Part 2 can be found here and covers the configuration of Azure AD groups
Part 3 can be found here and covers the configuration of Personally-owned Work Profile devices
Part 4 can be found here and covers the configuration of Dedicated devices
This series will get you up and running as quickly as possible. If you require further detail and explanation on Android Enterprise, please refer to my previous post here, which I am keeping up to date as newer functionality is supported within Intune.
This post covers the enrollment and configuration of a Fully Managed device, which is pretty much exactly as it sounds: Intune has full control over the device and there is no facility provided for the user to have personal apps and data. If you followed my last post on Dedicated devices, you will see a similar configuration process; in fact, the same Configuration Profile is used for both Dedicated and Fully Managed. A caveat to this statement is the setting Users and Accounts > Account Changes, which at this time is not supported to be set to Blocked on Fully Managed devices.
Setting Account Changes to Blocked will cause enrollment issues, as described in Peter Egerton's blog here.
There are different methods you can use to enroll your device, depending on the OS, as detailed in the documentation. In this example I am going to use the QR code method on an Android 7.0 device.
Ensure the device is either new out of the box or has been factory reset, then at the first screen tap anywhere in the white space 6 times
Select Next
Connect to Wifi
The QR reader will now download and install
You can now scan the enrollment token
Encrypt the device if prompted.
Accept any terms then select Next
The device will commence updating Google Play Services
Accept the terms to launch Chrome
Authenticate with Azure AD credentials
I have deployed a compliance policy setting for encryption to my Android Fully Managed devices, which means that secure startup must be enabled. This prevents the device from booting into the OS until a PIN or password is entered. Select Start
Just to be clear: in this example we are being prompted to "enable" encryption because secure startup isn't enabled, not because the device isn't encrypted
Select Secure Startup
Select Set Screen Lock Type; in this example I am setting a PIN
Select a lock screen notifications option
Set up fingerprints if required
Select Require PIN when device powers on to enable secure startup, then enter your PIN when prompted
Select the back button at the top left
Follow the prompts to commence installing apps
Select START to commence device registration
Sign in to the Microsoft Intune app when prompted
Select Next
Select DONE to complete device registration
And then one more time to complete the enrollment
With Fully Managed there is the ability to enable any system apps on the device. On the handset I am testing, a Samsung Galaxy A5 (2016), I wish to enable the gallery application
To do this I first need the package name, so in my example I have deployed the Package Name Viewer 2.0 application. On launching it, search for Gallery; you may need to try a search in both the User Apps and System Apps tabs
Within the M365 Device Management Console navigate to Client Apps > Apps
Add an app and for the app type select Android Enterprise system app
Enter the system app details including specifying the package name
Select OK then Add
Deploy the app to an AAD group
Now you can see the system app enabled on the device
That's it for this post, feel free to reach out to me if you have any questions. Thanks for reading!