Configuring and troubleshooting Android enterprise devices in Microsoft Intune

Applies to: Microsoft Intune

What does this guide do?
This guide helps administrators understand how to configure and troubleshoot Android enterprise devices in a Microsoft Intune environment. 

Who is it for?
Administrators who implement and oversee a Microsoft Intune environment that manages Android enterprise devices.

How does it work?
This guide covers common scenarios including onboarding to Google, application deployment, enabling work profile enrollment, configuring conditional access, the work profile enrollment end-user experience, and issuing a work profile passcode reset. It helps you decide which management capability is the best for your organization and provides a FAQ about Android enterprise.

Estimated time of completion:
20-30 minutes.

Select one of the following, or start with Evaluate your needs – BYOD or dedicated devices and follow each step in order:

Evaluate your needs – BYOD or dedicated devices

Before you enable Android enterprise devices in Microsoft Intune, you must determine whether you want to enroll those devices as personal devices (BYOD or Bring Your Own Device) or as dedicated devices (formerly known as COSU, or Corporate Owned Single Use). The example used in this guide focuses on BYOD scenarios. For more information about dedicated devices (COSU) scenarios, see COSU Configuration and Enrollment using the QR code enrollment method.

BYOD devices are set up with an Android Enterprise work profile which is a feature built into Android 5.1 and later versions. This feature allows work apps and data to be stored in a separate, self-contained, company managed space on the device. Because personal apps and data remain on the device inside the user’s personal profile, employees can continue to use their device as they usually would. 

Dedicated devices are typically locked to a single app or set of apps (also known as kiosk mode) which allows the administrator to control things such as the status bar, keyboard layouts, the lock screen and other settings on the device. It prevents users from enabling other apps or changing certain settings on dedicated devices. Be aware that devices that you manage in this manner are enrolled in Intune without a user account and aren't associated with any end-user. They aren't intended for personal use applications or apps that have a strong requirement for user-specific account data such as Outlook or Gmail. 

When you decide how to enroll your devices, also be aware that not all features are available for both methods. The following table shows some key differences.

Feature Set                            Work Profile (BYOD)   Dedicated (Kiosk)
Managed Email Profile                  ✓                     ×
Managed Wi-Fi Profile                  ✓                     ✓
Managed VPN Profile                    ✓                     ×
SCEP Certificate Profile               ✓                     ×
PKCS Certificate Profile               ✓                     ×
Trusted Certificate Profile            ✓                     ×
Custom Profile                         ✓                     ×
Prevent Factory Reset                  ×                     ✓
Block Camera & Screen capture          ✓                     ✓
Block Volume Buttons                   ×                     ✓
Block Copy and Paste / Data Sharing    ✓                     ✓
Managed Password                       ✓                     ✓
Managed Applications (Required)        ✓                     ✓
Managed Applications (Available)       ✓                     ×
Containerized Profile                  ✓                     ×
Kiosk Level Device Management          ×                     ✓
Personal Device Management             ✓                     ×
NFC-Based Enrollment                   ×                     ✓
Token-Based Enrollment                 ×                     ✓
QR Code-Based Enrollment               ×                     ✓
Zero Touch                             ×                     ✓
Compliance/Conditional Access          ✓                     ×

Onboard to Google

The first step in configuring Android enterprise in your environment is to connect your Intune tenant account to your Android enterprise account. To do this, follow these steps:

  1. Create a Google service account (@gmail.com). This account will be associated with all Android enterprise management tasks for your tenant and is the Google account that your company's IT admins will share to manage and publish apps in the Google Play console. You can use an existing Google account or create a new one, but the account that you use must not be associated with a G-Suite domain.
  2. Sign in to the Azure Portal with your Intune licensed Global Administrator account.
  3. Go to Intune > Device Enrollment > Android Enrollment > Managed Google Play, select I agree, and then click Launch Google to connect now to open the Managed Google Play website.

    Android enrollment
  4. Sign in to your Google account, click Get started.

    Get started
  5. Enter your business name, and then click Next.

    Business name
  6. Accept the terms, and then click Confirm.
  7. Click Complete Registration.

    Complete registration

For more information about this step, see Connect your Intune account to your Android enterprise account.

Deploy applications

After your Intune account is connected to your Android enterprise account, you can deploy some applications by following these steps:

  1. Sign in to the Azure Portal with your Intune licensed Global Administrator account.
  2. Go to Intune > Device Enrollment > Android Enrollment > Managed Google Play, and then click Open Company Portal in the managed Google Play store.

    Open company portal
  3. On the page of the Intune Company Portal app, click Approve.

    Intune Company Portal
  4. Click Approve to accept the app permissions.

    App permission
  5. Select an option for handling new app permission requests, and then click Save. Microsoft recommends that you keep the app approved to limit end-user impact.

    App approval setting
  6. To verify that the app approval is successful, go back to Azure Portal, and then go to Intune > Mobile Apps > Setup > Managed Google Play. The page displays the time and status of the last sync. Click Sync.

    Before sync


    After sync is completed, it updates the time and status of the last sync.

    After sync


    Note The app sync between Intune and the Managed Google Play store is manual. Therefore, you must click the Sync button every time that you approve new apps.
  7. After the app is added to Microsoft Intune, you can assign the app to users and devices. From the Intune portal, go to Mobile Apps, and then select Apps under Manage. The app is displayed in the list.

    App list
  8. To create groups, see the following articles:

    Assign apps to groups with Microsoft Intune
    Learn about access management using Azure Active Directory groups
  9. To assign the app to a group, select the app, select Assignments under Manage, and then click Add Group to open the Add group pane.

    Add group
  10. Select Required in Assignment type, select Included Groups, select groups to include, and then click Select.

    Select group
  11. In the Assign pane, click OK to complete the included groups selection.
  12. In the Add group pane, click OK.
  13. In the Assignments pane, click Save to save your changes.

    Save assignment
  14. Go back to the Apps blade, and then click Refresh.

    Refresh


    You will see that the Assigned column is changed from No to Yes.

For more information about app deployment, see Assign apps to Android work profile devices with Intune.

Enable work profile enrollment

To allow Android work profile enrollment and block legacy Android (device administrator) enrollment, follow these steps:

  1. From the Intune portal, go to Device Enrollment > Enrollment Restrictions, and then click Default under Device Type Restrictions.

    Enrollment restrictions
  2. Click Properties > Select platforms, select Block for Android, select Allow for Android work profile, click OK, and then click Save to save your changes.

    Set properties

Note Default restrictions have the lowest priority and apply to all users; this can't be changed. When you create additional custom restrictions, be aware of the groups to which they are assigned so that you don't create a conflict with this configuration.
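As an added check for this step (example code, not part of the original article), the following Python audits the enrollment restriction configurations that Microsoft Graph returns for GET /deviceManagement/deviceEnrollmentConfigurations: it confirms that the default (priority 0) blocks legacy Android and allows the work profile, and flags any custom restriction that would override that for its assigned groups. The property names follow the Graph deviceEnrollmentPlatformRestrictionsConfiguration resource; the two records are constructed sample data.

```python
# Audit Intune enrollment restrictions against the setting this step applies (legacy
# Android blocked, Android work profile allowed). Input is the JSON that Microsoft Graph
# returns for GET /deviceManagement/deviceEnrollmentConfigurations; sample data is constructed.

PLATFORM_TYPE = "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration"

SAMPLE_CONFIGS = [  # constructed sample, not output from a real tenant
    {   # the built-in default: priority 0, applies to all users
        "@odata.type": PLATFORM_TYPE, "displayName": "All users and all devices",
        "priority": 0,
        "androidRestriction": {"platformBlocked": True},          # legacy Android blocked
        "androidForWorkRestriction": {"platformBlocked": False},  # work profile allowed
    },
    {   # a custom restriction assigned to a pilot group that reverses the default
        "@odata.type": PLATFORM_TYPE, "displayName": "Legacy Android pilot",
        "priority": 1,
        "androidRestriction": {"platformBlocked": False},
        "androidForWorkRestriction": {"platformBlocked": True},
    },
]

def android_policy(config):
    """Return (legacy_android_allowed, work_profile_allowed) for one configuration."""
    legacy = not config.get("androidRestriction", {}).get("platformBlocked", False)
    work = not config.get("androidForWorkRestriction", {}).get("platformBlocked", False)
    return legacy, work

def audit(configs):
    """Return findings as strings; an empty list means the tenant matches this guide."""
    restrictions = [c for c in configs if c.get("@odata.type") == PLATFORM_TYPE]
    default = next((c for c in restrictions if c.get("priority") == 0), None)
    if default is None:
        return ["no default (priority 0) platform restriction configuration found"]
    findings = []
    legacy, work = android_policy(default)
    if legacy:
        findings.append("default allows legacy Android (device administrator) enrollment")
    if not work:
        findings.append("default blocks Android work profile enrollment")
    # Custom restrictions outrank the default for their assigned groups and can override this step.
    for c in restrictions:
        if c.get("priority") == 0:
            continue
        c_legacy, c_work = android_policy(c)
        label = f"{c.get('displayName')} (priority {c.get('priority')})"
        if c_legacy:
            findings.append(f"{label} allows legacy Android enrollment")
        if not c_work:
            findings.append(f"{label} blocks Android work profile enrollment")
    return findings
```

Feed it the real response body (the value array) from a Graph call made with DeviceManagementServiceConfig.Read.All to check a live tenant.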

For more information about enrollment restrictions, see Set enrollment restrictions.

Configure conditional access

To configure device-based conditional access for email in the work profile, follow these steps:

  1. Deploy the Gmail app or the Nine Work app as Required.
  2. Create an email profile for the app by following these steps:
    1. In the Intune Azure portal, select Device configuration > Profiles > Create profile, and then enter Name and Description for the email profile.
    2. Select Android enterprise from the Platform drop-down list.
    3. In Profile Type > Work Profile Only, select Email.
    4. Configure the email profile settings.

      Gmail profile


      For more information about these settings, see Email profile settings for devices running Android and Android Enterprise – Intune.
  3. After you create the email profile, assign it to groups.

    Assign profile
  4. Set up device-based conditional access.

Work profile enrollment end-user experience

On the Android device, the end user completes work profile enrollment by following these steps:

  1. Sign in with your work account, and then tap Enroll now.

    Enroll now
  2. On the Access Setup screen, tap Continue.

    Continue
  3. On the privacy statement screen, tap Continue.

    Privacy
  4. On the What's next screen, tap Next.

    What's Next
  5. On the Set up a work profile screen, tap Accept.

    Set up work profile
  6. On the Activate work profile screen, tap Continue.

    Continue setup


    Note You can see a badge icon at the top, which means that you're now inside the work profile.
  7. On the You're all set screen, tap Done.

    Done
  8. You can now sign in to Gmail. When you are prompted to update security settings, tap UPDATE NOW.

    Update security setting
  9. Tap Activate to activate Gmail as Device Administrator.

    Activate device administrator

For more information about Android enrollment, see Set up enrollment of Android work profile devices.

Issue a work profile passcode reset

To reset a work profile passcode, follow these steps:

  1. Create a device profile that requires a work profile passcode by following these steps:
    1. In the Intune Azure portal, select Device configuration > Profiles > Create profile, enter Name and Description for the profile.
    2. Select Android enterprise from the Platform drop-down list.
    3. In Profile Type > Work Profile Only, select Device Restrictions.
    4. In Work profile settings, select Require in Require Work Profile Password.

      Require work profile password
  2. On the Android enterprise device, you will be prompted to set a work profile passcode if you haven't set one.
  3. Wait until you receive a second prompt that says "Secure your Work Profile - Authorize your company support to remotely reset your work profile password". Enter your passcode to authorize reset. This activates the reset password token that Intune needs to perform this action successfully.

    Notification


    Note If you skip any of these steps, you will receive the following error message:
  4. Select Reset passcode.

    Initiate reset
  5. After reset is completed, the temporary passcode is displayed.

    Reset completes
  6. Enter this temporary passcode on your device.
  7. When you’re required to set your new PIN, you must re-enter this temporary passcode, and then enter your new PIN.

For more information about passcode reset, see Reset Android work profile passcodes.

Frequently asked questions

  • Question: Why are apps that I unapproved from the Google Play for Work store not being removed from the Mobile Apps page in the Intune Admin Portal?

    Answer: This is expected behavior.
  • Question: Why are managed Google Play apps not reporting under the Discovered Apps blade in the Intune portal?

    Answer: This is expected behavior.
  • Question: Why are managed Google Play apps that aren’t deployed through Intune displayed in the work profile?

    Answer: System apps can be enabled in the work profile by the device OEM at the time that the work profile is created. This isn't controlled by the MDM provider.

    To troubleshoot, follow these steps:
    1. Collect Company Portal logs.
    2. Note apps that appear in the work profile unexpectedly.
    3. Unenroll device from Intune and uninstall Company Portal.
    4. Install the Test DPC app which allows creation of a work profile without an EMM for testing.
    5. Follow the instructions in Test DPC to create a work profile on the device.
    6. Review apps that appear in the work profile. 
    7. If the same applications show in the Test DPC app, the apps are expected by the OEM for that device.
  • Question: Why is the Wipe (Factory Reset) option not available for my work profile enrolled device?

    Answer: This is expected behavior. In the work profile scenario, the MDM provider doesn’t have full control over the device. The only option available is Retire (Remove Company Data) which removes the whole work profile and all its contents.
  • Question: Why can’t I find the file path Internal storage/Android/data/com.microsoft.windowsintune.companyportal/files on my work profile enrolled device to manually collect Company Portal logs?

    Answer: This is expected behavior. This path is only created for the Device Admin (Legacy Android Enrollment) scenario.

    To collect logs, follow these steps:
    1. In the Company Portal app with the badge, tap Menu > Help > Email Support, and then tap Send Email & Upload logs.
    2. When you are prompted Send help request with, select one of the Email apps.
    3. An email is generated to your IT admin with an incident ID that can be provided to Microsoft product support.
  • Question: I checked the Managed Google Play Last Sync time and it hasn't been updated in days. Why?

    Answer: This is expected behavior. The sync is only triggered when you manually do so.
  • Question: Are Web Applications supported for work profile enrolled devices?

    Answer: Not currently.
  • Question: Is System Center Configuration Manager hybrid supported?

    Answer: It's supported with Configuration Manager 1702 and later versions for work profile management. Dedicated devices (COSU) aren't supported in a hybrid scenario.
  • Question: Is device passcode reset supported?

    Answer: For work profile enrolled devices, you can only reset the work profile passcode on devices running Android 8.0+ when the work profile passcode is managed and the end-user has allowed you to reset it. For Dedicated devices (COSU), device passcode reset is supported.
  • Question: My device is required to be encrypted upon enrollment, is there an option to turn it off?

    Answer: No, encryption is required from Google for the work profile. 
  • Question: Why are Samsung devices blocking the use of third-party keyboards like SwiftKey?

    Answer: Samsung began enforcing this on Android 8.0+ devices. Microsoft is currently working with Samsung on this issue and will post new information when it’s available.

More information

For more information about configuring and managing Android enterprise devices, see the following documents:

You can also post a question in our Microsoft Intune forum here. Many support engineers, MVPs and members of our development team frequent the forums. So, there’s a good chance that you can find someone with the information you need.

If all else fails and you want to open a support request with the Microsoft Intune product support team, you can find information on how to do that here:

How to get support for Microsoft Intune

For all the latest news, information and tech tips, visit our official Intune blogs: