Saturday 27 April 2019

Intune Basics Part 2: Modern Device Management with Android Enterprise - Creating Groups

Last updated: 24/08/21

Welcome to part 2 of this series of posts, which are intended to get you started with managing Android devices using the Android Enterprise capabilities within Microsoft Intune.

Part 1 can be found here and covers setting up the various Android Enterprise enrolment methods

Part 3 can be found here and covers the configuration of Personally-owned Work Profile devices

Part 4 can be found here and covers the configuration of Dedicated devices

Part 5 can be found here and covers the configuration of Fully Managed devices

This series will get you up and running as quickly as possible, therefore if you require further detail and explanation on Android Enterprise please refer to my previous post here which I am ensuring is kept up to date as newer functionality is supported within Intune.

This post will talk about the creation of Azure AD (AAD) user and device groups, and provide some recommendations and considerations for your environment.

Before commencing an implementation, be clear on whether, alongside company-issued devices, your organisation will support a BYOD policy for Android Enterprise. This is crucial for some of the decisions that need to be made when creating AAD groups, and in some cases it creates interesting scenarios. For example, a user may have a company-issued phone and also wish to enrol their personally owned Android tablet, which they are fully entitled to do under their organisation's IT policy. Do you want to deploy a different set of apps to personal devices than to company-owned ones? If so, some apps will need to be assigned to device groups rather than to user groups, because a user-targeted assignment reaches every device that user enrols.

Dynamic AAD groups can be used for the above and are created by the following process

Log into the Endpoint Manager admin center and select Groups


Select New group


Select Security for the group type, enter an appropriate name and set the Membership type to Dynamic Device

Select Add dynamic query


Use the rule builder to add the following Properties, Operators and Values:
deviceOSType Equals AndroidForWork
And deviceOwnership Equals Personal
Select Save to complete the changes


Note that you can also Edit the rule syntax directly


For convenience, I have added some queries below which you can use to build groups covering most use cases. The names I have used are just suggestions; the queries, however, must be copied exactly as written.

Personally-Owned Work Profile Devices
I will start with the most confusing one, due to the terminology in use, as it highlights an important point: this enrolment type can indeed be used in corporately owned scenarios. The deviceOwnership value is the ownership Intune has recorded for the device, so the two queries below separate work profile devices purely on that attribute.

Name: Android_Personally_Owned_Work_Profile_BYOD
Query: (device.deviceOSType -eq "AndroidForWork") and (device.deviceOwnership -eq "Personal")

Name: Android_Personally_Owned_Work_Profile_Corp
Query: (device.deviceOSType -eq "AndroidForWork") and (device.deviceOwnership -eq "Company")

Dedicated and Corporate-Owned Work Profile Devices
These can be created using the rule builder by simply referencing the enrollmentProfileName property and the name of the enrolment profile that was created back in part 1 of this series. Because each Dedicated or Corporate-owned Work Profile device records the name of the profile it enrolled with, one group per profile lets you scope configuration to exactly those devices.

Create as many as you need for each of your enrolment profiles

Fully Managed Devices

Name: Android_Fully_Managed
Query: (device.deviceOSType -eq "AndroidEnterprise") and (device.enrollmentProfileName -eq null)

Dedicated and Corporate-owned Work Profile devices also report AndroidEnterprise as the OS type, so it is the enrollmentProfileName -eq null clause that isolates Fully Managed devices. The query therefore assumes Fully Managed devices carry no profile name, which is the case when they enrol with the single Fully Managed token set up in part 1.

Please refer here for the AAD Dynamic Group documentation
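The portal steps above create one group at a time. As an added example (not code from the original post), the following Microsoft Graph PowerShell script creates the device groups listed above in one pass, then applies the same predicates locally to the directory's device objects so you can sanity-check how many devices each rule would capture. It assumes the Microsoft.Graph.Groups and Microsoft.Graph.Identity.DirectoryManagement modules are installed and that the signed-in account can create groups and read devices. The group names are the post's suggestions; the Dedicated group and its profile name "Kiosk" are hypothetical placeholders for whatever you named your enrolment profile in part 1.

```powershell
# Added example: create the Android Enterprise dynamic device groups with the
# Microsoft Graph PowerShell SDK and preview their membership locally.
# Assumptions: Microsoft.Graph.Groups and Microsoft.Graph.Identity.DirectoryManagement
# are installed; the signed-in account holds Group.ReadWrite.All and Device.Read.All.

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Device.Read.All'

# Rule text is the dynamic membership rule Azure AD will evaluate; this script
# only submits it. The "Kiosk" profile name is a hypothetical placeholder.
$groups = @(
    @{ Name = 'Android_Personally_Owned_Work_Profile_BYOD'
       Rule = '(device.deviceOSType -eq "AndroidForWork") and (device.deviceOwnership -eq "Personal")' },
    @{ Name = 'Android_Personally_Owned_Work_Profile_Corp'
       Rule = '(device.deviceOSType -eq "AndroidForWork") and (device.deviceOwnership -eq "Company")' },
    @{ Name = 'Android_Dedicated_Kiosk'
       Rule = '(device.enrollmentProfileName -eq "Kiosk")' },
    @{ Name = 'Android_Fully_Managed'
       Rule = '(device.deviceOSType -eq "AndroidEnterprise") and (device.enrollmentProfileName -eq null)' }
)

foreach ($g in $groups) {
    # Idempotent: re-running the script must not create duplicate groups.
    $existing = Get-MgGroup -Filter "displayName eq '$($g.Name)'"
    if ($existing) { Write-Host "Exists:  $($g.Name)"; continue }

    $null = New-MgGroup -DisplayName $g.Name `
        -MailEnabled:$false -MailNickname $g.Name -SecurityEnabled `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $g.Rule -MembershipRuleProcessingState 'On'
    Write-Host "Created: $($g.Name)"
}

# Preview: evaluate the same conditions against the directory's device objects.
# The rule property deviceOSType corresponds to the Graph device property
# operatingSystem; deviceOwnership and enrollmentProfileName share their names.
$devices = Get-MgDevice -All -Property 'displayName,operatingSystem,deviceOwnership,enrollmentProfileName'

$preview = @{
    'Android_Personally_Owned_Work_Profile_BYOD' = { $_.OperatingSystem -eq 'AndroidForWork' -and $_.DeviceOwnership -eq 'Personal' }
    'Android_Personally_Owned_Work_Profile_Corp' = { $_.OperatingSystem -eq 'AndroidForWork' -and $_.DeviceOwnership -eq 'Company' }
    'Android_Dedicated_Kiosk'                    = { $_.EnrollmentProfileName -eq 'Kiosk' }
    'Android_Fully_Managed'                      = { $_.OperatingSystem -eq 'AndroidEnterprise' -and [string]::IsNullOrEmpty($_.EnrollmentProfileName) }
}

foreach ($name in $preview.Keys) {
    $matched = @($devices | Where-Object $preview[$name])
    Write-Host ("{0}: {1} device(s) would match" -f $name, $matched.Count)
    # Surface any device matching more than one group so overlapping assignments
    # (for example a Fully Managed rule that also catches Dedicated devices) are obvious.
}
```

Two practical caveats: dynamic group membership requires Azure AD Premium P1 licensing, and Azure AD processes rule changes asynchronously, so the portal's member list can lag the local preview by some time after a group is created or a device enrols. The local preview is an approximation for checking counts; the membership Azure AD computes from the rule is authoritative.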

The same methodology is valid for the creation of user groups. It may be a requirement to scope some user groups to different departments in order to differentiate app deployments or compliance requirements.

Another useful user query is to create an Intune_Users group


That concludes this post, many thanks for reading!

Monday 22 April 2019

Intune Basics Part 1: Modern Device Management with Android Enterprise - Enable Enrollment

Last updated: 24/08/21

Welcome to part 1 of this series of posts, which are intended to get you started with managing Android devices using the Android Enterprise capabilities within Microsoft Intune.

Part 2 can be found here and covers the configuration of Azure AD groups

Part 3 can be found here and covers the configuration of Personally-owned Work Profile devices

Part 4 can be found here and covers the configuration of Dedicated devices

Part 5 can be found here and covers the configuration of Fully Managed devices

This series will get you up and running as quickly as possible, therefore if you require further detail and explanation on Android Enterprise please refer to my previous post here which I am ensuring is kept up to date as newer functionality is supported within Intune.

This post discusses the steps required to associate your Intune tenant with Google, along with the other initial mandatory steps required before you can commence enrolling and configuring Android devices within Android Enterprise, utilising all of the available solution sets.

In preparation, create a Google account with a suitable generic name for the sole purpose of binding your Intune tenant with the Managed Google Play store. You could consider using a shared mailbox or distribution group within your organisation for this. Treat the account as an administrative credential: it should not belong to an individual, and its credentials should be stored and protected accordingly.

Log in to the Endpoint Manager admin center

Navigate to Devices > Android > Android Enrollment and select Managed Google Play


Check the box to agree to the terms and then select Launch Google to connect now


Select Complete sign up and enter your Google account credentials if prompted


Setup is now complete and you will have access to configure the various enrolment methods


Personally-owned Work Profile

To ensure that users are able to enrol their Android devices using the Personally-owned Work Profile method (typically for BYOD scenarios), this needs to be enabled within enrolment restrictions. In addition, unless there is a specific reason to keep it, Android device administrator enrolment should be blocked: it is the legacy management mode, deprecated by Google, and offers far weaker separation and control than Android Enterprise.

Navigate to Devices > Enroll devices > Enrollment Restrictions. Select the All Users policy within Device type restrictions


Click Properties then Edit next to Platform settings.


Select Allow for Android Enterprise (work profile) and Block for Android device administrator. Note that these settings only affect devices enrolled from this point forward, not any existing devices; devices already enrolled via device administrator remain enrolled until they are retired or re-enrolled.


Select Review + save then Save to finally complete the configuration.

Dedicated

Next up, let's create an enrolment token for enrolling Dedicated devices, typically single-purpose devices (such as kiosks) with no user association.

Navigate to Devices > Android > Android Enrollment > Corporate-owned Dedicated Devices


Select Create profile


Enter a suitable name, then select the appropriate Token type, which should be Corporate-owned dedicated device (default) unless you are specifically configuring shared mode. Select Next then Create


Create as many profiles as you need for different configurations. Part 2 of this series explains how these can be used to scope configurations to different device groups


Fully Managed

To enable Fully Managed device enrolment functionality, navigate to Devices > Android > Android Enrollment > Corporate-owned, Fully Managed user devices


Select Yes to enable the enrolment token


Corporate-Owned Work Profile

To conclude, a profile needs to be created to facilitate this enrolment method, as follows:

Navigate to Devices > Android > Android Enrollment > Corporate-owned devices with work profile


Select Create profile


Enter a suitable name for the profile then select Next followed by Create. You can create multiple profiles if necessary



That concludes this part of the series, meaning that the various enrolment methods have been set up.

Many thanks for reading this post!