I assume you are familiar with Android Enterprise so I wont waste space explaining it. The reason why many organizations are moving to Android Enterprise is because Google has deprecated the previous Android Device Admin mobile device management mode. Contents of this post include:
- Android Enterprise Management modes
- Work Profile
- Fully Managed
- Fully Managed with Work Profile (Company Owned Personally Enabled, COPE)
- Dedicated Device
- Intune configurations
Android Enterprise Management modes
There are 4 different management modes for different scenarios. Here is a compact summary of each of these with some notes from different customer scenarios. What is similar for all scenarios is that only Apps from Managed Google Play Store can be distributed to devices. So make sure all 3rd party business applications etc. are registered to Play Store.
Work Profile
- Requires personal Google account from end user
- Creates a separate “sandbox” for Work apps on personal device. Sandbox appears as separate folder or sheet on Android device depending on the version.
- Separate Default apps (Play Store, Contacts) for Work and Personal
- Only the Work Profile is considered Compliant by Conditional Access. Personal Profile is not.
- Enrolled by end user from Intune Company Portal. No factory reset required.
- Cannot be enrolled using enrollment program (Samsung Knox or Google ZTE)
- Device cannot be wiped using Intune, only Work Profile can be retired
Customer experiences:
- Rather confusing at first because with Conditional Access enabled you have to remember to use apps from Work profile and not personal. Also all the necessary apps need to be available on the Work Profile store
- Separating contacts to Work and Personal can be a showstopper for some users. Being unable to for example send WhatsApp messages to Work contacts can be frustrating.
- Images and other documents from Work Apps (such as Onedrive) are stored in the Work Profile and cannot be accessed from Personal apps.
- Unable to store contacts from call history to Work Profile / Outlook
So as you can see it´s not always straightforward to deploy Work Profiles for end users. There have been improvements on Intune configuration profiles and Android Enterprise to address the issues, but even currently these arise when experimenting with customers making the enrollment to Work Profile less attracting. Which is sad because the absolute positive in Work Profile is that it can be enrolled by end user to current devices.
Fully Managed
- No personal Google account needed
- Associated with single user. Not for multi-user scenarios
- No separate sandboxes. More familiar end user experience
- No separate apps. Play Store by default only contains Apps that have been Approved and distributed from Intune. Installation of all Play Store can be allowed using Intune Configuration Profile.
- Device is considered compliant when it meets the Compliance policy requirements
- Enrollment via Factory reset only. QR Code from Intune required to enroll the device unless an enrollment program (Knox or ZTE) is used
- Multiple devices can not be enrolled using Intune Device Enrollment Manager account (not supported anymore)
- Device can be wiped from Intune
Customer experiences
- More familiar for end users when all Play Store apps are allowed
- Pain to enroll and therefore transition usually via life-cycle instead of enrolling current devices to Fully Managed
- Utilizing Knox or ZTE makes Fully Managed device straightforward to deploy to end users
Fully Managed With Work Profile (COPE)
- By default same bullets apply as in Fully Managed mode
- Separate personal Google account can be added after deploying the device. When added the device will create Work and Personal Profiles and therefore change the end user experience to similar as Work Profile scenario
- Even with Work Profile enabled the device can still be wiped from Intune
Customer experiences
- Well its the same as Fully Managed if Work Profile is not enabled
- And the same as Work Profile if separate Google account is added
Dedicated Device
- No personal Google account needed or allowed
- Not associated with a single user. No personal work apps such as Outlook, Teams etc
- No separate sandboxes. Familiar end user experience
- No separate apps. Play Store only contains Apps that have been Approved and distributed from Intune.
- Compliance policies cannot be targeted do Dedicated Devices and therefore they are not considered Compliant by Conditional Access
- Configuration Profiles can be used to force passwords for compliance purposes, but the device still is not considered compliant
- Enrollment via Factory reset only. QR Code from Intune required to enroll the device unless an enrollment program (Knox or ZTE) is used
- No account needed to enroll the device
- Supports “Single App” (Kiosk) mode, but can also be used like “normal” mobile device.
- Device can be wiped from Intune
Customer experiences
- Easy to deploy and use
- Use scenarios need to be thought out because dedicated device allows no personal work apps or accounts
- Being unable to identify device as compliant might cause some issues if there is need to use apps that utilize Conditional Access. Although Conditional Access policies target user accounts and by design Dedicated Devices should not be used for anything that require authenticating with Azure AD Accounts.
Intune configurations
The configurations for each management mode are somewhat similar. I assume you are familiar with Intune basics so I only point out the differences between different management modes. At first you need to have Android Enterprise allowed from Device Restrictions and Managed Google Play Account associated with Intune.
Work Profile
- Compliance policy for Android Enterprise Work Profile
- Configuration Profile for Android Enterprise Work Profile to manage Work Profile restrictions and settings
- Apps from Managed Google Play Store targeted to devices or users in order to be able to install them from Work Profile Play Store
Fully Managed
- Enrollment enabled and QR Code / Token available
- Compliance Policy for Android Enterprise Fully Managed
- Configuration Profile for Android Enterprise Fully Managed to manage device settings for example allowing all Play Store Apps
- Apps from Managed Google Play Store targeted to devices or users. Especially if all Play Store Apps are not allowed
Fully Managed with Work Profile (COPE)
- Enrollment profile created and QR Code / Token available
- Compliance Policy for Android Enterprise Fully Managed (Same as in Fully Managed scenario)
- Configuration for COPE Scenario included in Fully Managed Configuration Profile. There are several settings that can be configured
- Apps from Managed Google Play Store targeted to devices or users. Especially if all Play Store Apps are not allowed
Dedicated Device
- Enrollment Profile(s) created and QR Code / Token available for each Dedicated Device scenario
- Dynamic Device Group created in Azure AD for each Enrollment Profile to target Apps and Configuration Profiles to devices
- Configuration Profile for Dedicated Device Settings. Including enforcements for passwords etc because Compliance Policy cannot be used. Targeted to Dynamic Device Group(s)
- Apps from Managed Google Play Store targeted to Dynamic Device Group(s)
Summary
That was a blog post full of bullets. Key point being in acknowledging different Android Enterprise Management modes and suitable use scenarios for each. Configuration on the Intune side is fairly easy. There are six points you should at least remember from this post:
- Android Enterprise allows only Apps from Managed Google Play
- Work Profile is the only management mode that can be enrolled without factory reset
- There are some end user experience hiccups with Work Profile. Make sure you utilize end user testing and piloting before deploying
- You can allow all Play Store Apps for Fully Managed mode
- End User Experience for COPE mode is either the same as Fully Managed or the same as Work Profile if personal google account is added
- Dedicated Devices dont support Compliance policies and require dynamic device groups to target settings and apps.
I would also recommend to check other Android Enterprise related posts from bloggerz.cloud
3 Comments
Almar Diehl · 30.09.2020 at 11.00
For solving the contacts not being available in the personal profile, check out https://play.google.com/store/apps/details?id=com.zaanweg.synccontacts
Also available in a free demo version: https://play.google.com/store/apps/details?id=com.zaanweg.aecontacts
Lars Engström · 02.11.2020 at 10.30
Do you know if it is possibel in the fully manged profile to have only allowed apps in “work” play account and if you switch to your private google play account you can se all apps. We have not been able to get that working but thats the way we want to have it.
Matti Väliniemi · 16.11.2020 at 13.01
So you want two separate Play Stores in one profile (Fully Managed) ? To my knowledge that is currently not possible. If you deploy COPE then you get two different Play Stores, but also two different profiles (Work & Personal).