Setup Android MDM management in Intune


In this post I will explain how to set up Android MDM management in Intune and show you the requirements to configure in Intune to manage Android Enterprise. Let’s start with Android management. Intune currently supports two Android management solutions: “Android device administrator” and “Android Enterprise”. Android device administrator is the older of the two and was released with Android 2.2. Although Intune still supports it, Google is reducing support for this management solution and it is considered legacy management. Google is actively removing functions from the latest Android releases to support the transition to Android Enterprise, which has been available since Android 5.0.

 

Android Enterprise

Therefore Android device administrator is not the way to go, and in this guide I will focus on how to set up Android MDM management using Android Enterprise. Although you might think otherwise, Android Enterprise offers multiple ways to manage a device, ranging from personally owned and single-use devices to fully managed corporate devices. Devices can also be enrolled manually using a QR code or automatically with Samsung Knox.

 

How to setup

Prerequisites

  • Intune licenses
  • Availability of Android Enterprise in your country (See here for the full list)

 

1. Set MDM authority

In the past you needed to set the tenant authority in Intune. If your tenant is on service release 1911 or later, you don’t have to do this anymore. (more info)

 

2. Configure Device restrictions

To allow Android devices to be enrolled we first need to check the device restrictions. In the MEM admin center browse to: Devices -> Enrollment restrictions. Select the Default type restrictions or create a new restriction.

 

Under “Manage”, select “Properties” and press “Edit” to modify the platform settings.

 

Make sure the “Android Enterprise (work profile)” platform is allowed. If you want to allow personal devices (MAM+MDM), also check that “Personally owned” is allowed. I personally also like to block “Android device administrator”, but this is not necessary: if both Enterprise and device administrator are allowed for users, devices will be enrolled as Android Enterprise devices (more info). Press “Review + save” to save the settings.

 

Press “Save” once again to finish the device restriction setup.

 

3. Setup Android Enrollment

In the final step we’re going to link a managed Google Play account to Intune. This account will be used to manage Android Enterprise devices and also to sync and assign Google Managed store apps to devices. In the MEM admin center browse to: Devices -> Android -> Android enrollment. Select “Managed Google Play” to connect Intune to a managed Google Play account.

 

Check the box “I agree” to grant Microsoft the permission to share information with Google. Press the button “Launch Google to connect now”.

 

This will open a pop-up where you can press the button “Sign in” to connect your Google account.

 

You can use an existing Google account but you can also create an account using the “Create account” button.

 

After the link is successfully made you will see a notification in Intune and the status will change from “Not Setup” to “Setup”. You will also see the organization name, which Google account was used and when the link was created.
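The settings from steps 2 and 3 can also be checked outside the portal. The following is an added example, not part of the original post: it audits an exported copy of the default platform restriction and the managed Google Play binding. It assumes the JSON field names of the Microsoft Graph beta resources `deviceEnrollmentPlatformRestrictionsConfiguration` and `androidManagedStoreAccountEnterpriseSettings`; the sample values and the function name `audit_android_enrollment` are constructed for illustration.

```python
# Added example. Field names follow the Microsoft Graph (beta) resources named
# in the lead-in (an assumption); the sample values below are constructed.
DEFAULT_RESTRICTIONS = {
    "@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration",
    "displayName": "All users and all devices",
    "androidRestriction": {"platformBlocked": False, "personalDeviceEnrollmentBlocked": False},
    "androidForWorkRestriction": {"platformBlocked": False, "personalDeviceEnrollmentBlocked": True},
}
PLAY_BINDING = {"bindStatus": "notBound", "ownerUserPrincipalName": None, "ownerOrganizationName": None}


def audit_android_enrollment(restrictions, binding, allow_personal=True):
    """Return (severity, message) findings for steps 2 and 3 of the post."""
    findings = []
    legacy = restrictions.get("androidRestriction") or {}
    work = restrictions.get("androidForWorkRestriction")

    # Step 2: the work profile platform must be allowed. A missing block is
    # reported rather than silently treated as "allowed".
    if work is None:
        findings.append(("error", "androidForWorkRestriction missing from export"))
    else:
        if work.get("platformBlocked", False):
            findings.append(("error", "Android Enterprise (work profile) is blocked"))
        if allow_personal and work.get("personalDeviceEnrollmentBlocked", False):
            findings.append(("error", "personally owned work profile devices are blocked"))

    # Optional hardening from the post: block legacy device administrator.
    if not legacy.get("platformBlocked", False):
        findings.append(("warn", "Android device administrator is still allowed"))

    # Step 3: Intune must be linked to a managed Google Play account.
    status = binding.get("bindStatus")
    if status not in ("bound", "boundAndValidated"):
        findings.append(("error", f"managed Google Play not linked (bindStatus={status})"))
    elif not binding.get("ownerUserPrincipalName"):
        findings.append(("warn", "linked, but no owner account recorded"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_android_enrollment(DEFAULT_RESTRICTIONS, PLAY_BINDING):
        print(f"[{severity}] {message}")
```

Pass `allow_personal=False` if your organization does not enroll personally owned devices, so a blocked “Personally owned” setting is not reported as an error.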

 

What next?

Now that you’ve linked your account you will be able to use the following Android Enterprise Enrollment profiles and manage Android Enterprise devices which are enrolled in Intune:

  • Personally-owned devices with work profile – Can be used without additional setup, make sure you’ve allowed personally-owned in the enrollment restrictions.
  • Corporate-owned dedicated devices – You need to setup enrollment profiles to enroll
  • Corporate-owned, fully managed user devices – You need to allow enrollment
  • Corporate-owned devices with work profile – You need to setup enrollment profiles to enroll

 

The Managed Google Play store is available and can be used to add the following apps:

  • Public apps – Applications from the public store.
  • Custom Apps – Custom apps created by third party developers and shared with your managed store.
  • Private apps – Upload and publish private apps to employees.
  • Weblinks – Create and publish weblinks to employees

 

I hope you liked this post about how to setup Android MDM management in Intune. If you have any questions or comments about this post, please let me know in the comment section.

2 thoughts on “Setup Android MDM management in Intune”

  1. Paul Creedy

    The Google account that you are connecting, could you explain what account that is? Is that a company Google account that has been set up for a specific reason? For a company, who would be the ‘owner’ of that Google account within the company, particularly now that Google have switched on MFA for all accounts?
