Part 2 can be found here and covers the configuration of Azure AD groups
Part 4 can be found here and covers the configuration of Dedicated devices
Part 5 can be found here and covers the configuration of Fully Managed devices
This series is meant to get you up and running as quickly as possible, so if you need further detail and explanation on Android Enterprise please refer to my previous post here, which I am keeping up to date as newer functionality is supported within Intune.
This post focuses on the Work Profile solution set, which is primarily designed for the enrollment of personally owned devices. When a device is enrolled, Intune has control only over the apps and settings deployed inside the work profile, with very limited access to the rest of the device. This creates a secure location for company apps and data and is also privacy friendly, giving the end user peace of mind when enrolling a personal device.
In my humble opinion there is, or at least has been, a valid use case for using Work Profiles on company owned devices, especially for organisations using Intune that were early adopters of Android Enterprise: initially this was the only solution set available, and it also had the attraction of seamless app deployment to devices.
In this scenario it is also useful to pre-declare the device so that it is labelled as company owned and can therefore be scoped to an Azure AD device group (see my previous post here).
First of all, I will show you how to pre-declare a device. To reiterate, this is only required if you are using Work Profiles on company owned devices:
Log into the M365 Device Management portal and navigate to Device Enrollment > Corporate Device Identifiers > Add > Enter Manually.
Select IMEI as the identifier type, enter the device's IMEI and a suitable description, then click Add to finish.
The device now appears in the list. Note that once it is enrolled, its status will change from "Not contacted" to "Enrolled".
So let's get started with creating some Work Profile Configuration to deploy to devices.
Navigate to Device configuration > Profiles > Create profile
Enter a suitable profile name. I like to make mine as descriptive as possible, so in this example it is called "Android Work Profile Device Restrictions - Company". Also select "Android Enterprise" as the platform.
Under profile type, select "Device restrictions" within the "Work profile only" menu.
You now have access to all of the available settings.
This part depends on your organisational requirements; as a bare minimum I would suggest deploying this profile with at least the default options selected. In this example let's look at some security settings, including setting different passcodes for the device itself and for the work profile.
Select "Prevent any sharing across boundaries" under the "Data sharing between work and personal profile" option.
Scroll down and select the option to require a Work Profile password, setting the minimum password length to 8. A longer minimum for the work profile makes sense because that is the lock that sits in front of the company apps and data.
Under "Device Password", set the minimum length to 4.
Select "OK" twice, then "Create" to save the profile.
Now we need to deploy it to our device group; this policy is for company owned devices. Under the properties of the profile, select Assignments > Select groups to include.
Select our "Android Work Profile - Company Devices" group > Select > Save. That's the configuration profile deployed.
Now it's time to enroll the device. Install the Company Portal app from the Google Play Store and log in with your credentials.
Select "Continue"
"Continue" again
Select "Next"
Accept the terms
The device will now enroll
Select "Continue" then "Done"; enrollment is now complete.
The deployment status can be monitored within the properties of the profile under the "Device Status" report
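The same profile, assignment and "Device Status" check as in the steps above can be scripted against Microsoft Graph. This is an added example written for this post, not code from the original author or from Microsoft. It assumes the Microsoft.Graph PowerShell module, the beta endpoint, the resource type `androidWorkProfileGeneralDeviceConfiguration` and the property names used below (`workProfileDataSharingType`, `workProfileRequirePassword`, `workProfilePasswordMinimumLength`, `passwordMinimumLength`); verify those against the Graph documentation for your tenant before running it. The group display name is the one used in this post.

```powershell
# Added example (not from the original post): create the Work Profile device
# restrictions profile via Graph, assign it to the company-device group from Part 2,
# read the stored settings back, and pull the per-device status report.
# Assumptions: beta endpoint, resource type and property names as below.

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "Group.Read.All"

$graph = "https://graph.microsoft.com/beta"

# Settings mirroring the walkthrough: block cross-profile sharing, require a work
# profile password of at least 8 characters, device password of at least 4.
$profileBody = @{
    "@odata.type"                    = "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration"
    displayName                      = "Android Work Profile Device Restrictions - Company"
    description                      = "Created via Graph; mirrors the portal walkthrough"
    workProfileDataSharingType       = "preventAny"
    workProfileRequirePassword       = $true
    workProfilePasswordMinimumLength = 8
    passwordMinimumLength            = 4
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceManagement/deviceConfigurations" `
    -Body ($profileBody | ConvertTo-Json -Depth 5) -ContentType "application/json"
$profileId = $created.id

# Resolve the Azure AD device group by display name (name taken from this post).
$group = Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/groups?`$filter=displayName eq 'Android Work Profile - Company Devices'&`$select=id"
$groupId = $group.value[0].id
if (-not $groupId) { throw "Group 'Android Work Profile - Company Devices' not found" }

# Assign the profile to that group (Assignments > Select groups to include > Save).
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceManagement/deviceConfigurations/$profileId/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType "application/json" | Out-Null

# Read back what was stored: a cheap check that the security settings landed as
# intended before any device picks the profile up.
$stored = Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/deviceConfigurations/$profileId"
if ($stored.workProfilePasswordMinimumLength -lt 8 -or $stored.workProfileDataSharingType -ne "preventAny") {
    throw "Profile $profileId did not save with the expected settings"
}

# Same data as the 'Device Status' report under the profile's properties.
$status = Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/deviceManagement/deviceConfigurations/$profileId/deviceStatuses"
$status.value | Select-Object deviceDisplayName, userName, status, lastReportedDateTime | Format-Table
```

The read-back step is the one worth keeping even if you create profiles in the portal: it confirms the stored values rather than the values you think you clicked, and it is easy to extend into a periodic drift check across all Android Enterprise profiles.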
The device is now prompting for a passcode to be set, select the prompt
Now I am going to select "Password" for this example to illustrate some default behaviour
Select "PIN"
You are prompted for a minimum of 4 digits, as we expect
The device now prompts for the work profile PIN to be set and also the device PIN again
This is because by default the option shown below is turned on.
Referring to the following article, https://docs.microsoft.com/en-us/intune/device-restrictions-android-for-work#work-profile-password: "By default, the end user can use the two separately defined PINs, or users can choose to combine the PINs into the stronger of the two PINs." So with the default setting the user may merge the work profile PIN and the device PIN into a single PIN, which must then satisfy the stronger of the two policies; in this example a combined PIN has to meet the 8-character work profile minimum rather than the 4-digit device minimum. Consider this carefully and have an effective communication plan for your end users before enabling this.
The "secure work profile" option should now be selected. First the device prompts for the lock screen password.
Then the user can proceed and set the Work Profile PIN.
Well that's got you up and running with your Work Profile configuration, thanks for reading this post and stay tuned for part 4.