SRPfr
Copper Contributor
Sep 16, 2020

Best practice for the managed Google Play Account in Intune/MEM

Hi All,

I'm looking for some advice on the best practice for setting up the first step of Android enrollment in Microsoft Intune/MEM.

What is the best practice for security and management when we choose the managed Google Play account for Intune/MEM?
Using an Azure AD account (with or without an Exchange Online licence), a Google account, or another external account?
Does this account need to have access to a mailbox, and can MFA be used with this account?

Thanks!

  • Thijs Lecomte
    Bronze Contributor
    I mostly create a general Google account that is shared across the organization and can be linked with Intune.
    The managed Google account is not that important if you would ever lose access. You can link it again and re-add your apps.
    In comparison, if you lose access to your Apple account, you need to re-enroll your device.
    • olastrom
      Brass Contributor

      I agree with Thijs Lecomte, the Google account is usually a generic account created only for this purpose. This account is usually something that is only used for this link with most of my customers. 

      Usually owned and stored by the team operating Intune since they are the ones who need this account. 

      Most of my customers are using a [random-name-chosen-by-customer]@gmail.com or such for this. 

    • SRPfr
      Copper Contributor

      Thijs Lecomte, thanks for your answer!

      This Gmail account doesn't receive any email we need to check for MEM/Intune or Google Play?

      Can we change the password and add MFA for this account without breaking the Intune integration?

      I have read that if we lose access to the Google Play account in Intune, to change this account to a new one, we first need to retire all enrolled Android devices and then enroll all devices. This will have a big impact on users, or is there an easier way to do this?

      Thanks,

      • Thijs Lecomte
        Bronze Contributor
        Hi

        You don't really need to check emails, except if you would require approval for app updates maybe.

        I haven't personally tried enabling MFA on the account. It's something to try out I guess.
