This post has been republished via RSS; it originally appeared at: Enterprise Mobility + Security articles.
(This post is co-authored by Priya Ravichandran, Senior Program Manager, Microsoft 365)
We are pleased to announce that Microsoft Intune support for Android Enterprise fully managed devices is now generally available.
Android Enterprise fully managed is one of the “device owner” management scenarios in the Android Enterprise solution set. This scenario enables user productivity on corporate devices while allowing IT admins to manage the capabilities the organization needs. We have seen an overwhelming uptake of this management capability throughout the multiple phases of public preview, making this the most widely adopted preview for Android management thus far. In preview, tens of thousands of devices across global customers are already using it to configure and manage their Android devices. In addition to this extensive adoption, we have received significant feedback from the community and customers alike. With this release, customers can deliver a high-quality and feature-rich productivity scenario for users on corporate-owned devices while maintaining an extended set of policy controls over the devices.
Onboarding a fully managed device
Intune supports popular provisioning technologies with Android Enterprise devices running Android 6.0 and later, including:
- Knox Mobile Enrollment
- QR Code
- Token Entry
- Zero Touch Enrollment
Deploying fully managed devices starts when a new device is acquired and unboxed, or an existing device is factory reset. Using Intune’s enrollment token with your preferred deployment technology, the fully managed provisioning workflow launches the out-of-the-box experience (OOBE), which then guides the user through the steps needed to complete onboarding.
Once the user enters their corporate credentials, the onboarding process guides the user through setting up a device PIN based on the organization’s policy. Having this set up during OOBE ensures that the device is protected against misuse from the start.
Figure 1: Fully managed OOBE guides user to set up PIN
OOBE will automatically download the Microsoft Intune app, Microsoft Authenticator app and the Microsoft Intune Company Portal app. Additionally, the user is also made aware of the full list of required apps that the organization is pushing to their device, making the process more transparent to the end user.
Figure 2: OOBE installs the two required apps and shows the user the rest of the mandatory apps being installed
Since the download of these additional apps starts immediately in the background, the user gets a head start on having the right tools for the job.
The final piece of the OOBE is registering the device with Azure Active Directory. Device registration during OOBE ensures that the device is compliant with the organization’s requirements before being able to access any corporate resources on the device.
Figure 3: User starts device registration in OOBE
Figure 4: Device registration completes during OOBE
At the end of the onboarding workflow, the user now has a device that has all the policies and apps they need to be productive and secure.
Multi-Factor Authentication with fully managed devices
Multi-Factor Authentication (MFA) is a key part of the authentication process for many organizations. With this GA release, fully managed devices support the MFA policies that the organization has put in place.
Configuring certificates and resource access policies
On a fully managed device, you can deploy both root certificates and SCEP certificates for authentication. Along with certificate profiles, resource access profiles are also now supported with the full spectrum of authentication options. Email, Wi-Fi and VPN profiles can also be created to leverage the certificate profiles needed for your organization.
This support allows your organization to determine which resources are used on a device and how the user can authenticate before using it. For example, you can allow a device to use a specific Wi-Fi profile and authenticate with a certificate that has been pushed to the device, in this case a SCEP certificate you deployed.
Enabling corporate and personal applications on the device
On a fully managed device, Intune provides a locked-down approach to apps. By preventing the sideloading of apps, the device maintains its security posture. Organizations do not have to enable installing apps from untrusted sources, which is a concern with the previous device administrator management mode. To ensure that only apps from approved sources are installed on the device, organizations can leverage the Managed Google Play store to distribute corporate apps to managed devices.
An organization may deploy additional policies to allow users to install other apps from the public Play store on the device, if they wish to, allowing users to personalize their work device. By default, access to the public Play store is blocked on a fully managed device.
Figure 5: Enabling end user access to the consumer store on fully managed devices
System apps – like the camera and the dialer – are key apps that are required by many organizations for their users to do their jobs as expected. Intune enables granular control over system apps on Android Enterprise corporate devices. Admins can manage system apps at the package level to ensure that only key apps needed for productivity are enabled on the device, excluding other system apps that are not relevant to the organization.
Figure 6: Adding and managing system apps - like the Samsung Clock app - on fully managed devices
In addition, since these are post-provisioning policy deployments, the list of enabled system apps can be adjusted over the life of the device to meet the organization’s needs.
Configuration and compliance
The fully managed device supports all the Android Enterprise Device Owner settings offered in the Intune console. Additionally, Intune now supports the ability to create compliance policies on fully managed devices, including:
- Support for enforcement of PIN complexity requirements
- Support for specifying a threat level threshold for the device and leveraging Mobile Threat Defense providers
- Support for SafetyNet Attestation, which incorporates jailbreak detection as well.
As with other Intune managed devices, when a device does not meet the compliance requirements, the user is notified and provided with guidelines on how to mitigate the issue. For fully managed devices, end user experiences are now surfaced in the new Microsoft Intune app.
Redesigned end user experience in the Microsoft Intune app
This new, modern and lightweight app, simply called ‘Microsoft Intune’, brings the experiences that end users know and love in the Company Portal app to fully managed devices, including managing compliance for their devices, getting support from their organization, and viewing notifications.
Figure 7: View devices, update settings when needed, and view notifications
Figure 8: Get support when needed, view organizational terms, and view user profile
The latest release of Microsoft Intune app for Android has the following updates:
- Improved layout with bottom navigation for the most important actions.
- Added an additional page that shows the user's profile.
- Added the display of actionable notifications in the app to inform the user, such as the need to update their device settings.
- Added the display of custom push notifications, aligning the app with the support recently added in the Company Portal app for iOS and Android.
Today, this new app is only for the fully managed scenario; in all other Android management scenarios, Company Portal will continue to be the end user app.
App protection policies
Intune app protection policies are fully supported on fully managed devices, at parity with support on other platforms. The Microsoft Company Portal is automatically deployed in the background to enable this additional layer of compliance control.
Intune has full support for the OEMConfig framework, including an intuitive configuration designer UI that allows organizations to easily leverage supported OEM-specific settings on their fully managed devices. For more details, see this blog post on the OEMConfig configuration designer or refer to the Intune documentation on OEMConfig.
Microsoft Launcher for Enterprises
Another key aspect of managing a corporate device – like a fully managed device – is to ensure that all end users have a consistent home screen experience on the device. This includes being able to clearly brand the device as well as ensuring that the key apps needed for their role are accessible and discoverable on the device. The Microsoft Launcher is a key partner in enabling this well-defined end user experience on corporate devices. When the Microsoft Launcher is deployed to a device, the Launcher detects that the device is a corporate device and then enforces any app config settings that the admin has specified. This includes being able to set a device wallpaper as well as the list and order of applications on the home screen.
Figure 9: Microsoft Launcher home screen experience on work-managed Android device
While the launcher configuration is currently only exposed via the app config workflow, we are partnering with the Microsoft Launcher team to deliver a first-class configuration experience in the Intune admin console – to match the experience that is available for the Managed Home Screen today. Watch this space for updates.
We’re excited to share this milestone with our Microsoft Intune customers who can now deliver a premier manageability and security experience to their end users on Android Enterprise devices. As we continue to innovate on the Android Enterprise platform, we look forward to your ongoing usage and feedback.
Fully managed support is the next step in Intune's commitment to full Android Enterprise support. Also look for new support for private publishing within the Intune console, as well as web link support launching at the same time as Fully managed. We're committed to a full set of Android Enterprise scenarios that meet high standards of manageability and privacy, so stay tuned for more on this in the coming months.
- Technical article on Android Enterprise fully managed device management
- Technical article on Android Enterprise dedicated device management
Previous blogs in this series:
- First public preview announcement
- Second public preview introducing Microsoft Intune app
- Final public preview with supportability enhancements
More info and feedback
As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.
Follow @MSIntune on Twitter