Corporate-owned fully managed user devices (COBO) with Intune

In this Blogpost I will explain which steps to perform to configure an Android device as a Corporate-owned fully managed user devices (COBO) with Intune. This type is also known as a fully managed device or a Company-Owned Business Only device (COBO).


What is a Corporate-owned fully managed device

The primary use for this profile type is Android devices that will be exclusively used for work. Admins are able to manage the entire device and enforce policy controls which are unavailable to work profiles (fully managed).


  • Company managed
  • Locked down appstore (optional)
  • Device is wiped when removed from Intune.
  • Block uninstallation of managed apps
  • Prevent users from factory resetting devices.
  • Business Only (No separate layer for personal storage or profile.)


Setup the profile


  • The intune tenant needs to be connected to your Google Enterprise account.
  • Testdevice needs to have Android 6.0 or Higher and Google Mobile Services (GMS) needs to be working correctly


The setup of a Corporate-owned fully managed enrollment in Intune consists out of a few seperate parts:

  1. Enable Corporate-owned devices
  2. Create a Dynamic Device Group
  3. Configure Device Compliance policy
  4. Configure Device Configuration profile
  5. Assign additional Apps
  6. Manually Enroll and Test Configuration

These are the settings I would suggest to use, but you can also add configuration policies and/or protection policies to configure applications and protect data.


1. Enable Corporate-owned Fully managed devices

The first step is to enable the Corporate-owned Fully managed devices enrollment profile to enable your end users to enroll corporate-owned devices.


1. Login to the Microsoft Endpoint Manager admin center and browse to “Devices -> Android -> Android Enrollmente” and select “Corporate-owned, fully managed user devices” or press here


2. Select  “Allow users to enroll corporate-owned user devices” -> “Yes” . An Enrollment Token (String) will appear with a QR code.


2. Create a Dynamic Device Group

During this step a dynamic group will be created which will contain all corporate-owned fully managed devices. This group can be used for policy settings, app installations, etc.


3. Create a new group


4. Enter a name and select membership type “Dynamic device”. Press “Add dynamic query” to add the selection query.


5. Add the following syntax to only add Fully Managed Android Enterprise devices. Fully managed devices do not have an EnrollmentProfileName (Null) unlike Dedicated and Enterprise with Workprofile devices.

(device.deviceOSType -eq "AndroidEnterprise") and (device.enrollmentProfileName -eq Null)


6. Press “Save” to save the Rule syntax and “Create” to create the Dynamic group.


3. Configure Device Compliance Policy

These rules define requirements for devices, like minimum operating systems or the use of disk encryption. Devices must meet these rules to be considered compliant. These can be combined with app protection policies and conditional access rules for additional security.


7.  Select “Endpoint security” -> “Device compliancy” or click here and press “+ Create Policy”


8. Select platform “Android Enterprise” and policy type “Fully managed, dedicated, and corporate-owned work profile” and press “Create”.


9. Enter a Name and press “Next”


10. Select the Compliance settings and press “Next”


11. Select the actions for noncompliant devices and press “Next”


12. Add scope tags (optionally) and press “Next”


13. Assign the compliance policy to the dynamic device group created in step 4 and press “Next


14. Press “Create” to finish the creation of the compliance policy.


4. Configure Device Configuration profile

Devices configuration profiles can be used to configure settings for example to lock down devices or to configure configuration settings like password rules, access public Google Store, block factory reset, etc.


15. Select “Devices” -> “Android” -> “Configuration profiles” or click here and press “+ Create Profile”


16. Select platform “Android Enterprise” and select the profile which need to be configured (only use profiles for the Fully managed device)


17. Enter a name for the configuration profile and press “Next


18. Configure the required profile settings


19. Assign the configuration profile


20. Finish the creation of the configuration profile by pressing “Create”


5. Assign additional apps

By default the following applications will be automatically installed to fully managed devices during the device enrollment process:

  • Microsoft Company Portal (Used for App Protection Policies (APP) and Android Enterprise work profile scenarios.)
  • Microsoft Authenticator (Helps you sign-in to your accounts if you use two-factor verification.)
  • Microsoft Intune (Used for Android Enterprise fully managed scenarios.)

Next to the default applications which are installed on enrollment you probably would like to install additional apps. There are a few options to manage applications which are installed on the fully managed Android devices:

Unmanaged – Allow the users to access the Google Play store. (Device restriction -> “Allow access to all apps in Google Play store” -> “Allow”)

Managed – Do not allow users to access the Google Play store and assign the applications which can be installed.

To assign additional applications to the users you can follow the next steps:


21. Select “Apps” -> “Android” or click here and press “+ Add”


22. Select App type  “Managed Google Play app” and press “Select”.


23. Enter the name of the application (e.g. Outlook) and press “search”. Select the application by pressing the Icon.


24. Approve the application


25. Press “Sync” to sync the approved applications to the Intune portal.


26. It may take some time for the approved application to appear in the Android Apps overview. Select the application to assign.

27. There two options to assign the application

  1. Available – The application will not be installed by default, but the user needs to  to install the application from the managed app store.
  2. Required – The application will be installed by default and cannot be removed by the user.

More information about assigning apps can be found here


6. Enroll and Test Configuration

Now the configuration is ready to test. I will use the enrollment with QR code to prepare the device. But you can also use Samsung Knox or Google Zero Touch.


28. Scan the QR Code or enter the Token at step 2.

29. A Login screen will be displayed


30. The setup will now start. Press “Install” to start the installation of the work apps.


31. Wait untill the installation has finished and press “Next”.


32. Next step is the device registration press “Start” to continue.


33. Press “Sign In” and sign in with your credentials and register the device.


34. Press “Done” to finish registration.


35. Press “Done” to finish installation. The device is now ready for use.


36. The device is now ready. The look and feel is similar to a device which hasn’t been enrolled. The big difference is the centrally managed applications, restrictions and policies.

Leave a Reply

Your email address will not be published. Required fields are marked *