I’ve been working with quite a bit of Android device management recently, of course with Microsoft Intune. Since Microsoft added support for Android Fully Managed in particular, I’ve seen a spike in demand. It seems like companies had Intune licences and Android devices, but not a great story to tie the two together. Just my observations though.
A very brief history of managing Android devices is, well, confusing. You’d be forgiven for thinking there simply was no management available. You’d also be forgiven for using “Android for Work” in a similar conversation, as that was valid, but isn’t really now. Welcome to the current (not really new) terminology – Android Enterprise.
We can’t talk about Android management without mentioning a guy called Jason Bayton. He shares a huge amount of useful info all around the Android platform and nicely explains the history and where we are with Android Enterprise.
I’m also going to call out my WMUG friend and colleague Leon Ashton-Leatherland, who is somewhat of an Android enthusiast and has taught me much about the platform. He has also blogged similarly on his own blog – https://leonashtonleatherland.blogspot.com/
If you’re not familiar and haven’t read Jason’s post (you should), then we have 4 main flavours of Android Enterprise, of which Microsoft Intune currently supports 3.
Work profile – The end user controls the whole device, and you have a ‘container’ area on the device for corporate applications, hence the profile. The user can also temporarily disable this if they don’t want work notifications coming through to the device on a weekend away. It is also commonly used for BYOD purposes.
Fully Managed – As the name suggests, these are fully managed by the IT admin. Commonly these devices are company-owned and the company wishes to retain a level of lockdown on the device as they are handling company data.
Dedicated Device – In a nutshell, kiosk devices. This is for dedicated uses such as the kind you see for self-service order points and shared single-purpose devices in other public areas. These can be dedicated to a single application or run multiple applications.
What’s missing? Well, that would be Fully Managed + Work Profile. That is, the device is fully owned and managed, often with a light policy applied to give the user a level of freedom on the device but with a work profile for handling the corporate apps and data. Microsoft Intune does not currently support this combination but may do one day.
It’s also worth noting that I’m referring to Microsoft Intune a lot. If you are reading this a few months down the line from me writing it, then the product is likely called Microsoft Endpoint Manager or some variation of that, due to the re-branding announced at Microsoft Ignite 2019.
I’ve worked on each configuration and blogged the how-to guides accordingly.
One thought on “Android Enterprise and Microsoft Intune”
Hi, I have found your detail through my desperation to find out just what has happened with Intune and setting up Android devices. I am fairly new to Intune (MEM) at my recent employers and have been tasked with managing our devices (many are truly mobile) basically ensuring the security is up to date as required by Cyber Essentials.
I was under the impression that mobile OSs in general kept up to date with the latest releases until they could go no further. So I’m not entirely sure what MEM can do. I have noticed in the compliance section of Android I can set the min OS version, however if memory serves me correctly this does rely on the phone age, so some phones will not be able to move from say 8 to 9, so I’d have to figure out which phone type it is and create a relevant policy, or have I got that wrong?
So, have you any advice on what to do with Android Enterprise and MEM? To be honest I’m a bit stumped and gutted.
I’m going to watch your presentation at the WMUG and see if there are any clues in there, at least it’s recent!!