Beyond the Basics: Advanced Android Enterprise Management with Microsoft Intune

Are you using Microsoft Intune for Android Enterprise management and wondering how to unleash its full potential? Look no further! In this series, I'll guide you beyond the basics, helping you harness the power of Microsoft Intune to effectively manage your Android devices.


You will discover how to leverage Intune's capabilities to their fullest extent, ensuring efficient management, enhanced security, and increased productivity across your Android device fleet. Whether you are a beginner or an experienced user, the insights and tips will help you unlock the true potential of Microsoft Intune for Android Enterprise management.

Don't miss out on this opportunity to elevate your device management strategy to the next level. Let's dive in and harness the full potential of Microsoft Intune for Android Enterprise management. Here's a glimpse of what we'll be exploring:

  1. Integrating Android Enterprise Management with MDM
  2. How an Android device is enrolled & provisioned
  3. Enrollment Methods for Android Devices in Intune
  4. Creating and Managing Policies for Android Devices
  5. Integrating Samsung Knox with Microsoft Intune
  6. Automating Android Device Management with PowerShell and Graph API
  7. Security and Compliance Best Practices in Intune
  8. Managing App Configurations and Permissions
  9. Troubleshooting Common Issues in Android Device Management
  10. Real-world Case Studies of Android Enterprise Management
  11. The Future of Android Management: Trends and Predictions
  12. A Comprehensive Guide to Reporting and Analytics in Intune
  13. End-User Training and Adoption Strategies
  14. Device and App Lifecycle Management in Intune
  15. Managing Remote Workforce with Android Devices and Intune
  16. A Closer Look at Zero-Touch Enrollment for Android Devices

Integrating Android Enterprise Management with MDM

Android Enterprise Management is a comprehensive solution that allows organizations to effectively manage and secure their Android devices. Microsoft Intune, on the other hand, is a powerful mobile device management (MDM) platform that integrates seamlessly with Android Enterprise, providing a wide range of features and capabilities for managing Android devices.

By combining Android Enterprise with Microsoft Intune, organizations can take advantage of a robust set of tools to enroll, configure, secure, and manage Android devices. Intune offers a unified management experience, allowing IT administrators to control device settings, deploy applications, enforce security policies, and manage updates, all from a centralized console.

Intune can be used to manage Android Enterprise devices using a variety of enrollment options, including:

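BYOD (bring your own device)
COPE (corporate-owned, personally enabled)
COBO (corporate-owned, business only)
Kiosk (dedicated devices)

An Android Enterprise solution is a combination of three components: an EMM solution (MS Intune in our case), Android Device Policy, and managed Google Play.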

Android Device Policy

Every Android device that an organization manages through its MDM solution must have Android Device Policy installed during the setup process. Android Device Policy, provided by Android itself, is an application that autonomously enforces the management policies established in the MDM console on the respective devices.

Managed Google Play

Managed Google Play represents the enterprise edition of Google Play, tailor-made to enhance app management within Android Enterprise solutions. It merges the well-known user interface and app store functions of Google Play with a collection of management features specifically engineered for corporate use. Managed Google Play can be embedded into your MDM console to provide features such as:

On devices that are managed, Managed Google Play serves as the enterprise app store for users. Its interface bears resemblance to the regular Google Play, allowing users to browse through apps, examine their details, and proceed with the installation. However, in contrast to the public version of Google Play, Managed Google Play restricts users to installing only those apps that have been specifically approved by their organization. This ensures alignment with corporate policies and helps maintain a secure environment.

Let's dive deeper to understand how Android devices are enrolled & provisioned into MDM.


How an Android Device is Enrolled & Provisioned

Android Device Policy communication between MDM and managed devices

Device provisioning refers to the procedure of configuring a device so that it falls under the control of an enterprise through configured policies. This process involves the installation of Android Device Policy on the device, which then serves as the medium for receiving and enforcing these policies. If provisioning succeeds, the API creates a device object, thereby linking the device to the enterprise.

The Android Management API initiates this provisioning process by utilizing enrollment tokens. When an enrollment token is provided to a device, it triggers the provisioning process. This procedure not only includes the installation of Android Device Policy but also the addition of a managed Google Play account to the device. Once the device has been successfully provisioned, it is identified within the system as a Devices resource.

Device provisioning with enrollment token

The enrollment token and provisioning method you use establish a device's ownership (personally-owned or company-owned) and management mode (work profile or fully managed device).

Enrollment tokens expire after one hour by default, but you can specify a custom expiration time (duration) up to approximately 10,000 years!

The enrollment token resource has the following JSON representation, with each field's type shown in place of a value:

{
  "name": string,
  "value": string,
  "duration": string,
  "expirationTimestamp": string,
  "policyName": string,
  "additionalData": string,
  "qrCode": string,
  "oneTimeOnly": boolean,
  "user": {
    object (User)
  },
  "allowPersonalUsage": enum (AllowPersonalUsage)
}
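Because a token's lifetime can be extended far beyond the one-hour default, it is worth reviewing the tokens an enterprise has issued. The following audit is an added example, not code from the original post or from Intune; it assumes `duration` is a string of seconds ending in `s`, that a missing `oneTimeOnly` means false, and that seven days is the organisation's limit, and every token value in it is constructed.

```python
import re
from datetime import timedelta

DEFAULT_LIFETIME = timedelta(hours=1)   # default stated in the text above
MAX_LIFETIME = timedelta(days=7)        # assumed organisational limit, adjust to policy

# Constructed sample tokens using the field names shown above; all values are made up.
SAMPLE_TOKENS = [
    {"name": "enterprises/EXAMPLE/enrollmentTokens/kiosk-batch",
     "duration": "2592000s", "oneTimeOnly": False},            # 30 days, reusable
    {"name": "enterprises/EXAMPLE/enrollmentTokens/new-hire",
     "duration": "86400s", "oneTimeOnly": True},               # 1 day, single use
    {"name": "enterprises/EXAMPLE/enrollmentTokens/default",
     "oneTimeOnly": True},                                     # no duration: 1 hour
    {"name": "enterprises/EXAMPLE/enrollmentTokens/forever",
     "duration": "315360000000s", "oneTimeOnly": True},        # about 10,000 years
]

def parse_duration(value):
    """Parse a duration string of seconds ending in 's', e.g. '3600s' or '1.5s'."""
    match = re.fullmatch(r"(\d+)(?:\.(\d{1,9}))?s", value)
    if match is None:
        raise ValueError(f"unrecognised duration: {value!r}")
    micros = int((match.group(2) or "0").ljust(9, "0")) // 1000
    return timedelta(seconds=int(match.group(1)), microseconds=micros)

def audit_token(token, max_lifetime=MAX_LIFETIME):
    """Return finding codes for one enrollment token dict."""
    raw = token.get("duration")
    lifetime = parse_duration(raw) if raw else DEFAULT_LIFETIME
    findings = []
    if lifetime > max_lifetime:
        findings.append("LONG_LIVED")
    if not token.get("oneTimeOnly", False):
        findings.append("REUSABLE")
    return findings

def audit_tokens(tokens, max_lifetime=MAX_LIFETIME):
    """Map token name -> findings, listing only tokens that have findings."""
    report = {}
    for token in tokens:
        findings = audit_token(token, max_lifetime)
        if findings:
            report[token["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_tokens(SAMPLE_TOKENS).items():
        print(name, ", ".join(findings))
```

A token that is both long-lived and reusable deserves the closest look, since anyone who obtains its value or QR code can enroll devices for as long as it remains valid.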

Launch an app during setup

Within policies, it's possible to designate one application for Android Device Policy to launch during the setup of a device or work profile. For instance, you can have your own T&Cs app in which users must accept the Terms and Conditions as part of the setup procedure. To indicate that the process has been completed and to allow Android Device Policy to finish provisioning the device or work profile, the app must return RESULT_OK.

To successfully launch an app during the setup, the following steps must be adhered to:

The app's 'installType' is set to 'REQUIRED_FOR_SETUP'. If the app fails to install or launch on the device, the provisioning process will be unsuccessful.

The app is listed under applications and referenced from setupActions in the same policy (com.my.T&C. is a placeholder for your app's package name):

{
   "applications":[
      {
         "packageName":"com.my.T&C.",
         "installType":"REQUIRED_FOR_SETUP"
      }
   ],
   "setupActions":[
      {
         "title":{
            "defaultMessage":"T&C App"
         },
         "description":{
            "defaultMessage":"Please accept T&Cs to proceed."
         },
         "launchApp":{
            "packageName":"com.my.T&C."
         }
      }
   ]
}

After the app returns RESULT_OK, Android Device Policy will complete any remaining steps required to provision the device or work profile.
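Since a setup app that cannot be installed or launched fails provisioning, the policy can be checked before it is published. The linter below is an added example, not part of the original post or of any Google or Microsoft tooling; the package-name pattern and the problem codes are assumptions, com.example.terms is a hypothetical package name, and the post's com.my.T&C. placeholder is included to show that it would be reported as an invalid name.

```python
import re

# Assumed package-name rule (the usual Android application ID format): two or more
# dot-separated segments, each starting with a letter, then letters, digits or '_'.
PACKAGE_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+")

def lint_setup_actions(policy):
    """Return (setupActions index, problem code) pairs for a policy dict."""
    install_types = {app.get("packageName"): app.get("installType")
                     for app in policy.get("applications", [])}
    problems = []
    for index, action in enumerate(policy.get("setupActions", [])):
        package = action.get("launchApp", {}).get("packageName")
        if not package:
            problems.append((index, "NO_LAUNCH_APP"))
            continue
        if not PACKAGE_RE.fullmatch(package):
            problems.append((index, "INVALID_PACKAGE_NAME"))
        if package not in install_types:
            problems.append((index, "APP_NOT_IN_APPLICATIONS"))
        elif install_types[package] != "REQUIRED_FOR_SETUP":
            problems.append((index, "NOT_REQUIRED_FOR_SETUP"))
    return problems

def make_policy(package, install_type):
    """Build a policy fragment in the shape shown above (constructed sample input)."""
    return {
        "applications": [{"packageName": package, "installType": install_type}],
        "setupActions": [{"title": {"defaultMessage": "T&C App"},
                          "launchApp": {"packageName": package}}],
    }

# Constructed samples; com.example.terms is a hypothetical package name.
PAGE_POLICY = make_policy("com.my.T&C.", "REQUIRED_FOR_SETUP")
VALID_POLICY = make_policy("com.example.terms", "REQUIRED_FOR_SETUP")
WRONG_TYPE_POLICY = make_policy("com.example.terms", "FORCE_INSTALLED")
ORPHAN_POLICY = {"applications": [], "setupActions": VALID_POLICY["setupActions"]}

if __name__ == "__main__":
    for label, policy in [("page", PAGE_POLICY), ("valid", VALID_POLICY),
                          ("wrong type", WRONG_TYPE_POLICY), ("orphan", ORPHAN_POLICY)]:
        print(label, lint_setup_actions(policy))
```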


Conclusion

So far, we've explored the fundamental principles behind device provisioning and the role of Android Device Policy in managing devices within an enterprise environment.

As we continue to unravel the complexities of Android Enterprise Management, the upcoming part of our series promises to delve deeper into a crucial aspect of device management: Enrollment Methods for Android Devices in Intune. Stay tuned as we guide you through various enrollment options, practical strategies, and insights that can transform the way your organization manages its Android devices.

Thank you for following along, and I look forward to welcoming you back for the next exciting installment in our comprehensive guide to Android Enterprise Management with Microsoft Intune.

