In the last two months I wrote some blogs regarding the different Android Enterprise modes. It’s now time for the last mode: Android Enterprise – Corporate-owned, fully managed user devices. As the name indicates, this mode is for user-based scenarios. The enrollment process is more or less the same as with the dedicated device mode, and it also starts with scanning a QR code. However, a user needs to enter his or her credentials during enrollment, and all applications and profiles need to be published to users rather than devices (see also step 6: testing the results).
In this blog I will show you step-by-step how to configure the Android Enterprise – Corporate-owned, fully managed mode within Microsoft Intune. Note that at the time of writing, this mode is still in (public) preview.
Before you can start with the configuration of this mode, make sure you have the following in place:
- Microsoft Azure tenant with Microsoft Intune up and running
- Linked your Managed Google Play account with this Azure tenant
- Android test device(s)
In this blog I will cover the following topics:
- Step 1 : Create a Corporate-owned, fully managed user device Enrollment Token
- Step 2 : Create a User Group
- Step 3 : Publish Google Managed Applications
- Step 4 : Configure App Protection Policies
- Step 5 : Create a device restriction profile
- Step 6 : Test the results
Let’s get started.
Step 1 : Create a Corporate-owned, fully managed user device Enrollment Token
For the following steps, log in to the Microsoft Azure Portal first.
Navigate to Microsoft Intune > Android enrollment and click Corporate-owned, fully managed user devices (Preview)
Set Allow users to enroll corporate-owned user devices to Yes
An Enrollment token will now be generated and displayed below. During the enrollment of the corporate device, this enrollment token is needed in one of the first steps.
Step 2 : Create a User Group
As mentioned before, with the Android Enterprise – Corporate-owned, fully managed mode, everything is user based. Therefore I will create a new user group to publish all resources to.
Navigate to Azure Active Directory > Groups and click the + New group button
Select Security as Group type and give the new group a name and a description. Select Assigned as Membership type.
Make the relevant users a member of this group.
Click Create
Step 3 : Publish Google Managed Applications
In Android Enterprise – Corporate-owned, fully managed mode you can publish applications as required (mandatory) or optional (available for install). For this blog I will show you both ways and what they look like on the endpoint device.
Navigate to Microsoft Intune > Client apps > Apps and click the + Add button
Select Managed Google Play as App type. Click Managed Google Play / Approve and search for the application you want to publish to the endpoint devices.
For this blog I will publish a few Microsoft Office 365 applications, starting with Microsoft Outlook. Click Approve
Click Approve once again
Select Keep approved when app requests new permissions and click Save
Repeat these steps for every app you want to make available.
When finished with all the apps, click OK
Click Sync
Navigate to Microsoft Intune > Client apps > Apps. After the sync is finished, all new apps will appear here.
Select an application to publish it to the user group created in the previous step.
Open the Assignments page and click Add group
For the Assignment type, select Required when you want to publish the application as a mandatory application, or Available for enrolled devices / Available with or without enrollment if you want to publish the application as an optional application.
Click Include Groups and select the user group created in the previous step.
Click OK twice and then click Save
Step 4 : Configure App Protection Policies
This step is optional, but I always configure it as my own best practice. To prevent the end user from saving Microsoft Office documents and Microsoft Outlook attachments to storage accounts like Dropbox, we need to block the Save As option in the Microsoft Office applications. This is possible with an App Protection Policy. I will show you this step-by-step.
NOTE: If you are deploying App Protection Policies, make sure you have deployed the Intune Company Portal app as mandatory!
Navigate to: Microsoft Intune > Client apps > App protection policies. Click the + Create policy button
Fill in a name. Select Android as Platform. Set Target to all app types to NO and select Apps on Intune managed devices as App types.
Open the Select required apps page and select the Microsoft Office applications (and other apps that can be managed by Intune) and click the Select button.
Open the Settings / Default settings configured page and then the Data protection page. You can configure the settings you want. To prevent end users from saving Outlook attachments to storage accounts like Dropbox, set Save copies of Org data to Block. After this, you have the option to add exceptions for OneDrive for Business and SharePoint.
Open the Access requirements page. Since this profile will be applied to Android Enterprise Corporate-owned, fully managed user devices, I will disable the PIN for access.
Click OK twice and click Create
Open the Assignments page and select the User Security Group created in step 2. Click Save
Step 5 : Create a device restriction profile
This is an optional step in case you want to disable some features on the device or want to enforce some security settings. In this case I will disable the factory reset option for the end user and block USB file transfer.
Navigate to: Microsoft Intune > Device configuration > Profiles and click the +Create profile button
Give this profile a name and optionally a description. Select Android enterprise as Platform and select Device restrictions as Profile type. On the Settings / Configure page you can set the restrictions you want; for this blog I will disable the Factory reset function and USB file transfer.
Click OK twice and click Create
Open the Assignments page and publish this Profile to the user security group created in step 2 of this blog.
Step 6 : Test the results
Let’s test the results by enrolling a new Android device.
Left : Start an Android device. On the “language select page”, tap seven times on an empty (white) area of the screen.
Right : Tap Next
Left : Connect with a WiFi network
Right : The QR reader will now be installed
Left : Select I have read and agree to all of the above (if you do) and tap Next
Right : Select at least End User License Agreement and tap Agree
Left : Tap Accept & Continue
Right : Log in with your user credentials
Left : Tap Please click here to continue
Right : All mandatory (required) applications will be installed automatically, without the need for any Google Play Store ID
Left : When opening the Google Play Store on the device, only the applications published from Microsoft Intune are visible; other apps cannot be installed on the device
Right : Optional (available) applications can be installed manually
Hi Robin!
Thanks for the guide. It’s very helpful! Would you have a similar guide for Iphone corporate-owned fully managed?
Regards.
Thanks! With Apple iOS it is different than with Android Enterprise. I think you can best compare “corp-owned, fully managed” with Apple Supervised devices, like with Apple DEP.
Hi Robin,
We configured fully managed and encountered two problems. Deploying weblinks doesn’t work; they don’t arrive.
Second, if we close the Company Portal, the device (factory) resets.
Any idea or guidance ?
Robin,
Thank you for this guide. Do you have one written for how to migrate or re-enroll a device that has already been setup and enrolled as an Android device over to a fully managed Android Enterprise device in Intune?
Thank you in advance for any reply.
You have to re-enroll the device by resetting it and enrolling again.
Hi Robin – this is excellent information, and thanks for sharing. Have you experimented with Microsoft Intune and Android zero-touch enrollment? It looks like Microsoft is now considered an EMM partner, so was curious if it indeed works using a carrier partner.
Hi,
Can we not use this (preview) without completely resetting the device?
We need to change 500 devices to intune and we want this mode but we do not want to reinstall each device.
Gr,
Richard
Hi Richard, unfortunately re-enrollment is needed to get a device in this mode.
Hi Robin,
In this mode, can I not use the standard (for example Samsung) Android apps (camera, gallery, contacts)?
I am also having this issue…
I can’t see default apps on Android devices like camera, gallery and contacts.
Please help
Have you had any issues with pushing out Wireless profiles on devices in Corporate-owned, fully managed user devices (Preview) mode?
I’m using the Android Enterprise Device Owner Only option to create, this appears to work initially but after a while the network seems to stop working and asks for a password again.
Within Intune the policy just states pending.
I noticed Google Backup is not available within managed profiles, do you know how to enable this?
If a user has a personal device and a corporate device and is a member of a group for corporate-owned devices and also a member of a group for a personal device with work profile, how does the device know which profile to use?
Hi Mike, in this case you need to publish policies and/or applications based on device owner (dynamic groups).
Would this mean a user could then have, say, his own phone with a work profile set up, and then be issued a company tablet which would be tied down?
Yes, that’s possible.
Hi Robin, one question on step 5 where you created the configuration profile.
There are two options for Device restrictions under Android Enterprise.
1) Device Owner Only – Device restriction
2) Work Profile Only – Device restriction
Which one to use for this scenario? There are different options under each of these.
Hi Robin,
How can we enroll an Android corporate mobile phone into a fully managed state without having to wipe the phone? Is this possible, as we only appear to be able to enroll using the Company Portal and not the Intune app?
Thank you
Hi Julie, at this moment this is not possible.
Thank you for the reply. Is it possible to enroll fully managed devices using a management account and then change the Device name to reflect the user the device will be assigned to, as it appears we can only change the Management name currently?
Hi Robin, we would like to go with Corporate-owned, fully managed user devices, but if we create this model and a user adds a personal Google account and installs some apps from Google Play, then after each phone restart all personal apps are removed. The user cannot personalize this phone. Is this a feature or bad behavior?
Thanks Robin.
Hi Robin,
Excellent guide as always, have you tried deploying application configuration policies to Android Enterprise corporate-owned devices? I’m trying to configure outlook but not getting anywhere, ‘pending’ status on the app configuration policy deployment, have you had any luck?
Thanks,
Alex.
Hi Robin
Thank you for this! In this enrollment mode, does Intune automatically push and install the allowed applications to the Android device ?
If you pushed the apps as required, they are.
Hi Robin,
I have followed the instructions step by step, but on my Samsung I can’t see default apps such as camera and gallery?
I created a device restriction policy and set the camera to Not configured, and if I install a camera from the Play Store (not the default camera app) it works. But the default camera and gallery apps are not appearing.
Is there anything I could do?
If you add the “App IDs” of the native apps like camera it should work (not tested myself so far).
Hi Robin,
This is a great guide! Thanks for that! I had a play myself, but do you know if there is WIP from Intune to unhide core applications (e.g. Samsung email, calendar, camera and gallery) as well as enable Exchange push to Samsung Knox instead of limiting the choice to only Nine Work and the Gmail app?
Hi Robin, this is an amazing article, thank you very much for sharing this.
Thanks, you’re welcome!