Corporate-owned fully managed user devices (COBO) with Intune

In this blog post I will explain the steps to configure an Android device as a corporate-owned, fully managed user device (COBO) with Intune. This type is also known as a fully managed device or a Company-Owned, Business-Only (COBO) device.

 

What is a Corporate-owned fully managed device

The primary use for this profile type is Android devices that are used exclusively for work. Admins can manage the entire device and enforce policy controls that are not available on work profiles, because the management agent runs as the device owner instead of as the owner of a separate profile.

Features:

  • Company managed
  • Locked down appstore (optional)
  • Device is wiped when removed from Intune.
  • Block uninstallation of managed apps
  • Prevent users from factory resetting devices.
  • Business Only (No separate layer for personal storage or profile.)

 

Setup the profile

Prerequisites:

  • The Intune tenant needs to be connected to a managed Google Play account (Devices -> Android -> Android enrollment -> Managed Google Play). Without this link the corporate-owned enrollment profiles do not show up at all.
  • The test device needs Android 6.0 or higher and Google Mobile Services (GMS) must be working correctly. Check the current Intune supported-OS list before you start, since the minimum Android version has been raised since this post was written.
  • The test device must be factory reset (or new out of the box), because fully managed enrollment starts from the setup wizard.

 

The setup of a corporate-owned fully managed enrollment in Intune consists of a few separate parts:

  1. Enable Corporate-owned devices
  2. Create a Dynamic Device Group
  3. Configure Device Compliance policy
  4. Configure Device Configuration profile
  5. Assign additional Apps
  6. Manually Enroll and Test Configuration

These are the settings I would suggest, but you can also add app configuration policies and/or app protection policies to configure applications and protect data.

 

1. Enable Corporate-owned Fully managed devices

The first step is to enable the corporate-owned, fully managed devices enrollment profile so that your end users can enroll corporate-owned devices.

1. Log in to the Microsoft Endpoint Manager admin center, browse to “Devices -> Android -> Android enrollment” and select “Corporate-owned, fully managed user devices”.

2. Set “Allow users to enroll corporate-owned user devices” to “Yes”. An enrollment token (string) and a matching QR code will appear. Treat the token like a credential: anyone who has it can point a factory-reset device at your tenant, and the sign-in step is then the only remaining control. Share it only with the people who provision devices, and make sure the enrolling accounts are licensed and allowed by your enrollment restrictions.

 

2. Create a Dynamic Device Group

During this step a dynamic group is created that will contain all corporate-owned, fully managed devices. This group can be used for policy settings, app installations, etc.

3. Browse to “Groups” and press “+ New group”.

4. Enter a name and select membership type “Dynamic device”. Press “Add dynamic query” to add the selection query.

5. Add the following syntax to add only fully managed Android Enterprise devices. Fully managed devices do not have an enrollmentProfileName (null), unlike dedicated devices and corporate-owned devices with a work profile, which carry the name of their enrollment profile:

(device.deviceOSType -eq "AndroidEnterprise") and (device.enrollmentProfileName -eq null)

Personally-owned devices with a work profile are registered with a different deviceOSType (AndroidForWork) and are therefore not matched either. Because Intune has only one fully managed enrollment profile, every fully managed device ends up in this group regardless of how it was enrolled (QR code, token, Knox Mobile Enrollment or zero-touch).

6. Press “Save” to save the rule syntax and “Create” to create the dynamic group. Dynamic membership is evaluated asynchronously, so newly enrolled devices appear in the group after a short delay.
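The same group can be created from PowerShell, which is handy when you repeat this setup in several tenants. The script below is an added example and not part of the original post; it uses the Microsoft Graph PowerShell SDK (`New-MgGroup`, `Get-MgDevice`), assumes the `Microsoft.Graph.Groups` and `Microsoft.Graph.Identity.DirectoryManagement` modules are installed and that the signed-in admin can consent to the listed scopes. The group name and mail nickname are placeholders. After creating the group it previews which existing directory devices the rule will match, so you can confirm that dedicated and corporate-owned work profile devices are excluded before you assign anything to the group.

```powershell
# Added example (not from the original post): create the dynamic device group from section 2
# with the Microsoft Graph PowerShell SDK, then preview which directory devices the rule matches.
# Assumptions: Microsoft.Graph.Groups and Microsoft.Graph.Identity.DirectoryManagement are
# installed; the admin can consent to the scopes below; names are placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Device.Read.All"

# Same rule as in the post. AndroidEnterprise covers the corporate-owned Android Enterprise
# device types; only fully managed devices have no enrollment profile name, so the null test
# keeps dedicated and corporate-owned work profile (COPE) devices out of the group.
$rule = '(device.deviceOSType -eq "AndroidEnterprise") and (device.enrollmentProfileName -eq null)'

$group = New-MgGroup -DisplayName "MDM - Android Fully Managed (COBO)" `
    -Description "Dynamic: all Android Enterprise fully managed devices" `
    -MailEnabled:$false -MailNickname "mdm-android-cobo" -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

"Created group $($group.DisplayName) ($($group.Id))"

# Preview: the rule's device.deviceOSType and device.enrollmentProfileName map to the
# operatingSystem and enrollmentProfileName attributes of the directory device object, so
# this shows what the rule will pick up once membership processing has run (allow a few minutes).
$candidates = Get-MgDevice -Filter "operatingSystem eq 'AndroidEnterprise'" `
    -Property "id,displayName,operatingSystem,enrollmentProfileName" -All

$candidates | ForEach-Object {
    [pscustomobject]@{
        DisplayName           = $_.DisplayName
        EnrollmentProfileName = $_.EnrollmentProfileName
        MatchesRule           = [string]::IsNullOrEmpty($_.EnrollmentProfileName)
    }
} | Format-Table -AutoSize
```

If a device you expected to be fully managed shows an enrollment profile name in the preview, it was enrolled as dedicated or corporate-owned work profile and needs to be re-enrolled rather than added to the group by hand.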

 

3. Configure Device Compliance Policy

These rules define requirements for devices, like a minimum operating system version or the use of storage encryption. Devices must meet these rules to be considered compliant. Combined with app protection policies and Conditional Access rules, compliance becomes the gate for access to company data.

7. Select “Endpoint security” -> “Device compliance” and press “+ Create Policy”.

8. Select platform “Android Enterprise” and policy type “Fully managed, dedicated, and corporate-owned work profile” and press “Create”.

9. Enter a name and press “Next”.

10. Select the compliance settings (device health, minimum OS version, password rules, storage encryption) and press “Next”.

11. Select the actions for noncompliant devices and press “Next”. The default action marks the device noncompliant immediately; add a grace period only if you want Conditional Access to keep allowing access while users fix the issue.

12. Add scope tags (optional) and press “Next”.

13. Assign the compliance policy to the dynamic device group created in section 2 and press “Next”.

14. Press “Create” to finish the creation of the compliance policy.

 

4. Configure Device Configuration profile

Device configuration profiles are used to lock down devices and to configure settings such as password rules, access to the public Google Play store, blocking factory reset, etc.

15. Select “Devices” -> “Android” -> “Configuration profiles” and press “+ Create Profile”.

16. Select platform “Android Enterprise” and the profile type that needs to be configured. Only use the profile types listed under “Fully managed, dedicated, and corporate-owned work profile”; the profile types for personally-owned work profiles do not apply to fully managed devices.

17. Enter a name for the configuration profile and press “Next”.

18. Configure the required profile settings. For a fully managed device, a device restrictions profile is where you block factory reset, block adding users and installing apps from unknown sources, and set the password rules that the compliance policy checks.

19. Assign the configuration profile to the dynamic device group created in section 2.

20. Finish the creation of the configuration profile by pressing “Create”.
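Sections 3 and 4 are the two pieces most worth keeping as code, because the portal gives no record of which settings were chosen. The script below is an added example and not part of the original post: it creates a compliance policy and a device restrictions profile through the Intune Graph API (beta) and assigns both to the dynamic group from section 2. It assumes the `Microsoft.Graph.Authentication` module is installed, that `$groupId` holds the object ID of that group, and that the property names follow the current beta schema for `androidDeviceOwnerCompliancePolicy` and `androidDeviceOwnerGeneralDeviceConfiguration` (the beta schema can change, so check a failing POST against the current reference). The setting values are a suggested baseline, not the post's own.

```powershell
# Added example (not from the original post): create the section 3 compliance policy and the
# section 4 device restrictions profile via the Intune Graph API (beta) and assign both to the
# dynamic group. Assumptions: Microsoft.Graph.Authentication installed; $groupId is the group's
# object ID; property names follow the beta schema and may change.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"
$groupId = "00000000-0000-0000-0000-000000000000"   # placeholder: dynamic group object ID
$beta    = "https://graph.microsoft.com/beta/deviceManagement"

# Helper: POST the object, then assign the result to the group. Compliance policies and
# configuration profiles expose the same /assign action with a groupAssignmentTarget.
function Publish-IntunePolicy {
    param([string]$Collection, [hashtable]$Body, [string]$GroupId)
    $created = Invoke-MgGraphRequest -Method POST -Uri "$beta/$Collection" `
        -Body ($Body | ConvertTo-Json -Depth 10) -ContentType "application/json"
    $assign = @{ assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $GroupId } }
    ) }
    Invoke-MgGraphRequest -Method POST -Uri "$beta/$Collection/$($created.id)/assign" `
        -Body ($assign | ConvertTo-Json -Depth 10) -ContentType "application/json" | Out-Null
    return $created
}

# Section 3: compliance policy (suggested baseline values)
$compliance = @{
    "@odata.type" = "#microsoft.graph.androidDeviceOwnerCompliancePolicy"
    displayName   = "Android COBO - Compliance baseline"
    description   = "Fully managed devices: device attestation, OS floor, lock screen, encryption"
    # Device health: require Google's device integrity attestation
    securityRequireSafetyNetAttestationBasicIntegrity  = $true
    securityRequireSafetyNetAttestationCertifiedDevice = $true
    # Device properties
    osMinimumVersion = "10"
    # System security
    passwordRequired                      = $true
    passwordRequiredType                  = "numericComplex"
    passwordMinimumLength                 = 6
    passwordMinutesOfInactivityBeforeLock = 15
    storageRequireEncryption              = $true
    # A policy needs at least one scheduled action; block with 0 h grace = noncompliant at once
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0
                   notificationTemplateId = ""; notificationMessageCCList = @() }
            )
        }
    )
}
$cp = Publish-IntunePolicy -Collection "deviceCompliancePolicies" -Body $compliance -GroupId $groupId
"Compliance policy $($cp.displayName) created: $($cp.id)"

# Section 4: device restrictions profile for fully managed devices
$restrictions = @{
    "@odata.type" = "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration"
    displayName   = "Android COBO - Device restrictions"
    factoryResetBlocked                = $true    # users cannot wipe the device themselves
    safeBootBlocked                    = $true    # safe mode would start without managed apps
    usersBlockAdd                      = $true    # no secondary or guest users
    appsAllowInstallFromUnknownSources = $false   # sideloading off; apps come from managed Play
    securityRequireVerifyApps          = $true    # Google Play Protect app verification
    storageBlockUsbFileTransfer        = $true
    passwordRequiredType               = "numericComplex"
    passwordMinimumLength              = 6
    passwordMinutesOfInactivityBeforeScreenTimeout = 15
}
$dc = Publish-IntunePolicy -Collection "deviceConfigurations" -Body $restrictions -GroupId $groupId
"Configuration profile $($dc.displayName) created: $($dc.id)"
```

Keep the password rules in the restrictions profile and the compliance policy aligned: the profile enforces them on the device, the policy decides whether the device is trusted by Conditional Access, and a mismatch produces devices that are locked down but reported as noncompliant.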

 

5. Assign additional apps

By default the following applications are installed automatically on fully managed devices during the enrollment process:

  • Microsoft Company Portal (used for app protection policies (APP) and Android Enterprise work profile scenarios)
  • Microsoft Authenticator (helps you sign in to your accounts if you use two-factor verification)
  • Microsoft Intune (used for Android Enterprise fully managed scenarios)

Next to the default applications, you will probably want to install additional apps. There are two ways to manage which applications can be installed on fully managed Android devices:

Unmanaged – Allow the users to access the full Google Play store (Device restrictions -> “Allow access to all apps in Google Play store” -> “Allow”). This undoes the locked-down app store listed under the features above, so only use it where users genuinely need arbitrary apps.

Managed – Do not allow users to access the full Google Play store and assign the applications that can be installed. Users only see the approved apps in the managed Google Play store.

To assign additional applications to the users, follow the next steps:

 

21. Select “Apps” -> “Android” and press “+ Add”.

22. Select app type “Managed Google Play app” and press “Select”.

23. Enter the name of the application (e.g. Outlook) and press “Search”. Select the application by pressing its icon.

24. Approve the application. Approval also accepts the permissions the app requests, so review them here and decide whether the app should stay approved when a future update asks for new permissions.

25. Press “Sync” to sync the approved applications to the Intune portal.

26. It may take some time for the approved application to appear in the Android apps overview. Select the application to assign it.

27. There are two options to assign the application:

  1. Available – The application is not installed by default; the user can install it from the managed Google Play store.
  2. Required – The application is installed automatically and cannot be removed by the user.

Assign either option to the dynamic device group created in section 2. More information about assigning apps can be found in the Microsoft Intune documentation.
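The steps after approval (sync, find the app, assign it) can be scripted too. The block below is an added example and not part of the original post; approval itself happens in the Managed Google Play frame inside the portal and is not scripted here. It assumes the `Microsoft.Graph.Authentication` module is installed, that `$groupId` is the object ID of the dynamic group, that the app appears in Intune with the display name "Microsoft Outlook", and it uses the beta endpoints for the Managed Google Play sync and the app assignment. It polls for the app because the sync is asynchronous.

```powershell
# Added example (not from the original post): sync approved Managed Google Play apps into
# Intune, find one by display name and assign it as Required to the dynamic group.
# Assumptions: Microsoft.Graph.Authentication installed; $groupId is the group's object ID;
# the app's Intune display name is "Microsoft Outlook"; beta Graph endpoints.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"
$groupId = "00000000-0000-0000-0000-000000000000"   # placeholder: dynamic group object ID
$appName = "Microsoft Outlook"
$beta    = "https://graph.microsoft.com/beta"

# Same as pressing "Sync" in the portal
Invoke-MgGraphRequest -Method POST `
    -Uri "$beta/deviceManagement/androidManagedStoreAccountEnterpriseSettings/syncApps" | Out-Null

# The sync is asynchronous: poll until the app exists as a Managed Google Play app.
# Filter by type client-side so a Line-of-business or web app with the same name is not picked.
$filter = [uri]::EscapeDataString("displayName eq '$appName'")
$app = $null
for ($i = 0; $i -lt 12 -and -not $app; $i++) {
    Start-Sleep -Seconds 10
    $found = (Invoke-MgGraphRequest -Method GET `
        -Uri "$beta/deviceAppManagement/mobileApps?`$filter=$filter").value
    $app = $found |
        Where-Object { $_.'@odata.type' -eq '#microsoft.graph.androidManagedStoreApp' } |
        Select-Object -First 1
}
if (-not $app) { throw "App '$appName' not found after sync; is it approved in Managed Google Play?" }

# Required = installed automatically and not removable by the user.
# Use intent "available" instead to only publish it in the managed Play store.
$assign = @{ mobileAppAssignments = @(
    @{
        "@odata.type" = "#microsoft.graph.mobileAppAssignment"
        intent        = "required"
        target        = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId }
    }
) }
Invoke-MgGraphRequest -Method POST -Uri "$beta/deviceAppManagement/mobileApps/$($app.id)/assign" `
    -Body ($assign | ConvertTo-Json -Depth 10) -ContentType "application/json" | Out-Null
"Assigned $($app.displayName) ($($app.id)) as required to group $groupId"
```

The type check on `@odata.type` matters when you script this: the display name filter alone also returns web links, store apps for other platforms or a line-of-business package with the same name, and assigning the wrong object silently does nothing on the Android devices.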

 

6. Enroll and Test Configuration

Now the configuration is ready to test. I will use the enrollment with the QR code to prepare the device, but you can also use Samsung Knox Mobile Enrollment or Google zero-touch enrollment. Fully managed enrollment only works on a device that is factory reset and still in the setup wizard; a device that has already completed setup can only get a work profile.

28. On the factory-reset device, scan the QR code or enter the token from step 2.

29. A login screen is displayed.

30. The setup will now start. Press “Install” to start the installation of the work apps.

31. Wait until the installation has finished and press “Next”.

32. The next step is the device registration; press “Start” to continue.

33. Press “Sign in”, sign in with your credentials and register the device.

34. Press “Done” to finish registration.

35. Press “Done” to finish installation. The device is now ready for use.

36. The look and feel is similar to a device that hasn’t been enrolled. The big difference is the centrally managed applications, restrictions and policies. Before rolling out, check in the Intune portal that the device is listed as corporate-owned and compliant, and that it has become a member of the dynamic group; otherwise the policies and apps from sections 3 to 5 will never reach it.
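The check at the end of step 36 can be done from PowerShell so that it is repeatable for every device you enroll. The script below is an added example and not part of the original post. It assumes the `Microsoft.Graph.DeviceManagement` and `Microsoft.Graph.Identity.DirectoryManagement` modules are installed and that `$groupId` is the object ID of the dynamic group from section 2. It lists every Intune device that reports the fully managed enrollment type, resolves each one to its directory device object and reports whether it has landed in the group, together with its ownership and compliance state.

```powershell
# Added example (not from the original post): verify the result of the section 6 enrollment.
# Assumptions: Microsoft.Graph.DeviceManagement and Microsoft.Graph.Identity.DirectoryManagement
# installed; $groupId is the dynamic group's object ID.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All", "Device.Read.All", "GroupMember.Read.All"
$groupId = "00000000-0000-0000-0000-000000000000"   # placeholder: dynamic group object ID

# Fully managed devices report deviceEnrollmentType androidEnterpriseFullyManaged
# (dedicated: androidEnterpriseDedicatedDevice, COPE: androidEnterpriseCorporateWorkProfile).
$cobo = Get-MgDeviceManagementManagedDevice -All |
    Where-Object { $_.DeviceEnrollmentType -eq 'androidEnterpriseFullyManaged' }

$report = foreach ($md in $cobo) {
    # The Intune managedDevice links to the directory device object via azureADDeviceId,
    # which is the directory object's deviceId (not its object id).
    $dirDevice = Get-MgDevice -Filter "deviceId eq '$($md.AzureAdDeviceId)'" | Select-Object -First 1
    $inGroup = $false
    if ($dirDevice) {
        $memberships = Get-MgDeviceMemberOf -DeviceId $dirDevice.Id -All
        $inGroup = [bool]($memberships | Where-Object { $_.Id -eq $groupId })
    }
    [pscustomobject]@{
        Device         = $md.DeviceName
        Model          = $md.Model
        OS             = $md.OsVersion
        EnrollmentType = $md.DeviceEnrollmentType
        Owner          = $md.ManagedDeviceOwnerType   # expected: company
        Compliance     = $md.ComplianceState          # expected: compliant once policy has applied
        LastSync       = $md.LastSyncDateTime
        InDynamicGroup = $inGroup
    }
}
$report | Format-Table -AutoSize
```

A device that shows `InDynamicGroup = False` shortly after enrollment is usually just waiting for dynamic membership processing; one that is still missing after half an hour most likely enrolled with a different enrollment type and should be checked against the enrollment profile it used.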

12 thoughts on “Corporate-owned fully managed user devices (COBO) with Intune”

  1. Steve

    Hi I manage the IT of a private school and we are adding new android tablets for our middle school classes. They are Vankyo S20’s. I’ve had all of this set up from previous enrollments but for some reason these tablets will not let us enroll them fully controlled. I can get them to use work profiles, but that is not what we are looking for for the students.
  2. Steve Mason

    Yes we were able to scan the QR code but the process would not continue after that. It would just finish setting up the tablet with 4 apps on it and no other information. When we go and add our play store account to the device and run the Android Device Policy app, it says we are not authorized to run this device in corporate fully managed mode.

  3. Felipe Silva

    Did you realise that when you install the Company Portal for the MAM policies it does not show up on the device home screen even though when going to device settings it says the app is installed?

    As a result, App policy protection does not work 🙁

    1. Aad Lutgert Post author

      Hi Felipe,

      I’m not sure about the context, but I assume you are talking about a fully managed Android device. During the enrollment the Intune Portal will be installed (see 5. assign additional apps in my blog). Because of this you do not need to install the Company Portal. I’ve tested app protection policies on my fully managed android device with only the Intune Portal installed and I can confirm it works.

      More information about the fully managed android see:
      https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/microsoft-intune-support-for-android-enterprise-fully-managed/ba-p/862232

      best regards, Aad

  4. Hans Harald

    In our Intune Portal we cannot configure the enrollment profiles (we own O365 E3 Licences):

    MEM admin center > Devices > Android > Android Enrollment > Enrollment Profiles

    This is greyed out:
    – Personal devices with work profile

    These are not shown at all:
    – Corporate-owned, fully managed user devices
    – Corporate-owned dedicated devices
    – Corporate-owned devices with work profile (Preview)

    Is this license related?

    Thanks in advance for your help!
    1. Aad Lutgert Post author

      Hi Hans,

      You need to first link your managed Google Play account before the enrollment profiles will become available. To use Intune you will need at least an Intune license, this is not included in the Office 365 E3 license. Intune is included in the following licenses:

      Microsoft 365 E5
      Microsoft 365 E3
      Enterprise Mobility + Security E5
      Enterprise Mobility + Security E3
      Microsoft 365 Business Premium
      Microsoft 365 F1
      Microsoft 365 F3
      Microsoft 365 Government G5
      Microsoft 365 Government G3

      More info can be found here: https://docs.microsoft.com/en-us/mem/intune/fundamentals/licenses

      best regards, Aad

  5. Hans Harald

    thanks for bringing some light into this. Office 365 E3 license does include Intune Portal and I’m able to manage Android devices from there (personal devices with work profile) as stated before. MDM Authority is set to Microsoft Office 365 with corresponding, basic features.
  6. Hans Harald

    Gotcha! Got some Microsoft 365 Business Premium test licences and now those menu entries do show up.
    Thanks for your help and this more than useful howto. I owe you a beer!
  7. José Carlos Batista de Oliveira Junior

    Simply the best.

    Thank you so much for sharing your knowledge with us.

    Best regards.

  8. Thomas Deutschmann

    Thanks for the tip regarding the dynamic group assignment. Intune should have support for different enrollment profiles for COBO just like it does for COBU. A specific QR code for each profile, so I could automatically separate devices based on use cases and assign the apps and restrictions that are needed. But again, thanks for the (device.enrollmentProfileName -eq Null) tip!

