Integrating Microsoft Intune with Android Enterprise
This document provides comprehensive guidance on integrating Microsoft Intune with Android Enterprise to effectively manage Android devices in your organization. Android Enterprise offers a robust framework for device management, and Intune leverages this framework to provide a seamless and secure mobile device management (MDM) solution.
Key Concepts
- Android Enterprise: A unified Android experience for work and personal use, providing enhanced security and management capabilities for IT administrators.
- Work Profile: A separate, managed profile on a device that contains only work-related apps and data. This ensures separation between personal and work information.
- Dedicated Devices: Devices locked down to a single app or a set of apps, ideal for kiosks, task-specific devices, or point-of-sale systems.
- Fully Managed Devices: Devices owned by the organization that are fully controlled by IT, with no separation of work and personal data.
- Corporate-Owned, Personally Enabled (COPE): A mode that combines fully managed devices with a work profile, offering a balance between IT control and user flexibility.
Setting Up Android Enterprise in Intune
The initial setup involves linking your Intune tenant to your Google Play Admin account. This process is straightforward and allows Intune to manage Android Enterprise devices and apps.
Steps:
- Log in to the Microsoft Endpoint Manager admin center (endpoint.microsoft.com).
- Navigate to Devices > Android > Android enrollment.
- Under Program enrollment, select Managed Google Play.
- Click I agree to the terms and conditions.
- Click Launch Managed Google Play to open the Managed Google Play website in a new browser tab.
- Sign in with your organization's Google account.
- Accept the terms and conditions.
- Once done, return to the Microsoft Endpoint Manager admin center. You should see that the connection is now active.
Tip: Ensure you use a dedicated organizational Google account for Managed Google Play to avoid accidental personal data association.
Enrollment Methods
Intune supports various Android Enterprise enrollment methods:
1. Work Profile Enrollment (Android 5.0 and later)
This method allows users to enroll their personal Android devices and create a managed work profile. Apps and data within the work profile are encrypted and managed separately from personal apps and data.
- User-driven: Users enroll their devices by downloading the Intune Company Portal app and following the prompts.
- Admin-driven (Zero-touch enrollment): For corporate-owned devices, IT can pre-configure enrollment to automatically set up a work profile upon initial device setup.
2. Fully Managed Device Enrollment (Android 6.0 and later)
Ideal for devices that are entirely owned by the organization. IT has full control over the device's settings, apps, and data.
- Zero-touch enrollment: Devices are shipped directly to users, and upon first boot, they connect to Google services and are automatically enrolled into Intune.
- QR Code Enrollment: Users can scan a QR code during device setup to initiate enrollment.
- NFC Enrollment: For devices that support NFC, enrollment can be initiated by tapping two devices together.
3. Dedicated Device Enrollment (Android 6.0 and later)
This method is used for single-purpose devices. You can configure these devices to launch specific apps automatically and restrict access to other features.
- Zero-touch enrollment: Similar to fully managed devices, providing an automated setup.
- QR Code Enrollment: A simple way to enroll dedicated devices.
4. Corporate-Owned, Personally Enabled (COPE) Enrollment
A hybrid approach offering full management of the device together with a separate, managed work profile. This keeps corporate data isolated and under IT control while still allowing users to use the device for personal tasks.
- Enrollment typically uses the Zero-touch enrollment process for a seamless setup.
Deploying Apps
Managed Google Play allows you to approve and deploy apps directly to your Android Enterprise devices through Intune. You can deploy:
- Public apps: From the Google Play Store.
- Private apps: Your organization's internal Android applications.
- Web apps: Links to web applications.
Steps to deploy an app:
- In the Microsoft Endpoint Manager admin center, go to Apps > All apps.
- Click Add.
- Under App type, select Managed Google Play app.
- Click Select app. This will open the Managed Google Play store.
- Search for the desired app and click on it.
- Click Approve to approve the app for your organization.
- Review the permissions requested by the app and approve them if necessary.
- Click Select to add the app to Intune.
- Configure app information, assignments, and make it available or required for your users or devices.
Configuration Profiles
Intune provides a rich set of configuration profiles for Android Enterprise devices, allowing you to enforce security policies, manage Wi-Fi and VPN settings, configure email accounts, and much more.
Common Configuration Settings:
- Password policies: Minimum length, complexity, expiration.
- Device encryption: Enforce encryption for all devices.
- App access control: Control which apps can be installed.
- System app management: Allow or disallow specific system apps.
- Wi-Fi and VPN profiles: Pre-configure network access.
- Email profiles: Automatically configure email clients like Outlook.
To create a configuration profile:
- In the Microsoft Endpoint Manager admin center, navigate to Devices > Android > Configuration profiles.
- Click Create profile.
- Select Android Enterprise as the platform.
- Choose the profile type (e.g., Fully managed, dedicated, and COPE devices or Work profile).
- Configure the settings according to your organization's requirements.
- Assign the profile to the relevant user groups or devices.
Compliance Policies
Ensure your Android Enterprise devices meet your organization's security standards by creating and assigning compliance policies. These policies define the requirements devices must meet to be considered compliant.
Example Compliance Settings:
- Device must be encrypted.
- Device must have a passcode.
- Minimum OS version.
- Jailbroken or rooted devices are non-compliant.
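The four example settings above can be expressed as a single Intune compliance policy created through Microsoft Graph instead of the admin center. The following is an added example, not code from this page or from Microsoft; it assumes the v1.0 `deviceCompliancePolicies` endpoint, the `androidWorkProfileCompliancePolicy` resource type used for personally-owned work profile devices, and a caller that already holds an access token with the DeviceManagementConfiguration.ReadWrite.All permission.

```python
"""Build (and optionally post) an Intune compliance policy for Android Enterprise
work-profile devices that enforces: encryption, passcode, minimum OS, no rooted devices."""
import json
import re
from typing import Any

# Assumed endpoint: Intune compliance policies via Microsoft Graph v1.0
GRAPH = "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies"


def build_work_profile_policy(name: str, min_os: str = "10.0",
                              min_pin_len: int = 6, grace_hours: int = 0) -> dict[str, Any]:
    """Return the JSON body for a microsoft.graph.androidWorkProfileCompliancePolicy."""
    if not re.fullmatch(r"\d+(\.\d+)*", min_os):
        raise ValueError(f"osMinimumVersion must be dotted digits, got {min_os!r}")
    if not 4 <= min_pin_len <= 16:
        raise ValueError("Intune accepts a minimum passcode length between 4 and 16")
    return {
        "@odata.type": "#microsoft.graph.androidWorkProfileCompliancePolicy",
        "displayName": name,
        "description": "Baseline: encryption, passcode, minimum OS, block rooted devices",
        "storageRequireEncryption": True,            # device must be encrypted
        "passwordRequired": True,                    # device must have a passcode
        "passwordMinimumLength": min_pin_len,
        "passwordRequiredType": "numericComplex",
        "osMinimumVersion": min_os,                  # minimum OS version
        "securityBlockJailbrokenDevices": True,      # rooted devices are non-compliant
        "securityRequireSafetyNetAttestationBasicIntegrity": True,
        # Graph expects at least one action for noncompliance; grace_hours=0 blocks immediately
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",
            "scheduledActionConfigurations": [{
                "actionType": "block",
                "gracePeriodHours": grace_hours,
                "notificationTemplateId": "",
                "notificationMessageCCList": [],
            }],
        }],
    }


def create_policy(token: str, body: dict[str, Any]) -> str:
    """POST the policy body and return the id Intune assigns to it (needs network access)."""
    import urllib.request
    req = urllib.request.Request(GRAPH, data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["id"]


if __name__ == "__main__":
    print(json.dumps(build_work_profile_policy("AE work profile baseline"), indent=2))
```

Assign the resulting policy to a group in the admin center (or via the policy's `assign` action) before it takes effect; an unassigned policy evaluates nothing.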
Troubleshooting Common Issues
While Intune and Android Enterprise integration is robust, occasional issues may arise. Here are a few common scenarios:
- Enrollment failures: Verify network connectivity, ensure the correct enrollment method is selected, and check if the device meets the minimum OS requirements.
- App deployment issues: Confirm the app is approved in Managed Google Play and assigned correctly. Check app store connectivity.
- Policy enforcement problems: Ensure the configuration profile is assigned to the correct group and that there are no conflicting policies.
For detailed troubleshooting, refer to the Troubleshooting section.
Conclusion
By effectively leveraging the integration between Microsoft Intune and Android Enterprise, organizations can achieve a high level of security, control, and flexibility in managing their Android device fleet. This empowers IT administrators to streamline device deployment, application management, and policy enforcement, ensuring a productive and secure mobile workforce.