Enterprise IT administrators manage a wide range of mobile devices, including corporate-owned, employee-owned, and a mix of the two: corporate-owned, personally enabled (COPE) devices. With all of these varying levels of device ownership, organizations need a way to ensure business apps and data are secure on any device used for work, regardless of who owns the device.
Thanks to new capabilities introduced in Android 8, MobileIron customers can now support employee privacy and personal apps even on fully managed corporate devices. Google introduced Android enterprise to help IT organizations meet these security and management needs across a broad range of devices. With Android enterprise, admins can configure a device in one of two ways, both of which are deployed through a unified endpoint management (UEM) platform like MobileIron.
Now, starting with version 8, admins can configure the entire device as a managed device and deploy enterprise apps to a work profile that remains separate from a personal profile on the device. For MobileIron customers, this is especially good news because MobileIron is currently one of the only UEM providers that enables customers to deploy managed devices with a work profile on Android 8 devices. As a result, organizations can enhance control over business apps and data while giving employees more flexibility to access personal apps and data on Android devices, even if the device is owned by the company.
MobileIron customers can start using this capability today with MobileIron Core 9. By deploying managed devices with work profiles, IT can now provide the following capabilities on a single device.
One Android device, two modes: managed device with work profile. April 12.
Device-wide controls, such as a complete device wipe and reset to factory default settings, are available on managed devices. Business apps managed by the work profile have a distinct icon that sets them apart from personal apps. Employees can safely use their personal devices for work without being restricted from accessing their personal apps and data. IT also has only limited control over the device itself, and cannot view, access, or delete any personal apps or data. The work profile also remains protected by container-level security policies, such as preventing users from pasting enterprise data into unauthorized apps such as a personal Google Drive account.
This diagram illustrates how these capabilities work on Android 8 devices.

This article lists and describes the different settings you can control on Android Enterprise devices. As part of your mobile device management (MDM) solution, use these settings to allow or disable features, run apps on dedicated devices, control security, and more.
Create a device configuration profile. These settings apply to Android Enterprise enrollment types where Intune controls the entire device, such as Android Enterprise Fully Managed or Dedicated devices. For each setting, "Block" enforces the restriction; when a setting is left at Not configured (the default), Intune doesn't change or update it, and the OS default applies.
- Screen capture: Block prevents screenshots or screen captures on the device. It also prevents the content from being shown on display devices that don't have a secure video output. By default, the OS might let users capture the screen contents as an image.
- Camera: Block prevents access to the camera on the device. By default, the OS might allow access to the camera.
- Default permission policy: This setting defines the default permission policy for requests for runtime permissions. Several options are available.
- Date and time changes: Block prevents users from manually setting the date and time. By default, the OS might allow users to set the date and time on the device.
- Volume changes: Block prevents users from changing the device's volume, and also mutes the master volume. By default, the OS might allow using the volume settings on the device.
- Factory reset: Block prevents users from using the factory reset option in the device's settings. By default, the OS might allow users to use this setting on the device.
- Safe boot: Block prevents users from rebooting the device into safe mode. By default, the OS might allow users to reboot the device in safe mode.
- Status bar: Block prevents access to the status bar, including notifications and quick settings. By default, the OS might allow users access to the status bar.
- Roaming data services: Block prevents data roaming over the cellular network. By default, the OS might allow data roaming when the device is on a cellular network.
- Wi-Fi setting changes: Block prevents users from changing Wi-Fi settings created by the device owner.

This document explains how your device policy controller (DPC) can provide work profiles on fully managed devices. Fully managed devices allow IT admins to enforce a wide range of mobile policy controls.
Work profiles separate work and personal apps and data. Work profiles on fully managed devices combine the advantages of both solutions to offer work and personal separation on a company-owned device. A work profile keeps the organization's apps and data secure and separate from the user's personal apps. The organization still manages the device and can enforce a wide range of policies or turn on device-wide features, such as network logging, if required.
The system user interface separates the apps and data of the work profile from the personal profile. The profile's label is Work and the system badges app icons and panels using the briefcase icon. The system uses the label Personal to group apps from the personal profile. Device users with a work profile on a fully managed device can check their organization's access using the Managed device info panel in Settings.
Work profiles on fully managed devices increase the policy options for organizations. Because the wider choice might appear more complex, we recommend following these best practices when presenting policy options or decisions to organizations and device users. Present a simple settings model to an organization's IT admins. Use your default settings to encourage IT admins to keep work policies, apps, and data in the work profile.
Design your EMM console to encourage IT admins to set policies as close as possible to the work data. If an IT admin can apply a policy to just the work profile, then apply it there and not to the whole device. This helps ensure the protection of work data while use of the device isn't unduly restricted. Importantly, it simplifies the task of administering work profiles on fully managed devices. You might need to make an override available if a particular policy must instead apply device-wide.
The following table shows where to apply UserManager restrictions.
- Show one instance of your DPC in the user's launcher. Because the user might add or delete work profiles, show the DPC in the personal profile and hide the DPC in the work profile. Call DevicePolicyManager.
- Allow the device user to add accounts in their personal profile. A device owner, in the absence of a work profile, might typically add an account creation restriction. When the user has a work profile, your DPC shouldn't restrict account creation.
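The scoping guidance above (apply a restriction to the work profile when you can, device-wide only under an explicit override, and don't block personal account creation once a work profile exists) can be expressed as a small helper. The following is an added example, not code from the Android developer documentation: the class and method names, the `com.example.dpc.AdminReceiver` component, and the heuristic that treats a second entry in `UserManager.getUserProfiles()` as a work profile are assumptions; the `DevicePolicyManager` and `UserManager` calls are the standard Android APIs.

```java
// Added example (not from the Android developer documentation): keeps
// UserManager restrictions scoped to the work profile on a fully managed
// device and widens them only on an explicit device-wide override.
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.UserManager;

public final class ScopedRestrictionApplier {

    /** Where a restriction ended up, or why it was not applied. */
    public enum Outcome { APPLIED_TO_WORK_PROFILE, APPLIED_DEVICE_WIDE, SKIPPED }

    private final DevicePolicyManager dpm;
    private final UserManager userManager;
    private final ComponentName admin;      // the DPC's DeviceAdminReceiver
    private final String packageName;

    public ScopedRestrictionApplier(Context context, ComponentName admin) {
        this.dpm = (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.userManager = (UserManager) context.getSystemService(Context.USER_SERVICE);
        this.admin = admin;
        this.packageName = context.getPackageName();
    }

    /**
     * Applies a UserManager.DISALLOW_* restriction as close to the work data as possible.
     * The DPC instance running inside the work profile is that profile's owner, so the
     * restriction it adds is confined to the profile. The instance in the personal
     * profile is the device owner; it applies the restriction only when the IT admin
     * has explicitly marked the policy as device-wide, so personal use is not
     * restricted by accident.
     */
    public Outcome apply(String restriction, boolean deviceWideOverride) {
        if (dpm.isProfileOwnerApp(packageName)) {
            // Work-profile instance: the scope is the profile whatever the override says.
            dpm.addUserRestriction(admin, restriction);
            return Outcome.APPLIED_TO_WORK_PROFILE;
        }
        if (dpm.isDeviceOwnerApp(packageName) && deviceWideOverride) {
            dpm.addUserRestriction(admin, restriction);
            return Outcome.APPLIED_DEVICE_WIDE;
        }
        // Device-owner instance with no override: leave the personal profile alone.
        return Outcome.SKIPPED;
    }

    /**
     * Device-owner side of the "allow accounts in the personal profile" guidance: a
     * device owner often adds DISALLOW_MODIFY_ACCOUNTS, but once a work profile exists
     * it should be cleared so the user can still add personal accounts.
     * Assumption: a work profile is detected as a second entry in getUserProfiles().
     */
    public boolean relaxAccountRestrictionIfWorkProfileExists() {
        if (!dpm.isDeviceOwnerApp(packageName)) {
            return false;
        }
        boolean hasWorkProfile = userManager.getUserProfiles().size() > 1;
        if (hasWorkProfile) {
            dpm.clearUserRestriction(admin, UserManager.DISALLOW_MODIFY_ACCOUNTS);
        }
        return hasWorkProfile;
    }

    /** Example wiring; the receiver class name is a placeholder for the DPC's own. */
    public static void exampleUsage(Context context) {
        ComponentName admin = new ComponentName(context, "com.example.dpc.AdminReceiver");
        ScopedRestrictionApplier applier = new ScopedRestrictionApplier(context, admin);

        // Protecting work data: cross-profile copy/paste stays a work-profile policy.
        applier.apply(UserManager.DISALLOW_CROSS_PROFILE_COPY_PASTE, false);

        // Integrity of the whole device: safe boot and factory reset are marked
        // device-wide, so the device-owner instance enforces them.
        applier.apply(UserManager.DISALLOW_SAFE_BOOT, true);
        applier.apply(UserManager.DISALLOW_FACTORY_RESET, true);

        applier.relaxAccountRestrictionIfWorkProfileExists();
    }
}
```

The same `apply` call runs in both DPC instances, so a policy authored once in the EMM console lands in the right place: the profile-owner instance silently ignores the override flag, and the device-owner instance does nothing unless the flag is set, which is what keeps a mis-scoped console default from restricting the personal side of the device.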
As with policy management, organizations should concentrate their app management in the work profile. An organization that needs to push apps into the personal profile, should use managed Google Play device accounts. These accounts aren't visible to the device users who browse apps in Google Play using their personal Google Account.
Using a single managed Google Play store in the work profile avoids any confusion.

When I speak with organizations that are considering Android devices, there's usually the question, "Which management option should we choose?"
The answer requires a clear understanding of the scenarios the organization would like to bring under management, such as personal devices, corporate devices, or even purpose-built devices. There are many different versions of Android from many different OEMs, and choosing and supporting each version can be challenging. However, as I'll discuss later in this post, Android enterprise aims to address OEM fragmentation while providing a variety of management options.
Fortunately, Microsoft Intune will address various Android management methods available today including those offered with Android enterprise, so let's look at how Android management is accomplished with Intune.
The table below walks through each available Android device management scenario, how Microsoft Intune supports it, as well as items to evaluate when considering each option.
Work profiles on fully managed devices
Up to this point we've reviewed the traditional management methods available on Android as well as enrolling and managing Android devices with Intune. If you've noticed, there is a theme throughout, and it's Android enterprise. All paths appear to lead to Android enterprise, so let's learn what Android enterprise is and how Intune assists with managing devices enrolled using it. There are two primary modes of management under Android enterprise (AE).
Choosing an enrollment option really depends on the scenario and what your business requires. Since Android enterprise appears to be OEM agnostic, if the plan is to deploy devices from various OEMs, devices supporting Android enterprise may be an option. Likewise, if devices are used for kiosks, digital signage, ticket printing, or inventory scanning, Android enterprise is worth investigating as well.
Lastly, before selecting, consider the short- and long-term ramifications of one option over another. That's it! We've reviewed the options available for Android enrollment with Intune, the documentation on how to enroll Android devices, and the future of Android management through Android enterprise.
The issue with device admin is that there are only so many management APIs available, the user experience is challenging, and, according to Google, device admin is being deprecated; with Android Q, device admin will not be available at all. Device admin requires an Android device to be enrolled via an MDM and requires various administrator permissions during certain enrollment scenarios.
As such, device admin offers insufficient privacy for BYOD, insufficient management capabilities for corporate-owned devices, and a poor user experience all around. In addition, device admin is less secure than Android enterprise, and device admin is not ideal for an environment requiring minimal- or no-touch enrollment. An example is managing the email profile for the native email app on a Samsung device.
KME (Knox Mobile Enrollment) is supported starting with Android 2. After that, users experience a streamlined enrollment process that removes the touch points required by device admin. There are two primary modes of management under Android enterprise (AE). Android enterprise is supported on Android 5 and later. Once a device is enrolled in an MDM such as Intune, Android enterprise provides the concept of a work profile (formerly Android for Work) that separates, or containerizes, corporate applications and data on a personal device.
The managed profile contains corporate data and allows only applications within the work profile to access the data within while leaving personal data separate.
Previous versions of Android, such as 5, remain in use. Consider the ramifications for devices already deployed to end users and in the workplace before beginning a migration.
A strategy of enrolling new devices with device owner while continuing to manage existing devices enrolled with device admin may be an option. Through attrition, devices will onboard using Android enterprise.
As mentioned earlier, with Android Q, device admin will not be an option. Intune supports Android enterprise purpose-built device management, including single-use devices and work profiles, which aligns with many organizational use cases. Details on how to configure Intune to manage devices supporting Android enterprise are below. Selecting an enrollment option really depends on the scenario and what your business requires.

Intune helps you deploy apps and settings to Android Enterprise work profile devices to make sure work and personal information are kept separate. For specific details about Android Enterprise, see Android Enterprise requirements. The default setting of Allow applies to new tenants as of July. All previous tenants will experience no change to their Enrollment Restrictions and will see whatever policies they have set there. For previous tenants that never changed Enrollment Restrictions, Block will still be the default for Android Enterprise work profiles.
If you want to enroll devices using Android Enterprise work profiles, but those devices were already enrolled with Android device administrator, those devices must first unenroll and then re-enroll. As an administrator, you can accomplish this remotely using the Retire function. This function can be found in the actions menu after selecting the device from the All Devices blade.
If you're enrolling Android Enterprise work profile devices by using a Device Enrollment Manager account, there is a limit of 10 devices that can be enrolled per account.
For more information, see Data Intune sends to Google and Configuring and troubleshooting Android Enterprise devices in Microsoft Intune. To set up Android Enterprise work profile management, follow these steps: connect your Intune tenant account to your Android Enterprise account, then specify Android Enterprise work profile enrollment settings.
Android Enterprise work profiles are supported only on certain Android devices. Any device that supports Android Enterprise work profiles also supports Android device administrator management. Intune lets you specify, within Enrollment Restrictions, how devices that support Android Enterprise work profiles should be managed. Block: all Android devices, including devices that support Android Enterprise work profiles, are enrolled as Android device administrator devices, unless Android device administrator enrollment is also blocked.
Allow (set by default): all devices that support Android Enterprise work profiles are enrolled as Android Enterprise work profile devices.

Android Enterprise is the feature developed by Google to make Android devices running 5 and later enterprise-ready. Android Enterprise provides several features and configurations that secure the device and make it cater to the needs of an organization. Apps, both Play Store and enterprise apps, can be installed silently without user intervention, as explained here.
In the case of Android Enterprise, it is recommended to provision personal devices as Profile Owner and corporate devices as Device Owner. Profile Owner and Device Owner are explained below. For corporate-owned devices, provisioning the devices as Device Owner ensures the organization has full control of the device, as it "owns the device", and provides more features to ensure the device and the confidential data on it are secure and protected from unauthorized access.
Device Owner supports all the Profile Owner-supported features as well as additional features. Zero-touch-style enrollment is useful for large-scale out-of-the-box enrollment, similar to Apple Business Manager (ABM), but is applicable only on certain devices, as listed here.
Other methods are useful when the number of devices to be managed is small, as the devices need to be unboxed to initiate enrollment, or if you want to enroll devices without Google services as Device Owner. They are applicable to devices running Android 5 and later. Some are useful when the number of devices is small because the devices need to be unboxed to initiate provisioning, after which enrollment needs to be carried out separately.
Device Owner also supports additional restrictions, such as restricting device reset and modifying Settings, and configuring Exchange ActiveSync. For personal devices, Android Enterprise creates a "Work profile", a logical container that demarcates the personal space and the corporate space on a device. Organizations can fully control the work profile but have zero control over the personal profile, as the organization "owns only the profile".
Profile Owner supports fewer features than Device Owner, for example preventing sharing of data from the work profile to the personal profile and restricting screen capture in the work profile. The complete set of restrictions supported by Profile Owner can be viewed here. A significant advantage of silent installation of apps is that, for devices provisioned as Device Owner or Profile Owner, and for Samsung devices, users cannot uninstall these silently installed apps from the managed devices.
Turn your work profile on or off
EMM Token Enrollment: the devices are factory reset before setting up Android Enterprise to prevent malware from potentially acting as a device owner and taking over the device. Refer to this link for the non-exhaustive list of devices supporting Android Enterprise.

With Android Enterprise Device Owner enrollments, have you ever wondered where all the system apps go? The good news is that with the Intune release, system apps may be whitelisted as well!
An example of a system app is the dialer or some OEM-specific app such as a battery monitoring app or barcode scanner app. The package IDs for those are: com. Under Assignments, assign the app to the device group where the device lives.
Policy sync should only take a few seconds, and on the device the battery manager is whitelisted and available for users to access from the Managed Home Screen.
Search for the app name, e. Again, system apps can be whitelisted now using Intune.
Author: Courtenay Bernier. Courtenay is a technology professional with expertise in aligning traditional software and cloud services to strategic business initiatives. He has over 20 years of experience in the technology field as well as industry experience working with distribution centers, call centers, manufacturing, retail, restaurant, software development, engineering, and consulting.