Android for Work enrollment into an Enterprise Mobility Management (EMM) solution such as Intune is a bit different from iOS and Windows device enrollment. The difference does not come from your EMM solution; it is the process/framework Google implemented to complete Android for Work enrollment. We need to configure Intune to support Android for Work, and I have a post which explains the prerequisites. More details here.
The Android for Work enrollment experience is shown in the video here.
First of all, we need to make sure that Android for Work (A4W) is enabled for your Intune tenant, and then configure Intune to support A4W. Do you want to allow only Android for Work supported devices to enroll into Intune? This option is not available out of the box in Intune. I’m sure Microsoft will come up with a new option in the new Azure portal, as I noted here in the previous blog post about enrollment restriction rules in Intune. Android for Work is currently supported on devices running Android 5.0 Lollipop and later that support a work profile.
The second step is to ensure that you have configured Android for Work configuration policies in Intune along with Android configuration policies. There is a different set of policies in Intune that supports only Android for Work. Intune compliance policies are the same for “Classic” Android management and Android for Work management. If you are planning to deploy VPN and Wi-Fi profiles to Android for Work supported devices, there are some custom configuration policies (OMA-URI) which are supported by Intune.
As a third step, you need to confirm whether your device supports “Android for Work”. Where is the list of Android for Work supported devices? No worries, Google has already published the list here. If your device is not supported, Intune will automatically enroll the device for “classic” Android management, so you won’t see any work profile being created on your phone.
Once you have identified that the device you are trying to enroll is supported, open “Google Play Store” and install the Intune Company Portal. Once the Company Portal is installed, log in to it with your corporate credentials; this starts the first phase of the setup, which is creating the work profile for Android. Once the work profile has been created, the Company Portal application will ask you to go to the work profile and launch the Company Portal from there to continue setup. So you need to log in to the Company Portal twice as part of Android for Work enrollment. The work profile will be controlled by the organization you have enrolled with, and the Company Portal app will have access to work profile related data.
Half of the enrollment process is completed in the above step: the Intune Company Portal application initiated the creation of the work profile. Once the work profile has been created, you need to log in to another instance of the Company Portal app, which resides in the work profile. The Company Portal app in the work profile does the second half of the enrollment process. It helps the device complete Workplace Join, Azure AD join and Intune enrollment, as you can see in the above video.
Once you complete the Company access setup, you can access company resources and apps depending on the conditional access, compliance and configuration policies. The Android device must be in compliance with the compliance policies, and it should also meet the conditions set in the conditional access policies by the Intune admin. Once everything is OK, you can browse and install applications from “Google Play Store for Work”. I will cover the Android application deployment scenarios in an upcoming blog here (coming soon).
Outlook is one of the applications you can directly deploy as “available” or “required” from the Intune portal. Once the Outlook app is installed, you can directly configure your official mail without any particular configuration. Email profile deployment via Intune is not required for automatic corporate mail configuration. You just need to put in the email ID; everything else is configured automatically. You can add applications to Google Play Store for Work with an existing Gmail account, as I mentioned in the blog post here. Once these apps are synced with Intune, you can deploy them to groups.