With Android Enterprise, Google raises the bar for management of mobile devices and services. Additional management capabilities and improved consistency across the Android ecosystem enable you to confidently deploy Android devices in your enterprise. From the enterprise mobility management (EMM) perspective, Android Enterprise replaces legacy Device Administration API (referred to as device admin in this article) to provide enhanced privacy, security, and management capabilities for company-owned and bring-your-own devices alike. Microsoft is one of the first EMM vendors to embrace Google’s cloud services architecture for Android Enterprise. Known as Android Management API, it streamlines design and deployment of management solutions to enable Intune to release the available platform features at a more consistent pace. Microsoft supports the Google recommendation that all partners and customers move off of device admin management, since Google has announced that they will be removing device admin capabilities in the near future. In this article, we explore the paths that Microsoft Intune customers may choose to plan their Android management.
How can Microsoft Intune simplify my transition to Android Enterprise?
Microsoft Intune offers flexible device management options for Android Enterprise so you can select the right management approach for different use cases and scenarios relevant to your organization. Typically, Android devices fall into two groups:
- personal devices used for work, also known as bring-your-own devices (BYOD), or
- company owned devices delivered by IT.
This simplified flowchart provides a high-level overview of the flexible alternatives.
Some organizations allow employees to use the same device for personal use and work apps. Microsoft helps them deliver a great user experience that adapts to employees’ individual work styles for the highest productivity, without compromising security. Organizations have a key stake in protecting any corporate data that is viewed or stored on personal devices in the form of emails, calendar, documents, and certain apps. Depending on your organizational needs, you may require enrollment of devices for access to work data or you may choose to manage corporate data and apps without enrollment of the device itself. For the former use-case, Intune supports Android Work Profile, which requires users to enroll and provides certain device-level controls for IT administrators. If you don’t need the device management capabilities, you may instead deploy Intune app protection policies (APP) that manage the corporate identities and protect corporate data on devices without enrollment
For company owned devices, IT administrators can apply extensive policies with Microsoft Intune to configure the settings, security, and availability of apps and resources on the device. Intune supports the Android Enterprise dedicated device mode, designed for locked-down kiosk-style use cases where the device is not associated with a specific user identity. Dedicated device mode provides IT the ability to control the use of the keyboard, camera, push apps and updates, and restrict access to settings or other parts of the software in certain employee or customer-facing scenarios such as kiosks, digital signage, point-of-sale devices, and handhelds. Early next year, Intune will introduce the Android Enterprise fully managed capabilities for company owned devices, which give IT control over the device while leveraging identity-driven features such as conditional access policies, email and calendar support (including Microsoft Outlook for Android), personalization, and so on.
With any of these Android Enterprise device management modes, IT admins can take advantage of app lifecycle management features with Managed Google Play. Managed Google Play provides a substantial set of improvements in app management compared to what is available with device admin. Some of the benefits of using Managed Google Play for your corporate app store:
- Push managed apps – deploy required/mandatory apps to users without requiring that they perform any steps. Deploy the app from the Intune console, and it will install automatically on the device
- Unified app experience – the end user experience for apps is now the same regardless of whether you are managing an app in the public Play Store or a private line of business app.
- Enhanced security – end users no longer have to enable installations from unknown sources to install apps. This is more secure than the earlier approach, and improves the end users experience.
Let’s dig a little deeper to understand which approach meets your organization needs.
Modern management of BYO devices
Microsoft Intune supports two management modes for bring-your-own devices: Work profiles and Intune app ppolicies.
Work Profile management when users enroll their devices
Work profile mode is suitable for BYOD deployments where you require device level controls push deployed apps, device PIN code (at the device or work profile level), certificate management, or Wi-Fi and VPN configuration. In this mode, the end user initiates enrollment which creates a work profile on the device. This work profile is manageable by IT, and it sits alongside the user’s personal profile. The end user has complete privacy of personal apps and data, since they reside in a separate space from the IT managed work profile. IT has the ability to install certificates and install required apps in the work profile. The separation between apps in the personal profile and the corporate apps in the work profile is enforced at the OS level.
Learn more about how to set up enrollment of Work Profile devices and see the user flow for Work Profile enrollment. If you use Microsoft System Center Configuration Manager for hybrid mobile device management, while we support enablement of Work Profile enrollment in Configuration Manager, we do recommend that you look to move away from hybrid mobile device management instead. This will allow you to leverage all of Android Enterprise supported by Intune.
Intune app protection policy (APP) management with or without device enrollment
For scenarios where you do not require device level controls or have a set of users that may not enroll their devices for management, you can use Intune’s app protection policies to manage only the corporate identities and corporate data on a device without managing the device itself. This provides you with the data protection you require for your corporate data, but with the lightest touch and smallest management footprint on the device. This capability is available across all releases of Android 4.4 and up and is not affected by the coming discontinuance of device admin management. By implementing app-level policies, you can prevent company data from saving to untrusted cloud storage locations (“Prevent Save As”) or from being shared to other apps that aren’t protected by app protection policies (“Restrict cut, copy, and paste”). You can require a PIN to open an app in a work context, block managed apps from running on rooted devices, and selectively wipe company data from managed apps.
Learn how to create and assign app protection polices and review the specific Android settings. Intune app protection policies provide maximum device management flexibility by protecting your company’s data independent of any mobile-device management (MDM) solution, whether devices are enrolled with Intune, enrolled with a 3rd party MDM, or not enrolled in any MDM.
Modern management of corporate-owned devices
Microsoft Intune supports several management modes for Android Enterprise corporate devices.
Android Enterprise dedicated device management
Dedicated device management for kiosk-type Android Enterprise devices is one of the fastest growing use-cases for Intune management, as it allows IT to enable kiosk-type scenarios to any Android Enterprise devices. In the past, this was restricted to device manufacturer specific extension to Android device admin management. IT admins lock down the usage of devices for a limited set of apps and web links and prevents users from adding other apps or taking other actions on the device. Devices that are managed in this way are enrolled in Intune without a user account and aren’t associated with any end user. They’re not intended for personalized applications or apps, such as Outlook or OneDrive, that inherit policies based on user identity. For specific employees and customer-facing scenarios, IT requires a robust solution where devices can be shipped thousands of miles away, be plugged in by line-of-business staff, and start working without any on-site technical support. With Intune, these devices are easy to provision, to push a set of apps and keep them updated, and configure remotely. Note that devices will need to be factory reset to be enrolled into this mode
If you are currently using the Samsung Knox settings for kiosk devices, you may transition to this method for Android Enterprise support.
Learn about the different enrollment methods available to set up Android kiosk-style devices and manage them remotely.
Android Enterprise fully managed device mode
The fully managed device mode is usually suitable for information worker devices that are provided by the company and associated with individual user identities. Device and app management capabilities in this mode exceed the current capabilities under an equivalent device admin mode. User-oriented features such as conditional access are available with this mode, and they are tailored for conventional productivity scenarios such as calls, messaging, email, app store access, and so on. With the addition of this capability, corporate device administrators will get to choose the extent of Android Enterprise management appropriate for different departments and users within the organization. Watch for the public preview rolling out soon.
Shift with confidence to modern management
Now is the time to prepare your organization to adopt the higher security requirements and wider variety of use cases available in the Android Enterprise ecosystem. Microsoft offers a variety of resources and support tools to help you in this journey. Start by using Microsoft FastTrack to plan your cloud deployment; the service is included in most Microsoft subscriptions.
Customers with eligible subscriptions to Microsoft 365, Microsoft Enterprise Mobility + Security (EMS) or Microsoft Intune can use FastTrack at no additional cost for the life of their subscription. Whether you are a customer or a partner, FastTrack provides customized guidance for onboarding and adoption, including access to Microsoft engineering expertise, best practices, tools, and resources so you can leverage existing resources instead of creating new ones.
More info and feedback
Learn how to get started with Microsoft Intune with our detailed technical documentation. If you missed Microsoft Ignite, check out these excellent Android migration tips (video) by product managers Chris Baldwin and Saud Al-Mishari.
Don’t have Microsoft Intune? Start a free trial or buy a subscription today!
Source: EM+S Blog Feed