Wednesday 25 September 2019

Intune Basics Part 5: Modern Device Management with Android Enterprise - Configuring Fully Managed Devices

Welcome to part 5 of this series of posts, which is intended to get you started with managing Android devices using the Android Enterprise capabilities within Microsoft Intune.

Part 1 can be found here and covers setting up the various Android Enterprise enrolment methods

Part 2 can be found here and covers the configuration of Azure AD groups

Part 3 can be found here and covers the configuration of Personally-owned Work Profile devices

Part 4 can be found here and covers the configuration of Dedicated devices

This series will get you up and running as quickly as possible; if you require further detail and explanation on Android Enterprise, please refer to my previous post here, which I am keeping up to date as newer functionality is supported within Intune.

This post covers the enrollment and configuration of a Fully Managed device, which is pretty much exactly as it sounds: Intune has full control over the device and there is no facility provided for the user to have personal apps and data. If you followed my last post on Dedicated devices, you will see a similar configuration process; in fact, the same Configuration Profile is used for both Dedicated and Fully Managed devices. One caveat is the setting Users and Accounts > Account Changes, which at this time is not supported to be set to Blocked on Fully Managed devices.


Enabling the above setting will cause enrollment issues, as described in Peter Egerton's blog here.

There are different methods you can use to enroll your device, depending on the OS, as detailed in the documentation. In this example I am going to use the QR code method on an Android 7.0 device.

Ensure the device is either new out of the box or has been factory reset, and at the first screen tap anywhere in the white space 6 times.

Select Next


Connect to Wi-Fi


The QR reader will now download and install


You can now scan the enrollment token


Encrypt the device if prompted.


Accept any terms then select Next


The device will commence updating Google Play Services


Accept the terms to launch Chrome


Authenticate with Azure AD credentials


I have deployed a compliance policy setting for encryption to my Android Fully Managed devices, which means that secure startup must be enabled; this prevents the device from booting into the OS until a PIN or password is entered. Select Start.


Just to be clear: in this example we are being prompted to "enable" encryption because secure startup isn't enabled, not because the device isn't encrypted.

Select Secure Startup


Select Set Screen Lock Type; in this example I am setting a PIN


Select a lock screen notifications option


Set up fingerprints if required


Select Require PIN when device powers on to enable secure startup, and enter your PIN when prompted


Select the back button at the top left


Follow the prompts to commence installing apps


Select START to commence device registration


Sign in to the Microsoft Intune app when prompted


Select Next


Select DONE to complete device registration


And then one more time to complete the enrollment


With Fully Managed there is the ability to enable any system apps on the device. On the handset I am testing, a Samsung Galaxy A5 (2016), I wish to enable the Gallery application.

To do this, I first need the package name, so in my example I have deployed the Package Name Viewer 2.0 application. On launching it, search for Gallery; you may need to try a search in both the User Apps and System Apps tabs.


Within the M365 Device Management Console navigate to Client Apps > Apps



Add an app and for the app type select Android Enterprise system app


Enter the system app details including specifying the package name


Select OK then Add 

Deploy the app to an AAD group

Now you can see the system app enabled on the device


That's it for this post, feel free to reach out to me if you have any questions. Thanks for reading!
