In this Blogpost I will explain which steps to perform to configure an Android device as a Corporate-owned fully managed user devices (COBO) with Intune. This type is also known as a fully managed device or a Company-Owned Business Only device (COBO).
What is a Corporate-owned fully managed device
The primary use for this profile type is Android devices that will be exclusively used for work. Admins are able to manage the entire device and enforce policy controls which are unavailable to work profiles (fully managed).
- Company managed
- Locked down appstore (optional)
- Device is wiped when removed from Intune.
- Block uninstallation of managed apps
- Prevent users from factory resetting devices.
- Business Only (No separate layer for personal storage or profile.)
Setup the profile
- The intune tenant needs to be connected to your Google Enterprise account.
- Testdevice needs to have Android 6.0 or Higher and Google Mobile Services (GMS) needs to be working correctly
The setup of a Corporate-owned fully managed enrollment in Intune consists out of a few seperate parts:
- Enable Corporate-owned devices
- Create a Dynamic Device Group
- Configure Device Compliance policy
- Configure Device Configuration profile
- Assign additional Apps
- Manually Enroll and Test Configuration
These are the settings I would suggest to use, but you can also add configuration policies and/or protection policies to configure applications and protect data.
1. Enable Corporate-owned Fully managed devices
The first step is to enable the Corporate-owned Fully managed devices enrollment profile to enable your end users to enroll corporate-owned devices.
2. Select “Allow users to enroll corporate-owned user devices” -> “Yes” . An Enrollment Token (String) will appear with a QR code.
2. Create a Dynamic Device Group
During this step a dynamic group will be created which will contain all corporate-owned fully managed devices. This group can be used for policy settings, app installations, etc.
3. Create a new group
4. Enter a name and select membership type “Dynamic device”. Press “Add dynamic query” to add the selection query.
5. Add the following syntax to only add Fully Managed Android Enterprise devices. Fully managed devices do not have an EnrollmentProfileName (Null) unlike Dedicated and Enterprise with Workprofile devices.
(device.deviceOSType -eq "AndroidEnterprise") and (device.enrollmentProfileName -eq Null)
6. Press “Save” to save the Rule syntax and “Create” to create the Dynamic group.
3. Configure Device Compliance Policy
These rules define requirements for devices, like minimum operating systems or the use of disk encryption. Devices must meet these rules to be considered compliant. These can be combined with app protection policies and conditional access rules for additional security.
7. Select “Endpoint security” -> “Device compliancy” or click here and press “+ Create Policy”
8. Select platform “Android Enterprise” and policy type “Fully managed, dedicated, and corporate-owned work profile” and press “Create”.
9. Enter a Name and press “Next”
10. Select the Compliance settings and press “Next”
11. Select the actions for noncompliant devices and press “Next”
12. Add scope tags (optionally) and press “Next”
13. Assign the compliance policy to the dynamic device group created in step 4 and press “Next
14. Press “Create” to finish the creation of the compliance policy.
4. Configure Device Configuration profile
Devices configuration profiles can be used to configure settings for example to lock down devices or to configure configuration settings like password rules, access public Google Store, block factory reset, etc.
15. Select “Devices” -> “Android” -> “Configuration profiles” or click here and press “+ Create Profile”
16. Select platform “Android Enterprise” and select the profile which need to be configured (only use profiles for the Fully managed device)
17. Enter a name for the configuration profile and press “Next
18. Configure the required profile settings
19. Assign the configuration profile
20. Finish the creation of the configuration profile by pressing “Create”
5. Assign additional apps
By default the following applications will be automatically installed to fully managed devices during the device enrollment process:
- Microsoft Company Portal (Used for App Protection Policies (APP) and Android Enterprise work profile scenarios.)
- Microsoft Authenticator (Helps you sign-in to your accounts if you use two-factor verification.)
- Microsoft Intune (Used for Android Enterprise fully managed scenarios.)
Next to the default applications which are installed on enrollment you probably would like to install additional apps. There are a few options to manage applications which are installed on the fully managed Android devices:
Unmanaged – Allow the users to access the Google Play store. (Device restriction -> “Allow access to all apps in Google Play store” -> “Allow”)
Managed – Do not allow users to access the Google Play store and assign the applications which can be installed.
To assign additional applications to the users you can follow the next steps:
21. Select “Apps” -> “Android” or click here and press “+ Add”
22. Select App type “Managed Google Play app” and press “Select”.
23. Enter the name of the application (e.g. Outlook) and press “search”. Select the application by pressing the Icon.
24. Approve the application
25. Press “Sync” to sync the approved applications to the Intune portal.
26. It may take some time for the approved application to appear in the Android Apps overview. Select the application to assign.
27. There two options to assign the application
- Available – The application will not be installed by default, but the user needs to to install the application from the managed app store.
- Required – The application will be installed by default and cannot be removed by the user.
More information about assigning apps can be found here
6. Enroll and Test Configuration
28. Scan the QR Code or enter the Token at step 2.
29. A Login screen will be displayed
30. The setup will now start. Press “Install” to start the installation of the work apps.
31. Wait untill the installation has finished and press “Next”.
32. Next step is the device registration press “Start” to continue.
33. Press “Sign In” and sign in with your credentials and register the device.
34. Press “Done” to finish registration.
35. Press “Done” to finish installation. The device is now ready for use.
36. The device is now ready. The look and feel is similar to a device which hasn’t been enrolled. The big difference is the centrally managed applications, restrictions and policies.