Android for Work device restriction policies are, in effect, the security policy for Android devices: they are what protects corporate data and applications on those devices. In this post, we will see how to create and deploy a security policy for Android devices via the Intune blade in the Azure portal. Intune compliance policies are a second, separate set of policies that also need to be set up for Android device security; I have a post about them, “How to Plan and Design Intune Compliance Policy for Android Devices”.
How to Create Security Policy for Android Devices
You can create an Intune device restriction policy for Android for Work from Microsoft Intune – Device Configuration – Profiles – Create New Profile. I selected Android for Work as the platform; selecting the correct platform is very important, because a profile is only delivered to devices enrolled under that platform. You also need to select the profile type while creating the Intune configuration restriction policy; in my scenario, it’s Device restrictions. The name of the policy is Android Restriction policy, as you can see in the video.
There are two categories of device restriction settings for Android for Work devices: Work profile settings and Device password. Again, I won’t suggest setting up a device password policy as part of the configuration policy when you already have device password settings in a compliance policy.
The “Data sharing between work and personal profiles” setting specifies whether apps in the work profile can share data with apps in the personal profile. The Microsoft Intune recommended value for this setting is to prevent any sharing across the boundary; leaving it at the device default hands the decision to the device and OS version.
We can also block work profile notifications while the device is in a locked state, so corporate content is not shown on the lock screen. Default app permissions is another Android for Work security setting; it controls whether runtime permission requests from work profile apps are prompted to the user, auto-granted or auto-denied. I don’t recommend configuring the password settings as part of Intune configuration policies; rather, password settings should be part of the compliance policies for Android for Work devices.
Deploy Security Policy for Android Devices
Deploying an Android for Work device restriction policy is straightforward, but it’s important to take care of a few points before deploying the security policy for Android devices. Click on Assignments after setting up the policy and select the AAD user/device group. Click on the Save button and you are done. The best way is to assign policies to an Azure AD dynamic device group for Android devices. However, at the time of writing the AAD device groups are still in preview, so we may be better off using user groups for deploying device restriction policies to Android devices.
One thing to remember is that you can’t apply Android device platform policies to Android for Work devices; you should use Android for Work device platform policies for A4W instead. Another useful option while deploying device restriction policies in Intune is the EXCLUDE option. This is very useful when you want to exclude some devices or users from a particular security policy; note that an exclusion takes precedence over an inclusion, so a user or device that falls in both an included and an excluded group will not receive the policy.
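The portal steps above can also be expressed as Microsoft Graph request bodies, which makes the settings reviewable and repeatable. The following is an added example, not code from the original post or from Microsoft; it builds the work profile restriction profile described in the settings section, audits it for the weaker values, and builds the assignment with an include group and an exclude group as described above. The resource type `#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration`, its property names and the assignment target types follow the Graph beta schema as I understand it and should be checked against the current Graph reference; the group IDs and the token are placeholders.

```python
"""Intune "Android for Work" device restriction profile and assignment as
Microsoft Graph request bodies.

Assumptions (not from the original post): the Graph beta resource type
"#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration", its property
names and the assignment target types are taken from the Graph beta schema as
I understand it; verify against the current reference. Group IDs and the access
token are placeholders.
"""
import json
import urllib.request

GRAPH_BETA = "https://graph.microsoft.com/beta"

# Enumerations for the two work-profile settings discussed in the post.
DATA_SHARING_VALUES = {"deviceDefault", "preventAny", "allowPersonalToWork", "noRestrictions"}
APP_PERMISSION_VALUES = {"deviceDefault", "prompt", "autoGrant", "autoDeny"}


def build_work_profile_restriction(display_name, data_sharing="preventAny",
                                   block_notifications_when_locked=True,
                                   default_app_permission="prompt", extra=None):
    """Return the JSON body for POST /deviceManagement/deviceConfigurations.

    Password keys are refused on purpose: per the post, device password rules
    belong in the compliance policy, not in the configuration profile.
    """
    if data_sharing not in DATA_SHARING_VALUES:
        raise ValueError(f"unknown workProfileDataSharingType: {data_sharing}")
    if default_app_permission not in APP_PERMISSION_VALUES:
        raise ValueError(f"unknown workProfileDefaultAppPermissionPolicy: {default_app_permission}")
    body = {
        "@odata.type": "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration",
        "displayName": display_name,
        "description": "Work profile restrictions (example profile)",
        "workProfileDataSharingType": data_sharing,
        "workProfileBlockNotificationsWhileDeviceLocked": bool(block_notifications_when_locked),
        "workProfileDefaultAppPermissionPolicy": default_app_permission,
    }
    for key, value in (extra or {}).items():
        if "password" in key.lower():
            raise ValueError(f"{key}: put password settings in the compliance policy")
        body[key] = value
    return body


def audit_profile(body):
    """List the settings that leave a weaker posture than the post recommends."""
    findings = []
    if body.get("workProfileDataSharingType") != "preventAny":
        findings.append("work/personal data sharing is not fully blocked")
    if not body.get("workProfileBlockNotificationsWhileDeviceLocked"):
        findings.append("work notifications are visible on the lock screen")
    if body.get("workProfileDefaultAppPermissionPolicy") == "autoGrant":
        findings.append("runtime permissions are granted to work apps without prompting")
    return findings


def build_assignment(include_group_ids, exclude_group_ids=()):
    """Return the body for POST /deviceManagement/deviceConfigurations/{id}/assign.

    Exclusions are separate targets; Intune gives an exclusion precedence over an
    inclusion, so a group listed in both would silently lose the policy.
    """
    overlap = set(include_group_ids) & set(exclude_group_ids)
    if overlap:
        raise ValueError(f"groups both included and excluded: {sorted(overlap)}")
    targets = [{"target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget",
                           "groupId": gid}} for gid in include_group_ids]
    targets += [{"target": {"@odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget",
                            "groupId": gid}} for gid in exclude_group_ids]
    return {"assignments": targets}


def _graph_post(path, body, access_token):
    """POST a JSON body to Graph beta; /assign answers 204 with an empty body."""
    req = urllib.request.Request(
        GRAPH_BETA + path, data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def deploy(profile_body, assignment_body, access_token):
    """Create the profile, then assign it; the token needs
    DeviceManagementConfiguration.ReadWrite.All. Returns the new profile id."""
    created = _graph_post("/deviceManagement/deviceConfigurations", profile_body, access_token)
    _graph_post(f"/deviceManagement/deviceConfigurations/{created['id']}/assign",
                assignment_body, access_token)
    return created["id"]


if __name__ == "__main__":
    profile = build_work_profile_restriction("Android Restriction policy")
    print(json.dumps(profile, indent=2))
    print("findings:", audit_profile(profile))
    # Constructed placeholder group IDs: include a user group, exclude a pilot group.
    print(json.dumps(build_assignment(["<all-android-users-group-id>"],
                                      ["<excluded-users-group-id>"]), indent=2))
```

Running the script offline prints the two request bodies and an empty findings list for the recommended values; `deploy` is only called once you have an access token for a tenant where you are allowed to create profiles. Using user groups in `build_assignment`, as the post suggests while device groups are in preview, keeps the assignment independent of the device group preview status.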
User Experience of Security Policy for Android devices
The user experience of Android for Work devices can vary depending upon the manufacturer of the device. As I mentioned in the previous post here, Samsung and Nexus are the best-experienced devices which I have tested till now. But I would admit the user experience of Android for Work is far better than that of Android devices! As Android devices have different variants, it’s better to make sure the security policy for Android devices experience is nice for all the manufacturers.