Wednesday 25 September 2019

Intune Basics Part 5: Modern Device Management with Android Enterprise - Configuring Fully Managed Devices

Welcome to part 5 of this series of posts, which are intended to get you started with managing Android devices using the Android Enterprise capabilities within Microsoft Intune.

Part 1 can be found here and covers setting up the various Android Enterprise enrolment methods

Part 2 can be found here and covers the configuration of Azure AD groups

Part 3 can be found here and covers the configuration of Personally-owned Work Profile devices

Part 4 can be found here and covers the configuration of Dedicated devices

This series is intended to get you up and running as quickly as possible, so if you require further detail and explanation on Android Enterprise please refer to my previous post here, which I am keeping up to date as newer functionality is supported within Intune.

This post will cover the enrollment and configuration of a Fully Managed device, which is pretty much exactly as it sounds: Intune has full control over the device and there is no facility for the user to have personal apps and data. If you followed my last post on Dedicated devices you will see a similar process configuration-wise; in fact the same Configuration Profile is used for both Dedicated and Fully Managed. One caveat to this is the setting Users and Accounts > Account Changes, which at this time is not supported when set to Blocked on Fully Managed devices.

Setting this to Blocked will cause enrollment issues, as described in Peter Egerton's blog here.

There are different methods you can use to enroll your device, depending on the OS version, as detailed in the documentation. In this example I am going to use the QR code method on an Android 7.0 device.

Ensure the device is either new out of the box or has been factory reset, and at the first screen tap anywhere in the white space 6 times

Select Next

Connect to Wifi

The QR reader will now download and install

You can now scan the enrollment token

Encrypt the device if prompted.

Accept any terms then select Next

The device will commence updating Google Play Services

Accept the terms to launch Chrome

Authenticate with Azure AD credentials

I have deployed a compliance policy setting for encryption to my Android Fully Managed devices, which means that secure startup must be enabled; this prevents the device from booting into the OS until a PIN or password is entered. Select Start.

Just to be clear: in this example we are being prompted to "enable" encryption because secure startup isn't enabled, not because the device isn't encrypted.

Select Secure Startup

Select Set Screen Lock Type; in this example I am setting a PIN

Select a lock screen notifications option

Set up fingerprints if required

Select Require PIN when device powers on to enable secure startup, then enter your PIN when prompted

Select the back button at the top left

Follow the prompts to commence installing apps

Select START to commence device registration

Sign in to the Microsoft Intune app when prompted

Select Next

Select DONE to complete device registration

Select DONE once more to complete the enrollment

With Fully Managed there is the ability to enable any system apps on the device, and on the handset I am testing, a Samsung Galaxy A5 (2016), I wish to enable the gallery application.

To do this I first need the package name, so in my example I have deployed the Package Name Viewer 2.0 application. On launching it, search for Gallery; you may need to try the search in both the User Apps and System Apps tabs.

Within the M365 Device Management Console navigate to Client Apps > Apps

Add an app and for the app type select Android Enterprise system app

Enter the system app details including specifying the package name

Select OK then Add

Deploy the app to an AAD group

Now you can see the system app enabled on the device
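For anyone who wants to script the console steps above, here is an added example (my own, not from the post or from Microsoft) that creates the same Android Enterprise system app object and assigns it to a group through Microsoft Graph. It assumes you already hold an access token with DeviceManagementApps.ReadWrite.All in $Token, and that the beta androidManagedStoreApp resource with isSystemApp set to true is what the console creates for this app type; property names are an assumption to verify against the Graph reference.

```powershell
# Added example: create an Android Enterprise system app via Microsoft Graph (beta).
# Assumptions: $Token is a valid bearer token; the console's "Android Enterprise
# system app" maps to androidManagedStoreApp with isSystemApp = $true.
param(
    [Parameter(Mandatory)][string]$Token,
    [Parameter(Mandatory)][string]$PackageName,   # value shown by Package Name Viewer
    [Parameter(Mandatory)][string]$DisplayName,
    [string]$Publisher = 'Samsung',
    [string]$GroupId                               # optional AAD group object id
)

# Android package names are dot-separated identifiers with at least two segments.
# Rejecting anything else avoids creating an app object that can never match a package.
if ($PackageName -notmatch '^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$') {
    throw "'$PackageName' is not a valid Android package name"
}

$headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }
$base    = 'https://graph.microsoft.com/beta/deviceAppManagement/mobileApps'

$body = @{
    '@odata.type' = '#microsoft.graph.androidManagedStoreApp'
    displayName   = $DisplayName
    publisher     = $Publisher
    packageId     = $PackageName
    appIdentifier = $PackageName
    isSystemApp   = $true
} | ConvertTo-Json

$app = Invoke-RestMethod -Method Post -Uri $base -Headers $headers -Body $body
Write-Host "Created system app '$($app.displayName)' with id $($app.id)"

if ($GroupId) {
    # Required-intent assignment, the equivalent of "Deploy the app to an AAD group".
    $assign = @{
        mobileAppAssignments = @(@{
            '@odata.type' = '#microsoft.graph.mobileAppAssignment'
            intent        = 'required'
            target        = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $GroupId
            }
        })
    } | ConvertTo-Json -Depth 5
    Invoke-RestMethod -Method Post -Uri "$base/$($app.id)/assign" -Headers $headers -Body $assign
}
```

Run it as .\New-SystemApp.ps1 -Token $t -PackageName com.example.gallery -DisplayName Gallery -GroupId <group-object-id> (package name and group id are placeholders); the app then appears under Client Apps > Apps exactly as if added in the console.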

That's it for this post, feel free to reach out to me if you have any questions. Thanks for reading!