Jens Du Four

Connecting you to the cloud, one endpoint at a time

Enroll an Android device in Microsoft Intune

The newly created AVD, from our last post, should be managed within Microsoft Intune. Microsoft Intune provides a range of options for managing and securing Android devices. Some of the key features include:

  • Device enrollment: Allows users to easily enroll their Android devices in Microsoft Intune and access corporate data.
  • Policy management: Enables administrators to configure policies that control how devices can be used, e.g. password policies and enforced encryption.
  • Compliance monitoring: Provides the ability to monitor compliance with corporate policies and take action if any devices are not compliant.
  • Mobile application management: Allows organizations to securely distribute and manage corporate apps on Android devices.
  • Remote actions: Provides the ability to remotely wipe data from a device or perform other actions if necessary.

There will be more in-depth guides on the capabilities of Microsoft Intune. In this article we will keep it simple and start with how to enroll an Android device.

Android Device Management

Enrolling an Android device into Microsoft Intune is a simple process. This will directly enable you to manage and secure mobile devices.
There are three main methods of enrolling a device:

  • Android Enterprise (AE): Most up-to-date and secure method
  • Android Device Administrator (DA): It is encouraged to migrate to AE
  • AOSP: Method for devices that aren’t integrated with Google Mobile services

The focus here will be on Android Enterprise, because this is the most versatile method, with applications for BYOD, personal- and corporate-owned devices.

Android Enterprise

Android Enterprise is a set of features and services provided by Google that enables organizations to manage and secure the Android devices used by their employees. This can include features such as the ability to remotely lock or wipe a device, enforce password policies, or restrict access to certain apps or data. With Intune, you can take advantage of these features to manage and secure your organization's Android devices and ensure that they are used in a way that aligns with your security and compliance policies. This helps organizations protect their data and prevent unauthorized access to sensitive information. It also allows employees to use their own Android devices for work purposes. When using Android Enterprise, there are two main modes of deployment: fully managed devices and work profiles.

Fully Managed

This method allows users to enroll their Android device as a fully managed device. This gives the organization complete control over the device and access to all of its features and functions.

Fully managed devices are completely owned and controlled by the organization. This means that the organization can install any app, configure any settings, and enforce any policies on the device. This is typically used for devices that are provided by the organization and used exclusively for work purposes.

Work Profile

A work profile is a separate, secure profile on the device used for work purposes. In this mode, the employee still has their own personal space on the device. The organization can only manage and control the work profile; it cannot access or modify the personal space on the device. This is typically used for employee-owned devices, enabling employees to use their own device for both work and personal purposes.

The main difference between the two modes is the level of control the organization has over the device. With fully managed devices, the organization has complete control over the device. With a work profile, the organization only has control over the work profile. This allows employees to maintain their privacy on their own devices while still allowing the organization to manage and secure its work data.

Microsoft Intune

Android Enterprise

Prerequisites

Before starting with an enrollment profile, you must link a “Managed Google Play” account to Microsoft Intune. For this, you must have set up a managed Google Play account.

Managed Google Play connection

Afterwards, you can use Intune to manage and distribute apps from Managed Google Play to your Android devices.

Enrollment Profiles

There are four different sorts of enrollment profiles to enroll devices in Microsoft Intune:

Enrollment Profiles for Android devices within Microsoft Intune

By default, the “Personally-owned devices with work profile” option is enabled. It needs no additional configuration.

Android Device Enrollment

User-Driven Enrollment

To enroll an Android device using the Intune Company Portal app, users simply need to download the app from the Google Play Store and sign in with their organizational credentials. Once logged in, the app guides users through the enrollment process, allowing them to enroll their device in a matter of minutes.

Automated Enrollment

Zero-touch enrollment is a method of automated enrollment that allows organizations to enroll Android devices in Intune directly from the manufacturer or reseller. In this method, the organization provides the manufacturer or reseller with its enrollment configuration, so that devices are automatically enrolled in the organization's mobile device management (MDM) solution when shipped to the user. This pre-configures the devices with the desired settings and policies and ensures that they are ready for use as soon as they are received.

In conclusion, enrolling an Android device into Microsoft Intune is a simple process. It can be done using user-driven or automated enrollment. Each of these methods gives organizations the ability to manage and secure their mobile devices, ensuring that sensitive data is protected and that employees have access to the tools they need to be productive.

