Microsoft adds Android Open Source Project device management
Published Oct 19 2021 06:00 AM
Microsoft

Keeping frontline workers digitally connected is a strategic differentiator for many organizations. They need the tools and resources to be productive.

Microsoft is pleased to announce the ability to manage devices that run on Android Open Source Project (AOSP) in a Microsoft Endpoint Manager public preview. With an increasing number of these purpose-built, mobile devices used by workers in the enterprise on the frontline, organizations need an easy way to enable workers to safely use collaboration and productivity apps, like Teams, while protecting company data that is shared when performing critical workflows.

RealWear is the first Android (AOSP) device that will be supported by Endpoint Manager for corporate AOSP management. With the Teams integration on RealWear devices announced last year, Microsoft customers can add RealWear devices to their digital estate at scale and use Endpoint Manager to manage and protect the endpoint experience for their frontline workers in the same place where they manage endpoints for their information workers.

Devices that run Android (AOSP) do not have access to Google Mobile Services (GMS), such as the Google Play store and the capabilities delivered in Google's Android Enterprise management offering, and therefore require a new management approach in Microsoft Endpoint Manager.

Unified cloud management for Android devices

Endpoint Manager is a market leader in providing unified, cross-platform cloud management of devices used by workers in remote or hybrid work environments as well as those on the frontline.

Today, Endpoint Manager supports the following Android device management methods:

  • Android Enterprise solutions - personally-owned devices with a work profile, corporate-owned devices with a work profile, fully managed devices, and dedicated devices.
    • Android Enterprise solutions require that devices reliably connect to GMS and as a result are not a viable management option for devices running AOSP.
  • Device Administrator management
    • Starting with Android 10, Google is gradually decreasing the management functionality associated with the Device Administrator mode. This limits the ability of administrators to manage the devices as device manufacturers (OEMs) develop new capabilities.

Without support from Endpoint Manager, organizations will not be able to bring AOSP devices into their device management fold. The launch of AOSP management for corporate devices will help bring the specialty, or purpose-built devices, used on the frontline and across the organization together in one cloud connected platform with their other mobile and desktop endpoints.

Simplified enrollment and compliance

Microsoft is launching support for managing Android (AOSP) in preview in the 2110 release of Endpoint Manager. This includes:

  • Device provisioning via QR code for user affiliated devices and shared/multi-user devices
  • Device configuration
  • Device compliance and conditional access

Device Provisioning

With the new AOSP management option for corporate devices, the device can be provisioned either as a device assigned to a single user (a user-associated device) or as a shared device. This matters because it gives organizations flexibility in how they deploy the device. For example, RealWear devices can now be deployed so that a fleet of frontline workers at a common location share devices, which may reduce the total cost of endpoint ownership. Alternatively, RealWear devices can be provisioned for single use where frontline workers are widely dispersed, enabling each worker to complete their specific tasks when required and giving organizations the choice of how to securely manage the device.

Figure 1: Android AOSP enrollment profiles in Endpoint Manager admin console

In both scenarios, you can create multiple enrollment profiles with unique tokens. The enrollment profile will allow you to include the network needed to initiate and complete provisioning.

Figure 2: Sample enrollment profile for Android (AOSP) devices

Once the profile has been created, the QR code can be retrieved and sent to the end user to complete the provisioning. The end-to-end experience is aligned with how other corporate Android devices are provisioned in Endpoint Manager today.

End user enrollment

During the first-run experience on the RealWear device, the end user is guided to scan the admin-provided QR code and to accept the prompt to continue the enrollment process.

Figure 3: End user is prompted to scan the QR code to initiate the first-run experience

Figure 4: End user is notified and prompted to accept provisioning as a corporate device

After the end user accepts and starts the enrollment process, the Microsoft Intune app and the Microsoft Authenticator app are downloaded to the device and the user is guided through the provisioning experience. As illustrated below, the Microsoft experience for AOSP management ensures a shared device can be easily registered and provisioned without requiring any user credentials, allowing the device to be managed in a user-agnostic fashion.

Figure 5: Microsoft Authenticator provisioning process is initiated

Figure 6: Device enrollment is automatically initiated during provisioning

Figure 7: User is notified when the device is provisioned and ready for use

During the entire process, the user is locked into the Intune provisioning flow until registration and enrollment are complete. This ensures that no corporate data is accessed on the device before it is managed. It also prevents end-user confusion that would arise if management policies interrupted an ongoing session, resulting in a better end-to-end experience. Once provisioning is complete, the user can access the RealWear home screen.

Figure 8: End user accesses the device home page to start using the device


Device Configuration and Compliance

Endpoint Manager also gives organizations the flexibility to manage Android (AOSP) devices independently of how they manage devices under other Android management modes. They can configure Android (AOSP) devices to comply with their data protection policies and practices for specific user scenarios and specialty device use, without impacting the policies created for Android Device Administrator and Android Enterprise managed devices.

Figure 9: Administrators can create Android (AOSP) policies without impacting other Android deployments

For example, organizations can apply compliance policies to ensure that only RealWear devices running a minimum approved OS version of at least Android 10.0 can access corporate data.

Figure 10: Android (AOSP) compliance policy overview

Additionally, the organization can configure the device to block Bluetooth on the device or prevent the user from factory resetting the device on their own.

Figure 11: Android (AOSP) device restrictions policy overview

Consistent approach to endpoint management

Once a device is enrolled it can be managed from the Endpoint Manager portal. This means that Android AOSP devices will be included in the “All Devices” inventory in the Endpoint Manager portal. With filters, administrators can choose to selectively view just the Android AOSP devices.

Figure 12: Filter Android (AOSP) devices in the All Devices list

Additionally, Endpoint Manager allows the administrator to see the device properties and provides access to remote actions, such as Wipe and Delete, for added protection of potentially sensitive information.
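The compliance policy (minimum OS version of Android 10.0), the device restrictions (Bluetooth blocked, factory reset blocked) and the AOSP filter on the All Devices list described above, worked through as an added example. This is illustrative code written for this post, not Microsoft's or Intune's implementation: the inventory records, the field names, the `AndroidAOSP` platform label and the rule names are all constructed assumptions. The one thing it demonstrates that the text does not is why the minimum-version rule must compare version numbers numerically rather than as strings.

```python
from dataclasses import dataclass


@dataclass
class Device:
    """One row of a constructed device inventory (field names are assumptions)."""
    name: str
    platform: str              # e.g. "AndroidAOSP", "AndroidEnterprise", "Windows"
    os_version: str            # OS version string as reported by the device
    bluetooth_enabled: bool
    factory_reset_allowed: bool


@dataclass
class AospPolicy:
    """Settings of the kind the post describes, with the values it mentions."""
    os_minimum_version: str = "10.0"
    bluetooth_blocked: bool = True
    factory_reset_blocked: bool = True


def parse_version(version: str) -> tuple:
    """Turn '10.0.1' into (10, 0, 1). Non-numeric text in a component is dropped,
    so a suffix such as '11.0-beta' still compares on its numbers."""
    parts = []
    for component in version.strip().split("."):
        digits = "".join(ch for ch in component if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(actual: str, minimum: str) -> bool:
    """Numeric, component-wise comparison. A plain string comparison gets this
    wrong: '9.1' >= '10.0' is True as strings because '9' sorts after '1'."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    a += (0,) * (width - len(a))       # treat '10' the same as '10.0'
    m += (0,) * (width - len(m))
    return a >= m


def filter_aosp(devices):
    """The equivalent of filtering the All Devices list down to AOSP devices."""
    return [d for d in devices if d.platform == "AndroidAOSP"]


def evaluate(device: Device, policy: AospPolicy) -> list:
    """Return the names of the settings the device fails; empty list means compliant."""
    failures = []
    if not version_at_least(device.os_version, policy.os_minimum_version):
        failures.append("minimum OS version")
    if policy.bluetooth_blocked and device.bluetooth_enabled:
        failures.append("Bluetooth blocked")
    if policy.factory_reset_blocked and device.factory_reset_allowed:
        failures.append("factory reset blocked")
    return failures


def compliance_report(devices, policy: AospPolicy) -> dict:
    """Map each AOSP device name to the list of settings it fails."""
    return {d.name: evaluate(d, policy) for d in filter_aosp(devices)}


# Constructed inventory: these are not real devices.
INVENTORY = [
    Device("hmd-001", "AndroidAOSP", "10.0", False, False),
    Device("hmd-002", "AndroidAOSP", "9.1", True, False),         # old OS, Bluetooth on
    Device("hmd-003", "AndroidAOSP", "11", False, True),          # user can factory reset
    Device("phone-01", "AndroidEnterprise", "12", True, True),    # not an AOSP device
    Device("laptop-01", "Windows", "10.0.19043", True, True),     # not an AOSP device
]

if __name__ == "__main__":
    for name, failed in compliance_report(INVENTORY, AospPolicy()).items():
        status = "compliant" if not failed else "noncompliant: " + ", ".join(failed)
        print(f"{name}: {status}")
```

Only the three AOSP devices appear in the report, mirroring the separation between AOSP policies and the other Android management modes; the Android Enterprise phone and the Windows laptop are never evaluated against the AOSP policy.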

Coming soon

A few scenarios are not yet supported in this preview release but will be completed when we roll this capability out for general availability, including:

  • Certificate and Wi-Fi management
  • App protection policies on user-associated devices
  • End user experiences - such as providing device compliance information in the Microsoft Intune app
  • Filters and scope tags
  • Additional remote actions, for example PIN reset

At present, RealWear devices (running Android 10.0 or later) are the only supported devices for AOSP management in Endpoint Manager. We are working to expand the portfolio of supported devices and will share more details as appropriate. We are committed to empowering organizations to support a wide variety of workloads and user scenarios in new ways. For example, many virtual or augmented reality devices also run AOSP. With endpoint management, onsite training scenarios or remote assistance for technicians across dispersed locations can be delivered in a way that is configured and deployed to meet the evolving need for single and shared use specialty devices.

Get started

You can try out the new capabilities to manage your RealWear devices running Android (AOSP) knowing that you have full support from Microsoft. To learn how to provision and configure AOSP devices, documentation is available here. For more information on the Endpoint Manager public preview program, see the Public preview overview page in the Microsoft Intune documentation.

As always, we want to hear from you!

You can let us know about your Endpoint Manager and Android AOSP corporate device experiences through comments on this blog post or by reaching out to @IntuneSuppTeam on Twitter. Tweet your feedback about Microsoft Endpoint Manager using the hashtag #MEMpowered. Keep up with ongoing developments on Endpoint Manager by following the Microsoft Endpoint Manager Blog and @MSIntune on Twitter.

Last update: Oct 20 2021 07:01 AM