In this blog post, let us discuss how to enroll Android devices in Android for Work (work profile) with Intune. Today it is practically mandatory for organizations to give employees access to corporate data on mobile devices such as Android phones and iPhones, while still protecting that data on devices the organization does not own. Intune plays a major role in meeting both needs.
Google introduced Android Device Admin with Android 2.2 (Froyo), which provides basic device management. With Android 5.0 (Lollipop), Google introduced Android Enterprise (originally branded Android for Work), which supports fully managed devices and the work profile. Since Android 6.0 (Marshmallow), Google has required manufacturers to ship the Android Enterprise components for their devices to be GMS certified.
Google has stopped adding features to Device Administrator and has removed some of its policies in recent OS releases, and it encourages organizations to move to Android Enterprise. If your organization supports devices running Android 10.0 and above, Android Enterprise is the best solution.
If your organization operates in a country where Android Enterprise and Google services are unavailable (for example, China), use Android Device Administrator instead.
In this article, let's learn how to enroll personal Android devices in Android for Work in Intune. Intune also supports the Android Enterprise options for managing corporate-owned Android devices: corporate-owned fully managed (COBO), corporate-owned with work profile (COPE), and corporate-owned dedicated devices (COSU).
| Device Type | Type of Enrollment Advised |
|---|---|
| Personal devices | Android Device Admin / Android for Work (work profile) |
| Corporate devices | Corporate-owned fully managed (COBO); corporate-owned with work profile (COPE); corporate-owned dedicated (COSU) |
Enrolling Personal Android Devices in Intune with a Work Profile
If an organization allows BYOD devices to access org data, the best solution is to enable Android for Work. Android for Work creates a work profile: a separate, managed profile on the same device with its own encrypted storage, in which the organization's apps and data live apart from the user's personal apps and data. Let's see how an administrator enables work profile enrollment and ensures users enroll with it rather than as device administrator.
Let's discuss the prerequisites for enabling Android for Work and enrolling a device with a work profile:
- A Managed Google Play account linked to Intune.
- Devices running Android 8.0 or later that are GMS certified.
- Enrollment device platform restrictions that allow work profile enrollment.
- An Intune license assigned to the user.
Managed Google Play Account
To enable Android for Work for end users, you need to connect a Managed Google Play account to Intune. If your organization already has a Google account, you can use it for the integration; otherwise you can create a new managed Google Play account during setup.
- Sign in to the Microsoft Intune admin center.
- Click Devices > Enroll devices > Android enrollment.
- Click Managed Google Play.
Select the check box "I grant Microsoft permission to send both user and device information to Google" and click Launch Google to connect now (make sure pop-ups are allowed in your browser).
This opens a new window asking you to sign in to a Google account to link your Managed Google Play account to Intune (if you do not have an organizational Google account, create a new business account).
After signing in with the organization's Google account (use an organizational account, not a personal one, since this account owns the Managed Google Play binding), click Get Started.
After clicking Get Started, you are asked for business details. Under Domain/Business name, enter your organization name; below it you can verify that the EMM provider is shown as Microsoft Intune.
For data protection regulations, Google asks for Data Protection Officer and EU representative details (these fields can be left blank if you do not have them). Click Confirm.
Click Complete Registration. The integration takes a minute or two to complete, and the Managed Google Play tab closes.
Once integrated, Intune shows the status as Setup, the organization details under Organization details, and the email used for the integration under Google Account.
The Managed Google Play integration is now complete. Next, create enrollment device platform restrictions so that new devices enroll with a work profile rather than as device administrator.
Enrolment Device Platform Restrictions
Enrollment device platform restrictions are policies that control which devices can enroll in Intune, based on platform, manufacturer, OS version and ownership. Let's create an Android restriction that allows users to enroll in Android for Work (work profile) and blocks the legacy device administrator path.
- Sign in to the Microsoft Intune admin center.
- Click Devices > Enroll devices > Enrollment device platform restrictions.
- Click Create restriction under Android restrictions.
Provide a name and description for the restriction and click Next. Set Android Enterprise (work profile) to Allow and Android device administrator to Block. Define the minimum and maximum OS versions allowed to enroll (the minimum should be no lower than 8.0, the work profile prerequisite).
Click Next and select scope tags if required. Click Next again to assign the restriction to the user groups it applies to, then review and create the restriction.
With Managed Google Play integrated and device platform restrictions created, we are ready to enroll devices in Android for Work.
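As an added example (not code from this post or from Microsoft), the following Python builds the same Android restriction as a Microsoft Graph request body and checks locally which devices it would admit, which is a convenient way to confirm the version bounds before assigning the policy. The Graph property names (androidRestriction, androidForWorkRestriction, platformBlocked, personalDeviceEnrollmentBlocked, osMinimumVersion, osMaximumVersion, blockedManufacturers) are taken from the beta deviceEnrollmentPlatformRestrictionsConfiguration resource as I recall it and should be verified against the Graph reference for your tenant; evaluate_enrollment() is a local model written for this example, and the manufacturer name ExampleOEM is constructed.

```python
"""Intune Android enrollment device platform restriction, built and checked locally.

Added example for this post; not Microsoft's code. Property names follow the
Microsoft Graph beta resource deviceEnrollmentPlatformRestrictionsConfiguration
as recalled, so verify them against the Graph reference before POSTing the body
to /beta/deviceManagement/deviceEnrollmentConfigurations.
"""
import json
import re


def version_tuple(version: str) -> tuple:
    """'8.1' -> (8, 1, 0): compare numerically and pad, so '8' equals '8.0'."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:3]
    parts += [0] * (3 - len(parts))
    return tuple(parts)


def build_android_restriction(name, min_os="8.0", max_os="", blocked_manufacturers=()):
    """Body for a restriction that blocks Android device administrator enrollment
    and allows Android Enterprise work profile enrollment (the post's settings)."""
    work_profile = {
        "@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestriction",
        "platformBlocked": False,
        "personalDeviceEnrollmentBlocked": False,  # BYOD is the point of work profile
        "osMinimumVersion": min_os,                # work profile needs Android 8.0+
        "osMaximumVersion": max_os,                # empty string = no upper bound
        "blockedManufacturers": list(blocked_manufacturers),
    }
    device_admin = dict(work_profile, platformBlocked=True)  # legacy path: Block
    return {
        "@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration",
        "displayName": name,
        "description": "Block device administrator, allow work profile",
        "androidRestriction": device_admin,
        "androidForWorkRestriction": work_profile,
    }


def evaluate_enrollment(config, enrollment_type, os_version, manufacturer, personal=True):
    """Local model (not an Intune API) of how the restriction is applied.
    Returns (allowed, reason); enrollment_type is 'deviceAdministrator' or 'workProfile'."""
    key = {"deviceAdministrator": "androidRestriction",
           "workProfile": "androidForWorkRestriction"}[enrollment_type]
    r = config[key]
    if r["platformBlocked"]:
        return False, f"{enrollment_type} enrollment is blocked"
    if personal and r["personalDeviceEnrollmentBlocked"]:
        return False, "personally owned devices are blocked"
    v = version_tuple(os_version)
    if r["osMinimumVersion"] and v < version_tuple(r["osMinimumVersion"]):
        return False, f"Android {os_version} is below minimum {r['osMinimumVersion']}"
    if r["osMaximumVersion"] and v > version_tuple(r["osMaximumVersion"]):
        return False, f"Android {os_version} is above maximum {r['osMaximumVersion']}"
    if manufacturer.lower() in {m.lower() for m in r["blockedManufacturers"]}:
        return False, f"manufacturer {manufacturer} is blocked"
    return True, "allowed"


if __name__ == "__main__":
    # ExampleOEM is a constructed manufacturer name for the demonstration.
    cfg = build_android_restriction("BYOD - work profile only",
                                    blocked_manufacturers=["ExampleOEM"])
    print(json.dumps(cfg, indent=2))
    for args in [("workProfile", "13", "Samsung"),
                 ("deviceAdministrator", "13", "Samsung"),
                 ("workProfile", "7.1.2", "Samsung"),
                 ("workProfile", "12", "ExampleOEM")]:
        print(args, "->", evaluate_enrollment(cfg, *args))
```

Posting the body needs an authenticated Graph client with the DeviceManagementServiceConfig.ReadWrite.All permission (as I recall it; confirm in the Graph permissions reference). The local check is there to catch two easy mistakes: a minimum version typed above the 8.0 prerequisite, which would silently exclude eligible devices, and a string comparison of versions, which the padding in version_tuple avoids so that a device reporting "8" is not rejected against a minimum of "8.0".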
Enroll Android device to Android for Work
Before enrolling, ensure the device supports Android Enterprise and is encrypted (devices running Android 10 and above are encrypted by default; on older devices encryption must be enabled). Let's see how an end user enrolls the device in Intune.
- Download the Company Portal app from the Google Play Store.
- Open the Company Portal app and sign in with your organization credentials.
After successful authentication, the user is shown the three steps ahead: create a work profile, activate the work profile, and update device settings. Click Begin.
The user is then shown the privacy details: what data Intune and your organization can see on the device, and what they cannot. Read them and click Continue if you agree.
Intune now starts creating the work profile. It first checks whether the device is encrypted; if it is not, the user is prompted to encrypt the device before continuing.
The Company Portal app in the personal profile is disabled, and a new Company Portal marked with the work badge (briefcase symbol) is created in the work profile. That Company Portal continues setting up the work profile, which also creates a managed Google Play app with a managed Google Play account and the other required work apps, all badged, in the work profile.
Now that the work profile is created, it has to be activated. Click Continue; this registers the device with Intune and activates the work profile on the device.
Once the work profile is finished, the device settings are updated according to the compliance policies assigned (in our case, none were assigned). If you have created device categories, the user is asked to select a category for the device. Select the category and click Done.
Enrollment is complete. Users can access all work-related apps in the work profile, and all organization applications can be installed from the managed Google Play store available in the work profile.
Users continue to use their personal apps in the personal profile; nothing there changes. Users can switch between the personal and work profiles using the tabs at the bottom of the app drawer.
Now that the device is enrolled with a work profile, as an admin you should create compliance and app protection policies. Data transfer between the personal and work profiles is controlled with the work profile data transfer settings in device restriction policies and with app protection policies.
In this article, we covered the admin-side steps to enable Android for Work in Intune and how an end user enrolls a device with a work profile. Creating compliance policies for Android work profile devices and deploying apps to users are covered in another article.
About Author – Narendra Kumar Malepati (Naren) has 11+ years of experience in IT, working on different MDM tools. Over the last seven years, Naren has been working on various features of Intune, including migration from different MDMs to Intune. Naren mainly focuses on Android, iOS, and macOS.