This is the fifth part of the series of building your own Microsoft Intune lab. We will take some shortcuts and do some dirty tricks, just to get going. So please don’t use this as an implementation guide in a real environment. We will also skip a lot of fancy steps as getting a real domain name and having an on-premises AD. But if you already have those in your lab, that’s great!
For Android, there are a handfull of ways we can manage these. In this guide, we will configure Microsoft Intune to manage the method called “Personally owned device with work profile” which is the simplest wat to manage Android devices where we only have control over the corporate data, which is separated from the personal data.
For Android, we will setup the enrollment method, add a configuration profile, a compliance policy and add an application.
Navigate to Devices > Android and select Android Enrollment. This will list all available enrollment methods for Android.
For this lab, we will use the “Personally owned device with work profile” which is the simplest and easiest Android management method to get started with (and it doesn’t require you to reset your device to enroll).
Click on the box “Personally owned device with work profile“.
As you will see by the message you are presented with, this is enabled by default. This means that we do not need to make any further configurations.
To create a Configuration Profile navigate to Devices > Android and select Configuration profiles in the left side menu.
Click on “+ Create profile” to create a new profile. As Platform select “Android Enterprise” and as Profile type select “Device Restrictions” under the “Personally Owned Work Profile” section. Then click Create.
On the first page, give your profile a name and click Next. I use Android as a prefix to indicate that it’s a profile for Android followed by the PIN Requirements to indicate what the profile does.
Find and expand the category Device password. Here we will add similar settings as we did with iOS/iPadOS which is to use Numeric Complex password type which blocks simple password (such as 111111 and similar) and we will require the PIN to be at least six digits. Facial recognition or fingerprint sensors will be available to use instead of PIN. When you have added these settings, click Next.
Assign the profile to your user group and press Next.
On the last page, review your settings and click Create.
We have now successfully created a configuration profile which will require a PIN to be set on our enrolled devices.
As with the iOS/iPadOS configuration, we will create a compliance policy which will audit the device to make sure that the PIN requirements are met.
Navigate to Device > Android and select Compliance policies and click “+ Create policy“. Select “Android Enterprise” as Platform and “Personally owned device with work profile” as Profile type. Then click Create.
Give your policy a good name and click Next.
Find and expand the category System Security and configure the password requirements to mimic the configuration profile. Once you have added this, click Next.
On the next page, we will leave the default action but we will add the option “Send notification to end user” and leave the schedule to the default value 0 and then click Next.
On the next page, we will add our user group and click Next.
On the last page, review your settings and then click Create.
We have now successfully created a compliance policy which will audit if the user has set a PIN which meets our requirements.
In the iOS guide, we used a Guided scenario to deploy Microsoft Edge to bot iOS, iPadOS and Android. This means that the Microsoft Edge appliucation will be automatically installed on the Android devices as well.
But we need more than one application, hence we will add one more.
Navigate to Apps > Android and press “+ Add“. Select “Managed Google Play app” as App type and press Select.
Search for an application you want to add and select Approve on the application.
Once the application has been approved, press Sync in the upper left corner of the window. This will take you back to the application list.
Wait a few minutes and then click Refresh on the app list page in order to display your new applications. You will notice that the Assinged status on all new applications are set to “No” which means that no users has been assigned to the applictiaon yet.
To assign the application to a group to distribute it to your devices, click on the application and select Properties in the left side menu.
Click on Edit next to Assignments to add a group to distribute this towards. Add your user group to Available for enrolled devices and click Review + save. Then on the review page click save.
We have now successfully made the application available to all our enrolled Android devices in the Managed Google Play store.
Enroll your device
Now its time to enroll your device and in this scenario it requires the device to be rested to factory default.
On the first page where you are asked to select language, tap five times fast in order to trigger the QR code scanner.
Go to Devices > Android > Android enrollment and select the profile you created earlier. Click on Token and scan the QR which is displayed.
Follow the enrollment guide on your screen (this will vary depending on which version of Android you are running).
Once enrollment is completed, you can find your device if you go to Devices > Android > Android Devices. Click on your device to show more information and perform remote actions such as wipe or removing the PIN if the user has forgotten it.
There are many ways to manage Android, and in this guide, we went through the simplest one. There is also a method called “Corporate-owned devices with work profile” which is the most powerful method, in my honest opinion. this however requires you to reset your device before enrollment. You will also need to create new Configuration profiles and Compliance policies for this method since it operates a bit different.
I really encourage you to keep playing around with Intune and try out more stuff. We only scratched the surface in this guide, but you have a good foundation to build upon!