ALIF Consulting

How to set up an Android work profile in Intune.

Updated: Dec 13

In this blog article, I'll demonstrate how to set up an Android Enterprise Work Profile using Intune. We begin by integrating Android Enterprise with Intune, turning on Android Enterprise in Intune, and setting up an Android Enterprise Work Profile. After completing these procedures, we approve selected Android apps for deployment to the Work Profile from the Managed Google Play store. The last phase is to demonstrate the end-user experience. Microsoft Intune lets you manage Android devices running Android Enterprise in a variety of ways; this post covers enabling Android Enterprise and setting up the Work Profile mode.


Description

In this course, we go through the choices and procedures for enrolling Android devices in Microsoft 365.

Learning Intentions

  • A summary of the many enrollment possibilities for Android devices

  • Before adding Android devices to Microsoft 365 through Intune, learn the requirements.

  • Address Android Business

Anyone interested in learning more about enrolling Android devices in Microsoft 365 should take this course.

Prerequisites

You must have a fundamental grasp of Microsoft 365's Mobile Device Management.


Android Work Profile: What is it?

Android Work Profile is an Android Enterprise profile that manages business data and applications on an Android smartphone that is also used personally. With an Android Enterprise Work Profile, a work container is created on the device, and all business apps end up in it. To safeguard business data, you can secure this work container with options such as conditional access, disabling copy and paste between apps inside and outside the work container, and an access passcode. The following prerequisites must be met for the steps to work.



  • An Azure tenant

  • Licenses for Microsoft EMS (E3 or E5)

  • A Google account that is not linked to an MDM program

  • A test Android device

Fundamentally, Android Enterprise offers two management modes:

  • Profile owner (also known as controlled profile) - A containerized solution that sets up a work profile to support BYOD scenarios.

  • Device owner (or control device) - Complete device administration to support COD.

Management for employee-owned personal devices should take place via the Profile owner management mode (Work Profile management solution).

In the Device owner management mode for company-owned devices [COD], you have three choices to select from to meet your requirements as a business:

  • Corporate Owned, Fully Managed, often known as COBO - Allows for stringent policy enforcement and comprehensive device monitoring.

  • Corporate Owned Personally Enabled [COPE] - A containerized approach to maintaining distinct user profiles for business and personal use on corporate devices. [Android 11 introduces several behavioural adjustments]

  • Corporate Owned Dedicated Devices (also known as COSUs) - These devices allow for complete device administration and may be further locked down to restrict them to a single use.
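The work-container controls described under "Android Work Profile: What is it?" (blocking copy and paste across the container boundary and requiring an access passcode) can be checked after the fact against an exported device restrictions profile. The following is an added example, not code from the original article: the property names come from the Microsoft Graph androidWorkProfileGeneralDeviceConfiguration resource, while the minimum passcode length of 6 and the sample profiles are assumptions constructed for illustration.

```python
import json
WORK_PROFILE_TYPE = "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration"
MIN_PASSCODE_LENGTH = 6  # assumed baseline, not a value from the article

# (Graph property, check on its value, what the baseline asks for)
RULES = [
    ("workProfileBlockCrossProfileCopyPaste", lambda v: v is True,
     "block copy/paste between work and personal apps"),
    ("workProfileRequirePassword", lambda v: v is True,
     "require a passcode for the work profile"),
    ("workProfilePasswordMinimumLength", lambda v: v >= MIN_PASSCODE_LENGTH,
     f"enforce a passcode of at least {MIN_PASSCODE_LENGTH} characters"),
]

def audit_profile(profile):
    """Return findings for one exported work profile restrictions profile."""
    findings = []
    for prop, ok, requirement in RULES:
        value = profile.get(prop)  # None when the setting is absent
        if value is None:
            findings.append(f"{prop}: not configured, should {requirement}")
        elif not ok(value):
            findings.append(f"{prop}={value!r}: should {requirement}")
    return findings

def audit_export(graph_json):
    """Audit each work profile restrictions profile in a Graph list response."""
    report = {}
    for profile in json.loads(graph_json).get("value", []):
        if profile.get("@odata.type") != WORK_PROFILE_TYPE:
            continue  # other platforms and profile types are out of scope
        report[profile.get("displayName", "<unnamed>")] = audit_profile(profile)
    return report

# Constructed sample export (not real tenant data).
SAMPLE_EXPORT = json.dumps({"value": [
    {"@odata.type": WORK_PROFILE_TYPE, "displayName": "BYOD - weak",
     "workProfileBlockCrossProfileCopyPaste": False,
     "workProfileRequirePassword": True, "workProfilePasswordMinimumLength": 4},
    {"@odata.type": WORK_PROFILE_TYPE, "displayName": "BYOD - hardened",
     "workProfileBlockCrossProfileCopyPaste": True,
     "workProfileRequirePassword": True, "workProfilePasswordMinimumLength": 6},
    {"@odata.type": "#microsoft.graph.iosGeneralDeviceConfiguration"},
]})

if __name__ == "__main__":
    for name, findings in audit_export(SAMPLE_EXPORT).items():
        print(name, "->", findings or "meets baseline")
```

An absent setting is reported separately from a weak one, since a profile that never configures the passcode is a different fix from one that sets it too short.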

Connect your Managed Google Play account to Intune

The first step is to connect a Managed Google Play account that has not been used before to Intune. To set this up, follow the steps below.

  1. Launch the endpoint management site: endpoint.microsoft.com

  2. Select Devices from the All Services menu.

  3. Next, choose Android.

  4. Click "Enroll in Android"

  5. Select Managed Play (Link your managed Google Play account to Intune)

  6. Check I agree

  7. Click Launch Google to connect now

Click Get started


  1. Enter your business name.

  2. Click Next

  3. Fill in the requested information (you can skip this, it's optional)

  4. Check I have read and agree to the Managed Google Play agreement

  5. Click Confirm

  6. Click Complete Registration

How to Enrol Android Device into MDM with Intune Company Portal

Here are instructions for installing Intune on an Android device. Please make sure you are using the latest OS.

  • Tap Home > Play Store.

  • Search for and install the Intune Company Portal.

  • When prompted about app permissions, tap ACCEPT.

  • Next, enrol the device.

During enrollment, you might be asked to choose a category that best describes how you use your device. Your company support uses your answer to check the apps that you have access to.

  • Open the Company Portal app and sign in with your work or school account.

  • If you're prompted to accept your organization's terms and conditions, tap ACCEPT ALL.

  • Review what to expect in the upcoming steps. Tap ACCEPT ALL, then CONTINUE. Lastly, tap NEXT.


  • Depending on your version of Android, you might be prompted to allow access to certain parts of your device. These prompts are required by Google and not controlled by Microsoft.

Tap Allow for the following permissions:

Activate the device admin app.

  • Company Portal needs device administrator permissions to manage your device securely. Activating the app lets your organization identify possible security issues, such as repeated failed attempts to unlock your device, and respond appropriately.


  • On the Company Access Setup screen, check that your device is enrolled. Then tap CONTINUE


  • Tap DONE once the configuration is complete.

Finally, you may enrol specific devices. The Microsoft Intune app is installed on the designated devices immediately upon enrollment. Note that the Microsoft Intune app is required for enrollment and cannot be deleted.


Microsoft Intune Security Features

One of the core advantages of using Android Work Profiles in Microsoft Intune is security. Intune integrates seamlessly with Microsoft’s Zero Trust Security Model, ensuring every user and device is constantly verified before granting access to corporate data. This model continuously checks security posture, ensuring your organization’s resources are protected from unauthorized access.

Additionally, the integration of Microsoft Defender for Endpoint enhances security by providing advanced threat protection, monitoring, and alerts for potential risks. Intune also helps mitigate data loss through built-in policies that manage encryption, access control, and remote data wipes if needed, ensuring your organization is always secure.

Mobile Application Management (MAM) Insights

Managing mobile apps securely is another powerful feature of Android Work Profiles. Intune enables businesses to deploy apps within the work profile, ensuring that corporate data remains protected. App Protection Policies enforce restrictions such as preventing copy-paste actions between personal and work apps, reducing the chances of accidental data exposure. Additionally, you can deploy line-of-business apps directly to the work profile, ensuring they are managed and secured without interfering with personal apps.

Comparing Android Work Profiles with Other Mobile Management Solutions

While Microsoft Intune’s Android Work Profiles offer robust functionality, it’s important to compare them with other mobile management solutions. VMware Workspace ONE and IBM MaaS360 are also popular options, but Intune stands out due to its seamless integration with Microsoft 365 and Azure Active Directory. Intune’s tight integration with the Microsoft ecosystem enables a unified experience for both IT admins and end users. Compared to traditional full-device management, Android Work Profiles offer a less intrusive solution, giving employees the flexibility to use their devices for both work and personal purposes without compromising security.

Integration with Microsoft Services

Android Work Profiles in Intune are even more powerful when integrated with Microsoft’s broader cloud services. For instance, by linking Intune with Azure AD Conditional Access, businesses can ensure that only compliant devices with active work profiles can access sensitive resources. Additionally, the integration with Microsoft 365 applications allows employees to seamlessly access productivity tools like Outlook, Teams, and OneDrive, all while ensuring data remains isolated within the work profile.

Using Power Automate, organizations can also create custom workflows triggered by specific actions in the Android Work Profile. For example, you can automatically send alerts to administrators when a device goes out of compliance, ensuring prompt intervention before security risks escalate.

Managing Employee Privacy and Data Compliance

Balancing data security with employee privacy is a common concern for organizations adopting mobile device management solutions. Android Work Profiles in Intune offer a clear distinction between work and personal apps, ensuring that employees' personal data remains private. Organizations can manage corporate apps, data, and settings while respecting employee autonomy over personal apps and content. This is especially important for businesses that need to comply with strict data privacy regulations, such as GDPR.

Furthermore, Intune provides mechanisms for secure data deletion when an employee leaves the company or when a device is lost. Admins can remotely wipe corporate data from the work profile, ensuring that sensitive business information is protected at all times.

Troubleshooting Common Issues

While setting up Android Work Profiles in Intune is straightforward, you may encounter challenges such as device enrollment errors or conflicts between work and personal apps. A helpful tip is to ensure that devices are properly registered with Azure AD and that Intune’s enrollment process is correctly followed. Additionally, providing clear instructions to employees about the separation of personal and work apps can minimize potential issues.

Future Trends in Mobile Device Management

AI and automation shape the future of mobile device management. Emerging technologies, like predictive analytics and behavior monitoring, are being integrated into MDM solutions to provide more proactive security measures and data-driven insights. Additionally, as the workplace becomes increasingly mobile and decentralized, Android Work Profiles will evolve to offer even more granular control and automation to meet the dynamic needs of modern businesses.
