Set up enrollment of Android Enterprise personally-owned work profile devices

Set up enrollment for bring-your-own-device (BYOD) and personal device scenarios using the Android Enterprise personally-owned work profile management solution. During enrollment, a work profile is created on the device to house work apps and work data. The work profile can be managed by Microsoft Intune policies. Personal apps and data stay separate in another part of the device and remain unaffected by Intune.

For more information about Android Enterprise work profile features, see Work profiles (opens Android Enterprise Help).


Set up enrollment

Complete these steps to set up enrollment for Android Enterprise devices in BYOD scenarios.


Device enrollment managers can enroll up to 10 devices per account.

  1. Sign in to the Microsoft Intune admin center.

  2. Go to Devices > Enrollment device platform restrictions to set up enrollment restrictions. By default, Android Enterprise work profile is marked as allowed for personal devices enrolling in Intune. You can allow or block enrollment in device platform restrictions. Your options:

    • Block: Personal devices that enroll will use the Android device administrator management solution, unless device administrator enrollment is also blocked.
    • Allow (set by default): Personal devices that support the work profile management solution will enroll with a work profile. Android devices that don't support Android Enterprise are enrolled using the Android device administrator solution, unless device administrator enrollment is blocked.

    Any device that supports Android Enterprise personal work profiles also supports the Android device administrator management solution. If you don't want Android device administrator to be part of enrollments, make sure to block the Android device administrator platform as well. For more information, see device platform restrictions.


    Today, Android Enterprise work profile management for personal devices is allowed by default. In policies configured before July 2019 without any changes, the default setting blocks Android Enterprise work profile management.

  3. Communicate enrollment steps to device users. Users typically don't like enrolling themselves, and may not be familiar with the Company Portal app. Be sure to provide guidance, including what information to enter. For some guidance on communicating with your users, see Planning guide: Step 5 - Create a rollout plan.

    Users must be signed in to the primary user account on their device when enrolling. Enrollment is not supported on secondary user accounts. Personal devices previously enrolled with Android device administrator can unenroll, and then re-enroll using the work profile solution.


    You can remotely return a device to a state where it's ready to enroll again by using the Retire function in the admin center. To use this remote action, go to Devices > All devices, and select a device. For more information, see Retire Android device administrator.

    For more information and screenshots of the end user experience, see Enroll device with Android work profile in the Intune user help docs.
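
The allow/block interaction described in step 2, as an added example (not Microsoft's code): it evaluates exported enrollment restriction policies and lists those where a personal device can still end up on Android device administrator. It assumes the export uses the Microsoft Graph `androidForWorkRestriction` and `androidRestriction` objects with `platformBlocked` and `personalDeviceEnrollmentBlocked`; the sample policies and function names are constructed for illustration.

```python
import json

# Constructed sample export, not from a real tenant. Field names are assumed to
# follow the Graph deviceEnrollmentPlatformRestrictionsConfiguration resource.
SAMPLE_EXPORT = json.loads("""[
 {"displayName": "Default",
  "androidForWorkRestriction": {"platformBlocked": false, "personalDeviceEnrollmentBlocked": false},
  "androidRestriction": {"platformBlocked": false, "personalDeviceEnrollmentBlocked": false}},
 {"displayName": "Work profile blocked",
  "androidForWorkRestriction": {"platformBlocked": true, "personalDeviceEnrollmentBlocked": false},
  "androidRestriction": {"platformBlocked": false, "personalDeviceEnrollmentBlocked": false}},
 {"displayName": "Work profile only",
  "androidForWorkRestriction": {"platformBlocked": false, "personalDeviceEnrollmentBlocked": false},
  "androidRestriction": {"platformBlocked": false, "personalDeviceEnrollmentBlocked": true}}
]""")

def path_blocked(restriction):
    """True if a personal device cannot use this platform entry.
    A missing entry is treated as allowed (assumption for this example)."""
    r = restriction or {}
    return bool(r.get("platformBlocked") or r.get("personalDeviceEnrollmentBlocked"))

def effective_enrollment(policy, supports_work_profile):
    """Management solution a personal device ends up with under this policy."""
    wp_blocked = path_blocked(policy.get("androidForWorkRestriction"))
    da_blocked = path_blocked(policy.get("androidRestriction"))
    if supports_work_profile and not wp_blocked:
        return "work_profile"
    # Work profile is unavailable: the device falls back to device
    # administrator unless that platform is blocked too.
    return "blocked" if da_blocked else "device_administrator"

def audit(policies):
    """Names of policies where device administrator enrollment is still reachable."""
    flagged = []
    for policy in policies:
        outcomes = {effective_enrollment(policy, s) for s in (True, False)}
        if "device_administrator" in outcomes:
            flagged.append(policy["displayName"])
    return flagged

if __name__ == "__main__":
    for name in audit(SAMPLE_EXPORT):
        print(f"Device administrator fallback possible: {name}")
```
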

Data shared with Google

Microsoft Intune shares certain user and device information with Google when Android Enterprise device management is enabled. For more information, see Data Intune sends to Google.
