Sep 16 2020 05:28 AM
I'm looking for some advice on the best practice for setting the first step of Android enrollment in Microsoft Intune/MEM.
What is the best practice for security and management when we choose the managed Google Play account for Intune/MEM?
Using an Azure AD account (with or without an Exchange Online licence), a Google account, or another external account?
Does this account need to have access to a mailbox, and can MFA be used with this account?
Sep 17 2020 12:44 AM
Sep 17 2020 03:28 AM
I agree with @Thijs Lecomte, the Google account is usually a generic account created only for this purpose. With most of my customers, this account is something that is only used for this link.
It is usually owned and stored by the team operating Intune, since they are the ones who need this account.
Most of my customers are using a [random-name-chosen-by-customer]@gmail.com or such for this.
Sep 18 2020 12:46 AM
@Thijs Lecomte Thanks for your answer!
This Gmail account doesn't receive any email we need to check for MEM/Intune or Google Play?
Can we change the password and add MFA for this account without breaking the Intune integration?
I have read that if we lose access to the Google Play account in Intune, to change this account to a new one we need to first retire all enrolled Android devices and then enroll all devices again. This will have a big impact for users, or is there an easier way to do this?
Sep 27 2020 06:20 AM
Oct 26 2020 03:44 PM
@Thijs Lecomte When we want to use Android Zero-Touch, do we need to use the same account (Intune Google Play account) or can these be 2 different accounts?
Apparently Google is asking to use a professional account to access the Zero-Touch portal.
If we use a professional account, does this account also need to have an Exchange Online licence that is always activated, with an enabled mailbox?
Oct 29 2020 11:22 AM
Nov 02 2020 02:47 PM
Thanks, but what would be the best practice for you, with Android Zero-Touch and the Intune Google Play account:
- Two professional accounts.
- Two Gmail accounts (apparently not recommended by Google: it asks to use a professional account to access the Zero-Touch portal).
- Two accounts (1 Gmail & 1 Pro): 1 Gmail account for the Intune Google Play account & 1 professional account for Android Zero-Touch.
- One single professional account. So only one ExO licence and one account to secure. Any disadvantages?
If we use a professional account, does this account also need to have an Exchange Online licence that is always activated, with an enabled mailbox, or don't we need a mailbox?
Do you know, if we also use iOS and Samsung Knox, whether the best practice is to use a different account for each or the same for all? (Google Play, iOS App Store, Android Zero-Touch, Knox)
Nov 03 2020 07:41 AM (Solution)
There aren't really any outlined best practices here.
You don't need an Exchange license per se; you could use this solution - https://msendpointmgr.com/2020/08/08/2-for-1-mail-enable-unlicensed-admin-accounts/
I would use one professional account if possible; it will be the easiest way.