Integrating Android Enterprise with Intune device management
Organizations that deploy Android devices should look to Android Enterprise APIs to provide control of managed devices, but they require integration with a management platform.
IT administrators that manage Android devices will need to integrate the proper APIs with their management platform to ensure they have the necessary control over these end-user devices.
Android device management in the enterprise started with the Device Administration API -- also known as Device Admin -- but its features were very limited. To provide a complete approach to Android device management, Google introduced Android Enterprise with Android 5.0. Android Enterprise provides APIs that IT admins can easily integrate with any mobile device management, unified endpoint management or other management platforms.
Requirements for integrating with Android Enterprise
Device management platforms can use the Google Play EMM API and the Android Management API to address the different Android Enterprise APIs. The former enabled platforms to create their Device Policy Controller (DPC) -- the on-device agent -- to apply the required configurations. The latter completely relies on new APIs and a DPC provided by Google.
Even though the different APIs don't have complete feature parity, Google prefers the Android Management API. It's also no longer possible to register a new DPC that uses the Google Play EMM API. Some management platforms, such as Microsoft Endpoint Manager's Intune, already rely on the Android Management API. These platforms rely on Google for new functionalities related to that API.
For any platform to manage Android Enterprise devices, the only requirement is a managed Google Play account. It can even be a personal Google account, but the best practice should be to use a company account to avoid privacy issues. If IT administrators use Microsoft Intune as a part of Microsoft Endpoint Manager, they can connect their Intune account to the managed Google Play account.
Benefits of the Android Enterprise integration
Android Enterprise provides organizations with many benefits, especially with the managed device (device owner) and work profile (profile owner) modes. These modes provide different management options, each with unique security and privacy capabilities. Android Enterprise also provides a great out-of-box experience for corporate-owned devices, a smooth app installation experience and a standardized configuration method for OEMs. That out-of-box experience automatically guides the user through the device enrollment process, and the app installation experience enables IT administrators to silently install apps without the need for a personal Google account on the device. It also standardizes configuration methods and provides OEMs with an easy way to enable additional APIs.
Android Enterprise's flexibility via the different management modes is the most eye-catching benefit because they support multiple deployment scenarios.
Personally-owned devices with a work profile
This deployment scenario provides access to company data on personal devices via the profile owner mode. With this deployment scenario, the users must install the organization's device management platform DPC app and walk through the steps in the app to enroll their device into the platform. After the enrollment, the DPC creates a separate work profile on the device. The profile creates a clear separation between personal data and apps and corporate data and apps.
This separation provides privacy for the user in the personal profile and control for the IT administrators in the work profile. The separation is also very clear for the user, as it shows a separate tab for personal and corporate apps -- the corporate apps are even marked with a small briefcase icon. By default, the corporate data is protected within the work profile. If needed, the IT administrator can wipe the work profile from the device without removing a user's personal data.
Corporate-owned devices with a work profile
This deployment scenario provides privacy to the user on a corporate-owned device via an enhanced profile owner mode. Users still have some privacy, but the IT administrators maintain a notable amount of device-level controls. With this deployment scenario, the out-of-box experience guides the user to enroll the device into the organization's management platform. After enrollment, the platform creates a separate work profile and personal profile on the corporate-owned device. The profile separation offers the same basic protections, functions and UI elements as a personally-owned device with a work profile.
Fully managed devices
This deployment scenario provides the user with a corporate-owned device intended exclusively for work by using device owner mode. The corporate-owned device provides users with a personal touch and provides the IT administrator with full control. Like the previous two categories, the management platform walks users through the enrollment process.
There are no separate profiles, as the device is completely managed. The IT administrator can allow the user to install some personal apps, but there isn't a focus on the user's privacy. The entire app install base is visible to the IT administrator. If needed, the IT administrator can perform a remote wipe on the whole device.
This deployment scenario provides a single-purpose experience on a corporate-owned device via the device owner mode. This mode provides the user with a targeted and limited interface that focuses on a single purpose, which the IT administrators preset. With this deployment scenario, the out-of-box experience automatically enrolls the device into the required device management platform.
After enrollment, IT restricts the device to a limited set of apps that relate to the single purpose of the device. These devices are not associated with a user and are not intended for use with personal apps. If needed, the IT administrator can wipe the entire device.
Setup process for the Android Enterprise integration with a device management platform
Configuring the integration between a device management platform, such as Microsoft Intune, and Managed Google Play enables organizations to manage Android Enterprise devices. IT administrators can configure this integration with Microsoft Intune -- part of Microsoft Endpoint Manager -- by walking through a few simple steps.
- Open the Microsoft Endpoint Manager admin center and sign in.
- Navigate to Devices > Android > Android Enrollment > Managed Google Play.
- On the Managed Google Play blade, select I agree with the statement I grant Microsoft permission to send both user and device information to Google.
- On the Managed Google Play blade, click Launch Google to connect now with Connect your Intune tenant to an administrative Google account to enable Android Enterprise enrollment.
- On the Google sign-in page, click SIGN IN and provide the credentials of the earlier mentioned Google account.
- On the Bring Android to Work page, provide a Business name and verify that Microsoft Intune is displayed as Enterprise mobility management (EMM) provider and click Next.
- (Optional) On the Contact details page, provide the contact details of the Data Protection Officer, select I have read and agree to the Managed Google Play agreement and click Confirm.
- On the Set up complete page, click Complete Registration.
After connecting Microsoft Intune with Managed Google Play, the IT administrator can deploy apps via the Managed Google Play store and manage devices in the different Android Enterprise deployment scenarios. Depending on the deployment scenario, there may be some additional configuration steps that IT admins must take. Those steps are typically quite simple: switching a slider or walking through a basic setup wizard. The main purpose of these actions is to create an enrollment token that can trigger the correct deployment scenario for the device.