Set up Intune enrollment of Android Enterprise fully managed devices

Android Enterprise fully managed devices are corporate-owned devices associated with a single user and used exclusively for work and not personal use. Admins can manage the entire device and enforce policy controls unavailable to personally-owned/corporate-owned work profiles, such as:

  • Allow app installation only from Managed Google Play.
  • Block uninstallation of managed apps.
  • Prevent users from factory resetting devices, and so on.

Microsoft Intune helps you deploy apps and settings to Android Enterprise devices, including Android Enterprise fully managed devices. For specific details about Android Enterprise, see Android Enterprise requirements.

Technical requirements

You must have an Intune standalone tenant to manage Android Enterprise fully managed devices. Devices must meet these requirements to be managed as an Android Enterprise fully managed device:

  • Android OS version 8.0 and above.
  • Devices must run a build of Android that has Google Mobile Services (GMS) connectivity. Devices must have GMS available and must be able to connect to GMS.

There is no restriction on device manufacturer/OEM if the above requirements are met.

Set up Android Enterprise fully managed device management

To set up Android Enterprise fully managed device management, follow these steps:

  1. To prepare to manage mobile devices, you must set the mobile device management (MDM) authority to Microsoft Intune. You set this item only once, when you're first setting up Intune for mobile device management.
  2. Connect your Intune tenant account to your Android Enterprise account.
  3. Enable corporate-owned user devices.
  4. Enroll the fully managed devices.

Enable corporate-owned user devices

  1. Sign in to the Microsoft Intune admin center and choose Devices > Android > Android enrollment > Corporate-owned, fully managed user devices.
  2. Under Allow users to enroll corporate-owned user devices, choose Yes.


If you have an Azure AD Conditional Access policy that uses the "require a device to be marked as compliant" Grant control, or a Block policy, and that policy applies to All Cloud apps, Android, and Browsers, you must exclude the Microsoft Intune cloud app from it. This is because the Android setup process uses a Chrome tab to authenticate your users during enrollment. For more information, see Azure AD Conditional Access documentation.

When this setting is set to Yes, it provides you with an enrollment token (a random string) and a QR code for your Intune tenant. This single enrollment token is valid for all your users and won't expire. Depending on the Android OS and version of the device, you can use either the token or QR code to enroll the device.
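One way to find the Conditional Access policies that need the Microsoft Intune exclusion described above, as an added example that is not part of the original article. It assumes policies exported in the shape of Microsoft Graph conditionalAccessPolicy objects; the sample policies are constructed, the function names are hypothetical, and the `INTUNE_APP_ID` value is an assumption to confirm against your own tenant.

```python
# Constructed data shaped like Microsoft Graph conditionalAccessPolicy objects.
# Assumption: INTUNE_APP_ID is the Microsoft Intune cloud app's ID; confirm it in your tenant.
INTUNE_APP_ID = "0000000a-0000-0000-c000-000000000000"

def _targets(values, wanted):
    """True if a Graph condition list names `wanted` or the 'all' wildcard."""
    lowered = {v.lower() for v in values or []}
    return wanted in lowered or "all" in lowered

def blocks_enrollment(policy, intune_app_id=INTUNE_APP_ID):
    """True if an enforced policy matches the conditions above without excluding Intune."""
    if policy.get("state") != "enabled":  # report-only and disabled policies are not enforced
        return False
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    if not {"compliantDevice", "block"} & set(controls):
        return False
    cond = policy.get("conditions") or {}
    apps = cond.get("applications") or {}
    platforms = cond.get("platforms")
    if not _targets(apps.get("includeApplications"), "all"):
        return False
    if platforms is not None and (  # no platform condition means every platform
            not _targets(platforms.get("includePlatforms"), "android")
            or _targets(platforms.get("excludePlatforms"), "android")):
        return False
    if not _targets(cond.get("clientAppTypes"), "browser"):
        return False
    excluded = {a.lower() for a in apps.get("excludeApplications") or []}
    return intune_app_id.lower() not in excluded

def _sample(name, controls, excluded=(), platforms=None, clients=("all",), state="enabled"):
    """Build one constructed policy that targets all cloud apps."""
    return {"displayName": name, "state": state,
            "grantControls": {"builtInControls": list(controls)},
            "conditions": {"applications": {"includeApplications": ["All"],
                                            "excludeApplications": list(excluded)},
                           "platforms": platforms, "clientAppTypes": list(clients)}}

SAMPLE_POLICIES = [
    _sample("Compliant device, all apps", ["compliantDevice"]),
    _sample("Compliant device, Intune excluded", ["compliantDevice"], excluded=[INTUNE_APP_ID]),
    _sample("Block Android browsers", ["block"],
            platforms={"includePlatforms": ["android"]}, clients=["browser"]),
    _sample("Report-only compliance", ["compliantDevice"], state="enabledForReportingButNotEnforced"),
    _sample("MFA for all apps", ["mfa"]),
]

def audit(policies):
    """Names of policies that still need the Microsoft Intune exclusion."""
    return [p["displayName"] for p in policies if blocks_enrollment(p)]
```

Calling `audit(SAMPLE_POLICIES)` returns the names of the two constructed policies that would interrupt the Chrome-tab sign-in during enrollment.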

Enroll the fully managed devices

You can now enroll your fully managed devices. Enrollment with device enrollment manager (DEM) accounts is not supported.
