Microsoft is pleased to announce the ability to manage and protect data on corporate devices that run on Android Open Source Project (AOSP) is generally available with Microsoft Intune as a part of Microsoft Endpoint Manager.
What are Android (AOSP) devices?
Android devices are mainstream. Many of us are familiar and comfortable with the platform. Additionally, Android management has been a key part of the endpoint management and security value offered by Endpoint Manager for a while now. So, what is new in this announcement?
Given the flexibility of the Android platform, not all variations of the core Android Open Source Platform meet Google's certification requirements for integration with Google Mobile Services (GMS). Integration with GMS is required to enable certain capabilities, such as access to the Google Play store and Firebase Cloud Messaging-based push notifications. Many devices that are now becoming critical in enterprise scenarios do not have the ability to leverage GMS but still need to be managed alongside other devices to securely access corporate resources and protect sensitive information.
Microsoft has built a new way to manage devices that run AOSP that do not have access to GMS capabilities. This new platform for corporate devices brings devices that run AOSP alongside other mobile and desktop endpoints, all now managed under one cloud connected platform.
Supported devices
At this time, RealWear devices (running Android 10.0 and later) are the only supported devices for AOSP management in Microsoft Endpoint Manager. With this update, organizations such as American Honda Motor Company can equip their workers with the right tools for the job and use Intune to manage purpose-built devices while protecting company information.
"We're thrilled to see the strength of the partnership and collaboration between Microsoft and RealWear continue with the general availability of Intune AOSP enrollment support for RealWear. As Intune is our standard at Honda, having a seamless and secure experience for our IT team and frontline workers will encourage us to think even bigger about more use cases for the device in manufacturing and training."
In April 2022, Microsoft announced plans to bring together a series of advanced endpoint management capabilities in Microsoft Endpoint Manager. The management of specialty devices is planned to be a part of that future premium portfolio of cost-effective offerings.
For now, you will only require a subscription to Microsoft Intune to manage and protect RealWear devices. When we are ready to launch our new plans for advanced endpoint management, an additional license will be required to manage and protect specialty devices, including RealWear, as an add-on to your subscription that includes Microsoft Intune. For more information, see Managing Specialty devices with Microsoft Intune.
Streamlined provisioning
Microsoft's solution for managing Android (AOSP) devices provides two provisioning modes for corporate devices, giving organizations the flexibility to choose based on the business use case.
- Provisioning a device that is directly affiliated to a single user.
- Provisioning a shared/multi-user device that leverages Azure Active Directory Shared Device Mode and may be considered user-less.
The ability to create multiple enrollment profiles for each mode allows greater flexibility on leveraging the enrollment profile to manage the applicable set of policies.
Provisioning is initiated by scanning a QR code on a device, which downloads the Microsoft Intune app, the Authenticator app, and the Microsoft Company Portal app, everything required for a seamless enrollment process. Then, the user is guided through the set-up process so they can be productive quickly. Here is what the end user provisioning flow looks like when provisioning an Android (AOSP) device:
The user is kept within the provisioning flow until the full registration and enrollment steps are complete. This helps ensure that no corporate data can be accessed on the device prior to it being managed and protected.
Device configuration and compliance
Once provisioned, IT can create policies specific for the business scenario and the needs of the workers using AOSP devices without impacting policies created for other Android deployments. With the introduction of a new Android platform option, organizations can be comfortable in the knowledge that they are able to craft similar policies that will only impact targeted devices of this platform, and not be universally applied.
Administrators can create Android (AOSP) policies without impacting other Android deployments
Support for certificates and Wi-Fi profiles
Analogous to other platforms, Android (AOSP) management in Endpoint Manager allows IT to deploy specific certificates and Wi-Fi profiles to managed devices. For many organizations, it is critical to ensure network access is locked to allow only approved locations and authenticated networks.
- When deploying policies for the devices running Android (AOSP), IT has the ability to deploy root and trusted certificates, Public Key Cryptography Standards (PKCS) certificates, and Simple Certificate Enrollment Protocol (SCEP) certificates.
- Wi-Fi profiles can be crafted to support simple password authentication or more rigorous certificate-based authentication that uses the pre-deployed certificates.
Deploying a Wi-Fi profile leveraging cert-based authentication
After provisioning, the ability to define which networks are allowed, combined with IT-approved authentication methods, is key to rolling out corporate devices in a way that aligns with the Zero Trust principles of verifying explicitly and granting least-privilege access.
Enforcing device restrictions and compliance requirements
With Endpoint Manager, you can enforce restrictions on what device capabilities can and cannot be used to meet your organizational standards. Further, you can also apply device compliance policies that can prevent access to corporate resources from devices that do not meet the minimum requirements.
Android (AOSP) device restrictions overview
For example, you can allow workers to use the camera and do screen captures to accomplish their assigned task but prevent them from wiping the device or installing apps from non-approved locations.
Consistent endpoint management
Once enrolled in Microsoft Intune, Android (AOSP) devices will be included in the "All Devices" inventory, allowing them to be managed alongside the rest of your devices in a single location. This provides a holistic view of your device estate and allows you to use sorting filters (e.g. by OS version, by platform, etc.) as needed.
As with devices from other platforms in the Endpoint Manager admin center, you will have access to the device inventory and remote actions — such as wipe, remote lock, and PIN reset — on a per-device basis.
End user experiences
On a managed Android (AOSP) device, the Microsoft Intune app enables many of the same capabilities and experiences that users have access to on other devices. These include the ability for users to:
- See all their managed devices in the application.
- Check the compliance status of their current device and remediate it if necessary.
- Upload logs and discover support information.
Looking ahead
In addition to the capabilities above, Endpoint Manager provides a broad range of other management and security capabilities — for example, app protection policies — that you can use with AOSP devices. We will continue to build out our platform support to enable the full range of capabilities you would expect, including, but not limited to:
- Application management
- VPN management
- Ability to locate and rename the device
We are committed to developing support for a wide variety of workloads and user scenarios in new ways. With the general availability of the platform to manage Android (AOSP) devices, organizations can now empower users to be productive on more devices than ever before. Our ongoing investment in Android (AOSP) platform support offers organizations the flexibility of choosing the right device for a specific job while maintaining the confidence it can be managed and protected.
Get started
You can start to adopt Microsoft Intune for Android (AOSP) device management today with full support from Microsoft. To learn how to provision and configure AOSP devices, documentation is available here.
As always, we want to hear from you!
You can let us know about your Endpoint Manager and Android AOSP corporate device experiences through comments on this blog post or reach out to @IntuneSuppTeam on Twitter. Tweet your feedback about Microsoft Endpoint using the hashtag #MEMpowered. Keep up with ongoing developments on Endpoint Manager by following the Microsoft Endpoint Manager Blog and @MSIntune on Twitter.