Hello, everyone. This week, let’s learn about Enrol Corporate Android Devices with Work Profile in Intune. Our previous articles taught us how to enrol Corporate Android Devices in Fully Managed mode and Kiosk Mode.
This is another mode of enrolment option that Android Enterprise provides for organizations. In fully managed mode, the entire device is managed by Intune, and users do not have the option to have a personal profile, and users cannot install apps as they wish to. They can have apps that are assigned to the users.
In Kiosk mode, the device is locked down to a single app or Multi-app as per organizational requirements. In Corporate Owned with Work profile mode, users can have personal space, similar to Android for Work scenarios. This type of enrolment is intended for corporate and personal use.
You may ask why we need this enrollment mode when Android for work is available. Android for work enrolment is for users using their devices to access corporate data. Intune has limited device management capabilities in managing the devices. In contrast, corporate-owned devices with Work Profile will provide admins with full MDM capabilities and meanwhile, segregate personal and corporate data securely.
- Enrolment Guide for Enrolling Android Devices to Corporate Owned Business Only in Intune
- Enrol Corporate Owned Android Devices into Kiosk Mode using Intune – Part 1
Device Prerequisites for Enrol Corporate Android Devices with Work Profile
Enrolling your devices to a corporate-owned device with a work profile can provide numerous benefits for your business. Not only does it allow for a secure and controlled environment, but it also enables employees to maintain a clear segregation between their personal and work-related data. Let’s see the device prerequisites before purchasing and distributing them to your users.
- Devices must be running on Android OS version 8.0 and above
- Devices must support Google Mobile Services
- The devices should be able to connect to Google Mobile Services
Methods of Enrolling to Intune
Corporate Owned Devices with a Work profile can be enrolled in multiple methods. Below are the methods that can be used to enrol the devices
- QR Code
- Zero Touch Enrolment
- Near Field Communication
Corporate Android devices can be enrolled with multiple enrollment methods. In one of the articles, we discussed the Zero Touch Enrolment method for corporate-owned, fully managed devices. Using zero-touch enrollment, we can also enrol the corporate-owned device with a work profile. In this article, we will discuss enrolling devices using QR codes.
Create Enrolment Profile Enrolling Corporate Android Devices with a Work Profile
We must create an enrollment profile to enrol devices with work profiles to corporate-owned devices. This enrolment profile contains a QR code and enrolment token, and we scan either the QR code or manually enter the enrollment token to enrol the device.
Let’s see the steps to create the enrolment profile
- Login to Microsoft Intune Admin Center
- Click on Devices > Android > Android Enrolment
- Now click on Corporate-owned devices with work profile
Click on Create Profile to create an Enrolment profile. The enrollment profile does not have any expiration date. Unless someone deletes or modifies it.
Provide the Name and description for the enrollment token on the Basics page. The details are required to identify the token if your organization uses multiple tokens for different departments.
Click Next and create the token. An enrollment token will be created in a couple of seconds. Click on the profile and click on the token, this will show you the QR code and enrollment token. Admins can share the token or—QR code with users to enrol the devices.
We have completed the first step of enabling corporate devices with the Work profile; as a next step, we need to create a dynamic group to group all the corporate devices with the work profile to assign the required configurations and applications.
Create Dynamic Group for Device
While enrolling corporate devices, it is always necessary to create dynamic device groups. Admins can easily assign the policies, configurations or restrictions to these dynamic device groups without impacting users. If we use user-based assignments, this will have an impact on users who use personal devices for accessing corporate data.
Now, let’s create a dynamic device group based on our corporate-owned devices with a work profile enrollment profile. Once created, devices enrolled using this enrolment token will be part of the group. To create, please follow the steps below.
- Login to Microsoft Entra Admin Center
- Click on Groups > All Groups
- Click on New Group
elect the Group type as Security, and Provide the Name and Description for the group. Now, select the Membership type as Dynamic device and click on Add dynamic query to add the dynamic query
Under Property, select enrollmentProfileName, set Operator to Equals, and provide the enrollment profile name we created under Value, as shown in the screenshot below. Once done, click on Save. Now click on Create. This will create a Dynamic group
We have completed the required steps to enrol the devices to intune. Let’s see how we can enrol a device to Corporate Android Devices with Work Profile in Intune.
User Experience
To enrol Corporate Android devices with work profile, we need to format the devices if they are already in use. Suppose the devices are new and haven’t been set up or formatted and ready to set up. Please follow the below steps. Turn on the device and tap 5-6 times on start to enable the camera to scan the QR code of the enrolment profile.
We can either use a QR code or enter the enrollment token manually. I have chosen a QR code for our discussion. Once the QR is scanned successfully, the user will be prompted to connect to a Wi-Fi network to validate and pull down the settings.
Once the Wi-Fi is connected, the device will validate and recognize it as a corporate device, and the user will be shown the above message as this device belongs to your organization and get the device ready. This will take a bit of time, like 3-4 minutes, to proceed to the next steps.
Using corporate-owned devices with work profiles, we will be prompted to Set up a work Profile. Click on Agree to set up a work profile. The user will be shown various screens explaining the work profile and personal profile. Once the work profile is set, the user will proceed further.
Once the work profile is completed, the Chrome browser will be installed; this is required for authentication. Click Accept & continue. In the next screen, the user needs to enter their credentials. I missed capturing the screenshot. After successful authentication, MDM will start setting up the device, and DPC will validate the code.
Now, the DPC will update the device, and the user is prompted to install mandatory work apps, such as Microsoft Authenticator and Microsoft Intune app. Microsoft Intune app is an MDM agent for corporate devices instead of a Company portal app. Click on Done once the installation is completed.
Now, the Device Policy Controller will start Registering the device. Click on Set up and click on Sign in. The next step is As Intune support Single sign-in. The user is not required to enter credentials. Click on Register.
As we have downloaded the MS Authenticator app, the user will be prompted as to whether the user can use it to sign as a warning message. Click on Continue. On the next screen, click on Register. Now, the device will be registered to Azure and Intune. With this work, the profile setup is completed.
Intune starts provisioning personal and work profiles as we enable personal profiles. Users will be prompted to set up personal accounts to configure the device. Users can use their Gmail account to set up the device; this is required for installing apps on personal profiles (just like personal devices).
The user needs to accept the Google services. The user will be prompted to set the device PIN to secure the device. The user will be prompted to install some additional apps depending on the device and brand. We can skip the installation; the user needs to Accept the EULA as a last step.
Once all the steps are completed, users can see the Work Profile and Personal profile created as segregated, similar to the Android devices enrolled with Work Profiles. You may ask why we need to enrol the device in this mode. To answer your question, devices rolled as corporate devices will have more device management capabilities.
Conclusion
So, this is how you can allow your organization to procure Android devices for corporate and personal use. Users can install all the apps and use them for personal use. Intune will not monitor the personal space on the device. With this enrolment, we can push patches and OS updates to Android devices. I hope you liked the post. We will catch up in another post. Till then Alvidaaaaaa
We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here.
Author
About Author – Narendra Kumar Malepati (Naren) has 11+ years of experience in IT, working on different MDM tools. Over the last seven years, Naren has been working on various features of Intune, including migration from different MDMs to Intune. Naren mainly focuses on Android, iOS, and MacOS.
This doesn’t work if you use Google Workspace. Intune will not let you add ANY Google account to the work profile. I’d love to know if there was some kind of workaround.