Sunday 20 January 2019

Intune Android Enterprise Fully Managed Devices

Microsoft have recently announced the public preview release for the initial support of the Fully Managed Device solution set within Intune, I thought that for a change I would write up a little something on this 😁

As a recap, this is now the 3rd solution set to be supported, to see how the different solutions are applicable for different use case scenarios I would recommend as a refresher to take a look at my previous post on Intune and Android Enterprise

Now just to be clear, at the time of writing, this is what is currently supported along with the caveat  of the public preview tag;
  • App config and deployment
  • Device restriction config profiles
  • Deployment of the above config to user groups only
Now this doesn't sound a lot to get excited about but actually the device restrictions are the same  settings as what has been available for the dedicated device solution set which has matured over the past 6 months. So there are ample options to get started with a small test group of users, also I am sure you will see support for more features in the coming months.

Now at this point I would like explain a term you will see within the Intune portal associated to creating config with AE devices, Device Owner. 



On an Android device, the App that applies policies to the device is called the Device Policy Controller. When the DPC is operating in a way that it has control over the whole device, this is called Device Owner. It now kind of makes sense that the same device restrictions are available for both Fully Managed and Dedicated, one would assume the same group of settings for Fully Managed with Work Profile / COPE
The term "Work Profile Only" in the screenshot above I believe is actually incorrect and should be changed to "Profile Owner Only". This the correct term for when the DPC is operating in a mode which only controls the Work Profile and has limited access to the remainder of the device.

Okay so lets give this a whirl along with deploying some additional config to the device

Navigate in the M365 Device Management Portal to Device Enrollment > Android Enrollment > Corporate owned, fully managed user devices (Preview)


Select yes


Now remembering at the moment we can only scope configurations to users, let's create a user group, navigate to Groups > New Group


Populate using the below information, also ensuring that the group has the appropriate users added to it


Click create

Now lets provision two apps so we deploy both an available and required app deployment to the device to observe the experience. Log into the Managed Google Play store, lets find the Outlook and Edge apps. Approve them.


Back in the portal navigate to Client Apps > Managed Google Play and select Sync


The apps with now be available in Client Apps > Apps


Now deploy them by selecting the app, Assignments > Add group > Specify the assignment type (required for one app and available for the other)


Now lets create some devices restrictions config and deploy it to the user group. Device Configuration > Profiles > Create profile.




Input a suitable name, select Android Enterprise for the platform and then select device restrictions under the device owner only menu



Select settings, I have included various settings in this profile but I would just like to highlight the block factory reset option I have selected here


Click on OK then assign the profile to the same group we created previously.

Now lets enrol the device, ensure that it is in a state where it has been recently been factory reset, or is brand new out of the box. I will enrol the device use the QR code reader method, which requires Android 7.0 or newer


Tap on the screen multiple times to reveal the QR code reader setup. Select next


Connect to a Wifi network


Wait for a few seconds and the QR reader will now install


Now its ready to go and scan the QR code from the portal, which we enabled previously


Follow through the wizard and enrolment will commence


Accept the terms


Enrolment will continue


Accept the terms for chrome and then you are prompted for credentials. Enter the username and password.


Click the link when prompted


The device is then enrolled


You will now see the required app install


On launching the Google play store you can see the available app we deployed, so literally the only apps that a user can install on the device are what have been made available by the organisation


You will also notice that there are no apps with the badge symbol on them, like you may have already seen with a Work Profile enrolled device.


Okay so lets check our device config and attempt to factory reset the device


Cool, so the restriction has applied.

Now remember, this feature is in public preview so it is not recommended for production deployments, I would recommend reviewing the documented considerations here

Thanks for reading!

2 comments:

  1. Does a fully managed enrolled device get corporate or personal status in intune ?

    ReplyDelete
    Replies
    1. Hi there, apologies for the very late reply! A Fully Managed Device will always be tagged with the ownership of "Company"

      Delete