Microsoft Intune is Microsoft's cloud-based unified endpoint management service for both corporate and BYOD devices. It extends some of the on-premises functionality of Microsoft Endpoint Configuration Manager to the Microsoft Azure cloud.
(It is important to remember that filters are available for two targets: Managed devices, i.e. devices enrolled in Intune, and Managed apps, i.e. apps managed by Intune, which is suitable for unenrolled BYOD devices.)
2. Click on Create > Managed apps
3. Enter the filter name and description, and select the platform.
4. Click Next
5. In Rules, set the deviceManagementType property to Equals Unmanaged (for unmanaged devices), as in the following screenshot:
(For managed devices, set the deviceManagementType property to Equals Managed.)
Click Next and Create the filter.
Once you have created the filter, go to an app protection policy for that platform and assign the filter by clicking on Edit filter.
Restrictions: There are some general restrictions when creating filters:
• For each tenant, there can be up to 200 filters.
• Each filter is limited to 3072 characters.
• For managed devices, the devices must be enrolled in Intune.
• For managed apps, filters apply to app protection policies and app configuration policies. They don't apply to other policies, like compliance or device configuration profiles.
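The same managed-apps filter can be created and checked through the Microsoft Graph beta endpoint for assignment filters, which is useful when you want the rule under version control rather than built by hand in the portal. This is an added example, not code from the original page; the request-body property names and the platform value are assumed from the Graph beta schema, and the filter name is a placeholder.

```powershell
# Added example (not from the original page). Creates the managed-apps filter from
# steps 2-5 with the Microsoft Graph PowerShell SDK and reads it back for review.
# Body property names / platform value are assumed from the Graph beta schema.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$body = @{
    displayName                    = "Android-UnmanagedDevices"            # placeholder name
    description                    = "MAM-managed apps on devices not enrolled in Intune"
    platform                       = "androidMobileApplicationManagement"  # assumed: Android, managed apps
    assignmentFilterManagementType = "apps"                                # "apps" = managed apps filter
    # Same rule the portal builds for "deviceManagementType Equals Unmanaged";
    # use "Managed" instead to target enrolled devices.
    rule                           = '(app.deviceManagementType -eq "Unmanaged")'
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/assignmentFilters" `
    -Body $body

# Read the filter back and enforce the 3072-character limit noted in the restrictions.
$saved = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/assignmentFilters/$($created.id)"
if ($saved.rule.Length -gt 3072) { throw "Rule exceeds the 3072-character filter limit" }
$saved | Select-Object id, displayName, platform, assignmentFilterManagementType, rule
```

The filter still has to be attached to the app protection policy's assignment afterwards, exactly as in the portal step above.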
To enroll an Android device with Android Enterprise, we must connect our Intune tenant to a Managed Google Play account.
To connect a Managed Google Play account with your Intune tenant:
Go to Devices-> Android-> Android Enrollment and click on the Managed Google Play option.
Tick the check box "I agree" and click on "Launch Google to connect now".
Note: Make sure you are not signed in with any Gmail ID in your browser, otherwise it will connect with that Gmail account; better still, do it in Incognito mode.
Click on Sign in
Sign in with an enterprise account mail ID (you can create a new one if you don't already have one).
Note: Make sure to use or create an enterprise account rather than a personal Gmail account. Keep in mind that the account you use should be one that is easily shared or transferred in case the person setting up the Managed Google Play connection leaves the company or moves teams.
Once signed in, it will prompt you for your business details.
Enter your domain/business name and select the EMM provider.
Enter the contact details. These details will be used to contact you about any security or privacy concern.
And your setup is complete.
You can check the connection details the next time you click on Managed Google Play.
Android Device Admin is a legacy management solution.
In 2010, Google released Android 2.2 (Froyo) with the ability to support the management of mobile devices via Android Device Administrator.
In the decade since, remote work rose along with the overall needs of the enterprise; as enterprise mobility became more complex, the Android Device Admin application programming interface (API) was being asked to do more than it could.
2. Android Enterprise
Android Enterprise supports far more deployment scenarios and provides better security, privacy and configuration options on Android devices.
This is a Google-led initiative to enable the use of Android devices and apps in the workplace. The program offers APIs and other tools for developers to integrate support for Android into their enterprise mobility management (EMM) solutions.
1. A Managed Google Play account needs to be connected with the Intune tenant.
To enroll your Android device with Android Enterprise you must connect your Intune tenant account to your Managed Google Play account. Refer to "Connect your Intune tenant to Managed Google Play account" above to connect a Managed Google Play account with your Intune tenant.
2. Devices must:
Run an Android build that has Google Mobile Services connectivity.
Have Google Mobile Services available and be able to connect to it.
Setup:
1. Android Enterprise Personally-owned Work Profile (BYOD)
Use personally-owned devices with work profiles to manage corporate data and apps on user-owned Android devices.
Setup:
By default, enrollment of personally-owned work profile devices is enabled, so no further action is required.
Device Enrollment experience:
2. Android Enterprise Corporate-owned, Fully Managed user devices (COBO)
With this management mode the IT admin takes full control of the device, unlike with work profiles.
This enrollment method can be used to enroll and manage corporate-owned devices. A fully managed device is associated with a single user and is intended for work, not personal use.
Setup:
1. Create a new Enrollment Profile–
Go to Devices-> Android-> Android Enrollment
Tap on Corporate owned, fully managed user devices.
Click on Create Profile
Enter the name and the description.
Select the Scope Tag (Optionally, apply any desired scope tags) and then select Next.
Click on Create button.
An enrollment token will be created. During enrollment this token is needed to let the users scan the code and enroll their device.
2. Create a dynamic security group with the following rule:
Property: enrollmentProfileName
Operator: Equals
Value: Enter the name of the enrollment profile you created
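The dynamic group in step 2 is the hinge of this whole procedure: the restriction profile and compliance policy in steps 3 and 4 reach a device only if its enrollment profile name matches the rule exactly, so a typo leaves the group empty and the policies apply to nothing. The following added example (not from the original page, and equally applicable to the COPE and dedicated-device profiles later on) creates that group with the Microsoft Graph PowerShell SDK and then reads the stored rule and membership back; the profile name, group name and mail nickname are placeholders.

```powershell
# Added example (not from the original page). Creates the dynamic device security
# group described in step 2 and verifies what was stored. Placeholder values below.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

$profileName = "AE-FullyManaged-Corp"   # placeholder: must equal the enrollment profile name exactly
$rule        = "(device.enrollmentProfileName -eq `"$profileName`")"

$group = New-MgGroup -DisplayName "SG-Android-$profileName" `
    -Description "Devices enrolled through the '$profileName' Android Enterprise profile" `
    -MailEnabled:$false -MailNickname "sg-android-fullymanaged" -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

# Read the group back: the rule must be exactly the one intended and processing must be "On",
# otherwise the group never gains members and the policies assigned to it reach no device.
$check = Get-MgGroup -GroupId $group.Id `
    -Property "Id,DisplayName,MembershipRule,MembershipRuleProcessingState"
if ($check.MembershipRule -ne $rule) { throw "Stored membership rule differs from the intended rule" }
if ($check.MembershipRuleProcessingState -ne "On") { throw "Dynamic membership processing is not On" }
$check | Format-List DisplayName, MembershipRule, MembershipRuleProcessingState

# Once Azure AD has processed membership and devices have enrolled, list what is in scope.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties["displayName"] }
```

Membership is evaluated asynchronously by Azure AD, so an empty member list immediately after creation is expected; re-run the last command after the first devices have enrolled.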
3. Create a Device Restriction Profile (Check options available for Corporate owned fully managed) and assign it to Security group
4. Create a Device Owner Compliance policy (Since the second preview of Corporate owned, fully managed user devices the Device Owner Compliance policy option is available.)
5. Approve and assign Android and other applications
Installation of applications is done without the need for a (personal) Google Play account; you're signed in to the Google Play store with a Google for Work account automatically.
3. Android Enterprise Corporate-owned with work profile (COPE)
This is the latest addition for Android enrollment options in Intune. Using this profile, you can enable personal use on Corporate-owned Android devices.
Features:
Required apps can be installed without interaction of the end-user in the work profile.
All company contacts, data and apps are stored in the work profile.
App protection policies are not required but can be added for additional protection.
Outlook company contacts are searchable and incoming numbers are recognized.
The entire device can be wiped.
Setup:
1. Create a new Enrollment Profile–
Go to Devices-> Android-> Android Enrollment
Tap on Corporate owned devices with work profile
Click on Create Profile
Give your profile a recognizable and unique name. Fill in a description (optional) and press “Next”.
Select the Scope Tag (Optionally, apply any desired scope tags) and then select Next.
Review your settings and press Create to create the enrollment profile.
An enrollment token will be created. During enrollment this token is needed to let the users scan the code and enroll their device.
2. Create a dynamic security group.
3. Create a Device Restriction Profile (check the options available for COPE) and assign it to the security group.
4. Create a Device Compliance policy.
5. Approve and assign Android and other applications
Installation of applications is done without the need for a (personal) Google Play account; you're signed in to the Google Play store with a Google for Work account automatically.
This mode is used for dedicated devices which are fully managed, but not assigned to a user.
These devices are used for a single purpose, like ticket printing for example.
Setup:
1. Create an enrollment profile
Go to Devices-> Android-> Android Enrollment
Tap on Corporate owned dedicated devices.
Click on Create Profile
Give your profile a recognizable and unique name and fill in a description (optional). Choose the type of token you want to use to enroll dedicated devices. (Note: a corporate-owned dedicated device token enrolls devices into a userless state. The token with Azure AD shared mode does the same, but also deploys the Microsoft Authenticator app and puts the devices in shared mode, so that users have an easier sign-in/sign-out experience when using apps that are integrated with the Azure AD Microsoft Authentication Library and global sign-in/sign-out calls.) Set the expiration date for this token (the selected date can be a maximum of 65 years from the date of profile creation) and press "Next".
Select the Scope Tag (Optionally, apply any desired scope tags) and then select Next.
Review your settings and press Create to create the enrollment profile.
An enrollment token will be created. During enrollment this token is needed to let the users scan the code and enroll their device.
Open the Profile and Click the Token tab. Here you will find the token and QR Code you need during enrollment.
2. Create a dynamic security group.
3. Create a Device Restriction Profile (check the options available for Corporate-owned dedicated devices) and assign it to the security group.
Note: Creating and assigning a device restrictions policy is optional when using dedicated Android devices, as those devices are already locked down by default.
Create a kiosk-style device, which further locks down the Android device. A kiosk-style device can be set up to allow only a single app or multiple apps.
3. Android Open Source Project (AOSP)
The AOSP is an open-source operating system development project maintained by Google. Being open-source, anyone is free to review and contribute code and fixes to the project repository. … As well as being open to contributions, the Android Open Source Project is free to use and alter under an open-source license.
Android Device Admin is a legacy management solution.
In 2010, Google released Android 2.2 (Froyo) with the ability to support the management of mobile devices via Android Device Administrator.
In the decade since, remote work rose by 400%, along with the overall needs of the enterprise, especially as they relate to mobile device usage. Consider:
In 2010, less than 60% of employees brought personal phones and tablets to work. Today, nearly 70% of workers utilize Bring Your Own Device (BYOD) in some way.
It took just three years (2011 to 2014) for companies embracing BYOD to grow from 25% to 90%.
In 2010, approximately nine billion apps were downloaded worldwide. In 2011, it jumped to 29 billion. In 2019, over 200 billion apps were downloaded globally.
As enterprise mobility became more complex, the Android Device Admin application programming interface (API) was being asked to do more than it could.
Android Enterprise supports far more deployment scenarios and provides better security, privacy and configuration options on Android devices.
The launch of Android 5 (Lollipop) in 2014 introduced Android Enterprise with Fully Managed Device (Device Owner) and Work Profile (Profile Owner) modes. Since then, Device Admin has been considered legacy Android management.
Android Enterprise supports the separation of data in a BYOD scenario.
Android Enterprise features enhanced app management through Managed Google Play, which was not available in Device Admin.
Device Admin only partially supports VPN, whereas Android Enterprise offers full support through its configuration abilities via managed configurations.