Saturday, 27 April 2019

Intune Basics Part 2: Modern Device Management with Android Enterprise - Creating Groups

Welcome to part 2 of this series of posts, which is intended to get you started with managing Android devices using the Android Enterprise capabilities within Microsoft Intune.

Part 1 of this series can be found here and covers setting up the various Android Enterprise enrollment methods.

This series is intended to get you up and running as quickly as possible, so if you require further detail and explanation on Android Enterprise please refer to my previous post here, which I am keeping up to date as newer functionality is supported within Intune.

This post will talk about the creation of Azure AD (AAD) user and device groups, and provide some recommendations and considerations for your environment.

Before commencing an implementation it must be clear whether, along with company-issued devices, your organisation will support a BYOD policy for Android Enterprise. This is crucial for some of the decisions that need to be made when creating AAD groups, and in some cases it creates interesting scenarios. For example, a user may have a company-issued phone and also wish to enrol their personally owned Android tablet, which they are fully entitled to do under their organisation's IT policy. Do you wish to deploy a different set of apps to personal devices than to company-owned ones? If so, some apps will need to be assigned to device groups rather than user groups, because an assignment targeted at a user follows that user onto every device they enrol.

Dynamic AAD groups can be used for this, and they are created by the following process.

Log into the M365 Device Management Portal, select "Groups"



Select "New group"



Select "Security" for the group type and choose an appropriate name. My recommendation for a naming convention is "Solution Set - Ownership and/or function", so in this example we will call ours "Android Enterprise Work Profile - Personal Devices" (you could consider substituting "AE" for Android Enterprise, or indeed just use "Android", depending on whether you have any legacy Device Admin devices in your environment). Select "Dynamic Device" for the membership type.



Click "Add dynamic query"


Select "Advanced rule" and then enter the membership rule for the group (the rules for each of the recommended groups are listed further down this post).


Select "Add query" then "Create"


To get you started, below are some group names with either advanced or simple dynamic queries to cover what I feel are the main use cases;

Android Enterprise Work Profile - Personal Devices (device.deviceOwnership -eq "Personal") -and (device.deviceOSType -eq "AndroidForWork")

Android Enterprise Work Profile - Company Devices (device.deviceOwnership -eq "Company") -and (device.deviceOSType -eq "AndroidForWork")

Android Enterprise Dedicated - Single App Kiosk (Substitute "Single App Kiosk" with the name of your enrollment profile)

Android Enterprise Dedicated - Multi App Kiosk (Again, substitute with your appropriate enrollment profile name)

Android Enterprise Fully Managed Devices (device.deviceOSType -eq "AndroidEnterprise") -and (device.enrollmentProfileName -eq null) Note that I am open to suggestions if anyone feels there is a better query to single out Fully Managed devices

Please refer here for the AAD Dynamic Group documentation

Cool, so now we have our device groups created. Bear in mind that dynamic membership is evaluated asynchronously, so a newly enrolled device can take some minutes to appear in its group, and a device whose ownership Intune records as "Unknown" will fall into neither of the Work Profile groups above, so check for stragglers after a pilot enrollment.

The same methodology is valid for the creation of user groups; you may need to scope some user groups to different departments in order to differentiate app deployments or compliance requirements.

Another useful user query is one that creates an "All Intune Users" collection.

This will populate the group with all AAD users and comes into play when, for example, specifying a user group for Exchange on-premises access. For more information on this scenario see here. Note that a rule matching every AAD user also picks up guest (B2B) accounts; add a condition on user.userType (for example, user.userType -eq "Member") if only your own staff should be in scope.
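As an added example (not from the original post), the following Microsoft Graph PowerShell script creates every group recommended above, both the device groups and the "All Intune Users" user group, in one pass and skips any that already exist. The rules for the Work Profile and Fully Managed groups are the ones given in the list above; the enrollmentProfileName rules for the two Dedicated groups, the user.objectId -ne null rule for "All Intune Users", the Microsoft.Graph module and the Group.ReadWrite.All permission are assumptions made here, not taken from the post.

```powershell
# Added example, not from the original post: create the recommended dynamic
# AAD groups with the Microsoft Graph PowerShell SDK, skipping existing ones.
# Assumptions (not in the post): Microsoft.Graph.Groups is installed, the
# account has Group.ReadWrite.All, the Dedicated rules key on
# enrollmentProfileName, and "all users" is expressed as objectId -ne null.
#Requires -Modules Microsoft.Graph.Groups

Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Membership rules. Device rules key on deviceOSType, which Azure AD records as
# "AndroidForWork" for work profile devices and "AndroidEnterprise" for
# dedicated and fully managed devices. Substitute your own enrollment profile
# names in the two Dedicated rules.
$groups = @(
    @{ Name = 'Android Enterprise Work Profile - Personal Devices'
       Rule = '(device.deviceOwnership -eq "Personal") -and (device.deviceOSType -eq "AndroidForWork")' }
    @{ Name = 'Android Enterprise Work Profile - Company Devices'
       Rule = '(device.deviceOwnership -eq "Company") -and (device.deviceOSType -eq "AndroidForWork")' }
    # Assumption: dedicated devices are singled out by the enrollment profile
    # they were provisioned with.
    @{ Name = 'Android Enterprise Dedicated - Single App Kiosk'
       Rule = '(device.deviceOSType -eq "AndroidEnterprise") -and (device.enrollmentProfileName -eq "Single App Kiosk")' }
    @{ Name = 'Android Enterprise Dedicated - Multi App Kiosk'
       Rule = '(device.deviceOSType -eq "AndroidEnterprise") -and (device.enrollmentProfileName -eq "Multi App Kiosk")' }
    @{ Name = 'Android Enterprise Fully Managed Devices'
       Rule = '(device.deviceOSType -eq "AndroidEnterprise") -and (device.enrollmentProfileName -eq null)' }
    # Assumption: every AAD user has an objectId. Append
    # -and (user.userType -eq "Member") to leave guest accounts out.
    @{ Name = 'All Intune Users'
       Rule = '(user.objectId -ne null)' }
)

foreach ($g in $groups) {
    # Idempotency check: look the group up by display name. Single quotes in
    # the name are doubled so they cannot break out of the OData filter.
    $filter   = "displayName eq '{0}'" -f ($g.Name -replace "'", "''")
    $existing = Get-MgGroup -Filter $filter
    if ($existing) {
        Write-Host "Exists:  $($g.Name) ($($existing.Id))"
        continue
    }

    # mailNickname is mandatory even for security groups; derive it from the name.
    $nick = $g.Name -replace '[^A-Za-z0-9]', ''

    $new = New-MgGroup -DisplayName $g.Name `
                       -MailEnabled:$false `
                       -MailNickname $nick `
                       -SecurityEnabled `
                       -GroupTypes @('DynamicMembership') `
                       -MembershipRule $g.Rule `
                       -MembershipRuleProcessingState 'On'
    Write-Host "Created: $($new.DisplayName) ($($new.Id))"
}
```

Dynamic membership requires an Azure AD Premium P1 licence in the tenant, and the rules are validated by the service at creation time, so a typo in a property name (for example deviceOsType instead of deviceOSType) fails the New-MgGroup call rather than silently producing an empty group. The script can be re-run safely; membership is processed in the background, so allow a few minutes before checking results.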
