Hello everyone, today we have a post from Intune Support Escalation Engineer Matt Butcher. In this post, Matt talks about the use of corporate device identifiers and how they can be used to control the enrollment of your Android Enterprise devices. If you’re tasked with managing Android devices, you’ll want to give this one a quick read.
=====
The way you use corporate device identifiers is going to vary based on device type and the scenarios you have in your environment. We get a number of questions from customers on this topic, and we understand it can be tricky as there’s device admin (legacy), Android Enterprise, fully managed (in Preview 2), and dedicated. A good overview of Android device management is here: https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/How-does-Microsoft-Intune-transform-Android-enterprise/ba-p/299289.
What are Corporate Device Identifiers for?
When people ask about corporate device identifiers, they typically want to block personal devices and only allow corporate devices into their environment. In this scenario, we can use corporate device identifiers to predeclare (whitelist) devices based on either IMEI or serial number, so that if a user with an Intune license attempts to enroll their personal (BYOD) device, they will be blocked. However, if that same user attempts enrollment of a device whose serial number or IMEI has been predeclared using the corporate device identifiers feature in Intune, it will successfully enroll and be marked as a corporate device. You can read more about this feature here: https://docs.microsoft.com/en-us/intune/corporate-identifiers-add.
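Because an IMEI typo in the predeclared list silently leaves a corporate device blocked at enrollment, it is worth validating identifiers before uploading them. The following is an added example (not code from the original post or from the Intune team) that Luhn-checks IMEIs and builds the upload list; it assumes the import file is a headerless two-column CSV (identifier, details) holding only one identifier type, with details capped at 128 characters, which you should confirm against the linked documentation.

```python
"""Validate IMEIs and build a corporate device identifier import list."""
import csv
import io


def imei_is_valid(imei: str) -> bool:
    """Return True if `imei` is 15 digits and passes the Luhn check digit."""
    digits = imei.replace(" ", "").replace("-", "")
    if len(digits) != 15 or not digits.isdigit():
        return False
    total = 0
    # Luhn: from the rightmost digit, double every second digit and
    # subtract 9 from any doubled value above 9, then sum everything.
    for position, char in enumerate(reversed(digits)):
        value = int(char)
        if position % 2 == 1:
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def build_corporate_identifier_csv(devices: dict) -> tuple:
    """Return (csv_text, rejected) for a mapping of IMEI -> details.

    Only Luhn-valid IMEIs are written; invalid ones are returned so the
    admin can fix the asset inventory instead of uploading a typo.
    Assumed layout: no header, column 1 identifier, column 2 details
    (trimmed to an assumed 128-character limit).
    """
    rejected = []
    buffer = io.StringIO()
    writer = csv.writer(buffer, lineterminator="\n")
    for imei, details in devices.items():
        if not imei_is_valid(imei):
            rejected.append(imei)
            continue
        writer.writerow([imei, details[:128]])
    return buffer.getvalue(), rejected


# Constructed sample inventory: two Luhn-valid IMEIs and one with a typo.
SAMPLE_DEVICES = {
    "490154203237518": "Warehouse scanner 01",
    "356938035643809": "Sales team handset",
    "490154203237519": "Typo in asset sheet",
}

if __name__ == "__main__":
    text, bad = build_corporate_identifier_csv(SAMPLE_DEVICES)
    print(text)
    print("rejected:", bad)
```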
How does this work for the various Android scenarios?
For the Device Admin (legacy) scenario, this is a perfectly suitable way to prevent personal devices from enrolling into the Intune service. However, for Android Enterprise there are a few other considerations to take into account.
Android Work Profile is intended for personal device enrollments, as management is only achieved within the work profile. The personal side of the device remains personal; IT admins and the Intune service are only granted authority over the Work Profile by the Android OS. With this method, there are intended management limitations that may be new to IT admins, most notably:
- No factory reset
- No application inventory from personal profile
- No device level passcode reset
If your scenario includes corporate issued devices that are intended to be used both as a personal device (social media, personal calling and texting, etc.) and for accessing company resources like email and Office 365, then using corporate device identifiers to only allow these devices to enroll via Android Enterprise Work Profile is a recommended solution. If, however, the scenario is that the corporate issued devices are meant only “for work, at work”, then it is not recommended to use Android Work Profile due to the limitations mentioned above, and instead we would recommend using either Dedicated or Fully Managed.
So how does a Corporate Device Identifier impact the device owner scenarios of Dedicated and Fully Managed?
The short answer is it doesn’t, for two main reasons. First, the device owner scenarios are automatically marked as corporate, so predeclaring these devices will not be necessary. Second, corporate device identifiers are only evaluated on Android scenarios when the Company Portal App is used for enrollment using Work Profiles or Device Admin (Legacy).
What is this Android Enterprise?
Android Enterprise is Google’s method of modern management of Android devices. It started with Android 5 (Lollipop) and in future releases will be the only method of management, as shared here:
“Microsoft supports the Google recommendation that all partners and customers move off of device admin management, since Google has announced that they will be removing device admin capabilities in the near future.”
Matt Butcher
Intune Support Escalation Engineer
Microsoft