As a recap, this is now the third solution set to be supported. To see how the different solutions apply to different use-case scenarios, I would recommend, as a refresher, taking a look at my previous post on Intune and Android Enterprise.
Now, just to be clear, at the time of writing this is what is currently supported, with the caveat that it carries the public preview tag:
- App config and deployment
- Device restriction config profiles
- Deployment of the above config to user groups only
Now this doesn't sound like a lot to get excited about, but actually the device restrictions are the same settings that have been available for the dedicated device solution set, which has matured over the past 6 months. So there are ample options to get started with a small test group of users, and I am sure you will see support for more features in the coming months.
At this point I would like to explain a term you will see within the Intune portal associated with creating config for AE devices: Device Owner.
On an Android device, the app that applies policies to the device is called the Device Policy Controller (DPC). When the DPC is operating in a way that gives it control over the whole device, this is called Device Owner. It now makes sense that the same device restrictions are available for both Fully Managed and Dedicated, and one would assume the same group of settings will apply to Fully Managed with Work Profile / COPE.
The term "Work Profile Only" in the screenshot above I believe is actually incorrect and should be changed to "Profile Owner Only". This is the correct term for when the DPC is operating in a mode which only controls the Work Profile and has limited access to the remainder of the device.
Okay, so let's give this a whirl, along with deploying some additional config to the device.
Navigate in the M365 Device Management Portal to Device Enrollment > Android Enrollment > Corporate owned, fully managed user devices (Preview)
Now, remembering that at the moment we can only scope configurations to users, let's create a user group: navigate to Groups > New Group.
Populate it using the information below, also ensuring that the group has the appropriate users added to it.
Now let's provision two apps, so that we deploy both an available and a required app to the device and can observe the experience. Log into the Managed Google Play store, find the Outlook and Edge apps, and approve them.
Back in the portal navigate to Client Apps > Managed Google Play and select Sync
The apps will now be available in Client Apps > Apps.
Now deploy them by selecting the app, Assignments > Add group > Specify the assignment type (required for one app and available for the other)
Input a suitable name, select Android Enterprise for the platform and then select Device restrictions under the Device Owner Only menu.
Select Settings. I have included various settings in this profile, but I would just like to highlight the Block factory reset option I have selected here.
Click on OK then assign the profile to the same group we created previously.
Now let's enrol the device. Ensure that it is in a state where it has recently been factory reset, or is brand new out of the box. I will enrol the device using the QR code reader method, which requires Android 7.0 or newer.
Tap on the screen multiple times to reveal the QR code reader setup. Select Next.
Connect to a Wi-Fi network.
Wait for a few seconds and the QR reader will now install
Now it's ready to go: scan the QR code from the portal, which we enabled previously.
Follow through the wizard and enrolment will commence
Accept the terms
Enrolment will continue
Accept the terms for Chrome, and then you are prompted for credentials. Enter the username and password.
Click the link when prompted
The device is then enrolled
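The QR code scanned in the step above is nothing more than a JSON object of Android provisioning extras: it names the DPC component the setup wizard must install as Device Owner, where to download it, and a SHA-256 checksum that pins either the APK or its signing certificate. Because whatever that payload points at becomes Device Owner of a freshly reset device, it is worth checking the payload before it is printed or handed to users. The following is an added example and not code from the original post or from Intune; the `android.app.extra.PROVISIONING_*` key names are the real platform extras, while the DPC package `com.example.dpc`, the download URL, the enrollment token and the certificate bytes are constructed sample values.

```python
"""Sanity-check an Android Enterprise QR-code provisioning payload before it
is handed to a factory-reset device (added example, not from the original post).

The key names are the android.app.extra.PROVISIONING_* extras the Android setup
wizard reads from the QR code; the DPC package, URL and certificate bytes
used below are constructed sample values.
"""
import base64
import hashlib
import json
import re
from typing import Optional

# Extra names defined by the Android platform for QR/NFC provisioning.
COMPONENT = "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
DOWNLOAD = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
SIG_CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM"
PKG_CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM"
EXTRAS_BUNDLE = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"

# "package/.Receiver" or "package/full.class.Name"
_COMPONENT_RE = re.compile(r"^[A-Za-z][\w.]*/\.?[A-Za-z][\w.]*$")


def checksum_for(data: bytes) -> str:
    """URL-safe base64 (no padding) of SHA-256, the encoding Android expects
    for both the package checksum and the signing-certificate checksum."""
    digest = hashlib.sha256(data).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def _decode_checksum(value: str) -> Optional[bytes]:
    """Decode a checksum string; None unless it is exactly 32 bytes."""
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.urlsafe_b64decode(padded)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw if len(raw) == 32 else None


def validate_payload(payload: dict) -> list:
    """Return a list of findings; an empty list means the payload looks sane."""
    findings = []
    component = payload.get(COMPONENT)
    if not component:
        findings.append("missing DPC component name")
    elif not _COMPONENT_RE.match(component):
        findings.append(f"malformed component name: {component!r}")

    download = payload.get(DOWNLOAD)
    if download:
        if not download.lower().startswith("https://"):
            findings.append("DPC download location is not https")
        if SIG_CHECKSUM not in payload and PKG_CHECKSUM not in payload:
            findings.append("download location set but no checksum pins the DPC")
    for key in (SIG_CHECKSUM, PKG_CHECKSUM):
        if key in payload and _decode_checksum(payload[key]) is None:
            findings.append(f"{key} is not url-safe base64 of a SHA-256 digest")

    extras = payload.get(EXTRAS_BUNDLE)
    if extras is not None and not isinstance(extras, dict):
        findings.append("admin extras bundle must be a JSON object")
    return findings


def signature_checksum_matches(payload: dict, cert_der: bytes) -> bool:
    """True when the QR pins exactly the DPC signing certificate we expect."""
    return payload.get(SIG_CHECKSUM) == checksum_for(cert_der)


# Constructed sample: stand-in certificate bytes and a hypothetical DPC.
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a-constructed-sample-certificate-bytes"
SAMPLE_PAYLOAD = {
    COMPONENT: "com.example.dpc/.DeviceAdminReceiver",
    DOWNLOAD: "https://dpc.example.test/dpc.apk",
    SIG_CHECKSUM: checksum_for(SAMPLE_CERT_DER),
    EXTRAS_BUNDLE: {"enrollment_token": "PLACEHOLDER-TOKEN"},
}

# Weak variant: plain http and no checksum, so the wizard would accept any APK.
WEAK_PAYLOAD = {
    COMPONENT: "com.example.dpc/.DeviceAdminReceiver",
    DOWNLOAD: "http://dpc.example.test/dpc.apk",
}

if __name__ == "__main__":
    print(json.dumps(SAMPLE_PAYLOAD, indent=2))
    print("sample findings:", validate_payload(SAMPLE_PAYLOAD))
    print("weak findings:", validate_payload(WEAK_PAYLOAD))
```

Decode the QR image with any reader, load the JSON, and run `validate_payload` over it; the two findings on `WEAK_PAYLOAD` are exactly the conditions under which a device would install an unpinned DPC fetched over cleartext, and `signature_checksum_matches` lets you confirm the pinned certificate is the one you expect rather than merely well-formed.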
You will now see the required app install
On launching the Google Play Store you can see the available app we deployed, so literally the only apps that a user can install on the device are those that have been made available by the organisation.
You will also notice that there are no apps with the badge symbol on them, like you may have already seen with a Work Profile enrolled device.
Okay, so let's check our device config and attempt to factory reset the device.
Cool, so the restriction has applied.
Now remember, this feature is in public preview, so it is not recommended for production deployments; I would recommend reviewing the documented considerations here.
Thanks for reading!