Set up Intune enrollment of Android Enterprise fully managed devices
Android Enterprise fully managed devices are corporate-owned devices associated with a single user and used exclusively for work and not personal use. Admins can manage the entire device and enforce policy controls unavailable to personally-owned/corporate-owned work profiles, such as:
- Allow app installation only from Managed Google Play.
- Block uninstallation of managed apps.
- Prevent users from factory resetting devices, and so on.
Intune helps you deploy apps and settings to Android Enterprise devices, including Android Enterprise fully managed devices. For specific details about Android Enterprise, see Android Enterprise requirements.
You must have an Intune standalone tenant to manage Android Enterprise fully managed devices. Fully managed device management isn't available in the legacy Silverlight management console.
Devices must meet these requirements to be managed as an Android Enterprise fully managed device:
- Android OS version 8.0 and above.
- Devices must run a build of Android that has Google Mobile Services (GMS) connectivity. Devices must have GMS available and must be able to connect to GMS.
There is no restriction on device manufacturer/OEM if the above requirements are met.
Set up Android Enterprise fully managed device management
To set up Android Enterprise fully managed device management, follow these steps:
- To prepare to manage mobile devices, you must set the mobile device management (MDM) authority to Microsoft Intune. You set this item only once, when you're first setting up Intune for mobile device management.
- Connect your Intune tenant account to your Android Enterprise account.
- Enable corporate-owned user devices
- Enroll the fully managed devices.
Enable corporate owned user devices
- Sign in to the Microsoft Endpoint Manager admin center and choose Devices > Android > Android enrollment > Corporate-owned, fully managed user devices.
- Under Allow users to enroll corporate-owned user devices, choose Yes.
If you have an Azure AD Conditional Access policy defined that uses the require a device to be marked as compliant Grant control or a Block policy and applies to All Cloud apps, Android, and Browsers, you must exclude the Microsoft Intune cloud app from this policy. This is because the Android setup process uses a Chrome tab to authenticate your users during enrollment. For more information, see Azure AD Conditional Access documentation.
When this setting is set to Yes, it provides you with an enrollment token (a random string) and a QR code for your Intune tenant. This single enrollment token is valid for all your users and won't expire. Depending on the Android OS and version of the device, you can use either the token or QR code to enroll the device.
Enroll the fully managed devices
You can now enroll your fully managed devices (but not when using DEM accounts).
Submit and view feedback for