Android device management with Microsoft Intune – Part 1

In this article we will talk about the management of Android devices through the Microsoft Intune solution in such a way as to be able to determine a common management strategy for all the devices in the company.

Overview

As reiterated during the last Ignite, in recent years, we have witnessed an epochal change in the way people work with an exponential increase in remote activity by employees; this is why hybrid work has become the “new normal”, in fact:

  • Over 60% of users use multiple devices to access corporate resources;
  • This obviously has led to nearly 90% of companies having to manage and protect two or more operating systems;
  • Finally, the way of working has changed and these changes are likely to remain.

With the introduction of these devices in the company, what are the reasons that could push companies to define an efficient endpoint management path?
The first aspect that IT administrators must consider is certainly the fact of preventing personal devices from exposing the network and corporate information to a wide range of threats; Furthermore, it is vital to ensure that the devices and apps that are used by employees comply with the company’s security requirements.
The last-but-not-least reduce management costs and redundant costs related to the management of different endpoints (think of some time ago where to manage the various types of devices it was necessary to use multiple tools or solutions).

Microsoft Intune

To meet the needs that emerged from the digital transformation process to which we were forced, Microsoft has made available the Microsoft Intune solution that allows you to manage all types of devices in the company in a unified way.

The Microsoft Intune family encompasses several technologies, including Configuration Manager for managing clients/servers and Microsoft Intune itself for managing Windows 10/Windows 11 devices and mobile devices.

Why should comapanies choose Microsoft Intune to manage mobile devices?

The first reason is linked to the fact that the Microsoft Intune solution was again recognized by Gartner as a leader among Unifiend Endpoint Management solutions; Furthermore, another reason that could push companies to adopt Microsoft Intune is the full integration of management, identity and security within the ecosystem of Microsoft 365 solutions and services.
Finally, as also previously reported, the last reason is related to the reduction in terms of costs inherent in the adoption of a single management tool for all types of devices in the company; the adoption of a single tool also allows to reduce the costs associated with the continuous re-training of IT operators.

Through Microsoft Intune, I can manage the entire life cycle of devices which consists of 4 steps:

  • Provisioning
  • Configuration
  • Protection
  • Support and Retire

In this first article, we will analyze the first 2 steps of the device view cycle: the part of registering devices on the Microsoft Intune platform and their configuration.

Provisioning

The first step of the device lifecycle consists precisely in registering new devices; on Intune we have the possibility to register devices with Android versions higher than 8.0 (included) in the following ways:

Personally-owned with work profile

The Personally-owned with work profile management mode allows you to enroll an Android device through the Company Portal application; at this point, the device will be registered on the MDM authority and will apply the configurations associated with it.
This management mode is ideal for scenarios of managing personal devices or corporate devices already assigned to employees.

Figure 1 – Personally-owned with work profile
ProCons
No device reset to enroll on IntuneDifferent User Experience on the device
Possibility of personalization and configuration of the devicePossibility for the user to remove the device from Intune (loss of the managed device)
Separation of personal apps and work appsDivision of the address book (Personal / Work) – eg: inability of personal apps (eg: WhatsApp) to access company contacts
Separate management of identities within the same app (if present in both profiles)
Selective wipe of company data (device removal from Intune = removal of the work profile only)
IT Admins cannot perform a Factory Reset
Table 1 – Pro and Cons Personally-owned with work profile

Corporate-owned with work profile

The User Experience in the Corporate-owned with work profile (COPE) management mode is the same as in the previous management scenario; the difference between the two appears to be in the possibility for IT Admins to apply higher security criteria in the Corporate scenario.
Furthermore, device registration in COPE mode can be performed in Out-of-the-box/Factory reset mode or in Zero Touch mode (Google or Samsung Knox Mobile Enrollment).
This management mode is ideal for the management scenarios of new corporate devices on which users want to leave more autonomy.

Figure 2 – Corporate-owned with work profile
ProCons
User cannot remove the device from IntuneDevice reset to enroll on Intune
Freedom on the part of the user in customizing and configuring the deviceDifferent User Experience on the device
Division of the address book (Personal / Work)
Ability to apply higher security criteria than in the Personal scenarioPossibility for IT Admin to perform a Factory Reset (deletion of personal data)
Table 2 – Pro and Cons Corporate-owned with work profile

Fully Managed

Android Enterprise fully managed devices are corporate-owned devices associated with a single user and used exclusively for work and not personal use. Admins can manage the entire device and enforce policy controls unavailable to personally-owned/corporate-owned work profiles.

The User Experience appears to be the same as compared to an unmanaged device.
Again, the registration can be performed in Out-of-the-box / Factory reset mode or in Zero Touch mode (Google or Samsung Knox Mobile Enrollment).
This management mode is ideal for the management scenarios of new company devices on which you want to leave a reduced autonomy on the part of the users.

Figure 3 – Fully Managed
ProCons
User cannot remove the device from IntuneDevice reset to enroll on Intune
Ability to apply higher security policies than other management scenariosNo separation between personal apps and work apps
Same User Experience on the device
Possibility of inhibiting access to the public Google Play Store
Reduced freedom in device customization and configuration
Possibility for IT Admins to perform a Factory Reset
Ability to inhibit access to the public Google Play Store – high effort to manage apps allowed
Table 3 – Pro and Cons Fully Managed

Dedicated – Dedicated Azure AD Shared devices

The dedicated device solution is designed for company-owned devices that fulfill a specific purpose; Admins can lock down the usage of a device to a single app, or a limited set of apps, inclusive of web apps. Users are prevented from adding other apps or taking actions on the device that unless explicitly approved by admins. Also these devices are enrolled into Intune without a user account and are not associated with any end user.

This scenario is ideal for management scenarios of kiosk devices or shared devices dedicated to first-line workers.

Figure 4 – Dedicated and Dedicated Azure AD Shared devices
ProCons
Integration with Azure Active Directory (AAD Shared scenario)Device reset to enroll on Intune
User cannot remove the device from IntuneNo personalization and configuration of the device
Possibility to inhibit any modification to the devicePossibility for IT Admins to perform a Factory Reset
Running only the applications distributed by the IT Admin
Table 4 – Pro and Cons Dedicated – Dedicated Azure AD Shared devices

Configuration

Once the provisioning process is complete, we need to predict the configuration of the Android endpoints based on what the company policies are. This phase is intended to manage access and use of company services and information from Android devices.

On Microsoft Intune I have the ability to convey configurations through Configuration Profiles (or Configuration Policies); on Android devices I have the possibility to apply the following types of profiles:

  • Device restrictions: through the Device Restrictions type, IT Admins are able to control security, hardware, data sharing and other settings on the device (eg: PIN request, encryption, etc…).
  • Access configuration: the Access configuration type provides configurations for accessing company resources (eg: email profiles, VPN profiles, Wi-Fi profiles, certificates, etc…).
  • Custom: through the Custom type it is possible to apply configurations on the device that are not natively present on Microsoft Intune.

An integral part of the configuration of a device is also the distribution of applications; through Microsoft Intune I have the ability to manage the life cycle of apps which on Android devices is divided into 2 macro-areas: the first concerns devices registered in the Android Enterprise mode and the second concerns devices registered in Device Admin mode (deprecated mode by Google starting with Android version 10).

In the first case, the distribution of the apps takes place through Managed Google Play: this portal is the alter-ego of Apple Business Manager or the Microsoft Store for Business but for Android devices; within this portal I can find all the public applications in the Play Store; I can also upload personal apks and web links that I want to make available on my devices.
Once I have selected the application or applications concerned, through the Sync button, I have the possibility to connect the two portals (Play Store on one side and Intune on the other) so that the selected apps can be visible and therefore distributable through our MDM solution.

Figure 5 – Managed Google Play

In the second case, however, the one dedicated to devices registered in the Device Admin mode. App deployment can be performed by selecting one of the dedicated items from the drop-down menu available on the Microsoft Intune portal.

Figure 6 – Device Admin app deployment

In addition to device configuration, with Microsoft Intune, you can configure the applications that are deployed with the tool; the App Configuration Policies allow you to customize and improve the user experience while using the app.
Let’s take for example one of the most used apps in the company Microsoft Outlook, through the app configuration policy I can for example:

  • Simplify corporate account setup.
  • Allow only a corporate account and not a personal account.
  • Forcing the sync of contacts so that the user * cannot * deactivate it.
Figure 7 – MS Outlook App Configuration Policy

References

Here are some useful references to the official documents:

Conclusions

In this article, the first 2 steps related to the device lifecycle have been reported; in the second part of the article, we will go into the last steps concerning the securing of the devices, the support and the eventual withdrawal in the face of the decommissioning of the device.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: