Monday, 22 April 2019

Intune Basics Part 1: Modern Device Management with Android Enterprise - Enable Enrollment

Welcome to part 1 of this series of posts which are intended on getting you started with managing Android devices using the Android Enterprise capabilities within Microsoft Intune.

This series will get you up and running as quickly as possible, therefore if you require further detail and explanation on Android Enterprise please refer to my previous post here which I am ensuring is kept up to date as newer functionality is supported within Intune.

This post will be discussing the steps required to associate your Intune tenant with Google, along with any other initial mandatory steps required before you can commence enrolling and configuring Android devices within Android Enterprise, utilising all of the available solution sets.

In preparation, create a Google account with a suitable generic name for the sole purpose of binding your Intune Tenant with the Managed Google Play store.

Log in to the M365 Device Management Portal.

Navigate to Device Enrollment > Android Enrollment > Managed Google Play



Check the box to agree the terms and then select "Launch Google to connect now"


Log in using the previously created Google account



Enter your organisation name and agree the terms when prompted, select "Complete Registration"

Setup is now complete




The next steps are nicely explained within the portal, select Device Enrollment > Android Enrollment > Personal Devices with Work Profile


Review the information presented. The first mandatory step is to approve the Company Portal, ensuring that the app continues to recieve updates within the Work Profile (typically called the "Managed Company Portal") You will notice the instructions provide you a link directly to the Managed Google Play store. There is no need to do this now and you can go ahead and approve any Managed Google Play app direct from the console

Navigate to Client Apps > Apps > Select the + icon



Select "Managed Google Play" for the app type and then search for the Intune Company Portal


"Approve"



Leave the default option and then click "Save"



Select "OK" then "Sync"


Ensure that the App appears in the Client Apps > Apps node. Note that you do not need to assign this app to any devices



Now in order to ensure that users are able to enroll thier Android devices with Work Profiles (typically for BYOD use case scenarios) this will need to be enabled within enrollment restrictions. Be aware here on the difference between just "Android" and "Android Work Profile" - the former meaning legacy Device Admin Android enrollment, and the latter being Android Enterprise Work Profile Enrollment. Again I will reiterate - Work Profile enrollment is only a single element of the Android Enterprise story which is designed with the personally owned BYOD devices in mind.

Navigate to Device Enrollment > Enrollment Restrictions

In this scenario I wish to block the enrollment of Device Admin and allow Work Profile for all users. Edit the default device type restrictions


Click "Properties" then "Select Platforms". Select "Block" for Android and "Allow" for Android Work Profile. Note that these settings only effect devices that are enrolled from this point forward and not any existing devices


Note the prompt at the top right hand side of the screen for platform configurations, after saving the changes by clicking "Ok", select the option below and consider as a minimum setting a minimum platform version. 



Android Enterprise requires at least a minimum of 5.0 Lollipop however my suggestion would be to consider raising this to 6.0 Marshmallow or indeed 7.0 Nougat. Taking into consideration how old devices are likely to be running on these older versions of the OS, it is unlikely they are any longer receiving security updates hence bringing into question how secure that are for effective use within the enterprise.

Select "Save" to finally complete the configuration.

Next up, lets create an enrollment token for enrolling "Dedicated Devices" typically designed for devices that are for single use, without any user association.

Device Enrollment > Android Enrollment > Corporate-owned Dedicated Devices


Select "Create Profile"


Enter a suitable name then click "Create"


Create as many profiles as you need for different configurations. All will become clear in part 2 of this series on how these can be used to scope configurations to different device groups




Finally, to enable Fully Managed device enrollment funtionality navigate to Device Enrollment > Android Enrollment > Corporate-owned Fully Managed user devices (Preview)



Select "Yes"

That completes this part of the series and means you are now in a position to commence your Android Enterprise configuration.

Stay tuned for part 2!






1 comment:

  1. Thanks very much for posting this, I was missing this part and wondering why my Android wanting being managed as an MDM device.
    Thanks,

    Fult.

    ReplyDelete