Thursday 27 June 2019

Intune Basics Part 3: Modern Device Management with Android Enterprise - Personally-owned Work Profile Configuration

Welcome to part 3 of this series of posts, which is intended to get you started with managing Android devices using the Android Enterprise capabilities within Microsoft Intune.

Part 1 can be found here and covers setting up the various Android Enterprise enrolment methods

Part 2 can be found here and covers the configuration of Azure AD groups

Part 4 can be found here and covers the configuration of Dedicated devices

Part 5 can be found here and covers the configuration of Fully Managed devices

This series will get you up and running as quickly as possible; if you require further detail and explanation on Android Enterprise, please refer to my previous post here, which I am keeping up to date as newer functionality is supported within Intune.

This post focuses on the Work Profile solution set, which is primarily designed for the enrollment of personally owned devices. When a device is enrolled this way, Intune controls only the apps and settings deployed inside the work profile and has very limited access to the remainder of the device. This creates a secure, separated location for company apps and data, and it is also privacy friendly, giving the end user peace of mind when enrolling a personal device.
In my humble opinion there is, or has been, a valid use case for using Work Profiles with company-owned devices, especially for organisations that adopted Android Enterprise in Intune early. Initially this was the only solution set available, and it also had the attraction of providing seamless app deployment to devices.
In this scenario it is also useful to pre-declare a device so that it is labelled as company owned, which lets you scope it to an Azure AD device group (see my previous post here).

First of all, I will show you how to pre-declare a device. To reiterate, this is only required if you are using Work Profiles on company-owned devices:

Log into the M365 Device Management Portal. Navigate to Device Enrollment > Corporate Device Identifiers > Add > Enter Manually

Select IMEI for the identifier type, then enter the device's IMEI and a suitable description. Click Add to finish.

The device now appears in the list. Note that once it is enrolled, its status will change from "Not contacted" to "Enrolled".

So let's get started with creating some Work Profile Configuration to deploy to devices.
Navigate to Device configuration > Profiles > Create profile

Enter a suitable profile name. I like to make mine as descriptive as possible, so in this example it is called "Android Work Profile Device Restrictions - Company". Also select "Android Enterprise" as the platform.

Under profile type, select "Device restrictions" within the "Work profile only" menu.

You now have access to all of the settings available

This part is dependent on your organisational requirements; however, as a bare minimum I would suggest at least deploying this profile with the default options selected. In this example let's have a look at some security settings, including setting different passcodes for the device itself and the work profile.

Select "Prevent any sharing across boundaries" under the "Data sharing between work and personal profile" option. This stops data moving out of the work profile into personal apps (and vice versa), which is the main control that keeps company data separated on a personally owned device.

Scroll down now and let's specify the option to require a Work Profile password, and set the minimum password length to 8.

Now under "Device Password" set the minimum length to 4

Select "OK" twice, then "Create" to save the profile

Now we need to deploy it to our device group; this policy is for company-owned devices. Under the properties of the profile, select Assignments > Select groups to include.

Select our "Android Work Profile - Company Devices" group > Select > Save. That's the configuration profile deployed.
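As an added example that is not part of the original post, the following Python script expresses the two things configured above, pre-declaring a company-owned device by IMEI and the Work Profile restrictions profile, as Microsoft Graph request bodies, and audits an existing profile against the baseline used in this post (no cross-boundary sharing, Work Profile password required with a minimum length of 8, device password minimum length of 4). The property and type names are assumed to follow the Graph `androidWorkProfileGeneralDeviceConfiguration` and `importedDeviceIdentity` resources as I know them; check them against the current Graph reference before use. The IMEI and profile values are constructed for illustration.

```python
"""Build and audit Intune Android Enterprise Work Profile settings (added example).

Assumptions (verify against the Graph reference): deviceConfigurations accepts an
androidWorkProfileGeneralDeviceConfiguration body with the properties used below,
and corporate identifiers are imported as importedDeviceIdentity objects.
"""
from __future__ import annotations

GRAPH_WORK_PROFILE_TYPE = "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration"

# Baseline from the post: work profile password of at least 8, device password of at least 4.
MIN_WORK_PROFILE_PASSWORD_LENGTH = 8
MIN_DEVICE_PASSWORD_LENGTH = 4


def build_work_profile_restrictions(display_name: str) -> dict:
    """Request body for POST /deviceManagement/deviceConfigurations (assumed schema)."""
    return {
        "@odata.type": GRAPH_WORK_PROFILE_TYPE,
        "displayName": display_name,
        "description": "Work profile restrictions for company-owned devices",
        "workProfileDataSharingType": "preventAny",        # "Prevent any sharing across boundaries"
        "workProfileRequirePassword": True,                # require a Work Profile password
        "workProfilePasswordMinimumLength": MIN_WORK_PROFILE_PASSWORD_LENGTH,
        "passwordMinimumLength": MIN_DEVICE_PASSWORD_LENGTH,  # device password
    }


def audit_work_profile_restrictions(profile: dict) -> list[str]:
    """Return findings for a profile that is weaker than the baseline; empty means it passes."""
    if profile.get("@odata.type") != GRAPH_WORK_PROFILE_TYPE:
        return ["not an Android Enterprise work profile restrictions profile"]
    findings = []
    if profile.get("workProfileDataSharingType") != "preventAny":
        findings.append("data sharing across the work/personal boundary is not prevented")
    if not profile.get("workProfileRequirePassword"):
        findings.append("work profile password is not required")
    wp_len = profile.get("workProfilePasswordMinimumLength") or 0
    if wp_len < MIN_WORK_PROFILE_PASSWORD_LENGTH:
        findings.append(f"work profile password minimum length {wp_len} is below {MIN_WORK_PROFILE_PASSWORD_LENGTH}")
    dev_len = profile.get("passwordMinimumLength") or 0
    if dev_len < MIN_DEVICE_PASSWORD_LENGTH:
        findings.append(f"device password minimum length {dev_len} is below {MIN_DEVICE_PASSWORD_LENGTH}")
    return findings


def is_valid_imei(imei: str) -> bool:
    """An IMEI is 15 digits whose last digit is a Luhn check digit.

    Validating before pre-declaring catches typos that would otherwise leave the
    identifier sitting at "Not contacted" because no device ever matches it.
    """
    digits = imei.replace(" ", "").replace("-", "")
    if len(digits) != 15 or not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def build_corporate_identifier(imei: str, description: str) -> dict:
    """Request body element for pre-declaring a company-owned device by IMEI (assumed schema)."""
    if not is_valid_imei(imei):
        raise ValueError(f"{imei!r} is not a valid 15-digit IMEI (Luhn check failed)")
    return {
        "importedDeviceIdentifier": imei.replace(" ", "").replace("-", ""),
        "importedDeviceIdentityType": "imei",
        "description": description,
    }


if __name__ == "__main__":
    # Constructed sample values, not real devices or tenant data.
    print(build_corporate_identifier("490154203237518", "Sales tablet - company owned"))
    baseline = build_work_profile_restrictions("Android Work Profile Device Restrictions - Company")
    print("baseline findings:", audit_work_profile_restrictions(baseline))
    weak = dict(baseline, workProfileDataSharingType="deviceDefault", workProfilePasswordMinimumLength=4)
    print("weak profile findings:", audit_work_profile_restrictions(weak))
```

The audit function is the piece worth keeping: run it over the JSON returned by `GET /deviceManagement/deviceConfigurations` and it tells you which Work Profile policies drift from the baseline without anyone having to click through each profile in the portal.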

Now it's time to enroll the device. Install the Company Portal app from the Google Play store and log in with your credentials.

Select "Continue"

"Continue" again

Select "Next"

Accept the terms

The device will now enroll

Select "Continue", then "Done". Enrollment is now complete.

The deployment status can be monitored within the properties of the profile under the "Device Status" report.

The device is now prompting for a passcode to be set; select the prompt.

Now I am going to select "Password" for this example to illustrate some default behaviour

Select "PIN"

You are prompted for a minimum of 4 digits, as we expect

The device now prompts for the work profile PIN to be set, and also for the device PIN again.

This is because, by default, the option below will be turned on.

Referring to the following article: "By default, the end user can use the two separately defined PINs, or users can choose to combine the PINs into the stronger of the two PINs." So the default setting will combine the work profile PIN setting with the device PIN and use the stronger of the two. Careful consideration should be given, along with an effective communication plan to your end users, before enabling this.

The "secure work profile" option should now be selected. First the device prompts for the lock screen password.

Then the user can proceed and set the Work Profile PIN.

Well, that's got you up and running with your Work Profile configuration. Thanks for reading this post, and stay tuned for part 4.