Android Enterprise fully managed security configurations
As part of the Android Enterprise security configuration framework, apply the following settings for Android Enterprise fully managed mobile users. For more information on each policy setting, see Android Enterprise device owner settings to mark devices as compliant or not compliant using Intune and Android Enterprise device settings to allow or restrict features using Intune.
When choosing your settings, be sure to review and categorize usage scenarios. Then, configure users following the guidance for the chosen security level. You can adjust the suggested settings based on the needs of your organization. Make sure to have your security team evaluate the threat environment, risk appetite, and impact to usability.
For corporate-owned, fully managed devices, there are three recommended security configuration frameworks:
- Fully managed basic security (level 1)
- Fully managed enhanced security (level 2)
- Fully managed high security (level 3)
Administrators can incorporate the below configuration levels within their ring deployment methodology for testing and production use by importing the sample Android Enterprise Security Configuration Framework JSON templates with Intune's PowerShell scripts.
Fully managed basic security
Level 1 is the recommended minimum security configuration for mobile devices owned by the organization.
The policies in level 1 enforce a reasonable data access level while minimizing the impact to users. This is done by enforcing password policies, a minimum operating system version, SafetyNet device attestation, and disabling certain device functions (like USB file transfers).
Device compliance
To simplify the table below, only configured settings are listed. Undocumented device compliance settings are not configured.
Section | Setting | Value | Notes |
---|---|---|---|
Device Health | SafetyNet device attestation | Check basic integrity & certified devices | This setting configures Google's SafetyNet Attestation on end-user devices. Basic integrity validates the integrity of the device. Rooted devices, emulators, virtual devices, and devices with signs of tampering fail basic integrity. Basic integrity and certified devices validates the compatibility of the device with Google's services. Only unmodified devices that have been certified by Google can pass this check. |
Device Properties | Minimum OS version | Format: Major.Minor. Example: 9.0 | Microsoft recommends configuring the minimum Android major version to match the supported Android versions for Microsoft apps. OEMs and devices adhering to Android Enterprise recommended requirements must support the current shipping release + one letter upgrade. Currently, Android recommends Android 9.0 and later for knowledge workers. For Android's latest recommendations, see Android Enterprise Recommended requirements. |
Device Properties | Minimum security patch level | Not configured | Android devices can receive monthly security patches, but the release is dependent on OEMs and/or carriers. Organizations should ensure that deployed Android devices do receive security updates before implementing this setting. For the latest patch releases, see Android Security Bulletins. |
System Security | Require a password to unlock mobile devices | Require | |
System Security | Required password type | Numeric Complex | Organizations may need to update this setting to match their password policy. |
System Security | Minimum password length | 6 | Organizations may need to update this setting to match their password policy. |
System Security | Maximum minutes of inactivity before password is required | 5 | Organizations may need to update this setting to match their password policy. |
System Security | Encryption of data storage on device | Require | |
System Security | Intune app runtime integrity | Require | |
Actions for noncompliance | Mark device noncompliant | Immediately | By default, the policy is configured to mark the device as noncompliant. Additional actions are available. For more information, see Configure actions for noncompliant devices in Intune. |
Device restrictions
To simplify the table below, only configured settings are listed. Undocumented device restrictions are not configured.
Section | Setting | Value | Notes |
---|---|---|---|
General | Default permission policy | Device Default | |
General | Factory reset | Block | |
General | USB file transfer | Block | |
General | External media | Block | |
General | Data sharing between work and personal profiles | Device Default | |
System security | Threat scan on apps | Require | |
Device experience | Enrollment profile type | Fully managed | |
Device experience | Make Microsoft Launcher the default launcher | Not configured | Organizations may choose to implement Microsoft Launcher to ensure a consistent home screen experience on Fully managed devices. For more information, see How to Setup Microsoft Launcher on Android Enterprise Fully Managed Devices with Intune |
Device password | Required password type | Numeric Complex | |
Device password | Minimum password length | 6 | |
Device password | Number of sign-in failures before wiping device | 10 | |
Power settings | Time to lock screen | 5 | |
Users and Accounts | User can configure credentials | Block | |
Applications | Allow access to all apps in Google Play store | Not configured | By default, users cannot install personal apps from the Google Play Store on fully managed devices. If organizations would like to allow fully managed devices to be utilized for personal use, consider changing this setting. |
Applications | App auto-updates | Wi-Fi only | Organizations should adjust this setting as necessary as data plan charges may occur if app updates occur over the cellular network. |
Work profile password | Required password type | Numeric Complex | Organizations may need to update this setting to match their password policy. |
Work profile password | Minimum password length | 6 | Organizations may need to update this setting to match their password policy. |
Work profile password | Number of sign-in failures before wiping device | 10 | Organizations may need to update this setting to match their password policy. |
Fully managed enhanced security
Level 2 is the recommended configuration for company owned devices where users access more sensitive information. These devices are a natural target in enterprises today. These settings don't assume a large staff of highly skilled security personnel. Therefore, they should be accessible to most enterprise organizations. This configuration expands upon the configuration in Level 1 by enacting stronger password policies, and disabling user/account capabilities.
The level 2 settings include all the policy settings recommended for level 1. However, the settings listed below include only those settings that have been added or changed. These settings may have a slightly higher impact to users or to applications. They enforce a level of security more appropriate for risks facing users with access to sensitive information on mobile devices.
Device compliance
Section | Setting | Value | Notes |
---|---|---|---|
System Security | Number of days until password expires | 365 | Organizations may need to update this setting to match their password policy. |
System Security | Number of passwords required before user can reuse a password | 5 | Organizations may need to update this setting to match their password policy. |
Device restrictions
Section | Setting | Value | Notes |
---|---|---|---|
General | Factory reset protection emails | Google account email addresses | |
General | List of email addresses (Google account email addresses option only) | example@gmail.com | Manually update this policy to specify the Google email addresses of device administrators that can unlock the devices after they are wiped. |
Device password | Number of days until password expires | 365 | Organizations may need to update this setting to match their password policy. |
Device password | Number of passwords required before user can reuse a password | 5 | Organizations may need to update this setting to match their password policy. |
Device password | Number of sign-in failures before wiping device | 5 | |
Users and Accounts | Add new users | Block | |
Users and Accounts | User removal | Block | |
Users and Accounts | Personal Google Accounts | Block | |
Work profile password | Number of passwords required before user can reuse a password | 5 | Organizations may need to update this setting to match their password policy. |
Fully managed high security
Level 3 is the recommended configuration for both:
- organizations with large and sophisticated security organizations.
- specific users and groups who will be uniquely targeted by adversaries. Such organizations are typically targeted by well-funded and sophisticated adversaries. Therefore, they merit the additional constraints and controls listed below.
This configuration expands upon Level 2 by:
- ensuring that the device is compliant by enforcing the most secure Microsoft Defender for Endpoint or mobile threat defense level.
- increasing the minimum operating system version.
- enforcing additional device restrictions (like disabling unredacted notifications on lock screen).
- requiring apps to always be up-to-date.
The policy settings enforced in level 3 include all the policy settings recommended for level 2. The settings listed below include only those that have been added or changed. These settings may have significant impact to users or applications. They enforce a level of security more appropriate for risks facing targeted organizations.
Device compliance
Section | Setting | Value | Notes |
---|---|---|---|
Microsoft Defender for Endpoint | Require the device to be at or under the machine risk score | Clear | This setting requires Microsoft Defender for Endpoint. For more information, see Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune. Customers should consider implementing Microsoft Defender for Endpoint or a mobile threat defense solution. It is not necessary to deploy both. |
Device Health | Require the device to be at or under the Device Threat Level | Secured | This setting requires a mobile threat defense product. For more information, see Mobile Threat Defense for enrolled devices. Customers should consider implementing Microsoft Defender for Endpoint or a mobile threat defense solution. It is not necessary to deploy both. |
Device Properties | Minimum OS version | Format: Major.Minor. Example: 11.0 | Microsoft recommends configuring the minimum Android major version to match the supported Android versions for Microsoft apps. OEMs and devices adhering to Android Enterprise recommended requirements must support the current shipping release + one letter upgrade. Currently, Android recommends Android 9.0 and later for knowledge workers. For Android's latest recommendations, see Android Enterprise Recommended requirements. |
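The three device compliance tables above layer on each other: level 2 lists only what it adds to level 1, level 3 only what it adds to level 2, and the two level 3 threat-defense rows are alternatives (either Microsoft Defender for Endpoint or a mobile threat defense product satisfies the requirement). The following is an added example, not code from this page or from Microsoft, showing how an administrator could check an existing compliance policy against the merged baseline for a chosen level before rolling it through deployment rings. The baselines use the setting names from the tables; the SAMPLE_POLICY dict is constructed for the example and is assumed to have been mapped from an exported Intune compliance policy by the administrator. Settings where a stricter value is still acceptable (minimum OS version, minimum password length, inactivity timeout, expiry, reuse count) are compared directionally; everything else must match exactly.

```python
"""Baseline drift check for the Android Enterprise fully managed framework.

Added example, not code from the original page or from Microsoft. Baselines
are keyed by the setting names used in the compliance tables; the candidate
policy is a constructed dict assumed to have been built by the administrator
from an exported Intune compliance policy.
"""

# Level 1: baseline every corporate-owned fully managed device must meet.
LEVEL1 = {
    "SafetyNet device attestation": "Check basic integrity & certified devices",
    "Minimum OS version": "9.0",
    "Require a password to unlock mobile devices": "Require",
    "Required password type": "Numeric Complex",
    "Minimum password length": 6,
    "Maximum minutes of inactivity before password is required": 5,
    "Encryption of data storage on device": "Require",
    "Intune app runtime integrity": "Require",
}
# Levels 2 and 3 list only the settings they add or change.
LEVEL2 = {
    "Number of days until password expires": 365,
    "Number of passwords required before user can reuse a password": 5,
}
LEVEL3 = {"Minimum OS version": "11.0"}
LEVELS = {1: LEVEL1, 2: LEVEL2, 3: LEVEL3}

# Level 3 needs one of these two; the page notes that deploying both is unnecessary.
THREAT_DEFENSE_ALTERNATIVES = {
    "Require the device to be at or under the machine risk score": "Clear",
    "Require the device to be at or under the Device Threat Level": "Secured",
}

# "min": candidate must be >= baseline; "max": candidate must be <= baseline.
# Settings not listed here must match the baseline exactly.
DIRECTION = {
    "Minimum OS version": "min",
    "Minimum password length": "min",
    "Maximum minutes of inactivity before password is required": "max",
    "Number of days until password expires": "max",
    "Number of passwords required before user can reuse a password": "min",
}


def baseline_for(level):
    """Merge levels 1..level so later levels override earlier ones."""
    merged = {}
    for n in range(1, level + 1):
        merged.update(LEVELS[n])
    return merged


def _version_tuple(text):
    """'10.0' -> (10, 0); a plain string compare would rank '9.0' above '10.0'."""
    return tuple(int(part) for part in str(text).split("."))


def satisfies(setting, actual, expected):
    """True when the configured value meets or is stricter than the baseline."""
    direction = DIRECTION.get(setting)
    if direction is None:
        return actual == expected
    if setting == "Minimum OS version":
        actual, expected = _version_tuple(actual), _version_tuple(expected)
    return actual >= expected if direction == "min" else actual <= expected


def check_policy(policy, level):
    """Return findings; an empty list means the policy meets the given level."""
    findings = []
    for setting, expected in baseline_for(level).items():
        if setting not in policy:
            findings.append(f"{setting}: not configured (baseline {expected!r})")
        elif not satisfies(setting, policy[setting], expected):
            findings.append(
                f"{setting}: {policy[setting]!r} does not meet baseline {expected!r}"
            )
    if level >= 3 and not any(
        policy.get(s) == v for s, v in THREAT_DEFENSE_ALTERNATIVES.items()
    ):
        findings.append(
            "Threat defense: neither Defender for Endpoint risk score 'Clear' nor "
            "Device Threat Level 'Secured' is configured"
        )
    return findings


# Constructed sample: a level 1 style policy with two deliberate drifts
# (password length lowered to 4, OS floor raised to 10.0) and Defender for Endpoint.
SAMPLE_POLICY = {
    "SafetyNet device attestation": "Check basic integrity & certified devices",
    "Minimum OS version": "10.0",
    "Require a password to unlock mobile devices": "Require",
    "Required password type": "Numeric Complex",
    "Minimum password length": 4,
    "Maximum minutes of inactivity before password is required": 5,
    "Encryption of data storage on device": "Require",
    "Intune app runtime integrity": "Require",
    "Require the device to be at or under the machine risk score": "Clear",
}

if __name__ == "__main__":
    for lvl in (1, 2, 3):
        print(f"Level {lvl}:")
        for finding in check_policy(SAMPLE_POLICY, lvl) or ["meets baseline"]:
            print("  -", finding)
```

Running the sample reports the lowered password length at level 1, adds the missing expiry and reuse settings at level 2, and at level 3 also flags the 10.0 OS floor as below the 11.0 baseline while accepting the Defender for Endpoint row as the threat-defense alternative. Organizations that have tightened a value beyond the framework (for example, a 4-minute inactivity timeout) are not flagged, which is the behaviour the tables' notes about matching your own password policy call for.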
Device restrictions
Section | Setting | Value | Notes |
---|---|---|---|
General | Date and Time changes | Block | |
General | Tethering and access to hotspots | Block | |
General | Beam data using NFC | Block | |
General | Search work contacts and display work contact caller-id in personal profile | Block | |
Device password | Disabled lock screen features | Trust Agents, Unredacted Notifications | |
Applications | App auto-updates | Always | Organizations should adjust this setting as necessary as data plan charges may occur if app updates occur over the cellular network. |
Work profile password | Number of sign-in failures before wiping device | 5 | Organizations may need to update this setting to match their password policy. |
Next steps
Administrators can incorporate the above configuration levels within their ring deployment methodology for testing and production use by importing the sample Android Enterprise Security Configuration Framework JSON templates with Intune's PowerShell scripts.
- Configure device enrollment restrictions for personal devices
- Configure app configuration policies
- Configure security settings for personal devices
- 🡺 Configure security settings for fully managed devices (You are here)