Tech Community Live: Endpoint Manager edition
Jul 21 2022, 08:00 AM - 12:00 PM (PDT)

Archive: Intune announces preview of support for Android corporate-owned, fully managed devices

Published Jan 17 2019 01:58 PM 49.9K Views

By Arnab Biswas | Intune Program Manager

 

Updated 12/19/19 - We have received over 300 comments on the Android preview blog posts, and in those comments and occasional subsequent support cases, you helped us deliver Android Enterprise Fully Managed as generally available. You provided over 58 pieces of actionable feature feedback based on your experience with preview.

More information about the GA release can be found in our blog here: Microsoft Intune support for Android Enterprise fully managed devices is now generally available.

As this feature is now GA, new comments on this post will be turned off. As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page or our Twitter @IntuneSuppTeam. Your continued feedback helps make the product better, we are grateful for this community, thank you!

 

Updated 7/23/19: We have made progress with our Fully Managed support. You can find more updates and discussions on these developments on the following blog posts:

 

Updated 4/17/19: You may notice a new app in Google Play – it’s called the Microsoft Intune app. This app is in preview for new functionality for fully managed devices. We are rolling out the end-to-end scenario with this app and we expect it to be live by the first part of the 4/22/2019 week. More on this expanding workflow will be posted shortly!

 

Today we are releasing a preview of Android corporate-owned fully managed (formerly called Corporate Owned, Business Only (COBO) by Google) device management scenarios in Intune. This is Intune’s newest addition to its list of Android Enterprise management capabilities preceded by work profiles and dedicated (kiosk) devices. 

 

NOTE - the preview is rolling out today - 1/17/19 and is expected to finish up by end of day. If you're on Government Cloud please note this may take until 1/18/19 to see the preview feature.

 

Android fully managed is one of the “device owner” management scenarios in the Android enterprise solution set that enables productivity scenarios for users on corporate devices while allowing IT admins to manage the entire device with an extended set of policy controls. This complements the Android Enterprise dedicated device solution set we released last year, which was focused on task workers and user-less devices. The extended policy capabilities in fully managed scenarios are only intended for corporate devices, which is why there are more controls and settings available here than on personal devices with work profiles. Combining the capabilities of these three solution sets now provides you more control over your Android device landscape.

 

Android fully managed is one of the “device owner” management scenarios in the Android Enterprise solution set that enables productivity scenarios for users while allowing IT admins to manage the entire device and enforce an extended range of policy controls, beyond that which is possible with work profiles on personal devices. Fully managed devices are company-owned general-purpose Android devices that are associated with a single user. These devices are assigned to individuals for getting their work done.

 

What is available in preview?

In today’s release, our Android fully managed preview focuses on device enrollment, configuration and app distribution scenarios. Our goal for this preview is to demonstrate the Android fully managed capabilities that we have built and gather feedback and iterate before this feature becomes generally available in Intune.

 

This preview supports the following Android fully managed scenarios in Intune:

  • Device enrollment using NFC, token entry, QR code and Zero Touch
  • Device configuration for user groups
  • App distribution and configuration for user groups
 
There are a few scenarios not supported in this preview but will be completed for general availability, including:
  • Conditional access
  • Device compliance
  • App protection policies
  • Device group targeting
  • Certificate management
  • Knox Mobile Enrollment
  • Company Portal app for end-user scenarios
 
These scenarios may not function as expected on Android fully managed devices during this preview.
 
Device enrollment for Android fully managed devices
We’ve started with enrollment since this is the first step the IT admin and user must take to bring the device under IT management. The IT admin enables enrollment for fully managed devices in the Intune tenant. This generates a single enrollment token and QR code to be used for enrolling fully managed Android devices to the tenant. This single token is valid for all your users and will not expire; note that this token is for Microsoft Intune and is not specific to your tenant. A user requires both the enrollment token and valid user credentials to authenticate and enroll a device to your organization. The enrollment token can be disabled by the IT admin to prevent enrollment of fully managed devices.

 

QRCode.png

Enable corporate-owned fully managed device enrollment to generate QR code for enrollment.

 

Android fully managed devices support a variety of enrollment methods such as NFC, token entry, QR code and Zero Touch. These enrollment methods can be initiated on a new or factory-reset device so that the device is enrolled, user affinity is established, and device configuration policies are applied when the device is being set up for the first time. Enrollment options for Android devices are in documentation here: https://docs.microsoft.com/intune/android-enroll.

 

You can see the enrollment workflow in the short clip posted below. 

 

Device configuration for Android fully managed devices

Device settings that apply to device owner in Intune are supported on Android fully managed devices. This means that IT admins can configure more advanced device-level settings on a fully managed device than on a work profile such as allow app installation only from managed Google Play, block uninstallation of managed apps, prevent users from factory resetting devices, control system update behavior, and more.

 

Note that dedicated device or kiosk settings are not applicable to Android fully managed devices. This preview supports targeting of device configuration policies to user groups only. Deploying device configuration policies to device groups may not function as expected during this preview.

 

App distribution and configuration for Android fully managed devices

Like existing Android enterprise scenarios (work profile and dedicated devices) in Intune, apps are distributed to Android fully managed devices using managed Google Play. In addition, you can use app configuration policies to supply settings to managed apps. You can configure email or VPN app settings in this manner as well.

 

Note that this preview supports deploying apps to user groups only. Deploying apps to device groups may not function as expected during this preview.

 

What are we still working on?

We are continuing to build Android fully managed support for the following key Intune features that will be announced when Android fully managed becomes generally available:

  • Conditional Access and compliance policies
  • App Protection Policies
  • Knox Mobile Enrollment
  • Certificate management
  • Device group targeting for profiles and apps
  • Dedicated user interface for configuring email, Wi-Fi or VPN
  • A new end-user app.

 

Known issues

  • You may need to tap on “Please click here to continue…” to complete device enrollment: during enrolling a fully managed device, you may see this page. Tap on “Please click here to continue…” to complete device enrollment.

 select here to continue.png

 

Customer support for this preview

Note that the preview features are implemented to Microsoft Intune production standards. However, not all Intune features are available to be used with Android fully managed user devices during the preview as outlined above. The preview features are fully supported through our usual Intune support channels and are clearly labeled with “(preview)” in the Intune console.

 

How to reach us?

As you review the Android fully managed preview scenarios, we would love to hear your feedback on IT admin's enrollment profile configuration and end-user's device enrollment experiences.

 

Keep us posted on your Android plans through comments on this blog post, through Twitter (#IntuneSuppTeam), and on UserVoice.

 

Documentation:

Blog post updates:

  • 12/19/19 with an update that this preview feature is now GA!
44 Comments
Version history
Last update:
‎Dec 19 2019 10:16 AM
Updated by: