How to configure Android Enterprise – Corporate-owned, fully managed user devices mode with Microsoft Intune

In the last two months I wrote some blogs regarding different type of Android Enterprise modes. It’s now time for the last mode; Android Enterprise – Corporate-owned, fully managed user devices. And as the name of this mode indicates, this mode is for user based scenario’s. The enrollment process is more or less the same as with the dedicated device mode. The enrollment process also start with scanning a QR code. However, a user needs to enter his or her credentials during enrollment and all applications and profiles needs to be published user based (see also step 6: testing the results).

In this blog I will show you step-by-step how to configure the Android Enterprise – Corporate-owned, fully managed mode within Microsoft Intune. Note that by the time of writing, this mode is still in (public) preview.

Before you can start with the configuration of this mode, make sure you have the following in place;

  • Microsoft Azure tenant with Microsoft Intune up and running
  • Linked your Managed Google Play account with this Azure tenant
  • Android test device(s)

In this blog I will cover the following topics;

  • Step 1 : Create a Corporate-owned, fully managed user device Enrollment Token
  • Step 2 : Create an User Group
  • Step 3 : Publish Google Managed Applications
  • Step 4 : Configure App Protection Policies
  • Step 5 : Create a device restriction profile
  • Step 6 : Test the results

Let’s get started.

Step 1 : Create a Corporate-owned, fully managed user device Enrollment Token

For the following steps, login to the Microsoft Azure Portal first.

Navigate to Microsoft Intune > Android enrollment and click Corporate-owned, fully managed user devices (Preview)

Set Allow users to enroll corporate-owned user devices to Yes

An Enrollment token will now be generated and displayed below. During the enrollment of the corporate device, this enrollment token is needed in one of the first steps.

Step 2 : Create an User Group

As mentioned before, with Android Enterprise – Corporate-owned, fully managed mode, everything is user based. Therefor I will create a new user group to publish all resources to.

Navigate to Azure Active Directory > Groups and click the + New group button

Select Security as Group type and give the new group a name and a description. Select Assigned as Membership type.

Make the relevant users a member of this group.

Click Create

Step 3 : Publish Google Managed Applications

In Android Enterprise – Corporate-owned, fully managed mode you can publish applications as required (mandatory) or optional (available for install). For this blog I will show you both ways and how it looks like on the end point device.

Navigate to Microsoft Intune > Client apps > Apps and click the + Add button

Select Managed Google Play as App type. Click Managed Google Play / Approve and search for the application you want to publish to the end point devices.

For this blog I will publish a few Microsoft Office 365 applications, starting with Microsoft Outlook. Click Approve

Click Approve once again

Select Keep approved when app requests new permissions and click Save

Repeat these steps for every app you want to make available.

When finished with all the apps, click OK

Click Sync

Navigate to Microsoft Intune > Client apps > Apps. After the sync is finished, all new apps will appear here.

Select an application to publish it to the user group created in the previous step.

Open the Assignments page and click Add group

For the Assignment type, select Required when you want to publish the application as a mandatory application and Available or enrolled device or Available with or without enrollment if you want to publish the application as an optional application.

Click Include Groups and select the user group created in previous step.

Click OK twice and then click Save

 Step 4 : Configure App Protection Policies

This step is optionally but I always configure this as my own best practice. To prevent the end user from saving Microsoft Office documents and Microsoft Outlook attachments to storage accounts like Dropbox, we need to prevent the save as option in the Microsoft Office applications. This is possible with an App Protection Policy. I will show you this step-by-step.

NOTE: If you are deploying App Protection Policies, make sure you have deployed the Intune Company Portal app as mandatory!

Navigate to: Microsoft Intune > Client apps > App protection policies. Click the + Create policy button

Fill in a name. Select Android as Platform. Set Target to all app types to NO and select Apps on Intune managed devices as App types.

Open the Select required apps page and select the Microsoft Office applications (and other apps that can be managed by Intune) and click the Select button.

Open the Settings / Default settings configured page and then the Data protection page. You can configure the settings you want. For preventing end user from saving Outlook attachments to storage accounts like Dropbox, set Save copies of Org data to Block. After this, you have the option to acceptations for OneDrive for Business and SharePoint.

Open the Access requirements page, since this profile will be applied to Android Enterprise, Corporate Owned, Fully managed user devices, I will disable the PIN for access.

Click OK twice and click Create

Open the Assignments page and select the User Security Group created in step 2. Click Save

Step 5 : Create a device restriction profile

This is an optional step in case you want to disable some features on the device or want to enforce some security settings. In this case I will disable the factory reset option for the end user and block USB file transfer.

Navigate to: Microsoft Intune > Device configuration > Profiles and click the +Create profile button

Give this profile a name and optionally a description. Select Android enterprise as Platform and select Device restrictions as Profile type. On the Settings / Configure page you can set de restrictions you want, for this blog I will disable the Factory reset function and the USB file transfer.

Click OK twice and click Create

Open the Assignments page and publish this Profile to the user security group created in step 2 of this blog.

Step 6 : Test the results

Let’s test the results by enrolling a new Android device.

Left : Start an Android device. On the “language select page”, tab 7 times a white space.

Right : Tab Next

Left : Connect with a WiFi network

Right : The QR reader will now be installed

Left : Select I have read and agree to all of the above (if you do) and tab Next

Right : Select at least End User License Agreement and tab Agree

Left : Tab Accept & Continue

Right : Login with your user credentials

Left : Tab Please click here to continue

Right : All mandatory (required) applications will be installed automatically, without the need of any Google Play Store ID

Left : When opening the Google Play Store on the device. Only the applications published from Microsoft Intune are visible, other apps cannot be installed on the device

Right : Optional (available) applications can be installed manually

29 comments

  • Hi Robin!

    Thanks for the guide. It’s very helpful! Would you have a similar guide for Iphone corporate-owned fully managed?

    Regards.

    • Thanks! With Apple iOS it is different that with Android Enterprise. I thank you can compare “corp-owned, fully managed” best with Apple Supervised devices like with Apple DEP.

  • Hi Robin,
    We configured fully managed and encounter two problems. Deploy weblinks dont works/arrive.
    Second is if we close the Company portal the device (factory) reset.
    Any idea or guidance ?

  • Robin,
    Thank you for this guide. Do you have one written for how to migrate or re-enroll a device that has already been setup and enrolled as an Android device over to a fully managed Android Enterprise device in Intune?
    Thank you in advance for any reply.

  • Hi Robin – this is excellent information, and thanks for sharing. Have you experimented with Microsoft Intune and Android zero-touch enrollment? It looks like Microsoft is now considered an EMM partner, so was curious if it indeed works using a carrier partner.

  • Hi,

    Can we not use this (preview) without completely resetting the device?
    We need to change 500 devices to intune and we want this mode but we do not want to reinstall each device.

    Gr,

    Richard

  • Hi Robin,
    in this modality I cannot use standard (for example Samsung) android app (camera, gallery, contacts) ?

    • i am also having this issue…
      i cant see default apps on Android deivces like camera gallery and contacts.

      Please help

  • Have you had any issues with pushing out Wireless profiles on devices in Corporate-owned, fully managed user devices (Preview) mode?

    I’m using the Android Enterprise Device Owner Only option to create, this appears to work initially but after a while the network seems to stop working and asks for a password again.

    Within Intune the policy just states pending.

    • I noticed Google Backup is not available within managed profiles, do you know how to enable this?

  • If a user has a personal device and a corporate device and is a member of a group for corporate owned and also a member of a group for a peronal device with work profile, how does the device know which profile to use?

  • Hi Robin, one question on step 5 where you created the configuration profile.
    There are two option for Device restrictions under Android Enterprise.
    1) Device Owner Only – Device restriction
    2) Work Profile Only – Device restriction
    Which one to use for this scenario? There are different options under each of this.

  • Hi Robin,
    How can we enroll an Android corporate mobile phone device into a fully manage state without having to wipe the phone, is this possible as we only appear to be able to enroll using Company Portal and not the Intune App.

    Thank you

      • Thank you for the reply. Is it possible to enroll fully managed devices using a management account and then change the Device name to reflect the user the device will be assigned to, as it appears we can only change the Management name currently?

  • Hi Robin, we would like to go by Corporate-owned, fully managed user device, but if we create this model and user add personal google account and install some apps from google play, then after each phone restart are all personal apps removed. User cannot personalize this phone. This is feature or bad behavior?

    Thanks Robin.

  • Hi Robin,

    Excellent guide as always, have you tried deploying application configuration policies to Android Enterprise corporate-owned devices? I’m trying to configure outlook but not getting anywhere, ‘pending’ status on the app configuration policy deployment, have you had any luck?

    Thanks,
    Alex.

  • Hi Robin
    Thank you for this! In this enrollment mode, does Intune automatically push and install the allowed applications to the Android device ?

  • Hi Robin,

    I have followed the instructions step by step but on my Samsung, i cant see default apps such as camera and gallery?

    I created a device restriction policy and set the camera to NOT configured, and if i install the camera from Play Store (not default camera app) it works. But the default camera and gallery app are not appearing.

    Is there any thing i could do?

  • Hi Robin,

    This is great guide! thanks for that! i had a play myself but do you know if there is WIP from intune to unhide core applications (e.g. samsung email, calendar, camera and gallery) as well as enable exchange push to samsung knox instead of limiting the choice to only nineworks and gmail app?

About Robin Hobo

I am a Technology Specialist working for Microsoft with focus on the Modern Workplace. I am specialized in Microsoft Intune, Azure Virtual Desktop (AVD), Windows 365, Windows 11 and Azure AD. Also interested in mental health, NLP and personal development.

For more information, see the About Me page or my LinkedIn profile.

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close