Support Tip: Using Corporate Device Identifiers for Android Enterprise
Published May 16 2019 06:59 AM
Microsoft

Hello everyone, today we have a post from Intune Support Escalation Engineer Matt Butcher. In this post, Matt talks about the use of corporate device identifiers and how they can be used to control the enrollment of your Android Enterprise devices. If you’re tasked with managing Android devices, you’ll want to give this one a quick read. 


=====


The way you use corporate device identifiers will vary based on device type and the scenarios you have in your environment. We get a number of questions from customers on this topic, and we understand it can be tricky, as there are several Android management modes: device admin (legacy), Android Enterprise work profile, fully managed (in Preview 2), and dedicated. A good overview of Android device management is here: https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/How-does-Microsoft-Intune-transf....


What are Corporate Device Identifiers for?
When people ask about corporate device identifiers, they typically want to block personal devices and only allow corporate devices into their environment. In this scenario, corporate device identifiers let you predeclare (whitelist) devices by either IMEI or serial number. If a user with an Intune license then attempts to enroll a personal (BYOD) device, the enrollment is blocked. If that same user attempts to enroll a device whose serial number or IMEI has been predeclared through the corporate device identifiers feature in Intune, it enrolls successfully and is marked as a corporate device. You can read more about this feature here: https://docs.microsoft.com/en-us/intune/corporate-identifiers-add.


How does this work for the various Android scenarios?
For the Device Admin (legacy) scenario, this is a perfectly suitable way to prevent personal devices from enrolling into the Intune service. For Android Enterprise, however, there are a few other considerations to take into account.


Android Work Profile is intended for personal device enrollments, as management is only achieved within the work profile. The personal side of the device remains personal: the Android OS grants IT admins and the Intune service authority over the Work Profile only. With this method there are intended management limitations that may be new to IT admins, most notably:

  • No factory reset
  • No application inventory from personal profile
  • No device level passcode reset

If your scenario includes corporate issued devices that are intended to be used as both a personal device to access social media, for personal calling and texting, etc., but also for accessing company resources like email and Office 365, then using corporate device identifiers to only allow these devices to enroll via Android Enterprise Work Profile is a recommended solution. If, however, the scenario is that the corporate issued devices are meant only “for work, at work” then it is not recommended to use Android Work Profile due to the limitations mentioned above, and instead we would recommend using either Dedicated or Fully Managed.

So how does a Corporate Device Identifier impact the device owner scenarios of Dedicated and Fully Managed?
The short answer is it doesn't, for two main reasons. First, devices enrolled through the device owner scenarios are automatically marked as corporate, so predeclaring these devices is not necessary. Second, corporate device identifiers are only evaluated for Android enrollments performed through the Company Portal app, that is, Work Profile or Device Admin (legacy) enrollments.
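The gate described above, modelled in Python as an added example (not Intune's code): an allow-list of IMEIs and serial numbers that is consulted only for Company Portal enrollments, with dedicated and fully managed enrollments marked corporate without ever touching the list. The header-less two-column "identifier,details" CSV layout, the enrollment method names, and the block_personal flag (standing in for the tenant enrollment restriction that turns away personally owned Android devices, which the post implies but does not name) are this example's assumptions. It also validates IMEIs with the Luhn check digit before accepting them, since a mistyped IMEI in the upload silently becomes a device that is blocked at enrollment.

```python
"""Model of the corporate device identifier gate. Illustrative, not Intune code."""
import csv
import io
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample upload. The header-less "identifier,details" layout is
# an assumption. The last row has a deliberately wrong IMEI check digit.
SAMPLE_CSV = (
    "490154203237518,Sales phone 01\n"
    "356938035643809,Sales phone 02\n"
    "R58M1234ABC,Warehouse tablet (serial number)\n"
    "490154203237519,Typo in IMEI\n"
)

# Enrollment paths as the post groups them (method names are this example's own).
COMPANY_PORTAL_METHODS = {"device_admin", "work_profile"}
DEVICE_OWNER_METHODS = {"fully_managed", "dedicated"}

BLOCKED_NOT_PREDECLARED = "personal device: identifier not predeclared"
BLOCKED_UNKNOWN_METHOD = "unknown enrollment method"


def normalize(identifier: str) -> str:
    """Canonical form for comparison: drop whitespace, upper-case serials."""
    return "".join(identifier.split()).upper()


def imei_is_valid(imei: str) -> bool:
    """An IMEI is 15 digits whose last digit is a Luhn check digit."""
    s = normalize(imei)
    if len(s) != 15 or not s.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(s)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def load_corporate_ids(csv_text: str) -> Tuple[Set[str], List[str]]:
    """Parse the upload; return (accepted identifiers, rejected identifiers).

    A 15-digit identifier is treated as an IMEI and must pass the Luhn
    check; anything else is taken to be a serial number.
    """
    accepted: Set[str] = set()
    rejected: List[str] = []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or not row[0].strip():
            continue
        ident = normalize(row[0])
        if ident.isdigit() and len(ident) == 15 and not imei_is_valid(ident):
            rejected.append(ident)
            continue
        accepted.add(ident)
    return accepted, rejected


@dataclass(frozen=True)
class EnrollmentAttempt:
    method: str                   # one of the method names above
    imei: Optional[str] = None    # as reported by the enrolling device
    serial: Optional[str] = None


def evaluate(attempt: EnrollmentAttempt, corporate_ids: Set[str],
             block_personal: bool = True) -> Tuple[str, str]:
    """Return ("enrolled", ownership) or ("blocked", reason)."""
    if attempt.method in DEVICE_OWNER_METHODS:
        # Dedicated / fully managed: always corporate, list never consulted.
        return ("enrolled", "corporate")
    if attempt.method not in COMPANY_PORTAL_METHODS:
        return ("blocked", BLOCKED_UNKNOWN_METHOD)
    presented = {normalize(x) for x in (attempt.imei, attempt.serial) if x}
    if presented & corporate_ids:
        return ("enrolled", "corporate")
    if block_personal:          # assumed enrollment restriction in force
        return ("blocked", BLOCKED_NOT_PREDECLARED)
    return ("enrolled", "personal")


if __name__ == "__main__":
    ids, bad = load_corporate_ids(SAMPLE_CSV)
    print("accepted:", sorted(ids), "rejected:", bad)
    for a in (EnrollmentAttempt("work_profile", imei="490154203237518"),
              EnrollmentAttempt("work_profile", imei="123456789012345"),
              EnrollmentAttempt("fully_managed", imei="123456789012345"),
              EnrollmentAttempt("device_admin", serial="r58m1234abc")):
        print(a.method, evaluate(a, ids))
```

Running it shows the two behaviours the post calls out: a work profile enrollment with an unlisted IMEI is blocked, while a fully managed enrollment with the same unlisted IMEI is accepted and marked corporate, because the list is never consulted on that path. It also shows why the Luhn check matters: the fourth CSV row is dropped as a typo instead of being uploaded as an identifier no real device will ever match.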


What is this Android Enterprise?

Android Enterprise is Google's set of modern management methods for Android devices. It started with Android 5 (Lollipop) and in future releases will be the only method of management, as shared here:

“Microsoft supports the Google recommendation that all partners and customers move off of device admin management, since Google has announced that they will be removing device admin capabilities in the near future.”


Matt Butcher

Intune Support Escalation Engineer

Microsoft


2 Comments
Microsoft

Thanks Matt. Great stuff. 

Brass Contributor

Hi,


Good article.  However, I have one quick question.  We are currently trialing the 'Corporate-owned, fully managed user devices (Preview)' part of Intune and we would like to only allow corporately issued devices to be fully enrolled.  I was hoping to use the 'Corporate device identifiers' feature to enforce this but after speaking to Microsoft and reading this article it would seem this will not be possible.   Currently our workaround is that only approved admins can enrol devices but going forward we would like to offer a 'self-service' style enrolment option for our end users.  In other words the phone gets sent out directly from our mobile provider and then the user follows some basic instructions to enrol their corporately issued device.
