A few days ago I wrote a blog on How to Enable Android Enterprise and configure Personal devices with a Work Profile in Microsoft Intune. After posting this blog I got some questions from people who asked me how to migrate the current enrolled devices to Android Enterprise.
Unfortunately, this process cannot be fully automated. Currently enrolled Android Device Admin devices need to be re-enrolled before you can manage them via Android Enterprise. In this blog I will share my best practice on how to migrate from Android Device Admin (DA) to Android Enterprise in 3 easy steps.
Step 1: Create a Pilot security group
The Android Enterprise profiles and policies differ from the current Device Admin (legacy) profiles, so a completely new policy set needs to be created. As with every new policy set, my advice is to test it first on a select group of pilot users. So the first step is to create an (Azure) AD Security group, if you have not already done so, and make the relevant pilot users a member of it.
Step 2: Configure the Profiles, Apps and Conditional Access
The second step is to create the new Profiles, publish the Managed Play Store apps, and create the App Protection policies and Conditional Access policies as described step by step in one of my previous blogs (click here). Make sure that you assign everything to the (Azure) AD Security group created in step one.
Step 3: Configuring the Microsoft Intune Enrollment restrictions
If you take a look at the Device enrollment restrictions in your Microsoft Intune console, you will probably see that Android is Allowed and Android work profile is Blocked for the All Users profile, as in the screenshot below:
If we turn this around (block Android, allow Android work profile), every new Android device that enrolls with Microsoft Intune will automatically be enrolled with an Android Enterprise work profile. Because it is recommended to test the new Android Enterprise configuration first with a selected group of test users, you can leave this as it is for now.
For the test user group a new restriction profile must be created with a higher priority. To do so, follow the next steps.
Open the Microsoft Azure Portal and navigate to Microsoft Intune > Device enrollment > Enrollment restrictions, then click + Create restriction.
Enter a Name and a Description and select Device Type Restriction as the Restriction type. Open the Select platforms page and make sure Android is set to Block and Android work profile is set to Allow.
Open the Configure platforms page. Here you can change settings such as the minimum or maximum OS version. Click OK and then click Create.
The final step is to assign this profile to the group with test/pilot users. Click Assignments and select the Android Enterprise Pilot user group created in step 1.
Go back to the Enrollment restrictions page. As you can see, the new restriction profile has been created with Priority 1. The following has now been realized:
- Users who are members of the Pilot / Test group and enroll their Android device with Microsoft Intune get an Android Enterprise work profile pushed.
- Users who are NOT members of the Pilot / Test group will still get the old Device Admin profiles.
- Users in the Pilot / Test group who already have their Android devices enrolled with Microsoft Intune with the Device Admin profiles first need to un-enroll and re-enroll to get the Android Enterprise work profile.
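For admins who prefer to script Step 1 and Step 3 instead of clicking through the portal, the following PowerShell does the same thing through the Microsoft Graph PowerShell SDK. This is an added example, not code from the original blog or from Microsoft. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Groups modules are installed, that the account used has rights to manage enrollment configurations, that the group name and restriction name are placeholders you replace with your own, and that the tenant accepts the combined-platform deviceEnrollmentPlatformRestrictionsConfiguration payload (the schema the portal used when this post was written; newer tenants expose separate per-platform restriction objects). It deliberately only creates a new, group-scoped profile and never modifies the default All Users profile, which matches the pilot approach described above.

```powershell
# Added example (not from the original blog): scripts Step 1 and Step 3 via Microsoft Graph.
# Assumptions: Microsoft.Graph.Authentication + Microsoft.Graph.Groups modules installed,
# and the Graph beta deviceEnrollmentPlatformRestrictionsConfiguration schema is accepted.
$PilotGroupName  = 'Android Enterprise Pilot'                  # placeholder, use your own group name
$RestrictionName = 'Android Enterprise Pilot - Work profile only'

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'DeviceManagementServiceConfig.ReadWrite.All'

# Step 1: reuse the pilot security group if it already exists, otherwise create it
$group = Get-MgGroup -Filter "displayName eq '$PilotGroupName'" | Select-Object -First 1
if (-not $group) {
    $group = New-MgGroup -DisplayName $PilotGroupName -SecurityEnabled -MailEnabled:$false `
                         -MailNickname ($PilotGroupName -replace '\s', '')
}

$base = 'https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations'

# Step 3a: device type restriction with Android (Device Admin) blocked and work profile allowed
$restrictionBody = @{
    '@odata.type'             = '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration'
    displayName               = $RestrictionName
    description               = 'Pilot group: enroll with an Android Enterprise work profile only'
    androidRestriction        = @{ platformBlocked = $true;  personalDeviceEnrollmentBlocked = $false }
    androidForWorkRestriction = @{ platformBlocked = $false; personalDeviceEnrollmentBlocked = $false }
}
$restriction = Invoke-MgGraphRequest -Method POST -Uri $base `
    -Body ($restrictionBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'
$restrictionId = $restriction['id']

# Step 3b: assign the new profile to the pilot group only (the All Users default stays untouched)
$assignBody = @{
    enrollmentConfigurationAssignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $group.Id } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$restrictionId/assign" `
    -Body ($assignBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Step 3c: priority 1 so this profile is evaluated before the default All Users profile
Invoke-MgGraphRequest -Method POST -Uri "$base/$restrictionId/setPriority" `
    -Body (@{ priority = 1 } | ConvertTo-Json) -ContentType 'application/json'

# Verify: list all device type restriction profiles with their priority
$all = Invoke-MgGraphRequest -Method GET -Uri $base
$all['value'] |
    Where-Object { $_['@odata.type'] -like '*deviceEnrollmentPlatformRestrictionsConfiguration' } |
    ForEach-Object { [pscustomobject]@{ Name = $_['displayName']; Priority = $_['priority']; Id = $_['id'] } } |
    Sort-Object Priority |
    Format-Table -AutoSize
```

The final GET is the scripted equivalent of going back to the Enrollment restrictions page: the pilot profile should show Priority 1 above the default profile. Once the pilot is finished, the same two calls (a PATCH on the default profile's androidRestriction and androidForWorkRestriction, then deleting the pilot profile) cover the clean-up described in the closing paragraph, but do that only after the pilot users have confirmed their re-enrollment works.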
When the Android Enterprise test phase is successful, change the All Users restriction profile to block Android and allow Android work profile. You can also delete the restriction profile created in Step 3 and the Security group created in Step 1.
After that, every new Android device that enrolls or re-enrolls with Microsoft Intune will get the Android work profile pushed.