How to Enable Android Enterprise and configure Personal devices with a Work Profile in Microsoft Intune – The ultimate Step-By-Step Guide

This year Google will stop with the support of Android Device Admin API’s with the release of Android 10. This means that the traditional way to manage Android devices is no longer possible with new Android 10 devices or older Android devices that are upgrading to Android 10 (or higher). Android Enterprise is the new way to manage Android devices.

With Microsoft Intune you can manage Android devices with Android Enterprise in different modes. In this blog I will show you step-by-step how to enable Android Enterprise and configure the Work Profile mode (I will write a separate blog for the other modes).

There are a lot of things that needs to be taken into account and I want to deal with them all in this blog. It has become quite a long blog and I think I have included all the necessary steps. That is why I have labeled this blog as The ultimate Step-by-Step guide.

Topics in this blog

In this blog I will cover the following topics;

  1. Link a Google Account with Microsoft Intune
  2. Approve, Sync and Assign applications
  3. Create and assign an Android Enterprise Work Profile
  4. Configure App Protection Policies (MAM)
  5. Configure Device Compliance settings
  6. Configure Conditional Access
  7. Enable Android Enterprise in Microsoft Intune
  8. Test the results by enrolling an Android device

What is Android Work Profile?

Android Work Profile is an Android Enterprise mode to manage corporate data and apps on a personal enabled Android devices. With an Android Enterprise Work Profile, a work container is created on the device in which all business applications end up. You can secure this work container to protect corporate data with security settings like, conditional access, disable the Copy and Past actions between applications inside and outside the work container and an access passcode.

Preparation / Requirements

The following requirements are needed for the steps in this blog;

  • An Azure tenant
  • Microsoft EM+S licenses (E3 or E5)
  • A Google account that has not been assigned to a MDM solution
  • An Android test device

1.  Link a Google Account with Microsoft Intune

The first step is to link a Google Account to Microsoft Intune. Login to the Microsoft Azure portal for the following steps.

Navigate to Microsoft Intune > Device enrollment > Android enrollment. Click Managed Google Play – Link your managed Google Play account to Intune

Checkmark I agree (if you do) and click Launch Google to connect now

Click Get started

Fill in your Company/Business name and click Next

This form is optional, you can skip it or fill it in. Scroll down this page.

Select I have read and agree to the Managed Google Play agreement (if you do) and click Confirm

Click Complete Registration

2.  Approve, Sync and Assign applications

Go back to the Microsoft Azure portal.

Navigate to; Microsoft Intune > Client apps > Managed Google Play. Click Open the managed Google Play store

Search for an application you want to publish / push to Android devices. In this example I will add Microsoft Word to My managed apps.

Click Approve

Click Approve

Select Keep approved when app requests new permissions and click Save

Note 1: Repeat this step for all applications you want to push/publish to Android devices.

Note 2: Add the Intune Company Portal app and push this app mandatory to all Android devices. This is required to get the latest updates automatically.

Go back to the Microsoft Intune console and click Sync

When the sync is finished (status: success) open the Apps page. Here you can see all the apps that you approved in the previous step (App type is Managed Google Play app). The next step is to assign the application to a group.

Click on the app and open the Assignment page. Click Add group

Select the Assignment type and click Included Groups. Select the group you want to publish this application to. Click OK twice and click Save

3.  Create and assign an Android Enterprise Work Profile

The next step is to create the Android Enterprise Work Profile itself.

Navigate to; Microsoft Intune > Device Configuration > Profiles and click the + Create profile button.

Fill in a Name and a Description (optional). Select Android enterprise as Platform and select Work Profile Only – Device restrictions as Profile type.

Now you can configure the Work profile settings, Device password, System security and Connectivity. I always block Copy and Past between work and personal profiles, block Add and remove accounts and Require Work Profile Password. However, what and how to configure settings is depending on the customer use cases.

Click OK twice and click Save

Open the Assignment page and add the group you want to publish this profile to.

4.  Configure App Protection Policies (MAM)

When you include Microsoft Office 365 applications in your Android Enterprise Work Profile, it is also necessary to configure App Protection Policies, a.k.a. Mobile Application Management (MAM) policies. The Microsoft Office 365 applications are enabled for multi account use, meaning that you can add other accounts next to your business account. And not only email accounts, you can, for example, in Microsoft Word add Storage Accounts like Dropbox. With App Protection Policies you can prevent users from saving business mail attachments to private Storage accounts like Dropbox. In the following steps I show you how to configure this.

Navigate to Microsoft Intune > Clients apps > App protection policies and click the +Create policy button.

Give the App protection policy a name and a description you like. Select Android as the Platform.

Set Target to all app types to No and select Apps in Android Work Profile as App type.

Click Select required apps and select the applications that you are making available within the Android Enterprise Work Profile.

Click Settings. On the Data protection page set Save copies of Org data to Block. Next to Allow users to save copies to selected services select OneDrive for Business and SharePoint (when it applies for your company).

Since this App protection policy will only apply within the Android Enterprise Work Profile (which is protected with a own password) I disable a PIN for this managed applications on the Access requirements page. Click OK twice and click Create.

Click the just created App protection policy.

Open the Assignment tab and assign this policy to the group with the Android users.

5.  Configure Device Compliance settings

In steps 6 of this blog we are going to create Conditional Access policies. One of the checks that we are going to configure will be when the devise is Marked As Compliant. Before we can configure that, we have to determine when a devices really is compliant. Let’s start by looking at the standard behavior settings.

Navigate to: Microsoft Intune > Device compliance > Compliance policy settings

On this page you can configure conditions to mark a device compliant or not.

The fist setting is Mark devices with no compliance policy assigned as (Compliant or Not Compliant). This depends on the company requirements. If there are some security baselines that needs to be applied to every mobile device, you can configure these guidelines into a Compliance Policy and apply this policy to all the devices. If the device meets the requirements, the device is marked as compliant and otherwise not. But if there is no need to configure a Compliance Policy, make sure that the answer to the first option is set to Compliant.

Second option is to Enhanced jailbreak detection (Enabled or Disabled). I think, for security reasons, this should always be set to Enabled (jailbroken devices will be marked as not compliant device).

Last option is Compliance status validity period (days). After how many days of inactivity must a device be marked as not compliant? In my case I will fill in 90 days.

6.  Configure Conditional Access

With this current configuration so far, we have secured the Android Enterprise Work container. Now we have to make sure that company data is not accessible outside this work container on a Android device. Therefor we need to configure Azure AD Conditional Access.

Navigate to: Microsoft Intune > Conditional access > Policies and click the + New policy  button

Give the new Conditional Access policy a name (in my case Android Enterprise CA). Click on Users and groups to target this Conditional Access to a group of users (in my case the same group as all the other resources I publish for Android Enterprise). Click OK.

Click on Cloud apps and select the Cloud Applications you use within your company and where you want to avoid that these applications can access corporate data outside the secure Android container. Most common are Office 365 Exchange Online (for access to email) and Office 365 SharePoint Online (which also includes OneDrive for Business).

Click OK

Open the Conditions tab and open the Device platforms settings. In my case I only select Android as platforms. You can select multiple platforms or just select Any device, but if you select different platforms, make sure that you at least select Android in this case.

Click on Client apps (preview). Here you can select which client apps this policy must apply to. In my case I select every option except “Apply policy only to supported platforms”. In this way every kind of email application outside the Android Secure Container is blocked from accessing corporate email. Even with an  unmanaged browser. Click OK

Under Access controls open the Grant tab. Select Grant access and make sure you select both Require device to be marked as compliant and Require approved client apps. In this way, the device must be enrolled with Intune (and be compliant) and the Intune Managed apps must be used to access the corporate data (assuming that Outlook will be used as mail client, otherwise don’t select the last option). Make sure that Require all the selected controls is selected.

Make sure that Enable policy is set to On and click Create

7.  Enable Android Enterprise in Microsoft Intune

The final step is to enable Android Enterprise so that new devices will be enrolled with a Android Enterprise Work Profile.

Navigate to: Microsoft Intune > Enrollment restrictions and open the Default restriction profile.

Click Properties and then Select platforms.

Make sure Android is set to Block, and Android work profile is set to Allow

8.  Test the results by enrolling an Android device

Final step is to test the results of the just created configuration. Therefor I will enroll a new Android 8 device to see if everything is working fine.

Left: Search for the Intune Company Portal app and click Install

Right: After the installation, click Open

Left: Click Sign in

Right: Fill in your email address and password and login

Left: Click Continue

Right: Click Continue

Left: Click Next

Right: Select U have read and agree to all of the above (if you do) and click Next

Left: Click Continue

Right: Click Continue

Left: I did not have configured a pincode on the device (for this demo) so at this point I’m forced to create a pincode before I can continue with the device enrollment.

Right: Set a pincode

Left: Click Continue to re-check the device settings requirements

Right: Click Done

Left: The device is now enrolled and mandatory apps will now be installed in the background

Right: A Workspace folder is created. Open this folder to see all the business applications.

Left: When opening a managed application (with an App Protection policy applied to it) for the first time (like Microsoft Outlook of Microsoft Word) this message will appear once. After this, the configured App protection policies are applied.

Right: For the test I have added my Dropbox storage account to Microsoft Word and try to save a business document to it. As you can see, this action is blocked bij the App protection policies.

Left: As a test, I will now install the Microsoft Outlook application outside the secure Android Enterprise Work profile to see if the conditional access policies are working. Open the app store, search for Microsoft Outlook and click Install

Right: After the installation, click Open

Left: Click Get Started

Right: Fill in your email address and password to Sign in

Access to corporate email is blocked as expected.

5 comments

  • When I enroll a device as an Android Enterprise with a work profile, the device is never marked as compliant even with compliance policies at a bare minimum.

    I was taught by a prior coworker that they found a third party app called “Device Policy” they use. They open and then scan the QR code in the Android Enrollment blade. Then my android device shows up as compliant. What am I missing? Is this a normal setup? I didn’t see that in your instructions which were GREAT by the way, the best I’ve seen yet all in one document.

  • Hi, for a start this is great article and very helpful. however i I follow the steps in this article, everything is working fine…. can not copy from managed app, screen capture is disable in managed app, but when I start outlook in work profile and click add account – I get a massage: “Something went wrong, please try again or contact your IT Admin” . What can be the problem, I followed the instruction above…
    Thanks

About Robin Hobo

Robin Hobo

I work as a Senior Solution Architect with focus on the Modern Workspace. I am specialized in Azure Virtual Desktop (AVD), Windows 365 and Microsoft EM+S (including Microsoft Endpoint Manager - Microsoft Intune).

For my full bio, check the About Me page. You can also join me on the following social networks:

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close