Management Options for Android Enterprise with Microsoft Intune: A Decision Tree Approach

If you are new to managing Android Enterprise devices with Microsoft Intune, or want to improve your understanding of which options are available to you, this is the article for you. To get the most out of your investment in Android Enterprise devices, regardless of whether they are dedicated kiosk devices or handheld devices for your frontline workers, it is important that they are managed correctly in Microsoft Intune as part of the life cycle management of your devices.

It is crucial to distinguish between personally owned devices (BYOD) and company-owned devices, as each category demands its own management strategy. By the end of this article, you should have a clear understanding of the management options available to you and a defined strategy for your specific devices and user needs.

Decision tree

The idea behind the decision tree is to illustrate the different management options and give you a visual, easy process for deciding which one to choose, based on a few simple questions.

This has helped me and many of my customers throughout the years, and hopefully it can help you as well.

The first and most important question is: who owns the device? This question often throws people off, because they may not have considered it at all, or not in the way you might first think. Most organizations assume they own all their devices, but even when they do, it is not uncommon for them to have managed the devices in a bring-your-own-device (BYOD) scenario without realizing it.

Being clear about ownership is vital, because fully owning the devices typically gives access to a broader range of features and management options. Conversely, if the devices are not owned by the organization, assuming that they can enjoy the same benefits as owned devices often leads to unmet expectations for either the end users or the administrators.

The decision tree image is also available for download from my GitHub repo:
https://github.com/timmyit/Intune/blob/master/Android%20Enterprise%20decision%20tree.jpg

Management options

Not all paths in this decision tree are Android Enterprise specific; some are Intune or Entra specific. For example, app protection policies are a Microsoft Intune feature and not something defined by Android Enterprise, but they are used together with device management, so they have their place when you decide how, or whether, to manage the device. The same goes for Microsoft Entra shared device mode, which is an Entra ID feature rather than an Android Enterprise or Intune feature, but it is still part of the solution to consider when you plan how to manage your devices.

Personally Owned

A personally owned device is a device not owned by the organization. Some organizations simply do not allow personal devices to access company data or resources; others do. For example, a user may want to access work email on their personal phone. To allow this, you as the organization might require certain security policies to apply, or be enforced, so that the user accesses their work email in a way that the organization has approved.

Work Profile

Work Profile for personally owned devices is the option to consider if you need limited device-level controls. When the work profile is created on the device, the user keeps their personal profile, which the organization cannot see or alter, and gets a separate work profile on the same device. This work profile can be managed and controlled by the organization.

https://learn.microsoft.com/en-us/mem/intune/user-help/what-happens-when-you-create-a-work-profile-android

App Protection Policies – APP (MAM)

App protection policies (APP) and mobile application management (MAM) are the two common names used when there is no device-level control but instead application-level control.

For example, say a user is using Outlook on their personal phone to access work email. When they open Outlook and try to add their work account, they are prompted and informed that the application, in this case Outlook, is protected and that a few policies need to apply. This could mean that the user needs to configure a PIN to access Outlook, or that the user is not allowed to copy data from Outlook to another app on the device if that app is not managed by the organization.

This gives the organization controls and security policies on the application, not the device, for work-related data. Using this together with Conditional Access is often the first step for securing Android Enterprise bring-your-own-device (BYOD) scenarios.

Many organizations also use app protection policies together with the other management options, so they are not limited to BYOD scenarios.

https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy
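The two controls described above (a PIN to open the app, and no copying of work data into unmanaged apps) are ordinary properties on an Android app protection policy, so you can audit an exported policy for them. The script below is an added example, not code from the original article or from Microsoft. The property names follow the Microsoft Graph androidManagedAppProtection resource; the two policies it checks are constructed sample exports, and the thresholds in audit_app_policy are this example's own baseline, not a Microsoft recommendation.

```python
"""Audit an exported Android app protection policy (APP / MAM) for the two
controls the article describes: a PIN gate on the app and restrictions on
moving work data to unmanaged apps.

Added example, not code from the original article or from Microsoft.
Property names follow the Microsoft Graph androidManagedAppProtection
resource; the two policies below are constructed sample exports, and the
thresholds in audit_app_policy are this example's own baseline.
"""
from __future__ import annotations

# Constructed sample: a weak policy, as it would look after json.load()
# of a Graph export.
WEAK_POLICY = {
    "@odata.type": "#microsoft.graph.androidManagedAppProtection",
    "displayName": "Android BYOD - weak",
    "pinRequired": False,
    "minimumPinLength": 4,
    "allowedOutboundDataTransferDestinations": "allApps",
    "allowedInboundDataTransferSources": "allApps",
    "allowedOutboundClipboardSharingLevel": "allApps",
    "saveAsBlocked": False,
}

# Constructed sample: the same policy with the controls the article
# describes turned on (PIN to open Outlook, no copy to unmanaged apps).
HARDENED_POLICY = {
    "@odata.type": "#microsoft.graph.androidManagedAppProtection",
    "displayName": "Android BYOD - hardened",
    "pinRequired": True,
    "minimumPinLength": 6,
    "allowedOutboundDataTransferDestinations": "managedApps",
    "allowedInboundDataTransferSources": "managedApps",
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
    "saveAsBlocked": True,
}

# Graph enum values that keep work data inside the set of managed apps.
RESTRICTED_TRANSFER = {"managedApps", "none"}
RESTRICTED_CLIPBOARD = {"managedApps", "managedAppsWithPasteIn", "blocked"}
MIN_PIN_LENGTH = 6  # example baseline, not a Microsoft recommendation


def audit_app_policy(policy: dict) -> list[str]:
    """Return a list of findings; an empty list means the policy passes.

    Missing properties count as failures, so a truncated export does not
    silently pass the audit.
    """
    findings: list[str] = []
    name = policy.get("displayName", "<unnamed>")

    if policy.get("pinRequired") is not True:
        findings.append(f"{name}: pinRequired is not true")
    if int(policy.get("minimumPinLength", 0)) < MIN_PIN_LENGTH:
        findings.append(f"{name}: minimumPinLength below {MIN_PIN_LENGTH}")
    if policy.get("allowedOutboundDataTransferDestinations") not in RESTRICTED_TRANSFER:
        findings.append(f"{name}: outbound data transfer allows unmanaged apps")
    if policy.get("allowedInboundDataTransferSources") not in RESTRICTED_TRANSFER:
        findings.append(f"{name}: inbound data transfer allows unmanaged apps")
    if policy.get("allowedOutboundClipboardSharingLevel") not in RESTRICTED_CLIPBOARD:
        findings.append(f"{name}: clipboard can be pasted into unmanaged apps")
    if policy.get("saveAsBlocked") is not True:
        findings.append(f"{name}: Save As to unmanaged locations is allowed")
    return findings


if __name__ == "__main__":
    for p in (WEAK_POLICY, HARDENED_POLICY):
        result = audit_app_policy(p)
        status = "PASS" if not result else f"{len(result)} finding(s)"
        print(f"{p['displayName']} -> {status}")
        for finding in result:
            print("  -", finding)
```

To run this against a real tenant, replace the two sample dicts with the objects returned by a GET on /deviceAppManagement/androidManagedAppProtections (beta) and keep the audit function as is; the checks deliberately fail closed on missing properties so that an incomplete export is reported rather than passed.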

Company Owned

Company-owned devices are devices bought and fully owned by the organization. This gives the organization the most control over the device, so make sure you have a good plan for the life cycle management of those devices. One thing I will not cover in this specific article is the enrollment and onboarding steps. Topics like Android Zero-touch enrollment and Samsung Knox Mobile Enrollment (KME) will be covered in a separate article.

Corporate Owned device with Work Profile

This scenario is for devices owned by the organization where a single user is associated with the specific device, and where that user should also be able to use the device outside of work for personal things.

Here the organization manages and controls the device and the apps in the work profile, while the user has full control in the personal profile. The organization still keeps a small set of device-wide controls, such as requiring a device password and being able to wipe the whole device, so this is not the same as the personally owned work profile.

https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment-android#android-enterprise-corporate-owned-work-profile

Managed Device

A corporate-owned, fully managed user device is meant to be used when the device is associated with a specific user but is not meant for personal use outside of work. This might be a user who needs a phone for work but turns the device off, or leaves it at work for the next day, once their shift is over. The organization has full control over the device, which can be locked down so the user cannot install any private apps on it or take photos of their dog.

https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment-android#android-enterprise-fully-managed

Dedicated

A dedicated device is a single- or specific-purpose device meant for a particular workload or function. This could be a kiosk device running one specific application, think food ordering or registration in a lobby or hotel. These devices do not have a specific user tied to them.

It could also be a barcode scanner or a tablet used in a warehouse.

https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment-android#android-enterprise-dedicated-devices

Dedicated device with Microsoft Entra Shared Mode

This is technically not its own management option, because it is the same as dedicated devices, but with the added capability of handling user-specific scenarios where applications require user authentication.

Entra shared device mode is something to consider if you have either an in-house developed application that uses Entra ID credentials or third-party apps that require the user to sign in and out after use. Shared device mode provides SSO across the apps on the device and the ability to remove or add user data when someone signs in or out. Note that an app only takes part if it has been built for shared device mode with the Microsoft Authentication Library (MSAL); apps that have not been will keep their own sign-in state.

https://learn.microsoft.com/en-us/mem/solutions/frontline-worker/frontline-worker-overview-android?tabs=ae#microsoft-entra-shared-device-mode-for-android-enterprise-dedicated-devices

https://learn.microsoft.com/en-us/mem/solutions/frontline-worker/frontline-worker-overview#microsoft-entra-shared-device-mode-for-flw

Conditional Access

Something not mentioned yet, but crucial regardless of which management option you choose, is to have Conditional Access in place. It should go without saying, but you really need it, and you need to make sure that your Conditional Access policies align with the management options you choose when you use Android Enterprise and Intune together. For example, a policy that only grants access from a compliant device will block BYOD users who are protected by app protection policies alone, unless the policy also accepts "Require app protection policy" as a grant control.

Conditional Access is a feature of Entra ID that enforces access controls on apps and data based on conditions set by administrators. It lets organizations create and enforce policies that evaluate the context of a sign-in (such as user location, device compliance, client app and sign-in risk) when a user attempts to access resources, and grant or block access accordingly. This ensures that only authenticated and authorized users can access company data under the conditions set, which significantly improves organizational security.

https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
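To make the alignment between Conditional Access and the management options concrete, the script below models one Android policy and runs a few sign-ins through it. This is an added example, not code from the original article and not Entra ID's real evaluation engine; it is a deliberately small model of one policy's grant controls. The policy dicts follow the shape of the Microsoft Graph conditionalAccessPolicy resource, while the sign-in contexts are constructed samples whose field names (device_compliant and so on) are this example's own.

```python
"""Model how a Conditional Access policy lines up with the Android
management options in this article.

Added example, not code from the original article and not the real
Entra ID evaluation engine. The policy dicts follow the Microsoft Graph
conditionalAccessPolicy shape; the sign-in contexts are constructed
samples and their field names are this example's own.
"""
from __future__ import annotations

# A policy that targets Android and accepts EITHER a compliant, Intune
# managed device OR an app protected by an app protection policy.
ANDROID_POLICY = {
    "displayName": "Android: compliant device or app protection policy",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "platforms": {"includePlatforms": ["android"]},
    },
    "grantControls": {
        "operator": "OR",
        "builtInControls": ["compliantDevice", "compliantApplication"],
    },
}

# The same policy with only compliantDevice: the common mistake that
# locks out BYOD users who are protected by APP alone.
DEVICE_ONLY_POLICY = {
    **ANDROID_POLICY,
    "displayName": "Android: compliant device only",
    "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
}

# Constructed sign-in contexts, one per management option in the article.
BYOD_OUTLOOK_WITH_APP = {"platform": "android", "device_compliant": False,
                         "approved_client_app": True, "app_protection_applied": True}
FULLY_MANAGED_DEVICE = {"platform": "android", "device_compliant": True,
                        "approved_client_app": False, "app_protection_applied": False}
UNMANAGED_NO_APP = {"platform": "android", "device_compliant": False,
                    "approved_client_app": False, "app_protection_applied": False}
IOS_DEVICE = {"platform": "iOS", "device_compliant": True,
              "approved_client_app": False, "app_protection_applied": False}

# How each Graph builtInControl maps onto a fact about the sign-in.
_CONTROL_CHECKS = {
    "compliantDevice": lambda c: c.get("device_compliant", False),
    "approvedApplication": lambda c: c.get("approved_client_app", False),
    "compliantApplication": lambda c: c.get("app_protection_applied", False),
    "block": lambda c: False,
}


def in_scope(policy: dict, ctx: dict) -> bool:
    """True if the policy's platform condition covers this sign-in."""
    platforms = policy["conditions"].get("platforms", {}).get("includePlatforms", ["all"])
    return "all" in platforms or ctx["platform"] in platforms


def evaluate(policy: dict, ctx: dict) -> str:
    """Return 'grant', 'block' or 'notApplicable' for one sign-in."""
    if policy.get("state") != "enabled" or not in_scope(policy, ctx):
        return "notApplicable"
    grant = policy["grantControls"]
    results = []
    for control in grant["builtInControls"]:
        check = _CONTROL_CHECKS.get(control)
        # Unknown control: fail closed rather than silently grant.
        results.append(bool(check(ctx)) if check else False)
    satisfied = any(results) if grant["operator"] == "OR" else all(results)
    return "grant" if satisfied else "block"


if __name__ == "__main__":
    scenarios = {"BYOD Outlook + APP": BYOD_OUTLOOK_WITH_APP,
                 "fully managed": FULLY_MANAGED_DEVICE,
                 "unmanaged, no APP": UNMANAGED_NO_APP,
                 "iOS device": IOS_DEVICE}
    for policy in (ANDROID_POLICY, DEVICE_ONLY_POLICY):
        print(policy["displayName"])
        for label, ctx in scenarios.items():
            print(f"  {label:20s} -> {evaluate(policy, ctx)}")
```

The point of the second policy is the row for "BYOD Outlook + APP": with only compliantDevice as a grant control, the user the Personally Owned section described is blocked even though their work data is protected, which is exactly the mismatch between the Conditional Access policy and the chosen management option that you want to catch before rollout.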

That's it for this time. Don't forget to follow me on X (Twitter) @timmyitdotcom or connect with me on LinkedIn.
