Last updated: 24/08/21
Welcome to part 1 of this series of posts, which is intended to get you started with managing Android devices using the Android Enterprise capabilities within Microsoft Intune.
Part 2 can be found here and covers the configuration of Azure AD groups
Part 3 can be found here and covers the configuration of Personally-owned Work Profile devices
Part 4 can be found here and covers the configuration of Dedicated devices
Part 5 can be found here and covers the configuration of Fully Managed devices
This series will get you up and running as quickly as possible. If you require further detail and explanation on Android Enterprise, please refer to my previous post here, which I am keeping up to date as newer functionality is supported within Intune.
This post will be discussing the steps required to associate your Intune tenant with Google, along with any other initial mandatory steps required before you can commence enrolling and configuring Android devices within Android Enterprise, utilising all of the available solution sets.
In preparation, create a Google account with a suitable generic name for the sole purpose of binding your Intune tenant with the Managed Google Play store. You could consider using a shared mailbox or distribution group within your organisation for this.
Log in to the Endpoint Manager admin center
Navigate to Devices > Android > Android Enrollment and select Managed Google Play
Check the box to agree to the terms and then select Launch Google to connect now
Select Complete sign up, entering your Google account credentials if prompted
Setup is now complete and you will now have access to configure the various enrolment methods
Personally-owned Work Profile
To ensure that users are able to enrol their Android devices using the Personally-owned Work Profile method (typically for BYOD use case scenarios), this method needs to be enabled within enrolment restrictions. In addition, unless there is a specific reason to keep it, Android Device Administrator enrolment should be disabled.
Navigate to Devices > Enroll devices > Enrollment Restrictions. Select the All Users policy within Device type restrictions
Click Properties then Edit next to Platform settings.
Select Allow for Android Enterprise (work profile) and Block for Android device administrator. Note that these settings only affect devices that are enrolled from this point forward and not any existing devices.
Select Review + save then Save to finally complete the configuration.
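The following is an added example, not part of the original post: a check that the platform restrictions configured above are actually in effect. It assumes you have exported the enrolment configurations as JSON from the Microsoft Graph beta endpoint `deviceManagement/deviceEnrollmentConfigurations`; the sample data is constructed and the function name is hypothetical.

```python
import json

# Assumption: input is the JSON body returned by Microsoft Graph (beta) for
# GET /deviceManagement/deviceEnrollmentConfigurations, saved to a string.
PLATFORM_TYPE = "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration"

# Constructed sample: a tenant where Android device administrator is still allowed.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"@odata.type": "#microsoft.graph.deviceEnrollmentLimitConfiguration",
     "displayName": "All users and all devices", "limit": 15},
    {"@odata.type": PLATFORM_TYPE, "displayName": "All Users", "priority": 0,
     "androidRestriction": {"platformBlocked": False},
     "androidForWorkRestriction": {"platformBlocked": False}},
]})


def audit_android_restrictions(response_json):
    """Return a list of findings; an empty list means every platform
    restriction policy matches the settings chosen in this post."""
    findings = []
    for policy in json.loads(response_json).get("value", []):
        if policy.get("@odata.type") != PLATFORM_TYPE:
            continue  # skip enrolment limits and other configuration types
        name = policy.get("displayName", "<unnamed>")
        # androidRestriction = Android device administrator (legacy)
        device_admin = policy.get("androidRestriction") or {}
        # androidForWorkRestriction = Android Enterprise (work profile)
        work_profile = policy.get("androidForWorkRestriction") or {}
        # A missing device administrator setting is reported as not blocked.
        if not device_admin.get("platformBlocked", False):
            findings.append(f"{name}: Android device administrator is not blocked")
        if work_profile.get("platformBlocked", False):
            findings.append(f"{name}: Android Enterprise (work profile) is blocked")
    return findings


if __name__ == "__main__":
    for finding in audit_android_restrictions(SAMPLE_RESPONSE):
        print(finding)
```

Because the restriction only applies to new enrolments, a clean result here says nothing about devices that were already enrolled through device administrator.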
Dedicated
Next up, let's create an enrolment token for enrolling "Dedicated Devices", typically designed for devices that are for single use, without any user association.
Navigate to Devices > Android > Android Enrollment > Corporate-owned Dedicated Devices
Select Create profile
Enter a suitable name then select an appropriate Token type, which should be Corporate-owned dedicated device (default) unless specifically configuring shared mode. Select Next then Create
Create as many profiles as you need for different configurations. Part 2 of this series explains how these can be used to scope configurations to different device groups
To enable Fully Managed device enrolment functionality, navigate to Devices > Android > Android Enrollment > Corporate-owned, Fully Managed user devices
Select Yes to enable the enrolment token
Corporate-Owned Work Profile
To conclude, a profile needs to be created for facilitating this enrolment method in the following manner:
Navigate to Devices > Android > Android Enrollment > Corporate-owned devices with work profile
Select Create profile
Enter a suitable name for the profile then select Next followed by Create. You can create multiple profiles if necessary
That concludes this part of the series, meaning that the various enrolment methods have been set up.
Many thanks for reading this post!
Thanks very much for posting this, I was missing this part and wondering why my Android wasn't being managed as an MDM device.
Thanks,
Fult.