Android Enterprise security configuration framework

The Android Enterprise security configuration framework is a series of recommendations for device compliance and configuration policy settings. These recommendations help you tailor your organization's mobile device security protection to your specific needs, and include:

  • Device enrollment restrictions for personally owned work profile.
  • App configuration policies for fully managed devices.
  • Basic and high-level security settings for personally owned work profile.
  • Basic, enhanced, and high-level security settings for fully managed devices.

The security framework provides recommendations for the following Android Enterprise management solutions:

  • Fully managed: Corporate-owned devices, associated with a single user, used exclusively for work and not personal use.
  • Personally-owned work profile and corporate-owned work profile: User-owned devices for BYOD scenarios; the work profile creates a clear boundary between work and personal data on the device.

Deployment methodology

Before deploying the framework, Microsoft recommends using a ring methodology for testing and validation. Defining deployment rings is generally a one-time event (or at least infrequent). However, IT should revisit these groups periodically to ensure that the sequencing is still correct.

Deployment ring approach

Microsoft recommends the following deployment ring approach for the framework:

| Deployment ring   | Tenant                | Assessment teams                                                        | Output                                                   | Timeline                              |
|-------------------|-----------------------|-------------------------------------------------------------------------|----------------------------------------------------------|---------------------------------------|
| Quality Assurance | Pre-production tenant | Mobile capability owners, Security, Risk Assessment, Privacy, UX        | Functional scenario validation, draft documentation      | 0-30 days                             |
| Preview           | Production tenant     | Mobile capability owners, UX                                            | End-user scenario validation, user-facing documentation  | 7-14 days, post Quality Assurance     |
| Production        | Production tenant     | Mobile capability owners, IT help desk                                  | N/A                                                      | 7 days to several weeks, post Preview |

All policy setting changes should first be applied in a pre-production environment to understand their implications. After testing is complete, move the changes into production and apply them to a subset of production users, the IT department, and other applicable groups. Finally, complete the rollout to the rest of the mobile user community. Rollout to production may take longer depending on the scale of the changes' impact. If there's no user impact, the change should roll out quickly. If there's user impact, rollout may need to go more slowly because the changes must be communicated to the user population.

When testing changes to Android Enterprise devices, be aware of the delivery timing. The status of compliance policies for devices can be monitored. For more information, see Monitor Intune device compliance policies and Monitor device profiles in Microsoft Intune.

Next steps

  1. Configure device enrollment restrictions for personal devices
  2. Configure app configuration policies
  3. Configure security settings for personal devices
  4. Configure security settings for fully managed devices