Intune provides the following device management solutions/methods for Android:
1. Android device admin
Android device admin is a legacy management solution.
In 2010, Google™ released Android 2.2 (Froyo) with the ability to support the management of mobile devices via Android™ Device Administrator.
In the decade since, remote work rose along with the overall needs of the enterprise, enterprise mobility became more complex, and the Android Device Admin application programming interface (API) was being asked to do more than it could.
2. Android Enterprise
Android Enterprise supports far more deployment scenarios and provides better security, privacy and configuration options on Android devices.
This is a Google-led initiative to enable the use of Android devices and apps in the workplace. The program offers APIs and other tools for developers to integrate support for Android into their enterprise mobility management (EMM) solutions.
Refer to "Android device administrator vs Android Enterprise" for more differences between Device Admin and Android Enterprise.
Android Enterprise enrollment types:
- Android Enterprise Personally-owned Work Profile (BYOD)
- Android Enterprise Corporate-owned Work Profile (COPE)
- Android Enterprise Fully Managed (COBO – Company Owned/Business Only) - Intended to be shared by more than one user.
- Android Enterprise Dedicated Devices (COSU – corporate-owned, single-use)
Prerequisites:
1. A Managed Google Play account needs to be connected to the Intune tenant.
To enroll your Android device with Android Enterprise, you must connect your Intune tenant account to your Managed Google Play account. Refer to "Connect your Intune tenant to Managed Google Play account" to connect the Managed Google Play account to your Intune tenant.
2. Devices must:
Run an Android build that has Google Mobile Services connectivity.
Have Google Mobile Services available and be able to connect to it.
Setup:
1. Android Enterprise Personally-owned Work Profile (BYOD)
Use personally-owned devices with work profiles to manage corporate data and apps on user-owned Android devices.
Setup:
By default, enrollment of personally-owned work profile devices is enabled, so no further action is required.
Device Enrollment experience:
2. Android Enterprise Corporate-owned, Fully Managed user devices (COBO)
With this management mode the IT Admin takes full control of the device, unlike with work profiles.
This enrollment method can be used to enroll and manage corporate-owned devices. A fully managed device is associated with a single user and is intended for work, not personal use.
Setup:
1. Create a new Enrollment Profile:
Go to Devices -> Android -> Android Enrollment
Tap on Corporate owned, fully managed user devices.
Click on Create Profile
Put the Name and the Description
Select the Scope Tag (Optionally, apply any desired scope tags) and then select Next.
Click on Create button.
An enrollment token will be created. During enrollment this token is needed to let the users scan the code and enroll their device.
2. Create a dynamic security group with the following rule:
Property: enrollmentProfileName
Operator: Equals
Value: Enter the name of the enrollment profile you created
3. Create a Device Restriction Profile (check the options available for Corporate owned fully managed) and assign it to the security group
4. Create a Device Owner Compliance policy (Since the second preview of Corporate owned, fully managed user devices the Device Owner Compliance policy option is available.)
5. Approve and assign Android and other applications
Device enrollment experience: Corporate owned, fully managed user devices (COBO) - Device enrollment experience for end user
Note: Requires Android 8.0 or higher.
Installation of applications is done without the need for a (personal) Google Play account. You're signed in to the Google Play store with a Google for Work account automatically.
3. Android Enterprise Corporate-owned with work profile (COPE)
This is the latest addition to the Android enrollment options in Intune. Using this profile, you can enable personal use on corporate-owned Android devices.
Features:
Required apps can be installed without interaction of the end-user in the work profile.
All company contacts, data and apps are stored in the work profile.
App protection policies are not required but can be added for additional protection.
Outlook Company contacts are searchable and incoming numbers are recognized.
The entire device can be wiped.
Setup:
1. Create a new Enrollment Profile:
Go to Devices -> Android -> Android Enrollment
Tap on Corporate owned devices with work profile
Click on Create Profile
Give your profile a recognizable and unique name. Fill in a description (optional) and press “Next”.
Select the Scope Tag (Optionally, apply any desired scope tags) and then select Next.
Review your settings and press Create to create the enrollment profile.
An enrollment token will be created. During enrollment this token is needed to let the users scan the code and enroll their device.
2. Create a dynamic security group
3. Create a Device Restriction Profile (check the options available for COPE) and assign it to the security group
4. Create a Device Compliance policy
5. Approve and assign Android and other applications
Device enrollment experience: Corporate-owned with work profile (COPE) - End User Device Enrollment Experience
Note: Requires Android 8.0 or higher.
Installation of applications is done without the need for a (personal) Google Play account. You're signed in to the Google Play store with a Google for Work account automatically.
4. Android Enterprise Corporate Owned Dedicated Devices (COSU)
This mode is used for dedicated devices which are fully managed, but not assigned to a user.
Those devices are used for a single purpose, like ticket printing for example.
Setup:
1. Create an enrollment profile
Go to Devices -> Android -> Android Enrollment
Tap on Corporate owned dedicated devices.
Click on Create Profile
Give your profile a recognizable and unique name. Fill in a description (optional)
Choose the type of token you want to use to enroll dedicated devices. (Note: A corporate-owned dedicated device token enrolls devices into a userless state. The token with Azure AD shared mode does the same but also deploys the Microsoft Authenticator app and puts the devices in shared mode so that users can have an easier sign-in/sign-out experience when using apps that are integrated with the Azure AD Microsoft Authentication Library and global sign-in/sign-out calls.)
Set the expiration date for this token (The selected date can be a maximum of 65 years from the date of profile creation) and press “Next”.
Select the Scope Tag (Optionally, apply any desired scope tags) and then select Next.
Review your settings and press Create to create the enrollment profile.
An enrollment token will be created. During enrollment this token is needed to let the users scan the code and enroll their device.
Open the Profile and Click the Token tab. Here you will find the token and QR Code you need during enrollment.
2. Create dynamic security group
3. Create a Device Restriction Profile (check the options available for Corporate owned dedicated devices) and assign it to the security group
Note – Creating and assigning a device restrictions policy is optional when using dedicated Android devices as those devices are already locked down by default.
4. Approve and assign Android applications
End-user experience: Corporate-owned dedicated devices (COSU) - End User Device Enrollment Experience
Note: Requires Android 8.0 or higher.
Create a kiosk-style device, which further locks down the Android device. A kiosk-style device can be set up to allow only a single app or multiple apps.
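The dynamic security group step in the COBO, COPE and COSU setups above (Property enrollmentProfileName, Operator Equals) can be written out as rule syntax and as a Microsoft Graph group-creation request body. This is an added example, not part of the original article; the profile names and the group naming scheme are constructed assumptions, and the request bodies are only built and printed, not sent.

```python
import json
import re

GRAPH_GROUPS_URL = "https://graph.microsoft.com/v1.0/groups"  # POST target

# Constructed enrollment profile names (assumption): use the names you created.
SAMPLE_PROFILES = ["AE-COBO-FullyManaged", "AE-COPE-WorkProfile", "AE-COSU-Kiosk"]

# Quotes, backticks and backslashes would need escaping inside the quoted rule
# value; refusing them keeps a profile name from altering the rule's logic.
UNSAFE = re.compile(r'["\'`\\]')

def membership_rule(profile_name: str) -> str:
    """Property: enrollmentProfileName, Operator: Equals, Value: profile name."""
    name = profile_name.strip()
    if not name:
        raise ValueError("enrollment profile name is empty")
    if UNSAFE.search(name) or any(ord(c) < 32 for c in name):
        raise ValueError(f"rename the profile, unsafe character in {profile_name!r}")
    # -eq (exact match) rather than -contains or -startsWith, so the group
    # cannot pick up devices from a similarly named enrollment profile.
    return f'(device.enrollmentProfileName -eq "{name}")'

def group_payload(profile_name: str) -> dict:
    """Request body for a dynamic device security group (naming is an assumption)."""
    name = profile_name.strip()
    return {
        "displayName": f"Android - {name}",
        "description": f"Devices enrolled with enrollment profile {name}",
        "mailEnabled": False,
        "mailNickname": re.sub(r"[^A-Za-z0-9]", "", name)[:64] or "androidEnrollment",
        "securityEnabled": True,
        "groupTypes": ["DynamicMembership"],
        "membershipRule": membership_rule(name),
        "membershipRuleProcessingState": "On",
    }

def build_all(profiles=SAMPLE_PROFILES) -> list:
    # Rule string comparisons are case-insensitive, so names that differ only
    # by case would place the same devices in two groups.
    if len({p.strip().lower() for p in profiles}) != len(profiles):
        raise ValueError("profile names collide when compared case-insensitively")
    return [group_payload(p) for p in profiles]

if __name__ == "__main__":
    for body in build_all():
        print("POST", GRAPH_GROUPS_URL)
        print(json.dumps(body, indent=2))
```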
3. Android Open Source Project (AOSP)
The AOSP is an open-source operating system development project maintained by Google. Being open-source, anyone is free to review and contribute code and fixes to the project repository. … As well as being open to contributions, the Android Open Source Project is free to use and alter under an open-source license.