cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Best practice for the managed Google Play Account in Intune/MEM

SRPfr
Copper Contributor

‎Sep 16 2020 05:28 AM

‎Sep 16 2020 05:28 AM

Best practice for the managed Google Play Account in Intune/MEM

Hi All,

 

I'm looking for some advice on the best practice for setting the first step of Android enrollment in Microsoft Intune/MEM.

 

What is the best practice for security and management, when we choose the managed Google Play account for Intune/MEM ?
Using an AzureAD account (with or without exchange online licence), a Google account, or other external account ?
Does this account need to have access to a mailbox and MFA can be used with this account ?

 

Thanks !

Labels:
9,622 Views
0 Likes
10 Replies
Reply
10 Replies
Thijs Lecomte

‎Sep 17 2020 12:44 AM

‎Sep 17 2020 12:44 AM

Re: Best practice for the managed Google Play Account in Intune/MEM

I mostly create a general Google account that is shared across the organization and can be linked with Intune.
The managed Google Account is not that important, if you would ever loose access. You can link it again and re-add your apps.
In comparison, if you loose access to your Apple account, you need to re enroll your device
2 Likes
Reply
olastrom

‎Sep 17 2020 03:28 AM

‎Sep 17 2020 03:28 AM

Re: Best practice for the managed Google Play Account in Intune/MEM

I agree with @Thijs Lecomte, the Google account is usually a generic account created only for this purpose. This account is usually something that is only used for this link with most of my customers. 

Usually owned and stored by the team operating Intune since they are the ones who need this account. 

Most of my customers are using a [random-name-chosen-by-customer]@gmail.com or such for this. 

1 Like
Reply
SRPfr

‎Sep 18 2020 12:46 AM

‎Sep 18 2020 12:46 AM

Re: Best practice for the managed Google Play Account in Intune/MEM

@Thijs LecomteThanks for your answer !

This gmail account doesn't receive any email we need to check for MEM/InTune or Google Play ?

Can we change the password and add MFA for this account without breaking InTune integration ?

 

I have read that if we loose access to the Google Play account in InTune, to change this account with a new one, we need first retire all enrolled Android device and then enroll all devices. This will have a big impact for user, or there is a easier way to do this?

 

Thanks,

0 Likes
Reply
Thijs Lecomte

‎Sep 27 2020 06:20 AM

‎Sep 27 2020 06:20 AM

Re: Best practice for the managed Google Play Account in Intune/MEM

Hi

You don't really need the check emails, except if you would require approval for app updates maybe.

I haven't personally tried enabling MFA on the account. It's something to try out I guess.
1 Like
Reply
SRPfr

‎Oct 26 2020 03:44 PM

‎Oct 26 2020 03:44 PM

Re: Best practice for the managed Google Play Account in Intune/MEM

@Thijs Lecomte When we want to use Android Zero-Touch, do we need to use the same account (Intune Google Play Account) or this can be 2 different account ?

Apparently Google is asking to use a professionnal account to access to Zero-Touch portal.

If we use a professional account, this account need also to have an Exchange Online licence always activated with an enabled mailbox ?

 

Thanks !

0 Likes
Reply
Thijs Lecomte

‎Oct 29 2020 11:22 AM

‎Oct 29 2020 11:22 AM

Re: Best practice for the managed Google Play Account in Intune/MEM

Yeah, you can use a different account. They are essentially two different things
0 Likes
Reply
SRPfr

‎Nov 02 2020 02:47 PM

‎Nov 02 2020 02:47 PM

Re: Best practice for the managed Google Play Account in Intune/MEM

@Thijs Lecomte 

Thanks, but what will be the best practice for you, with Android Zero-Touch and Intune Google Play Account :

- Two Professional Accounts.

- Two Gmail Accounts (Apparently not recommended by Google : is asking to use a professionnal account to access to Zero-Touch portal).

- Two Accounts (1 Gmail & 1 Pro) : 1 gmail Account for Intune Google Play Account & 1 Professional Accounts for Android Zero-Touch

- One unique Professional Account. So only one ExO licence and one account to secure. Any disadvantage ?

 

If we use a professional account, this account need also to have an Exchange Online licence always activated with an enabled mailbox or we don't need a mailbox ?

 

Do you know if we use also iOS and Samsung Knox : Best practice will be to use one different account for each or the same for all ? (Google Play, iOS AppStore, Android Zero-Touch, Knox) 

 

Thanks,

 

0 Likes
Reply
best response confirmed by SRPfr (Copper Contributor)
Thijs Lecomte

‎Nov 03 2020 07:41 AM

‎Nov 03 2020 07:41 AM

Solution

Re: Best practice for the managed Google Play Account in Intune/MEM

@SRPfr 

There isn't a real, outlined best practices here.

 

You don't need a Exchange license per say, you could use this solution - https://msendpointmgr.com/2020/08/08/2-for-1-mail-enable-unlicensed-admin-accounts/

 

I would use one Professional account if possible, will be the easiest way

1 Like
Reply
SRPfr

‎Dec 21 2020 03:59 PM

‎Dec 21 2020 03:59 PM

Re: Best practice for the managed Google Play Account in Intune/MEM

@Thijs LecomteThanks,

An a very usefull article !

0 Likes
Reply
MichaelOliv

‎Dec 22 2023 03:14 AM

‎Dec 22 2023 03:14 AM

Re: Best practice for the managed Google Play Account in Intune/MEM

Hello,

Sorry I refresh an old post. ;)

But it's the one that I find for my research.

Is it a good thing to use the same account for managed Google Play and for the factory reset protection please?
I ask this because when I trie to connect to my Managed Google play account, it ask me to verify my account with phones that I don't have anymore. I think it's phones where the account was used to do a factory reset.

So I think it's better to have 2 differents accounts but I need your advice on this. ;)

And other question that was not answer here 2 years ago but now maybe. Is there an impact of adding an MFA method to the Managed Google play account? To avoid this problem of verification with phones that I don't have.
I thinks there is no problem but I need to be sure. If I remember correctly it's not possible to have no more MFA configuration in gmail if we had one previously.
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by SRPfr (Copper Contributor)
Thijs Lecomte

‎Nov 03 2020 07:41 AM

‎Nov 03 2020 07:41 AM

Solution

Re: Best practice for the managed Google Play Account in Intune/MEM

@SRPfr 

There isn't a real, outlined best practices here.

 

You don't need a Exchange license per say, you could use this solution - https://msendpointmgr.com/2020/08/08/2-for-1-mail-enable-unlicensed-admin-accounts/

 

I would use one Professional account if possible, will be the easiest way

View solution in original post

1 Like
Reply