Friday 4 January 2019

Android Enterprise and Intune: An Overview

Last updated: 23/08/21

The purpose of this post is to act as a main point of reference for anyone wanting to understand the Android Enterprise functionality that is supported within Microsoft Intune. It was initially based on a presentation that I gave at the Windows Management User Group in London at the end of October 2018, however the platform is developing all of the time so my aim is to keep this post as up to date as possible. I will also link any appropriate posts I create to provide you further information in specific areas

History

It has always been promoted that the open source Android OS is very flexible which makes it an attractive prospect for use within the Enterprise, it also enables OEM's such as Sony or Samsung to add their own value adds to the OS before shipping it with their devices. This in itself brings its own challenges and has been a contributing factor to the fragmentation we see within the Android space today.
For an EMM  to be able to control things on a device, such as disable the Bluetooth or camera, requires access to Device Management API's. These were traditionally not included within the source code of Android, hence the inclusion of this kind of functionality would not only be at the discretion of the OEM's, but also would mean additional development time for the EMM vendor to support the functionality, if indeed it would at all. This has led to inconsistent behaviour across devices when trying to manage them by an EMM within the enterprise

Device Admin / "Legacy" Android Device Management

Device Admin API's were introduced as far back as Android 2.2 which were originally designed to give certain apps admin privileges on a device. For example facilitating remote wipe when configuring a device to connect to Exchange Active Sync. Other than a few basic settings, on a Non-Samsung device, there was very little available. Samsung on the other hand over the years have developed their Knox API set on top of the Android OS and provide far more management functionality than any other OEM. You only have to look in the Intune console at the "Knox Only" settings that are available and ultimately only applicable to Samsung devices;


 Device Admin is now considered as legacy Android device management with Google deprecating certain functionality in Android 9 with it being removed in Android 10. Microsoft made a statement here which also explains the current stance on this and in addition further considerations are discussed here where there is still some scenarios where Device Admin is currently the only option for managing a device

Android Enterprise

So what does this solution bring to the table? Well in a nutshell, lots. Also I just want to add at this stage from an Intune perspective that Microsoft, even though they are very late (in comparison to other EMM's) to the game in releasing some AE features, they seem to be making some sensible moves. An example being that they have utilised the Android Management API for leveraging native management functionality provided and developed natively by Google. This is applicable to the Fully Managed scenarios. I am going to echo the words of a super cool Android guru I have met called Jason Bayton "This makes me happy"

Solution Sets

Probably the most important thing to understand with AE is there are various ways of managing devices through different "Solution Sets", which address common enterprise scenarios rather than the single way of management we had previously with the "one size fits all" of Device Admin. I will explain what these are;

Personally-Owned Work Profile


This was the first solution set to be supported within Intune and is primarily designed for use in BYOD / Employee owned device scenario. A profile containing apps and company data is deployed to the device


Key points
  • The device is not fully managed by Intune
  • You cannot carry out a full factory reset / wipe
  • Simple to control access to and from the profile - so may be suitable for a company owned use case in some organisations

Dedicated Devices


This solution set is designed for use in kiosk scenarios, both customer facing (e.g. kiosk tablet in a hotel room) and employee facing (e.g. field service management)

Key points
  • Not for use in scenarios where users affinity is required (no emails, device isn't assigned to a specific user)
  • AKA COSU (Corporate Owned Single Use)

Fully Managed Device


This solution set is designed for managing company owned devices and gives the ability to fully control the device, also the administrator has the option of allowing access to the Public Google Play store. In addition system apps can be enabled on the device at the package level.



Key Points
  • To transition to this from company owned devices enrolled with Work Profiles will mean factory resetting the device
  • AKA COBO (Corporate Owned Business Only)

Work Profile on Fully Managed Device


This is designed for company owned scenarios where the organisation wants to be able to secure company apps within a profile but have the ability to be able to give the user limited access for personal use. This is not supported within the Android Management API and therefore not available within Intune. Google have announced that as of Android 11 this specific solution set will no longer be supported


Key points
  • AKA COPE (Corporate Owned Personally Enabled)
  • Not supported in Intune

Corporate-Owned Work Profile


This recently implemented solution set has been back ported to support Android 8 and later and also also designed for scenarios where personal usage is permitted on company owned devices. It is similar to the Work Profile solution other than the provisioning process is different and further control is available within the personal profile of the device



Key points
  • Available in public preview for Intune
  • Is also a COPE use case
  • Intune's iteration of COPE is different to the Work Profile on Fully Managed Device functionality that is available on other MDM platforms

Managed Google Play

Another significant benefit of AE is the integration available with the Managed Google Play store. This prevents the need for a Google account to be created on the device in order to install company apps, in addition it also provides a silent app deployment experience for required deployments. Also managed configs are available which enable provisioned settings to be deployed with apps in order to pre configure them.
Improvements to the way managed Google Play integrates with Intune have now been implemented which facilitate the approval or unapproval of apps within the Managed Google Play Store, directly from the Intune portal.

Zero-Touch Enrolment

The Android Enterprise ZTE program introduces the ability to purchase devices from an approved reseller and the devices are provisioned within the Zero Touch portal, thus facilitating bulk enrolment. It is an equivalent of Apple's Device Enrolment Program. Note that only certain OEM's are supported for this and not Samsung - they have their own equivalent to this called Knox Mobile Enrollment, which is also supported within Intune

OEM Config

OEM Config is now supported within Intune across various platforms and with it brings a whole new concept of Android device configuration. It is a standard that has been developed by the app config community and its is based around the concept of a single app developed by the OEM which is deployed via Managed Google Play. Various device configuration settings are then bundled with the app via the standard app config channels in order to configure the device, bringing new functionality to Intune pretty much as soon as the OEM has released it without the delay for development time usually required.

2 comments:

  1. Hi , if we have Samsung TAB with Knox and we install company portal on it the device will enroll with legacy android device admin, right? it will also be Knox capable meaning that we can use the Intune knox policies, correct ? If we use KME will it also enroll with legacy android device admin ?

    ReplyDelete
    Replies
    1. Hi there, appreciate this response is VERY late, but for anyone following I will try and answer this;
      1. The device will enroll either as Device Admin OR Android Enterprise Work Profile if you enroll by downloading the Company Portal app. It depends what you have set up in your device restrictions
      2. If it enrolls as Device Admin you can use the Knox configurations that are available within Intune, if not you will need to use the Work Profile settings, which are based on the Android Enterprise API set
      3. If you use KME you can set up enrollment profiles for either Device Admin or Device Owner

      I would add though now that we are 6 months down the line we really are getting close to the removal of Device Admin support on devices once Android Q is released so I would recommend exploring Android Enterprise wherever possible

      Delete