Controlling those devices

Intune/Endpoint Manager is Microsoft's implementation for modern Mobile Device Management (MDM) and Mobile Application Management. The primary use cases include device provisioning, configuration and preventing accidental data leakage. Some example operations would be pushing a WiFi profile to a device, requiring a passcode to access corporate email, or installing a custom Line Of Business app.

Enrollment

Enrollment is the term for bringing a device (Android in this case) under MDM management. It is somewhat similar to joining a Windows device to a domain, and using group policy to modify system settings etc. There are four main enrollment types along with a legacy type.

Personally owned devices with a work profile

  • For BYOD devices.
  • Installs work apps into an isolated work profile.
  • Administratively limits the information gathered, and control over device.
  • Examples: you can require a passcode, but it applies only to apps in the work profile, not the whole device; personal apps/data are not visible to Intune.

Corporate owned, fully managed user devices

  • Adds management for the whole device.
  • Examples: you can apply a passcode globally to the device; you can factory reset the entire device.
  • All apps/data visible to Intune.

Corporate owned devices with a work profile

  • Fully managed.
  • For corporate owned devices that allow personal use.
  • Enhances user privacy by isolating personal data from work data.

Corporate owned dedicated devices

  • Typically for single-use devices (kiosks, etc.).

Device administrator

  • Legacy, mostly deprecated as of Android 5.
  • May be required if Android Enterprise is not available in your region (this includes China).
  • Some devices require this enrollment type (this includes HoloLens and Teams phones).

Enrolling a personally owned Android device

Prerequisites

  1. A user account with an Intune license (Microsoft Intune licensing). I use E3, which runs about $9 a month.
  2. A linked Managed Google Play account (Connect your Intune account to your Managed Google Play account).

In Microsoft Endpoint Manager admin center:

  • Under Devices > Enroll devices > Enrollment restrictions, click the All users link.
  • Click the Properties link on the next page.
  • Verify that Personally owned is set to Allow.

On your Android device:

  • Download the Intune Company Portal app.
  • Enter the credentials for your user and complete the enrollment process (mostly clicking Next and Continue).

Once the enrollment is complete we can see the Android work apps.

These are identified by the briefcase icon.

Personal devices in the Microsoft Endpoint Manager console

Before we wrap this up, let's take a quick look at the device from the admin side. One of the differences between a corporate owned device and a personal one is that much of the information is obfuscated. This includes apps: on a corporate device, Discovered apps would contain a list of all apps on the device, including pre-installed and system apps. From here we can begin assigning policies, apps, etc. for testing. I will take a look at Email profiles and Conditional Access in a future post. This is where most organizations start with MDM (assigning email profiles and creating a secure framework around email access).
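The "Verify that Personally owned is set to Allow" step above is a portal click, but the same setting can be audited programmatically, which is handy when you want to confirm the tenant's enrollment restrictions from a script rather than a screenshot. The following is an added example written for this page, not code from the post or from Microsoft. It assumes the Microsoft Graph beta endpoint `deviceManagement/deviceEnrollmentConfigurations` and the `androidForWorkRestriction` / `platformBlocked` / `personalDeviceEnrollmentBlocked` field names of the `deviceEnrollmentPlatformRestrictionsConfiguration` resource, and it assumes the default "All users" restriction carries an id ending in `_DefaultPlatformRestrictions`. The JSON response embedded in the block is constructed for the example and is not real tenant data; the live fetch helper is included but not called by the offline demo.

```python
"""Audit whether personally owned Android work-profile enrollment is allowed.

Added example (not from the original post). It evaluates the enrollment
restriction configurations that the admin center shows under
Devices > Enroll devices > Enrollment restrictions, as returned by
  GET https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations
Field names follow the Graph deviceEnrollmentPlatformRestrictionsConfiguration
resource; the sample response below is constructed, not real tenant data.
"""
import json
import urllib.request

GRAPH_URL = "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations"
PLATFORM_RESTRICTIONS_TYPE = "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration"

# Constructed sample shaped like a Graph response: the default "All users"
# restriction allows personal Android work-profile enrollment, a second
# restriction blocks it, and an enrollment-limit config is present to show
# that unrelated configuration kinds are skipped.
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {
            "@odata.type": PLATFORM_RESTRICTIONS_TYPE,
            "id": "00000000-0000-0000-0000-000000000000_DefaultPlatformRestrictions",
            "displayName": "All users",
            "androidForWorkRestriction": {
                "platformBlocked": False,
                "personalDeviceEnrollmentBlocked": False,
            },
        },
        {
            "@odata.type": PLATFORM_RESTRICTIONS_TYPE,
            "id": "11111111-1111-1111-1111-111111111111",
            "displayName": "Block BYOD Android",
            "androidForWorkRestriction": {
                "platformBlocked": False,
                "personalDeviceEnrollmentBlocked": True,
            },
        },
        {
            "@odata.type": "#microsoft.graph.deviceEnrollmentLimitConfiguration",
            "id": "22222222-2222-2222-2222-222222222222",
            "displayName": "All users",
            "limit": 5,
        },
    ]
})


def load_sample():
    """Parse the constructed sample response into a dict."""
    return json.loads(SAMPLE_RESPONSE)


def fetch_enrollment_configurations(access_token):
    """Fetch the live configurations. The token must carry the
    DeviceManagementServiceConfig.Read.All permission. Not used offline."""
    req = urllib.request.Request(
        GRAPH_URL, headers={"Authorization": f"Bearer {access_token}"}
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _allows_personal_work_profile(cfg):
    """A restriction allows personal work-profile enrollment only when the
    Android Enterprise platform is not blocked AND personal devices are not
    blocked. A missing block is treated as 'not blocked', matching the
    portal's default of Allow."""
    afw = cfg.get("androidForWorkRestriction") or {}
    return not afw.get("platformBlocked", False) and not afw.get(
        "personalDeviceEnrollmentBlocked", False
    )


def personal_work_profile_status(response):
    """Return {displayName: allowed?} for every platform-restriction config,
    skipping enrollment-limit and other configuration kinds."""
    status = {}
    for cfg in response.get("value", []):
        if cfg.get("@odata.type") != PLATFORM_RESTRICTIONS_TYPE:
            continue
        status[cfg.get("displayName", cfg.get("id"))] = _allows_personal_work_profile(cfg)
    return status


def default_allows_personal(response):
    """True if the default ("All users") restriction allows personal
    work-profile enrollment. Assumes the default config's id ends in
    '_DefaultPlatformRestrictions'; returns False if none is found."""
    for cfg in response.get("value", []):
        if cfg.get("@odata.type") == PLATFORM_RESTRICTIONS_TYPE and cfg.get(
            "id", ""
        ).endswith("_DefaultPlatformRestrictions"):
            return _allows_personal_work_profile(cfg)
    return False


if __name__ == "__main__":
    data = load_sample()
    for name, ok in personal_work_profile_status(data).items():
        print(f"{name}: personally owned Android work profile {'allowed' if ok else 'blocked'}")
    print("default (All users) allows personal enrollment:", default_allows_personal(data))
```

Running the block against the constructed sample reports "All users" as allowed and "Block BYOD Android" as blocked; against a real tenant you would call `fetch_enrollment_configurations` with a token obtained through your usual app registration and pass the result to the same two functions. If `default_allows_personal` returns False while the portal says Allow, the id convention assumed here does not match your tenant and you should key on `displayName` instead.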