Saturday, 27 April 2019

Intune Basics Part 2: Modern Device Management with Android Enterprise - Creating Groups

Welcome to part 2 of this series of posts, which are intended to get you started with managing Android devices using the Android Enterprise capabilities within Microsoft Intune.

Part 1 of this series can be found here and covers setting up the various Android Enterprise enrollment methods.

This series is intended to get you up and running as quickly as possible, so if you require further detail and explanation on Android Enterprise please refer to my previous post here, which I am keeping up to date as newer functionality is supported within Intune.

This post will cover the creation of Azure AD (AAD) user and device groups, and provide some recommendations and considerations for your environment.

Before commencing an implementation, it must be clear whether, along with company issued devices, your organisation will support a BYOD policy for Android Enterprise. This is crucial for some of the decisions that need to be made on the creation of AAD groups, and in some cases it creates interesting scenarios. An example could be a user who has a company issued phone and wishes to enroll their personally owned Android tablet, which they are fully entitled to do under their organisation's IT policy. Do you wish to deploy a different set of apps to personal devices than to company owned devices? If so, some apps will need to be assigned to device groups rather than to users.

Dynamic AAD groups can be used for the above, and can be created by the following process:

Log into the M365 Device Management Portal and select "Groups"

Select "New group"

Select "Security" for the group type and choose an appropriate name. My recommendation for a naming convention is "Solution Set - Ownership and/or function", so in this example we will call ours "Android Enterprise Work Profile - Personal Devices" (you could consider substituting "AE" for Android Enterprise, or indeed just use "Android", depending on whether you have any legacy Device Admin devices in your environment). Select "Dynamic Device" for the membership type.

Click "Add dynamic query"

Select "Advanced rule" and then enter the following query

Select "Add query" then "Create"

To get you started, please find below some group names with either advanced or simple dynamic queries, for your convenience, to cover what I feel are the main use cases:

Android Enterprise Work Profile - Personal Devices
(device.deviceOwnership -eq "Personal") -and (device.deviceOSType -eq "AndroidForWork")

Android Enterprise Work Profile - Company Devices
(device.deviceOwnership -eq "Company") -and (device.deviceOSType -eq "AndroidForWork")

Android Enterprise Dedicated - Single App Kiosk (substitute "Single App Kiosk" with the name of your enrollment profile)

Android Enterprise Dedicated - Multi App Kiosk (again, substitute your appropriate enrollment profile name)

Android Enterprise Fully Managed Devices
(device.deviceOSType -eq "AndroidEnterprise") -and (device.enrollmentProfileName -eq null)
Note that I am open to suggestions if anyone feels there is a better query to single out Fully Managed devices.

Please refer here for the AAD Dynamic Group documentation
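As an added illustration (not part of the original post), here is a small Python model of how the dynamic membership rules listed above classify devices, run over a few constructed device records. It assumes the dedicated-device rule takes the form device.enrollmentProfileName -eq "<profile name>", which the post implies but does not show, and it models only the -eq / -and / null syntax used above, not the Azure AD rule engine itself.

```python
import re

# Membership rules from the post. The dedicated-device rule is an assumed
# form (the post says to substitute your enrollment profile name for
# "Single App Kiosk"); the other three are quoted from the post verbatim.
RULES = {
    "Android Enterprise Work Profile - Personal Devices":
        '(device.deviceOwnership -eq "Personal") -and (device.deviceOSType -eq "AndroidForWork")',
    "Android Enterprise Work Profile - Company Devices":
        '(device.deviceOwnership -eq "Company") -and (device.deviceOSType -eq "AndroidForWork")',
    "Android Enterprise Dedicated - Single App Kiosk":
        '(device.deviceOSType -eq "AndroidEnterprise") -and (device.enrollmentProfileName -eq "Single App Kiosk")',
    "Android Enterprise Fully Managed Devices":
        '(device.deviceOSType -eq "AndroidEnterprise") -and (device.enrollmentProfileName -eq null)',
}

# One '(device.<attr> -eq <literal>)' clause; the rules above join clauses with -and only.
CLAUSE = r'\(device\.(\w+) -eq (null|"[^"]*")\)'
RULE_SHAPE = re.compile(rf"{CLAUSE}( -and {CLAUSE})*")

def clause_matches(device, attr, literal):
    value = device.get(attr)
    if literal == "null":
        return value is None  # "-eq null" only matches an attribute that is unset
    return value == literal.strip('"')

def rule_matches(device, rule):
    if not RULE_SHAPE.fullmatch(rule):
        raise ValueError(f"unsupported rule syntax: {rule}")
    return all(clause_matches(device, attr, lit) for attr, lit in re.findall(CLAUSE, rule))

def group_memberships(device):
    """Names of the groups above whose rule the device satisfies."""
    return sorted(name for name, rule in RULES.items() if rule_matches(device, rule))

# Constructed sample device records (not real tenant data). A device without an
# enrollment profile name has that attribute unset, which is what "-eq null" relies on.
DEVICES = {
    "company-phone": {"deviceOwnership": "Company", "deviceOSType": "AndroidEnterprise"},
    "personal-tablet": {"deviceOwnership": "Personal", "deviceOSType": "AndroidForWork"},
    "lobby-kiosk": {"deviceOwnership": "Company", "deviceOSType": "AndroidEnterprise",
                    "enrollmentProfileName": "Single App Kiosk"},
    "legacy-admin": {"deviceOwnership": "Company", "deviceOSType": "Android"},
}

if __name__ == "__main__":
    for name, device in DEVICES.items():
        print(f"{name}: {group_memberships(device) or ['(no group)']}")
```

The kiosk device lands only in the dedicated group because its enrollment profile name is set, which is exactly what keeps it out of the "-eq null" fully managed query.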

Cool, so now we have our device groups created

The same methodology is valid for the creation of user groups; it may be a requirement to scope some user groups to different departments in order to differentiate app deployments or compliance requirements.

Another useful user query is to create an "All Intune Users" collection

This will populate the group with all AAD users and comes into play when, for example, specifying a user group for Exchange on-premises access. For more information on this scenario see here.

Monday, 22 April 2019

Intune Basics Part 1: Modern Device Management with Android Enterprise - Enable Enrollment

Welcome to part 1 of this series of posts, which are intended to get you started with managing Android devices using the Android Enterprise capabilities within Microsoft Intune.

Part 2 can be found here and covers setting up the various Azure AD groups.

This series will get you up and running as quickly as possible, so if you require further detail and explanation on Android Enterprise please refer to my previous post here, which I am keeping up to date as newer functionality is supported within Intune.

This post will be discussing the steps required to associate your Intune tenant with Google, along with any other initial mandatory steps required before you can commence enrolling and configuring Android devices within Android Enterprise, utilising all of the available solution sets.

In preparation, create a Google account with a suitable generic name for the sole purpose of binding your Intune Tenant with the Managed Google Play store.

Log in to the M365 Device Management Portal.

Navigate to Device Enrollment > Android Enrollment > Managed Google Play

Check the box to agree to the terms and then select "Launch Google to connect now"

Log in using the previously created Google account

Enter your organisation name, agree to the terms when prompted, and select "Complete Registration"

Setup is now complete

The next steps are nicely explained within the portal, select Device Enrollment > Android Enrollment > Personal Devices with Work Profile

Review the information presented. The first mandatory step is to approve the Company Portal, ensuring that the app continues to receive updates within the Work Profile (typically called the "Managed Company Portal"). You will notice the instructions provide a link directly to the Managed Google Play store. There is no need to follow it now, as you can approve any Managed Google Play app directly from the console.

Navigate to Client Apps > Apps > Select the + icon

Select "Managed Google Play" for the app type and then search for the Intune Company Portal


Leave the default option and then click "Save"

Select "OK" then "Sync"

Ensure that the App appears in the Client Apps > Apps node. Note that you do not need to assign this app to any devices

Now, in order to ensure that users are able to enroll their Android devices with Work Profiles (typically for BYOD use case scenarios), this will need to be enabled within enrollment restrictions. Be aware of the difference here between just "Android" and "Android Work Profile": the former means legacy Device Admin Android enrollment, and the latter is Android Enterprise Work Profile enrollment. Again, I will reiterate that Work Profile enrollment is only a single element of the Android Enterprise story, designed with personally owned BYOD devices in mind.

Navigate to Device Enrollment > Enrollment Restrictions

In this scenario I wish to block the enrollment of Device Admin and allow Work Profile for all users. Edit the default device type restrictions

Click "Properties" then "Select Platforms". Select "Block" for Android and "Allow" for Android Work Profile. Note that these settings only affect devices that are enrolled from this point forward, not any existing devices.

Note the prompt at the top right-hand side of the screen for platform configurations. After saving the changes by clicking "Ok", select the option below and consider, as a minimum, setting a minimum platform version.

Android Enterprise requires a minimum of 5.0 Lollipop; however, my suggestion would be to consider raising this to 6.0 Marshmallow or indeed 7.0 Nougat. Taking into consideration how old the devices still running these older versions of the OS are likely to be, it is unlikely they are still receiving security updates, which brings into question how secure they are for effective use within the enterprise.

Select "Save" to finally complete the configuration.

Next up, let's create an enrollment token for enrolling "Dedicated Devices", typically designed for devices that are for single use, without any user association.

Device Enrollment > Android Enrollment > Corporate-owned Dedicated Devices

Select "Create Profile"

Enter a suitable name then click "Create"

Create as many profiles as you need for different configurations. It will become clear in part 2 of this series how these can be used to scope configurations to different device groups.

Finally, to enable Fully Managed device enrollment functionality, navigate to Device Enrollment > Android Enrollment > Corporate-owned Fully Managed user devices (Preview)

Select "Yes"

That completes this part of the series and means you are now in a position to commence your Android Enterprise configuration.

Stay tuned for part 2!

Thursday, 28 February 2019

OEM Config Demystified

At the end of a previous blog post, Android Enterprise and Intune: An Overview, I mentioned that there were other exciting developments within the Android space. I was referring to an initiative which strives to completely transform the way Android devices are managed within the enterprise, namely OEM Config. I just thought I would spend a few moments trying to spread the word on this, especially within the Intune world.

What prompted me to write this post is the latest announcement of the partnership between Samsung and Google to support the above, which for me was unexpected.

OEM Config is essentially a way of delivering new functionality for a specific OEM, such as Samsung, to an EMM solution via the app config channels. What this means is less time to market and, I am assuming, near-immediate support for new features as they become available. There would be no delay in feature release due to waiting for, in the case of Intune, interface changes to be made to the Azure / Device Management portal. Once the initial changes are made to support the design of OEM Config, that would be all that is needed.

The above is then delivered to the device by a single app, which I think we can expect to see given all sorts of weird and wonderful names by each OEM; Samsung's is called the Knox Service Plugin. Note that, if you haven't read the above Samsung announcement, this is due to be released in the spring.

So when will Intune support this? There is no indication yet, but I would be very surprised if after the latest Samsung announcement eyebrows within the Intune product group haven't been raised.

I have included additional resources below, authored by Android expert Jason Bayton, that go into further depth:

Sunday, 20 January 2019

Intune Android Enterprise Fully Managed Devices

Microsoft have recently announced the public preview release for the initial support of the Fully Managed Device solution set within Intune, so I thought that for a change I would write up a little something on this 😁

As a recap, this is now the 3rd solution set to be supported. To see how the different solutions are applicable to different use case scenarios, I would recommend, as a refresher, taking a look at my previous post on Intune and Android Enterprise.

Now, just to be clear, at the time of writing this is what is currently supported, along with the caveat of the public preview tag:
  • App config and deployment
  • Device restriction config profiles
  • Deployment of the above config to user groups only
Now, this doesn't sound like a lot to get excited about, but actually the device restrictions are the same settings that have been available for the dedicated device solution set, which has matured over the past 6 months. So there are ample options to get started with a small test group of users, and I am sure you will see support for more features in the coming months.

Now, at this point I would like to explain a term you will see within the Intune portal associated with creating config for AE devices: Device Owner.

On an Android device, the app that applies policies to the device is called the Device Policy Controller (DPC). When the DPC operates with control over the whole device, this is called Device Owner. It now makes sense that the same device restrictions are available for both Fully Managed and Dedicated; one would assume the same group of settings for Fully Managed with Work Profile / COPE.
The term "Work Profile Only" in the screenshot above I believe is actually incorrect and should be changed to "Profile Owner Only". This is the correct term for when the DPC is operating in a mode which only controls the Work Profile and has limited access to the remainder of the device.

Okay, so let's give this a whirl, along with deploying some additional config to the device.

Navigate in the M365 Device Management Portal to Device Enrollment > Android Enrollment > Corporate owned, fully managed user devices (Preview)

Select yes

Now, remembering that at the moment we can only scope configurations to users, let's create a user group: navigate to Groups > New Group

Populate using the information below, also ensuring that the group has the appropriate users added to it

Click create

Now let's provision two apps so we deploy both an available and a required app to the device and observe the experience. Log into the Managed Google Play store and find the Outlook and Edge apps. Approve them.

Back in the portal navigate to Client Apps > Managed Google Play and select Sync

The apps will now be available in Client Apps > Apps

Now deploy them by selecting the app, then Assignments > Add group, and specify the assignment type (required for one app and available for the other)

Now let's create some device restrictions config and deploy it to the user group: Device Configuration > Profiles > Create profile.

Input a suitable name, select Android Enterprise for the platform, and then select Device restrictions under the Device Owner Only menu

Select Settings. I have included various settings in this profile, but I would just like to highlight the Block factory reset option I have selected here

Click on OK then assign the profile to the same group we created previously.

Now let's enrol the device. Ensure that it is in a state where it has recently been factory reset, or is brand new out of the box. I will enrol the device using the QR code reader method, which requires Android 7.0 or newer

Tap on the screen multiple times to reveal the QR code reader setup. Select next

Connect to a Wifi network

Wait for a few seconds and the QR reader will now install

Now it's ready to go; scan the QR code from the portal, which we enabled previously

Follow through the wizard and enrolment will commence

Accept the terms

Enrolment will continue

Accept the terms for Chrome and then you are prompted for credentials. Enter the username and password.

Click the link when prompted

The device is then enrolled

You will now see the required app install

On launching the Google Play store you can see the available app we deployed, so literally the only apps that a user can install on the device are those made available by the organisation

You will also notice that there are no apps with the badge symbol on them, like you may have already seen with a Work Profile enrolled device.

Okay, so let's check our device config and attempt to factory reset the device

Cool, so the restriction has applied.

Now remember, this feature is in public preview so it is not recommended for production deployments; I would recommend reviewing the documented considerations here

Thanks for reading!