Hi Community,
I’m getting a lot of questions these days about the different ways to enroll Android devices in Intune, so I will try to clear up the confusion. There are many enrollment profiles and configuration profiles, each with a different device experience, which can make things complicated and hard to get your head around.
Microsoft also has a very good guide on how to configure app protection and has created a framework for it; see below for more information.
I hope this guide gives you a clearer picture of the different types of enrollment and the use cases for each. Android Open Source Project (AOSP) and zero-touch enrollment will not be covered in this blog post.
In this guide I assume that your Intune tenant is set up and everything is ready to enroll Android devices.
The Different Android Enrollment Profiles
We have 7 general enrollment profiles from which we can start.
- Personally-owned devices with work profile
- Corporate-owned dedicated devices Default
- Corporate-owned dedicated devices with Entra shared mode
- Corporate-owned, fully managed (default)
- Corporate-owned, fully managed, via staging
- Corporate-owned devices with work profile (Default)
- Corporate-owned devices with work profile, via staging
Below I will explain each enrollment method; you will see that each has its own purpose and requirements.
Let’s dive in!
Personally-owned devices with work profile
Enrollment profile settings
For Personally-owned devices with work profile there are no specific settings to configure; this is the most common of the enrollment profiles.
Set up enrollment for bring-your-own-device (BYOD) and personal device scenarios using the Android Enterprise personally owned work profile management solution. During enrollment, a work profile is created on the device to house work apps and work data. The work profile can be managed by Microsoft Intune policies. Personal apps and data stay separate in another part of the device and remain unaffected by Intune.
Configuration profile settings
I have configured some baseline settings on the Android-DR-Personally-owned with work profile.json file.
How to enroll a personally-owned device with work profile
Your users must complete the following steps. For the specific user experience, see Enroll the device.
- Go to the Google Play store, and install the Company Portal app.
- Users open the Company Portal app, and sign in with their organization credentials (user@contoso.com). After they sign in, your enrollment profile applies to the device.
Users may have to enter more information. For more specific steps, go to enroll the device.
Communicate enrollment steps to device users. Users typically don’t like enrolling themselves, and aren’t familiar with the Intune Company Portal app. Be sure to provide guidance, including what information to enter. For some guidance on communicating with your users, see here.
Users must be signed in to the primary user account on their device when enrolling. Enrollment isn’t supported on secondary user accounts. Personal devices previously enrolled with Android device administrator can unenroll, and then re-enroll using the work profile solution.
You can find the full end-user experience here.
Corporate-owned dedicated devices Default
Enrollment profile settings
Use this profile in the following case:
Android Enterprise supports corporate-owned, single-use, kiosk-style devices with its dedicated devices solution. These devices are used for a single purpose, such as digital signage, ticket printing, or inventory management. Admins can lock down the usage of a device to a single app, or a limited set of apps, inclusive of web apps. Users are prevented from adding other apps or taking actions on the device unless explicitly approved by admins.
As a standard Android Enterprise dedicated device. These devices are enrolled into Intune without a user account and aren’t associated with a user. These devices aren’t intended for personal apps, or apps such as Outlook or Gmail that require user-specific account data.
To create this profile, go to this section, click Create profile, give it a name (e.g. Corporate-owned dedicated devices Default), then select the token type and an expiration date.
The Microsoft article is found here
Click next and create. A token will be created for you to scan when enrolling a device.
Configuration profile settings
I have configured some baseline settings on the Android-DR-Dedicated Multi App.json or Android-DR-Dedicated Multi App.json file.
How to Enroll by using the QR code
Intune admins can scan the QR code directly from the enrollment profile to enroll a device. We recommend this enrollment method for most customer scenarios.
- After you wipe the device, tap the first screen you see repeatedly to launch the QR reader.
- If prompted to, install a QR reader on your device. Devices running Android 9.0 and later are preinstalled with a QR reader.
- Scan the enrollment profile QR code, and then follow the on-screen prompts to complete enrollment.
Corporate-owned dedicated devices with Entra shared mode
As a standard Android Enterprise dedicated device that’s automatically set up with Microsoft Authenticator and configured for Microsoft Entra shared device mode during enrollment. These devices are enrolled in Intune without a user account and aren’t associated with a user. These devices are intended for use with apps that integrate with Microsoft Entra shared device mode, and allow for single sign-in and sign-out between users across participating apps.
The Microsoft article is found here
Enrollment profile settings
To create this profile, go to this section, click Create profile, give it a name (e.g. Corporate-owned dedicated devices with Entra Shared mode), then select the token type and an expiration date.
Configuration profile settings
I have configured some baseline settings on the Android-DR-Dedicated Multi App.json or Android-DR-Dedicated Multi App.json file.
How to Enroll by using the QR code
Intune admins can scan the QR code directly from the enrollment profile to enroll a device. We recommend this enrollment method for most customer scenarios.
- After you wipe the device, tap the first screen you see repeatedly to launch the QR reader.
- If prompted to, install a QR reader on your device. Devices running Android 9.0 and later are preinstalled with a QR reader.
- Scan the enrollment profile QR code, and then follow the on-screen prompts to complete enrollment.
Corporate-owned, fully managed (Default) & Corporate-owned, fully managed, via staging
Enrollment profile settings
Use this profile in the following case:
Set up the Android Enterprise fully managed device solution in Microsoft Intune to enroll and manage corporate-owned devices. A fully managed device is associated with a single user and is intended for work, not personal use. As an Intune admin, you can manage the whole device and enforce policy controls that aren’t available with Android Enterprise work profile, such as:
- Allow app installation from Managed Google Play only.
- Block users from uninstalling managed apps.
- Prevent users from factory resetting devices.
Corporate-owned, fully managed (Default)
The Microsoft article is found here
Corporate-owned, fully managed, via staging
The device staging token, Corporate-owned, fully managed, via staging, enrolls devices into Microsoft Intune in a staging mode so that you or a third party vendor can complete all pre-provisioning steps. End users complete the last step of provisioning by signing into the Microsoft Intune app with their work or school account. Devices are ready to use upon sign-in. Intune supports device staging for Android Enterprise devices running Android 8 or later.
For more information, see Device staging overview.
The Microsoft article is found here
To create this profile, go to this section, click Create profile, give it a name (e.g. Corporate-owned, fully managed (Default) or Corporate-owned, fully managed, via staging), then select the token type.
Configuration profile settings
I have configured some baseline settings on the Android-DR-Fully Managed.json file.
How to Enroll by using the QR code
Intune admins can scan the QR code directly from the enrollment profile to enroll a device. We recommend this enrollment method for most customer scenarios.
- After you wipe the device, tap the first screen you see repeatedly to launch the QR reader.
- If prompted to, install a QR reader on your device. Devices running Android 9.0 and later are preinstalled with a QR reader.
- Scan the enrollment profile QR code, and then follow the on-screen prompts to complete enrollment.
Corporate-owned devices with work profile (Default) & Corporate-owned devices with work profile, via staging
Enrollment profile settings
Use this profile in the following case:
Android Enterprise corporate-owned devices with a work profile are single user devices intended for corporate and personal use.
End users can keep their work and personal data separate and are guaranteed that personal data and applications will remain private. Admins can control some settings and features for the entire device, including:
- Setting requirements for the device password
- Controlling Bluetooth and data roaming
- Configuring factory reset protection
Corporate-owned devices with work profile (Default)
The default token, corporate-owned work profile, enrolls devices into Microsoft Intune as standard Android Enterprise corporate-owned devices with work profiles. This token requires you to complete pre-provisioning steps before you distribute the devices. End users complete the remaining steps on the device when they sign in with their work or school account.
Corporate-owned devices with work profile, via staging
The device staging token, Corporate-owned work profile, via staging, enrolls devices into Microsoft Intune in a staging mode so that you or a third party vendor can complete all pre-provisioning steps. End users complete the last step of provisioning by signing into the Microsoft Intune app with their work or school account. Devices are ready to use upon sign-in. Intune supports device staging for Android Enterprise devices running Android 8 or later.
For more information, see Device staging overview.
The Microsoft article is found here
To create this profile, go to this section, click Create profile, give it a name (e.g. Corporate-owned devices with work profile), then select the token type.
Configuration profile settings
I have configured some baseline settings on the Android-DR-Personally-owned with work profile.json file.
How to Enroll by using the QR code
Intune admins can scan the QR code directly from the enrollment profile to enroll a device. We recommend this enrollment method for most customer scenarios.
- After you wipe the device, tap the first screen you see repeatedly to launch the QR reader.
- If prompted to, install a QR reader on your device. Devices running Android 9.0 and later are preinstalled with a QR reader.
- Scan the enrollment profile QR code, and then follow the on-screen prompts to complete enrollment.
When to use the Managed Home Screen App VS the Launcher app
Microsoft Launcher is an Android application that lets users personalize their phone, stay organized on the go, and transfer from working from their phone to their PC. On Android Enterprise fully managed devices, Launcher allows enterprise IT admins to customize managed device home screens by selecting the wallpaper, apps, and icon positions. This standardizes the look and feel of all managed Android devices across different OEM devices and system versions.
The Managed Home Screen is the application used for corporate-owned Android Enterprise dedicated devices enrolled via Intune and running in multi-app kiosk mode. For these devices, the Managed Home Screen acts as the launcher for other approved apps to run on top of it. The Managed Home Screen provides IT admins the ability to customize their devices and to restrict the capabilities that the end user can access.
They are used in different scenarios; choose one according to your enrollment type. More details can be found in the following links:
- https://learn.microsoft.com/en-us/mem/intune/apps/app-configuration-managed-home-screen-app
- https://techcommunity.microsoft.com/t5/intune-customer-success/how-to-setup-microsoft-launcher-on-android-enterprise-fully/ba-p/1482134
- https://learn.microsoft.com/en-us/mem/intune/apps/configure-microsoft-launcher
The 3 levels of security – Microsoft Data Protection Framework using app protection policies
As more organizations implement mobile device strategies for accessing work or school data, protecting against data leakage becomes paramount. Intune’s mobile application management solution for protecting against data leakage is App Protection Policies (APP). APP are rules that ensure an organization’s data remains safe or contained in a managed app, regardless of whether the device is enrolled.
When configuring App Protection Policies, the number of various settings and options enable organizations to tailor the protection to their specific needs. Due to this flexibility, it may not be obvious which permutation of policy settings are required to implement a complete scenario. To help organizations prioritize client endpoint hardening endeavors, Microsoft has introduced a new taxonomy for security configurations in Windows 10, and Intune is leveraging a similar taxonomy for its APP data protection framework for mobile app management.
The APP data protection configuration framework is organized into three distinct configuration scenarios:
- Level 1 enterprise basic data protection – Microsoft recommends this configuration as the minimum data protection configuration for an enterprise device.
- Level 2 enterprise enhanced data protection – Microsoft recommends this configuration for devices where users access sensitive or confidential information. This configuration is applicable to most mobile users accessing work or school data. Some of the controls may impact user experience.
- Level 3 enterprise high data protection – Microsoft recommends this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (users who handle highly sensitive data where unauthorized disclosure causes considerable material loss to the organization). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration.
In my personal opinion, these policies map to the following user profiles:
- Level 1: user profiles with little to no sensitive/private data, or only public corporate data, on their devices.
- Level 2: user profiles with sensitive/private corporate data on their devices -> for me this is the profile to use for general users.
- Level 3: sensitive user profiles, e.g. HR, Accounting, Management.
Check out the full Microsoft article here for more information.
Level 1 enterprise basic data protection
Level 1 is the minimum data protection configuration for an enterprise mobile device. This configuration replaces the need for basic Exchange Online device access policies by requiring a PIN to access work or school data, encrypting the work or school account data, and providing the capability to selectively wipe the school or work data. However, unlike Exchange Online device access policies, the below App Protection Policy settings apply to all the apps selected in the policy, thereby ensuring data access is protected beyond mobile messaging scenarios.
The policies in level 1 enforce a reasonable data access level while minimizing the impact to users and mirror the default data protection and access requirements settings when creating an App Protection Policy within Microsoft Intune.
Level 2 enterprise enhanced data protection
Level 2 is the data protection configuration recommended as a standard for devices where users access more sensitive information. These devices are a natural target in enterprises today. These recommendations don’t assume a large staff of highly skilled security practitioners, and therefore should be accessible to most enterprise organizations. This configuration expands upon the configuration in Level 1 by restricting data transfer scenarios and requiring a minimum operating system version.
The policy settings enforced in level 2 include all the policy settings recommended for level 1. However, Level 2 only lists those settings that have been added or changed to implement more controls and a more sophisticated configuration than level 1. While these settings may have a slightly higher impact to users or to applications, they enforce a level of data protection more commensurate with the risks facing users with access to sensitive information on mobile devices.
Level 3 enterprise high data protection
Level 3 is the data protection configuration recommended as a standard for organizations with large and sophisticated security organizations, or for specific users and groups who will be uniquely targeted by adversaries. Such organizations are typically targeted by well-funded and sophisticated adversaries, and as such merit the additional constraints and controls described. This configuration expands upon the configuration in Level 2 by restricting additional data transfer scenarios, increasing the complexity of the PIN configuration, and adding mobile threat detection.
The policy settings enforced in level 3 include all the policy settings recommended for level 2 but only lists those settings below that have been added or changed to implement more controls and a more sophisticated configuration than level 2. These policy settings can have a potentially significant impact to users or to applications, enforcing a level of security commensurate with the risks facing targeted organizations.
Check out these policies here.
Also implement the steps in Block legacy authentication to block legacy authentication capable iOS and Android apps.
These policies leverage the grant controls Require approved client app and Require app protection policy.
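To make the three levels concrete, here is an added example (not from the original post and not Microsoft's tooling) that audits an exported Android App Protection Policy against the requirements the framework text describes: PIN and encryption for Level 1, data-transfer limits and a minimum OS version for Level 2, a stronger PIN and mobile threat defense for Level 3. The property names follow Microsoft Graph's androidManagedAppProtection resource as I know them and the thresholds are my assumptions, so adjust both to the settings in the linked Microsoft article.

```python
# Added example: classify an exported Intune Android App Protection Policy
# into APP data protection framework levels 0-3. Property names are assumed
# to match Graph's androidManagedAppProtection; thresholds are assumptions.
from __future__ import annotations

MIN_OS_FOR_LEVEL2 = "8.0"  # assumption: the post only says "a minimum OS version"

# Constructed sample export: meets Level 1 and Level 2 but not Level 3.
SAMPLE_LEVEL2 = {
    "displayName": "Android-APP-Level2 (constructed sample)",
    "pinRequired": True,
    "encryptAppData": True,
    "allowedOutboundDataTransferDestinations": "managedApps",
    "minimumRequiredOsVersion": "9.0",
    "pinCharacterSet": "numeric",
    "minimumPinLength": 4,
    "maximumAllowedDeviceThreatLevel": "notConfigured",
}
# Same policy hardened to the Level 3 requirements.
SAMPLE_LEVEL3 = {
    **SAMPLE_LEVEL2,
    "pinCharacterSet": "alphanumericAndSymbol",
    "minimumPinLength": 6,
    "maximumAllowedDeviceThreatLevel": "low",
}

def _version_tuple(v: str | None) -> tuple[int, ...]:
    """'10.0' -> (10, 0); compares numerically so '9.0' < '10.0'."""
    return tuple(int(x) for x in (v or "0").split(".") if x.isdigit())

def findings(policy: dict) -> dict[int, list[str]]:
    """Return the unmet requirements per level (1, 2, 3) for one policy."""
    p, out = policy, {1: [], 2: [], 3: []}
    if not p.get("pinRequired"):
        out[1].append("pinRequired must be true")
    if not p.get("encryptAppData"):
        out[1].append("encryptAppData must be true")
    if p.get("allowedOutboundDataTransferDestinations", "allApps") == "allApps":
        out[2].append("allowedOutboundDataTransferDestinations must restrict org data")
    if _version_tuple(p.get("minimumRequiredOsVersion")) < _version_tuple(MIN_OS_FOR_LEVEL2):
        out[2].append(f"minimumRequiredOsVersion must be >= {MIN_OS_FOR_LEVEL2}")
    if p.get("pinCharacterSet") != "alphanumericAndSymbol":
        out[3].append("pinCharacterSet must be alphanumericAndSymbol")
    if int(p.get("minimumPinLength", 0)) < 6:
        out[3].append("minimumPinLength must be >= 6")
    if p.get("maximumAllowedDeviceThreatLevel", "notConfigured") == "notConfigured":
        out[3].append("maximumAllowedDeviceThreatLevel must be set (mobile threat defense)")
    return out

def classify(policy: dict) -> int:
    """Highest level whose requirements, and those of all lower levels, are met."""
    f, level = findings(policy), 0
    for n in (1, 2, 3):
        if f[n]:
            break
        level = n
    return level

if __name__ == "__main__":
    for pol in (SAMPLE_LEVEL2, SAMPLE_LEVEL3):
        print(pol["displayName"], "-> Level", classify(pol), findings(pol))
```

Run it against a policy exported from the Graph API (or a JSON you paste from the portal) to see which level a tenant's policy actually reaches and exactly which settings hold it back.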
I hope this gives you a clearer view of the different enrollment methods for Android devices. As always, if you think something is wrong or want to add something from your own experience, don’t hesitate to contact me!