Learn how to create and deploy security policies for Android devices using Endpoint Manager Intune. An Android for Work device restriction policy deployment is nothing but the security policy for Android devices. Security policies are important for securing the corporate data and applications on those devices.
In this post, we will see how to create and deploy a security policy for Android devices via the Intune blade in the Azure portal. Intune compliance policies are another set of policies that we need to set up for Android device security.
I have a post about setting up compliance policies for Android devices: “How to Plan and Design Intune Compliance Policy for Android Devices”. Latest post: How To Configure Intune Enrollment Setup For Android Enterprise Device Management – HTMD Blog #2 (howtomanagedevices.com).
How to Create Security Policy for Android Devices
You can create an Intune device restriction policy for Android for Work from Microsoft Intune – Device Configuration – Profiles – Create New Profile. I selected Android for Work as the platform, and the selection of the platform is very important.
You also need to select the profile type while creating the Intune configuration restriction policy; in my scenario, it’s the Device restriction policy. The name of the policy is Android Restriction policy, as you can see in the video.
There are two categories of device restriction settings for Android for Work devices: Work profile settings and Device password. Again, I won’t suggest setting up a device password policy as part of the configuration policy when you have a compliance policy setting for the device password.
The “Data sharing between work and personal profiles” setting specifies whether apps in the work profile can share data with apps in the personal profile. The Microsoft Intune recommended value for this setting is to prevent any sharing across the boundaries.
We can block work profile notifications while the device is in a locked state. Default app permission is another Android for Work security setting. I don’t recommend configuring the password settings as part of Intune configuration policies; rather, password settings should be part of compliance policies for Android for Work devices.
Deploy Security Policy for Android Devices
Deploying the Android for Work device restriction policy is straightforward, but it’s important to take care of a few points before deploying the security policy for Android devices. Click on Assignments after setting up the policy and select the AAD user/device group.
Click on the Save button and you are done. The best recommended way is to assign policies to an Azure AD dynamic device group for Android devices. However, AAD device groups are still in preview, so we may be better off using user groups for deploying device restriction policies to Android devices.
One thing to remember is that you can’t apply Android device platform policies to Android for Work devices. You should instead use Android for Work device platform policies for A4W. Another useful option while deploying device restriction policies in Intune is the EXCLUDE option.
This is very useful when you want to exclude some of the devices or users from these particular security policies.
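As an added example (not from the original post or from Microsoft), the Python sketch below expresses the work profile settings and the include/exclude assignment described above as Microsoft Graph payloads and reviews them against the post's guidance. The group IDs, the default app permission value and the sample profile are constructed; the password check reflects the author's advice to keep password settings in compliance policies.

```python
import json

# Graph resource type for an Android for Work (work profile) restriction profile.
A4W = "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration"
INCLUDE = "#microsoft.graph.groupAssignmentTarget"
EXCLUDE = "#microsoft.graph.exclusionGroupAssignmentTarget"

def build_profile(name):
    """Body for POST /deviceManagement/deviceConfigurations."""
    return {
        "@odata.type": A4W,
        "displayName": name,
        "workProfileDataSharingType": "preventAny",  # no cross-profile sharing
        "workProfileBlockNotificationsWhileDeviceLocked": True,
        "workProfileDefaultAppPermissionPolicy": "prompt",  # constructed sample value
    }

def build_assignment(include_ids, exclude_ids=()):
    """Body for POST /deviceManagement/deviceConfigurations/{id}/assign."""
    pairs = [(INCLUDE, g) for g in include_ids] + [(EXCLUDE, g) for g in exclude_ids]
    return {"assignments": [{"target": {"@odata.type": t, "groupId": g}}
                            for t, g in pairs]}

def review(profile, assignment):
    """Return findings where the payloads depart from the post's guidance."""
    findings = []
    if profile.get("@odata.type") != A4W:
        findings.append("platform: not an Android for Work profile type")
    if profile.get("workProfileDataSharingType") != "preventAny":
        findings.append("sharing: work/personal data sharing is not prevented")
    if profile.get("workProfileBlockNotificationsWhileDeviceLocked") is not True:
        findings.append("notifications: shown while the device is locked")
    pw = sorted(k for k in profile if "password" in k.lower())
    if pw:
        findings.append("password: set here instead of in compliance: " + ", ".join(pw))
    kinds = [a["target"]["@odata.type"] for a in assignment.get("assignments", [])]
    if INCLUDE not in kinds:
        findings.append("assignment: no included group, policy reaches nobody")
    return findings

if __name__ == "__main__":
    # Constructed group IDs: one included user group, one excluded group.
    profile = build_profile("Android Restriction policy")
    assignment = build_assignment(["00000000-0000-0000-0000-000000000001"],
                                  ["00000000-0000-0000-0000-000000000002"])
    print(json.dumps({"profile": profile, "assignment": assignment}, indent=2))
    print(review(profile, assignment) or "no findings")
```

Running the same review over profiles exported from a tenant shows at a glance which ones use the plain Android platform type or carry password settings that belong in compliance policies.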
User Experience of Security Policy for Android devices
The user experience of Android for Work devices can vary depending upon the manufacturers of the devices. As I mentioned in the previous post here, Samsung and Nexus are the best-experienced devices that I tested till now.
But I would admit the user experience of Android for Work is far better than Android devices! As Android devices have different variants, it’s better to make sure the security policy experience on Android devices is good across all the manufacturers.
Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.