In this blog post I will explain which steps to perform to configure an Android device as a Corporate-owned, fully managed user device with Intune. This type is also known as a fully managed device or a Company-Owned Business Only (COBO) device.
What is a Corporate-owned fully managed device
The primary use for this profile type is Android devices that will be used exclusively for work. Admins can manage the entire device and enforce policy controls that are unavailable to work profiles.
Features:
- Company managed
- Locked down appstore (optional)
- Device is wiped when removed from Intune.
- Block uninstallation of managed apps
- Prevent users from factory resetting devices.
- Business Only (No separate layer for personal storage or profile.)
Set up the profile
Prerequisites:
- The Intune tenant needs to be connected to your managed Google Play (Android Enterprise) account.
- The test device needs to run Android 6.0 or higher, and Google Mobile Services (GMS) needs to be working correctly.
The setup of a Corporate-owned fully managed enrollment in Intune consists of a few separate parts:
- Enable Corporate-owned devices
- Create a Dynamic Device Group
- Configure Device Compliance policy
- Configure Device Configuration profile
- Assign additional Apps
- Manually Enroll and Test Configuration
These are the settings I would suggest using, but you can also add app configuration policies and/or app protection policies to configure applications and protect data.
1. Enable Corporate-owned Fully managed devices
The first step is to enable the Corporate-owned Fully managed devices enrollment profile to enable your end users to enroll corporate-owned devices.
1. Log in to the Microsoft Endpoint Manager admin center, browse to “Devices -> Android -> Android enrollment” and select “Corporate-owned, fully managed user devices”.
2. Set “Allow users to enroll corporate-owned user devices” to “Yes”. An enrollment token (string) will appear together with a QR code.
2. Create a Dynamic Device Group
During this step a dynamic group will be created which will contain all corporate-owned fully managed devices. This group can be used for policy settings, app installations, etc.
3. Create a new group
4. Enter a name and select membership type “Dynamic device”. Press “Add dynamic query” to add the selection query.
5. Add the following rule syntax so that only fully managed Android Enterprise devices are added. Fully managed devices do not have an enrollmentProfileName (it is Null), unlike dedicated devices and corporate-owned devices with a work profile.
(device.deviceOSType -eq "AndroidEnterprise") and (device.enrollmentProfileName -eq Null)
6. Press “Save” to save the Rule syntax and “Create” to create the Dynamic group.
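As an added example that is not part of the original post, the same dynamic group can be created and checked from PowerShell with the Microsoft Graph PowerShell SDK instead of the portal. The membership rule is the one from step 5; the group name, description and mail nickname are placeholders I chose, and the script assumes the Microsoft.Graph.Groups module is installed and the signed-in account has been granted Group.ReadWrite.All.

```powershell
# Added example (not from the original post): create the dynamic device group from
# part 2 via Microsoft Graph PowerShell and verify what Azure AD stored.
# Assumptions: Microsoft.Graph.Groups module installed; Group.ReadWrite.All granted;
# display name, description and mail nickname below are placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Same rule as in step 5: Android Enterprise devices without an enrollment profile
# name are the fully managed ones (dedicated and work-profile devices carry a name).
$rule = '(device.deviceOSType -eq "AndroidEnterprise") and (device.enrollmentProfileName -eq Null)'

$group = New-MgGroup -DisplayName "Android COBO - Fully managed" `
    -Description "Dynamic group: Android Enterprise fully managed devices" `
    -MailEnabled:$false -MailNickname "android-cobo-fully-managed" -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# Check 1: read back the stored rule and its processing state, so a typo in the rule
# (which would silently match nothing) is caught before policies are assigned.
$saved = Get-MgGroup -GroupId $group.Id -Property "Id,DisplayName,MembershipRule,MembershipRuleProcessingState"
$saved | Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState

# Check 2: list the devices that currently match. Dynamic membership is evaluated
# asynchronously, so a new group starts empty and fills in once processing has run.
Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object {
    [pscustomobject]@{
        DisplayName           = $_.AdditionalProperties["displayName"]
        OperatingSystem       = $_.AdditionalProperties["operatingSystem"]
        EnrollmentProfileName = $_.AdditionalProperties["enrollmentProfileName"]
    }
}
```

Run the last command again after a test device has enrolled and the rule has been processed; every row should show an empty EnrollmentProfileName. If a dedicated or work-profile device shows up, the rule was not copied exactly.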
3. Configure Device Compliance Policy
These rules define requirements for devices, like minimum operating systems or the use of disk encryption. Devices must meet these rules to be considered compliant. These can be combined with app protection policies and conditional access rules for additional security.
7. Select “Endpoint security” -> “Device compliance” and press “+ Create Policy”
8. Select platform “Android Enterprise” and policy type “Fully managed, dedicated, and corporate-owned work profile” and press “Create”.
9. Enter a Name and press “Next”
10. Select the Compliance settings and press “Next”
11. Select the actions for noncompliant devices and press “Next”
12. Add scope tags (optionally) and press “Next”
13. Assign the compliance policy to the dynamic device group created in step 4 and press “Next”
14. Press “Create” to finish the creation of the compliance policy.
4. Configure Device Configuration profile
Device configuration profiles can be used to lock down devices or to configure settings such as password rules, access to the public Google Play store, blocking factory reset, etc.
15. Select “Devices” -> “Android” -> “Configuration profiles” and press “+ Create Profile”
16. Select platform “Android Enterprise” and select the profile type that needs to be configured (only use profile types that apply to fully managed devices)
17. Enter a name for the configuration profile and press “Next”
18. Configure the required profile settings
19. Assign the configuration profile
20. Finish the creation of the configuration profile by pressing “Create”
5. Assign additional apps
By default the following applications will be automatically installed to fully managed devices during the device enrollment process:
- Microsoft Company Portal (Used for App Protection Policies (APP) and Android Enterprise work profile scenarios.)
- Microsoft Authenticator (Helps you sign in to your accounts if you use two-factor verification.)
- Microsoft Intune (Used for Android Enterprise fully managed scenarios.)
Besides the default applications installed at enrollment, you will probably want to install additional apps. There are the following options to manage which applications are installed on fully managed Android devices:
Unmanaged – Allow the users to access the Google Play store. (Device restriction -> “Allow access to all apps in Google Play store” -> “Allow”)
Managed – Do not allow users to access the Google Play store and assign the applications which can be installed.
To assign additional applications to the users you can follow the next steps:
21. Select “Apps” -> “Android” and press “+ Add”
22. Select App type “Managed Google Play app” and press “Select”.
23. Enter the name of the application (e.g. Outlook) and press “search”. Select the application by pressing the Icon.
24. Approve the application
25. Press “Sync” to sync the approved applications to the Intune portal.
26. It may take some time for the approved application to appear in the Android Apps overview. Select the application to assign.
27. There are two options to assign the application:
- Available – The application will not be installed by default; the user needs to install the application from the managed app store.
- Required – The application will be installed by default and cannot be removed by the user.
More information about assigning apps can be found here
6. Enroll and Test Configuration
Now the configuration is ready to test. I will use enrollment with a QR code to prepare the device, but you can also use Samsung Knox or Google Zero Touch.
28. Scan the QR code or enter the token from step 2.
29. A login screen will be displayed.
30. The setup will now start. Press “Install” to start the installation of the work apps.
31. Wait until the installation has finished and press “Next”.
32. The next step is device registration; press “Start” to continue.
33. Press “Sign In” and sign in with your credentials and register the device.
34. Press “Done” to finish registration.
35. Press “Done” to finish installation. The device is now ready for use.
36. The device is now ready. The look and feel is similar to a device which hasn’t been enrolled. The big difference is the centrally managed applications, restrictions and policies.
Hi, I manage the IT of a private school and we are adding new Android tablets for our middle school classes. They are Vankyo S20’s. I’ve had all of this set up from previous enrollments but for some reason these tablets will not let us enroll them fully controlled. I can get them to use work profiles, but that is not what we are looking for for the students.
Hi Steve,
I’ve never worked with this type of device. Did you check the technical requirements on the Microsoft site? I’m willing to help but I need some more information. Are you able to scan the QR code (step 28)?
Yes we were able to scan the QR code but the process would not continue after that. It would just finish setting up the tablet with 4 apps on it and no other information. When we go and add our play store account to the device and run the Android Device Policy app, it says we are not authorized to run this device in corporate fully managed mode.
Did you realise that when you install the Company Portal for the MAM policies it does not show up on the device home screen even though when going to device settings it says the app is installed?
As a result, App policy protection does not work 🙁
Hi Felipe,
I’m not sure about the context, but I assume you are talking about a fully managed Android device. During the enrollment the Intune Portal will be installed (see 5. Assign additional apps in my blog). Because of this you do not need to install the Company Portal. I’ve tested app protection policies on my fully managed Android device with only the Intune Portal installed and I can confirm it works.
For more information about fully managed Android, see:
https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/microsoft-intune-support-for-android-enterprise-fully-managed/ba-p/862232
best regards, Aad
In our Intune Portal we cannot configure the enrollment profiles (we own O365 E3 Licences):
MEM admin center > Devices > Android > Android Enrollment > Enrollment Profiles
This is greyed out:
– Personal devices with work profile
These are not shown at all:
– Corporate-owned, fully managed user devices
– Corporate-owned dedicated devices
– Corporate-owned devices with work profile (Preview)
Is this license related?
Thanks in advance for your help!
Hi Hans,
You need to first link your managed Google Play account before the enrollment profiles will become available. To use Intune you will need at least an Intune license; this is not included in the Office 365 E3 license. Intune is included in the following licenses:
Microsoft 365 E5
Microsoft 365 E3
Enterprise Mobility + Security E5
Enterprise Mobility + Security E3
Microsoft 365 Business Premium
Microsoft 365 F1
Microsoft 365 F3
Microsoft 365 Government G5
Microsoft 365 Government G3
More info can be found here: https://docs.microsoft.com/en-us/mem/intune/fundamentals/licenses
best regards, Aad
Thanks for bringing some light into this. The Office 365 E3 license does include the Intune Portal and I’m able to manage Android devices from there (personal devices with work profile) as stated before. MDM Authority is set to Microsoft Office 365 with corresponding, basic features.
Office 365 contains a basic built-in MDM solution; this is called “Basic Mobility and Security”. Here is the link to the FAQ page where you can also find the differences between Intune and Basic Mobility and Security: https://docs.microsoft.com/en-us/microsoft-365/admin/basic-mobility-security/frequently-asked-questions?view=o365-worldwide.
Gotcha! Got some Microsoft 365 Business Premium test licences and now those menu entries do show up.
Thanks for your help and this more than useful how-to. I owe you a beer!
Simply the best.
Thank you so much for sharing your knowledge with us.
Best regards.
Thanks for the tip regarding the dynamic group assignment. Intune should have support for different enrollment profiles for COBO just like it does for COBU. A specific QR code for each profile, so I could automatically separate devices based on use cases and assign the apps and restrictions that are needed. But again, thanks for the (device.enrollmentProfileName -eq Null) tip!
Hi – I tried to enroll a device but in the first steps it tells me “Can’t setup device”. This is my personal tenant; at work we use another one with the same settings and I don’t know why here it’s not working. Any idea? Thanks in advance
Hi Enrico,
At which step do you see an error? You may want to check your enrollment restrictions, CA policies and licenses. This page is also helpful: https://docs.microsoft.com/en-us/troubleshoot/mem/intune/troubleshoot-device-enrollment-in-intune
best regards, Aad
Found out I didn’t set up Intune as the tenant’s MDM authority! Solved, thank you.
Quick question… can you set a minimum OS for enrolment on a COBO device, so if I don’t want a mobile lower than Android v10 enrolling, can I block it… if that makes sense
Hi Jon,
You can change the enrollment restrictions. You can change the default or add an additional enrollment device platform restriction for the group who will use COBO devices.
regards, Aad
What I don’t understand is how you ONLY allow COBO enrollments, so no other. How do you enforce that?
Hi Sil,
This can be done by configuring enrollment restrictions. When you block personal enrollment, devices will only be able to enroll as a corporate device.
best regards,
Aad Lutgert
Hi, is there any danger of using user-assigned groups to other devices? I have configured profiles, policies etc. for Android Enterprise fully managed devices; however, when I use dynamic groups the PIN is not enforced during enrollment and it only shows as an update in the Intune app on the phone afterwards, which means the user can just bypass setting up a PIN. I can’t get around this and even Microsoft states this is the case. When I use user-assigned groups everything works perfectly during enrollment; however, I am worried that these configurations and policies will follow the users onto other devices, for example personal devices with the Company Portal on them. This has happened in the past on Apple devices and as a result a personal device was wiped. I have tested this for Android and there doesn’t appear to be any effect, but I don’t want 1000 devices going out with this as a risk.
Hi David,
Nowadays, with the availability of filters, I would recommend using filters when you assign policies. The issue with dynamic groups is that changes may take up to 24 hours to be processed. That’s why some rules may not be enforced during enrollment. When you use assigned groups or filters they will work instantly. Another advantage of filters is that you can assign a policy to all users, but apply it based on an enrollment profile, for example. This eliminates the need to change users’ groups when they start using a different type of device.
Regards, Aad
Hi Aad, thanks so much for responding; I have been waiting for responses on multiple blogs etc. You have answered a lot of my questions but I would like to clarify a few of them if that’s ok.
As to your first comment regarding dynamic groups, does this mean if I finish configuring everything it will work during enrollment 24 hours after, or does it mean it will happen 24 hours after the device is actually enrolled (which doesn’t make sense)?
As to filters, as it happens that is what I have done and pointed it to the enrollment profile, so I am happy I was right. It is a little annoying, and I may be wrong, that you can only assign one filter to a group. My main concern is I want to be 100% sure that other devices (personal with the Company Portal on them, which they shouldn’t have anyway but..) will not be affected, as in wiped or enrolled as managed.
I noticed that there is a filter to exclude personal devices, which is great, but if you can only use one filter per group I will then not be able to use the enrollment profile filter, and I want to have several profiles for different regions. If I use the enrollment profile filter, does that by default exclude personal devices?
Sorry for all the questions but it is an important project.
Most of this seems to work for me, but I have one problem: the device doesn’t go into the dynamic group. Would this be down to some of the changes that are now in Intune?
Have you created the enrolment profile? If you have, make sure the profile name is correctly copied into the enrollmentProfileName rule in the group. When enrolling the device, scan with the QR code and it should appear.