Intune How to Enroll Android for Work Supported Devices for Management | Google Play Store for Work
Android for Work enrollment to an Enterprise Mobility Management (EMM) solution such as Intune is slightly different from iOS and Windows device enrollment.
This difference is not caused by your EMM solution; it is the process/framework Google implemented for Android for Work enrollment. We need to configure Intune to support Android for Work, and I have a post that explains the prerequisites.
Video: Intune How to Enroll Android for Work Supported Devices
The Android for Work enrollment experience is explained in the video here.
Details Google Play Store for Work
First, we need to make sure that Android for Work (A4W) is enabled for your Intune tenant and then configure Intune to support A4W. Do you want to allow only Android for Work-supported devices to enroll in Intune? This option is not available out of the box in Intune.
I’m sure Microsoft will come up with a new option in the new Azure portal, as I noted here in the previous blog post about the enrollment restriction rule in Intune. Android for Work is currently supported on devices running Android 5.0 Lollipop and later that support a work profile.
The second step is to ensure that you have configured both Android for Work configuration policies and Android configuration policies in Intune. Intune has separate sets of policies that apply only to Android for Work.
Intune compliance policies are the same for “Classic” Android management and Android for Work management. If you plan to deploy VPN and Wi-Fi profiles to Android for Work supported devices, Intune supports some custom configuration policies (OMA-URI) for that purpose.
As a third step, you need to confirm whether your device has support for “Android for Work” or not. Where is the list of Android for Work supported devices? OK, no worries, Google has already published the list here.
If your device is not supported, Intune will automatically enroll the device for “classic” Android management, so you won’t see any work profile being created on your phone.
Once you have confirmed that the device you are trying to enroll is supported, open the “Google Play Store” and install the Intune company portal. Once the company portal is installed, you can log in to the portal with your corporate credentials, and it will start the first phase of the setup, creating a work profile for Android.
Once the work profile has been created, the company portal application will ask you to go to the work profile and launch the company portal from there to continue setup. So you need to log in to the company portal twice as part of Android for Work enrollment.
The work profile will be controlled by the organization you have enrolled with, and the company portal app will have access to work profile-related data.
Half of the enrollment process has been completed in the above step. The Intune company portal application initiated the creation of the work profile. Once the work profile has been created, you need to log in to another instance of the company portal app, which resides in the work profile.
The company portal app in the work profile does the 2nd half of the enrollment process. The company portal helps the device complete Work Place Join, Azure AD Join, and Intune enrollment, as you can see in the above video.
Google Play Store for Work
Once you complete the Company access setup, you can access company resources and apps depending on the conditional access, compliance, and configuration policies. The Android device must comply with the compliance policies, and it should also meet the conditions set in the conditional access policies by the Intune admin.
Once everything is OK, you can browse and install applications from “Google Play Store for Work”. I will cover the Android application deployment scenarios in an upcoming blog here (coming soon).
Outlook is one of the applications you can directly deploy as “available” or “required” from the Intune portal. Once the Outlook app has been installed, you can directly configure your official mail without any particular configuration. Email profile deployment via Intune is not required for automatic corporate mail configuration.
You only need to enter the email ID; everything else is configured automatically. You can add applications to the Google Play Store for Work with the existing Gmail account, as I mentioned in the blog post here. Once these apps are synced with Intune, you can deploy them to groups.
Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.