There are various ways to enroll Android devices into Intune. For instance, if your company permits the use of personal Android phones (BYOD) to access company data, the Android Enterprise personally-owned work profile is suitable. With this approach, personal data remains separate from work data, and administrators do not control personal settings or data.
On the other hand, if your company owns the Android devices distributed to users and you, as an administrator, require full control over them, you can choose Android Enterprise fully managed enrollment. These devices are designated for work purposes only and not for personal use, allowing admins to manage the entire device.
These two methods (Work profile and fully managed) are commonly used when configuring Android enrollment, but there are additional options available for specific scenarios, which are listed below:
- Android Enterprise dedicated: Android Enterprise supports corporate-owned, single-use, kiosk-style devices with its dedicated device solution set. Such devices are used for a single purpose, such as digital signage, ticket printing, or inventory management, to name just a few. Admins can lock down the usage of a device to a single app, or a limited set of apps, including web apps. Users are prevented from adding other apps or taking actions on the device unless explicitly approved by admins.
- Android Enterprise corporate-owned with a work profile: For corporate-owned, single-user devices intended for corporate and personal use. It sits somewhere between BYOD and fully managed: admins can control some device settings and features, and the device also has a work profile, a separate managed area on the phone that keeps personal and corporate data separate.
- Android device administrator: This is a legacy way of managing Android devices. In areas where Android Enterprise is available, Google is encouraging movement off device administrator (DA) management by decreasing its management support in new Android releases. Google deprecated Android device administrator management in 2020, and Intune will be ending support for device administrator devices with access to Google Mobile Services at the end of 2024. Since most Android versions support Android Enterprise, it’s best to keep this disabled; I would recommend keeping it blocked.
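To confirm that device administrator enrollment really is blocked, the enrollment restriction policies can be audited. The following is an added example, not part of the original article: it assumes the policies were exported as JSON from the Microsoft Graph deviceManagement/deviceEnrollmentConfigurations endpoint, where the "android" platform denotes device administrator, and it runs on a constructed sample with made-up policy names.

```python
import json

# Constructed sample, shaped like the JSON returned by Microsoft Graph for
# GET /deviceManagement/deviceEnrollmentConfigurations (all values are made up).
SAMPLE_RESPONSE = json.loads("""
{"value": [
  {"@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration",
   "displayName": "All users and all devices",
   "androidRestriction": {"platformBlocked": false},
   "androidForWorkRestriction": {"platformBlocked": false}},
  {"@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestrictionConfiguration",
   "displayName": "Block Android DA",
   "platformType": "android",
   "platformRestriction": {"platformBlocked": true}},
  {"@odata.type": "#microsoft.graph.deviceEnrollmentLimitConfiguration",
   "displayName": "Device limit", "limit": 5}
]}
""")

ALL_PLATFORMS = "deviceEnrollmentPlatformRestrictionsConfiguration"  # one policy, every platform
ONE_PLATFORM = "deviceEnrollmentPlatformRestrictionConfiguration"    # one policy per platform


def device_admin_findings(response):
    """Return (policy name, blocked?) for each policy governing Android device administrator."""
    findings = []
    for cfg in response.get("value", []):
        kind = cfg.get("@odata.type", "").rsplit(".", 1)[-1]
        if kind == ALL_PLATFORMS:
            # "androidRestriction" is device administrator; "androidForWorkRestriction"
            # (Android Enterprise work profile) is deliberately ignored here.
            restriction = cfg.get("androidRestriction")
        elif kind == ONE_PLATFORM and cfg.get("platformType") == "android":
            restriction = cfg.get("platformRestriction")
        else:
            continue  # device limits and other platforms are out of scope
        # A missing restriction object is treated as "not blocked" (assumption of this example).
        blocked = bool((restriction or {}).get("platformBlocked", False))
        findings.append((cfg.get("displayName", "<unnamed>"), blocked))
    return findings


def unblocked_policies(response):
    """Names of policies that still allow device administrator enrollment."""
    return [name for name, blocked in device_admin_findings(response) if not blocked]


if __name__ == "__main__":
    for name, blocked in device_admin_findings(SAMPLE_RESPONSE):
        print(("BLOCKED " if blocked else "ALLOWED ") + name)
```

Which policy actually applies to a given user depends on its assignment and priority, so any policy reported as allowed should be checked against the groups it targets.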
Connect Managed Google Play
Now, let’s check the steps to configure Android enrollment in the Intune admin center. The first step is to connect a Managed Google Play account.
- Sign in to the Intune admin center.
- Go to Devices > Enrollment > Android enrollment and click on Managed Google Play.
- On the Managed Google Play page, click on I agree and then click on Launch Google to connect now.
- You’ll need a Gmail account to set up this connection. If you already have one, you can use it to sign in and proceed by clicking Get Started.
I recommend creating a dedicated Gmail account for this connection and securely storing the login credentials in your secret store or password vault. To create a new Gmail account for business purposes, click on Create account, then select To manage my business. Follow the prompts to complete the setup. You can refer to the screenshot below for guidance.
- Once you log in using your Gmail account, you will get the page below. Click on Get Started.
- Enter your Business Name.
- Skip entering the Data Protection Officer and EU Representative information, select the Microsoft Google Play agreement checkbox and click on Confirm.
- Click on Complete Registration.
- It will integrate your Gmail account and complete the setup process. Once it’s done, you should see a Green Check next to Setup. You can also find the registration date and time information.
Enrollment Profiles
Once the connection to Managed Google Play is successfully set up, you can now configure Enrollment Profiles for Android devices. Go to Devices > Enrollment > Android > Enrollment Profiles.