated devices with the October 2020 service release of Intune. Read more here.
Read my blog on Azure AD Shared Device mode with Android Enterprise Dedicated devices to know more about the provisioning process and end-user experience.
How to determine which Android Enterprise management solution to use?
Due diligence plays an important role in determining the Android Enterprise solutions (management modes) to be used for an organization.
In general, this is a three-step process as follows
- Discovery – Engage to identify detailed needs, challenges, and current situation
- Validation – Confirm to understand if the chosen path meets the client’s requirements
- Deployment – Configure the EMM environment to support the chosen management mode
The key is to properly understand the customer business requirement.
If I give my own example, the main question that I would ask to understand the client requirment is Who will be using the devices and what actions do they perform? This will help you to understand what is the primary use case of the device based on which you would be able to propose a solution. If procurement is also involved as part of the project, then you can't miss another important question Where the devices will be used? This will help the procurement team to understand whether rugged devices will be required or not.
The above is just an example that I provided. In general, you should be able to match customer requirements to an available AE solution as shown in the table below.
| Customer requirement | AE Solution which fits the need |
| Secure company data on personal devices | Personally-Owned Work Profile (BYOD) |
| Full control over the apps and data on company owned devices | Corporate-Owned Fully Managed (COBO) |
| Keep personal and corporate data separate on company-owned devices | Corporate-Owned Personally Enabled with Work Profile (COPE) |
| Lock devices down to perform a single or limited set of functions | Corporate-Owned Dedicated devices (COSU) [Default] |
| Multiple user to use a device. Secure their corporate data on user sign-in with Conditional Access based on device compliance. | Corporate-Owned Dedicated devices [Azure AD Shared mode (public preview)] |
Some more use-case to AE solution mapping is shown in the table below.
| Use-case | AE Solution which fits the need |
| Scan inventory as it leaves stick room. | Corporate-Owned Dedicated devices (COSU) provisioned as Single App KIOSK with rugged Enterprise Recommended Device. |
| Stay in touch with part-time delivery drivers who own their devices. | Personally-Owned Work Profile (BYOD) |
| Employer provided premium devices with work profile enabled | Corporate-Owned Personally Enabled with Work Profile (COPE) |
| Capture sensitive data in a high-security environment | Corporate-Owned Fully Managed (COBO) |
Irrespective of the solution that you chose, Android Enterprise gives you the benefits of secure App Deployment with Managed Google Play and the flexibility of multiple provisioning ways to suit every need.
Benefits of Android Enterprise – Secure App Deployment
Managed Google Play offers a standard and secure way which allows IT admins to whitelist apps for easy deployment, distribute private apps and perform silent app installs without requiring the need to enable app installation from unknown sources.
This helps overcome the shortcomings in security with the legacy Device Administrator mode which is otherwise required to enable unknown sources for an EMM to deploy apps to the devices.
Managed Google Play is
- Reliable due to global Google Play infrastructure with cached repositories
- Easy to administer
- Secure due to Google Play Protect which intercepts Potentially Harmful Apps (PHA) threats in real-time by automatically scanning new apps before installation and continually scans the device daily. This layer of security protects the device from potentially harmful apps in the Google Play Store and from across the web. In-house LOB apps hosted in Managed Google Play are subjected to the same security checks as public apps, ensuring security.
Benefits of Android Enterprise – Multiple ways of deployment to suit every need
Android Enterprise offers a range of options to deploy company-owned devices at scale.
From NFC, DPC Identifier (Android 6.0+) and QR Code (Android 7.0+) setup to fully automated enrollment using Zero-Touch which allows large-scale over-the-air out-of-box Android (9.0+) deployments across multiple OEM devices without the need for manual setup.
| Deployment methods for corporate enrollment schemes | How to use and availability |
| DPC Identifier [Hashtag ID] | User-driven flow. Enter afw#<EMMCode> on Google sign-in page on the initial device setup to start the provisioning process. Availability Android 6.0+ |
| QR Code | User-driven flow. Tap 8 times on blank screen space on the 1st screen post device startup to enter QR Scan mode. Scan QR Code to start the provisioning process. Requires new Out-of-Box device or Factory reset for existing devices. Availability Android 7.0+ |
| NFC Bump | User-driven flow. Bump against NFC on the 1st screen post device startup to start the device provisioning process. Requires new Out-of-Box device or Factory reset for existing devices. Availability Android 5.1+ |
| Zero Touch Enrollment | Device-driven flow. Selected devices purchased directly from an enterprise reseller or Google partner and not through a consumer store. Availability Android 7.0+ for Pixel only, select the compatible devices with Android 8.0 and any device running Android 9.0+ |
Before ending this post, I would like to address a common question regarding Android Enterprise onboarding which comes from the IT Admins starting new with Intune (a.k.a Microsoft Endpoint Manager).
Why it is required to bind Intune with Managed Google Play to use any AE device management modes?
In order for an EMM solution like Intune (a.k.a Microsoft Endpoint Manager) to manage device policies and install applications on android devices utilizing Android Management API, each device needs to have an identity that is consumable by Google. [Since AM API is provided by Google]
For this purpose, there are only two options available –
- Managed Google Play accounts [obfuscated accounts]
- G Suite or Cloud Identity accounts (Gmail) [non-obfuscated accounts]
Most EMM solutions utilize the Managed Google Play accounts due to the ease of setup, which is also the recommended way unless you are using Google Identity services.
From a high-level overview, below is explained the relevance of linking Managed Google Play with Intune.
- Creating Enterprise ID
IT admin requires a single Gmail account to start registering the EMM solution to Managed Google Play services, for the tenant.
In the backend, this is utilizing the Google Play EMM API to create an Enterprise resource (Enterprise ID) which helps Intune to identify itself to Google and use the Android Management API to manage Android Enterprise devices [COD enrolled] belonging to the organization/tenant.
Intune does not use the AM API for work profile management on personal devices. More on this will be covered in the next blog. So stay tuned!
The associated Gmail account is required to manage the Enterprise resource throughout its life cycle.
- Enterprise Service Account received in return
Intune obtains an Enterprise Service Account (ESA) based on the Enterprise resource (Enterprise ID) as created in the above step.
- Creation of obfuscated User Accounts
Intune then uses the ESA to create obfuscated user identities in that Enterprise resource. These identities have random account identifiers (not a username). E.g.: [email protected]
The device (or work profile in case of BYOD) gets provisioned using the obfuscated identity as created by Intune.
The benefits to this are
- Scalability – An EMM solution can create unlimited such obfuscated identities immediately without having to worry about managing those identities. The EMM service maps those obfuscated identities created to its own IDP-provided user identities (Azure Active Directory for Intune). Google cannot identify individual users since it will not see this mapping.
- Manage App distribution securely – The use of Managed Google Play accounts (obfuscated accounts) allows users to install and use IT-approved apps (public apps as well as LOB apps) from the Managed Play store without requiring the end-user to sign in to Google Play services using personal accounts. And since Managed Play service essentially uses Google Play services to deploy apps to the devices, the IT Admin can do silent app installs on the device (or work profile). This overcomes the security flaw of Device Admin management mode which is required to enable app installation from unknown sources for an EMM service to deploy LOB apps to an android device.
- Overcome Factory Reset Protection – The use of obfuscated accounts serves another useful functionality on corporate devices managed with Android Enterprise. IT Admin can restrict end-users from adding personal accounts on fully managed AE devices, which thereby helps to overcome the Factory Reset Protection feature, which would otherwise not allow to factory reset a device if it was set up with a user personal identity and the user returned the device without removing the personal account and left the organization.
The End
That was all for today. Hope you would find this post useful.
Do check out my other posts on Intune. You will also find many other awesome blog posts on Intune and Config Manager by other writers on this blog site.
Subscribe to get notified of new posts and be a member of the How To Managed Devices (HTMD) community.
Use the HTMD Forum to post your queries related to Intune/SCCM and get expert advice and answers from the HTMD community.
Starting 1st Jan 2021, I have started my own blog site. You will find all my latest posts here at joymalyabasuroy.com
Thank you for this post, very clear as usual 🙂
That is great. Nice to see a clear diagram of AEM with MEM. Cheers.