Friday, 27 August 2021

Intune Basics Part 6: Modern Device Management with Android Enterprise - Configuring Corporate-Owned Work Profile Devices

Welcome to part 6 of this series of posts which are intended on getting you started with managing Android devices using the Android Enterprise capabilities within Microsoft Intune.

Part 1 can be found here and covers setting up the various Android Enterprise enrolment methods

Part 2 can be found here and covers the configuration of Azure AD groups

Part 3 can be found here and covers the configuration of Personally-owned Work Profile devices

Part 4 can be found here and covers the configuration of Dedicated devices

Part 5 can be found here and covers the configuration of Fully Managed devices

This series will get you up and running as quickly as possible, therefore if you require further detail and explanation on Android Enterprise please refer to my previous post here which I am ensuring is kept up to date as newer functionality is supported within Intune.

Well, its admittedly been a while however this post will be picking up again the series to discuss this latest Android Enterprise enrolment type, which was announced as generally available as of the 2106 Intune service release.

Some Background Info

Many of you no doubt will have already tested this, or even deployed into production as it has been available in public preview since being first announced on 17th July 2020 and is typically the most sought after enrolment type due to its flexibility. It is commonly referred to as "COPE" within the mobility community, describing its intended use case (Corporate Owned, Personally Enabled). 

Its definitely worth mentioning at this stage that the implementation of COPE on some other MDM platforms for certain versions of Android, may be different to that of COPE within Intune. You should take this into consideration in migration scenarios as there will be differences in what is visible on the device to Intune than in these scenarios to the respective MDM solutions. This newer iteration is privacy friendly by design, as stated by Google and was mandated as of Android 11. Note that does not mean Android 11 is specifically required to support COPE on devices in Intune, as the functionality was back ported to be supported from Android 8 and newer, this support statement clearly defined in the documentation.

So what does this look like then both to the end user and from an Admin perspective? Well end user wise, almost identical to that of a Personally-Owned Work Profile (COPE) device, in fact it is designed to provide the user with access to an area for their own personal apps and data. From an Admin perspective, along with the previously mentioned point with COPE on other MDM platforms, it is also important to know that there is no way to retire just the Work Profile in this scenario, only a full wipe. Bear that in mind when allowing your users to access personal apps and data on company owned devices.
Finally I would also add that in my experience, the time it takes to enrol the device in comparison to all of the other Android Enterprise methods is quite a bit longer. Bear that in mind when expecting your users to set up their devices themselves and spec your hardware generously.

Configuration

Let's take a look at a Device Restrictions profile which would probably be your first port of call when configuring a COPE device

Navigate in the Endpoint Manager admin center to Devices > Android > Configuration profiles select Create profile



Select Android Enterprise for the platform and then Device restrictions within the heading Fully Managed, Dedicated and Corporate-Owned Work Profile


Enter a name for the profile and then select Next. You will now be presented with all of the available configuration options



As you are probably aware by now, there is a standardised layout which is prevalent for most configuration profiles across all platforms. Settings are grouped by applicability to the different enrolment types that are available


It is important to remember this to save both bloating you profile with unnecessary settings, but also you can create some unintended behaviour. If you really want to confuse yourself, like I did within Device experience set the Enrolment profile type to Fully Managed. The device will indeed be enrolled as COPE but the profile will give it the characteristics of a Fully Managed device.
So essentially, do not set the below, leave it as Not configured


I also just wanted to point out some more settings, firstly if you need to enable USB debugging, perhaps for screen sharing your device, then you will need to within the General section set Debugging features to Allow


Also note that there are two different places to block Screen capture and the Camera which can be done for apps within the Work Profile only


Also within the personal profile (remainder of the device) this restriction can be applied


Enrolment

As a reminder, back in part 1 of this serious we configured the various enrolment methods including this one, so lets have a look at what an enrolment looks like. Note that this is being tested on a Samsung Galaxy A12 with Android 11 as the Operating System

Tap anywhere in the blank space multiple times, note that this is on a device that is either brand new or has been factory reset


Select a Language then Next


Scan the QR code version of the associated COPE Enrolment token


Connect to Wi-Fi


Select Next


The enrolment process will start


Agree the terms


The Work Profile will start being created


Select Accept & continue


Sign in with credentials


Select Install


Select Next


Select Set up


Sign In


Enter the password again


Register


Done


Next



The end user can now enter their personal Google account details if they wish, facilitating access to personal apps and data within the personal profile of the device


Review the terms, scroll down and select an option



Review and set the date and time then select Next


Review the Google services, scroll down then select Accept


Select a security option


Select an option for Google Assistant


Review and remove any additional apps as desired, scroll down then select OK



Review and accept the terms as desired, select Next


Select an option


Further review recommended apps, select Install / Finish


The device is now enrolled. If you swipe up from the bottom you will see that the personal and work apps are separated, with the same experience as per on a Personally-owned Work Profile device



That's all for this post, many thanks for reading