Welcome to part 6 of this series of posts, which is intended to get you started with managing Android devices using the Android Enterprise capabilities within Microsoft Intune.
Part 1 can be found here and covers setting up the various Android Enterprise enrolment methods
Part 2 can be found here and covers the configuration of Azure AD groups
Part 3 can be found here and covers the configuration of Personally-owned Work Profile devices
Part 4 can be found here and covers the configuration of Dedicated devices
Part 5 can be found here and covers the configuration of Fully Managed devices
This series will get you up and running as quickly as possible, so if you require further detail and explanation on Android Enterprise, please refer to my previous post here, which I am ensuring is kept up to date as newer functionality is supported within Intune.
Well, it's admittedly been a while; however, this post picks the series up again to discuss the latest Android Enterprise enrolment type, which was announced as generally available as of the 2106 Intune service release.
Some Background Info
Many of you will no doubt have already tested this, or even deployed it into production, as it has been available in public preview since first being announced on 17th July 2020, and it is typically the most sought-after enrolment type due to its flexibility. It is commonly referred to as "COPE" within the mobility community, describing its intended use case (Corporate Owned, Personally Enabled).
It's definitely worth mentioning at this stage that the implementation of COPE on some other MDM platforms, for certain versions of Android, may be different to that of COPE within Intune. You should take this into consideration in migration scenarios, as what is visible on the device to Intune will differ from what is visible to the respective MDM solutions in those scenarios. This newer iteration is privacy friendly by design, as stated by Google, and was mandated as of Android 11. Note that this does not mean Android 11 is specifically required to support COPE on devices in Intune, as the functionality was back-ported to be supported from Android 8 and newer; this support statement is clearly defined in the documentation.
So what does this look like, both to the end user and from an Admin perspective? For the end user, it is almost identical to a Personally-Owned Work Profile (COPE) device; in fact it is designed to provide the user with an area for their own personal apps and data. From an Admin perspective, along with the previously mentioned point about COPE on other MDM platforms, it is also important to know that there is no way to retire just the Work Profile in this scenario, only a full wipe. Bear that in mind when allowing your users to access personal apps and data on company owned devices.
Finally I would also add that in my experience, the time it takes to enrol the device in comparison to all of the other Android Enterprise methods is quite a bit longer. Bear that in mind when expecting your users to set up their devices themselves and spec your hardware generously.
Configuration
Let's take a look at a Device Restrictions profile, which would probably be your first port of call when configuring a COPE device:
Navigate in the Endpoint Manager admin center to Devices > Android > Configuration profiles and select Create profile
Select Android Enterprise for the platform and then Device restrictions within the heading Fully Managed, Dedicated and Corporate-Owned Work Profile
Enter a name for the profile and then select Next. You will now be presented with all of the available configuration options
As you are probably aware by now, there is a standardised layout which is prevalent for most configuration profiles across all platforms. Settings are grouped by applicability to the different enrolment types that are available
It is important to remember this, both to avoid bloating your profile with unnecessary settings and because you can otherwise create some unintended behaviour. If you really want to confuse yourself, like I did, within Device experience set the Enrolment profile type to Fully Managed. The device will indeed be enrolled as COPE but the profile will give it the characteristics of a Fully Managed device.
So essentially, do not set the below, leave it as Not configured
I also just wanted to point out some more settings. Firstly, if you need to enable USB debugging, perhaps for screen sharing your device, then within the General section you will need to set Debugging features to Allow
Also note that there are two different places to block Screen capture and the Camera. This can be done for apps within the Work Profile only
The restriction can also be applied within the personal profile (the remainder of the device)
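The pitfalls described in this section can be checked for in an exported Device restrictions profile. This is an added example, not part of the original post or Intune's own tooling. The property names are assumed to match the Microsoft Graph beta androidDeviceOwnerGeneralDeviceConfiguration resource, with the unprefixed settings taken to be the Work Profile ones, and the sample profile is constructed.

```python
import json

# Constructed sample: a Device restrictions profile as it might look when
# exported from Microsoft Graph (beta). All values are made up for this example.
SAMPLE_PROFILE = json.loads("""
{
  "@odata.type": "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration",
  "displayName": "COPE - Device restrictions (constructed sample)",
  "enrollmentProfile": "fullyManaged",
  "screenCaptureBlocked": true,
  "cameraBlocked": true,
  "personalProfileScreenCaptureBlocked": false,
  "personalProfileCameraBlocked": false
}
""")

# Assumed mapping: (Work Profile setting, personal profile setting).
PAIRED_SETTINGS = [
    ("screenCaptureBlocked", "personalProfileScreenCaptureBlocked"),
    ("cameraBlocked", "personalProfileCameraBlocked"),
]


def audit_cope_profile(profile):
    """Return review findings for a profile intended for COPE devices."""
    findings = []
    # The post's advice: leave Enrolment profile type as Not configured,
    # otherwise a COPE device takes on Fully Managed characteristics.
    enrol_type = profile.get("enrollmentProfile", "notConfigured")
    if enrol_type != "notConfigured":
        findings.append(
            f"enrollmentProfile is '{enrol_type}'; leave it as notConfigured for COPE")
    # Screen capture and Camera are set in two places; flag a block that
    # covers only one side so the gap is a decision, not an oversight.
    for work_key, personal_key in PAIRED_SETTINGS:
        work = bool(profile.get(work_key, False))
        personal = bool(profile.get(personal_key, False))
        if work != personal:
            where = "work profile" if work else "personal profile"
            findings.append(
                f"{work_key}/{personal_key}: blocked in the {where} only; confirm intended")
    return findings


if __name__ == "__main__":
    for finding in audit_cope_profile(SAMPLE_PROFILE):
        print("REVIEW:", finding)
```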
Enrolment
As a reminder, back in part 1 of this series we configured the various enrolment methods including this one, so let's have a look at what an enrolment looks like. Note that this is being tested on a Samsung Galaxy A12 with Android 11 as the Operating System
Tap anywhere in the blank space multiple times, note that this is on a device that is either brand new or has been factory reset
Select a Language then Next
Scan the QR code version of the associated COPE Enrolment token
Connect to Wi-Fi
Select Next
The enrolment process will start
Agree the terms
The Work Profile will start being created
Select Accept & continue
Sign in with credentials
Select Install
Select Next
Select Set up
Sign In
Enter the password again
Register
Done
Next
The end user can now enter their personal Google account details if they wish, facilitating access to personal apps and data within the personal profile of the device
Review the terms, scroll down and select an option
Review and set the date and time then select Next
Review the Google services, scroll down then select Accept
Select a security option
Select an option for Google Assistant
Review and remove any additional apps as desired, scroll down then select OK
Review and accept the terms as desired, select Next
Select an option
Further review recommended apps, select Install / Finish
The device is now enrolled. If you swipe up from the bottom you will see that the personal and work apps are separated, with the same experience as on a Personally-owned Work Profile device
That's all for this post, many thanks for reading