Updated 20-07: updated the information on corporate-owned devices with work profile, which is now in public preview.
At this moment you can use Intune to support, enroll and manage Android devices in multiple management scenarios. In the past you could only manage Android devices with Android device administrator, which was a limited experience. With the addition of Knox, additional options became available, but only for Samsung devices. The release of Android for Work brought support for additional features and deployment options. In this post I will not cover Android device administrator, because Google is encouraging a move away from device administrator management by reducing its support in new Android releases.
Intune supports multiple ways of enrollment for company use. At this moment there are 4 ways to manage Android devices with Intune. In this post I will dive into the different management scenarios and show the advantages and disadvantages of each, from MAM to fully managed devices. In picture 1 below I’ve created an overview of all the Android deployment scenarios supported by Intune. There is also one scenario (fully managed with work profile), supported by Android, which is currently in Public Preview. As you can see in the overview, Microsoft (red) and Google (black) use different names for the management scenarios; Microsoft also uses “corporate-owned” where Google uses “company-owned” devices.
picture 1: Android Management Scenarios with Intune.
How to choose?
It’s wise to be careful when choosing which profile(s) you want to support. Do you want to support employees using their own phones (BYOD), or do you want to use only company-owned phones which are fully managed and may not be used for personal use (COBO)? Do employees need to sync work contacts to their personal contacts? Some profiles support personal use of a device, while others only support business use.
As you can see in the previous text there are many acronyms in use to describe the different enrollment profiles and ownership of the device. In this table you can see some acronyms which are used in mobile management:
| Acronym | Meaning |
| --- | --- |
| BYOD | Bring Your Own Device (personal) |
| COD | Company Owned Device |
| CYOD | Choose Your Own Device |
| COBO | Company Owned Business Only |
| COSU | Company Owned Single Use |
| COPE | Company Owned Personally Enabled |
Management Scenarios
To help you choose the right management scenario for your company, I’ve added a paragraph for each management scenario currently supported by Intune. Each paragraph contains a short description and some (dis)advantages.
Personally Owned devices (BYOD)
Using Intune there are two ways to support BYOD devices: personally owned without enrollment (MAM-WE) and personally owned with a work profile (MAM+MDM). With App Protection Policies you protect the company data within an app. A work profile is a company-managed bubble on your personal phone.
Picture 2: Personal-owned devices (BYOD)
App Protection Policy (MAM-WE)
With MAM-WE management, company data is protected with App Protection Policies. These prevent data relocation, e.g. by restricting printing, saving copies, and cut, copy and paste. Additional access security can also be set, such as requiring a PIN code and preventing the app from opening on a jailbroken device. The mobile device is not required to enroll, but the Company Portal is required for the deployment of the App Protection Policies.
Picture 3: App Protection Policy (MAM-WE)
Advantages:
- Can be used when a device is already enrolled with a different Intune tenant
- Outlook widgets can be used. (optional)
- Outlook address book can be synced with personal contacts. (This is important if you use WhatsApp.)
- Company data protected at app level
Disadvantages:
- Every application needs to be configured before it will be protected.
- Not all apps support App Protection Policies; support can be added by using the Intune App Wrapping Tool.
- Software needs to be installed manually by the user
- Company Portal is required for MAM-WE.
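The controls named above (printing, save-as, clipboard, PIN, jailbroken/rooted devices) and the first disadvantage (a policy protects nothing until apps are targeted) can be checked against a policy export. The following is an added example, not code from the post or from Microsoft: it audits a policy in the shape of the Microsoft Graph `androidManagedAppProtection` resource (those property names are Graph's; the two sample policies are constructed for the example). The mapping of "jailbroken devices" to `deviceComplianceRequired` is an assumption about how that portal setting is represented.

```python
"""Audit an exported Android App Protection Policy (MAM-WE) for the
data-relocation and access controls described above.

Added example: property names follow the Microsoft Graph
androidManagedAppProtection resource; the two sample policies below are
constructed for this example and are not from a real tenant.
"""
import json

# Outbound clipboard levels, ordered from least to most restrictive.
CLIPBOARD_LEVELS = ["allApps", "managedAppsWithPasteIn", "managedApps", "blocked"]


def clipboard_restricted(level) -> bool:
    """True when cut/copy/paste *out* of managed apps is restricted.
    'managedAppsWithPasteIn' still blocks outbound sharing to unmanaged apps,
    it only allows pasting personal data into the managed app."""
    return level in CLIPBOARD_LEVELS and CLIPBOARD_LEVELS.index(level) >= 1


# (Graph property, predicate that passes when the setting is acceptable, finding text)
CHECKS = [
    ("printBlocked", lambda v: v is True,
     "printing of company data is allowed"),
    ("saveAsBlocked", lambda v: v is True,
     "saving copies outside the managed app is allowed"),
    ("allowedOutboundClipboardSharingLevel", clipboard_restricted,
     "cut/copy/paste to unmanaged apps is allowed"),
    ("allowedOutboundDataTransferDestinations", lambda v: v in ("managedApps", "none"),
     "company data can be sent to unmanaged apps"),
    ("pinRequired", lambda v: v is True,
     "no PIN is required to open company data"),
    # Assumption: this is the property behind the portal's rooted/jailbroken block.
    ("deviceComplianceRequired", lambda v: v is True,
     "opening on a rooted (jailbroken) device is not blocked"),
    ("deployedAppCount", lambda v: isinstance(v, int) and v > 0,
     "the policy targets no apps, so nothing is protected yet"),
]


def audit_policy(policy: dict) -> list:
    """Return a list of findings; an empty list means every control is in place."""
    findings = []
    for prop, acceptable, text in CHECKS:
        value = policy.get(prop)
        if value is None:
            findings.append(f"{prop} not set: {text}")
        elif not acceptable(value):
            findings.append(f"{prop}={value!r}: {text}")
    return findings


# Constructed sample: a policy created with permissive choices.
WEAK_POLICY = json.loads("""{
  "@odata.type": "#microsoft.graph.androidManagedAppProtection",
  "displayName": "Constructed: permissive policy",
  "printBlocked": false,
  "saveAsBlocked": false,
  "allowedOutboundClipboardSharingLevel": "allApps",
  "allowedOutboundDataTransferDestinations": "allApps",
  "pinRequired": false,
  "deviceComplianceRequired": false,
  "deployedAppCount": 0
}""")

# Constructed sample: the same policy with the controls from the text applied.
HARDENED_POLICY = json.loads("""{
  "@odata.type": "#microsoft.graph.androidManagedAppProtection",
  "displayName": "Constructed: hardened policy",
  "printBlocked": true,
  "saveAsBlocked": true,
  "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
  "allowedOutboundDataTransferDestinations": "managedApps",
  "pinRequired": true,
  "deviceComplianceRequired": true,
  "deployedAppCount": 3
}""")


if __name__ == "__main__":
    for pol in (WEAK_POLICY, HARDENED_POLICY):
        findings = audit_policy(pol)
        print(f"{pol['displayName']}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run over a real export, the permissive sample produces one finding per control, while the hardened sample produces none. `managedAppsWithPasteIn` is accepted because it still blocks copying company data out to unmanaged apps; tighten it to `blocked` if pasting personal data into work apps is also unwanted.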
Personal device with work profile (MAM+MDM)
With MAM+MDM management, company contacts, data and apps are stored in an isolated bubble called the work profile. The work profile is managed by MDM. There are some pass-throughs to the personal profile, but these are limited. For fine-grained security, App Protection Policies can be added. Applications can be deployed as required or made available in Managed Google Play.
Picture 4: Personal device with work profile (MAM+MDM)
Advantages:
- Required apps can be installed without interaction of the end-user.
- All company contacts, data and apps are stored in the work profile.
- App protection policies are not required but can be added for additional protection.
- Outlook Company contacts are searchable and incoming numbers are recognized.
- Only the work profile can be wiped using Intune. Personal data is not removed.
Disadvantages:
- Only one work profile can be created per device.
- Outlook Contacts cannot be synced with Personal contacts outside work profile. (Needed for WhatsApp)
Company Owned Devices (COD)
Using Intune there are currently two ways to fully manage company owned devices: Corporate-Owned Fully Managed (COBO) and Corporate-Owned dedicated devices (COSU). The Corporate-Owned with work profile (COPE) is currently in Public Preview with Intune.
Corporate-owned fully managed user devices (COBO)
For devices used exclusively for work and not personal use you can use the Corporate-owned fully managed enrollment profile. Admins can manage the entire device and enforce policy controls which are unavailable to work profiles.
Picture 6: Corporate-owned fully managed (COBO)
Advantages
- Company managed
- Locked down appstore (optional)
- Device is wiped when removed from Intune.
- Block uninstallation of managed apps
- Prevent users from factory resetting devices.
Disadvantages
- No options for personal storage or profile.
Corporate-owned devices with work profile (COPE)
This management type is currently in Public Preview with a subset of the features that will be included in the generally available release. (The description below is based on the current (20-07-20) available features and may change over time.) Read the Microsoft blog for the latest info.
This profile is similar to the personal device with work profile, but instead of being a personal device it is corporate-owned. Because of this difference, admins can wipe the entire device and also manage some settings and features for the entire device, such as:
- Setting requirements for the device password
- Controlling Bluetooth and data roaming
- Configuring factory reset protection
Just as on the personal device the Work Profile is fully managed and controlled by Intune.
Picture 6: Corporate-owned devices with work profile (COPE)
Advantages:
- Required apps can be installed without interaction of the end-user in the work profile.
- All company contacts, data and apps are stored in the work profile.
- App protection policies are not required but can be added for additional protection.
- Outlook Company contacts are searchable and incoming numbers are recognized.
- The entire device can be wiped.
Disadvantages:
- If the device is already in use it needs to be reset to enroll as a fully managed device.
- Outlook Contacts cannot be synced with Personal contacts outside work profile. (Needed for WhatsApp)
- Outlook widgets cannot be used.
Corporate-Owned Dedicated devices (COSU)
This profile is for corporate-owned, single-use devices, such as digital signage, ticket printing or inventory management. Admins lock down the device to a limited set of apps and web links, which also prevents users from adding other apps or taking other actions on the device. The devices are not user-assigned.
There are two dedicated deployment options:
- Single app kiosk mode – In this mode only the configured app will be displayed. If the app is closed it will be reopened automatically.
- Multi app kiosk mode – In this mode the configured apps are displayed on the managed home screen.
Picture 7: Corporate-owned dedicated device (COSU)
Advantages
- Select which applications are available
- Device is locked down
- Fully managed by Intune
Disadvantages
- In single app mode some settings are still accessible, so an additional restriction policy may be required.
I hope you like this post. Let me know if you have additional (dis)advantages for a deployment profile; I’d like to hear what you think.
Hi Aad,
At the “Personal device with work profile (MAM+MDM)” section of your blog you write that one of the disadvantages is that “Outlook Contacts cannot be synced with native contacts app. (Needed for WhatsApp)”.
Can this be resolved by putting WhatsApp for Business and Outlook Contacts both in the Work Profile?
Hi Menno,
This is possible, however when you do this you will only be able to use the contacts in your Work Profile. Another disadvantage is that you can only register one WhatsApp client with a mobile number. For example: after you register WhatsApp for Business with the same number as used outside of the work profile, the WhatsApp outside of your work profile gets deregistered and will no longer work. To avoid this you could use a dual-SIM device; in this scenario a personal number is used for WhatsApp and the other (business) number for WhatsApp for Business.
Or, when you are using a Work Profile, install this app in your personal profile to sync all your business contacts to your personal profile.
https://play.google.com/store/apps/details?id=com.zaanweg.synccontacts