Skip to main content This browser is no longer supported. Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support. Deployment guide: Enroll Android devices in Microsoft Intune- Article
- 09/23/2022
- 14 minutes to read
In this articlePersonal and organization-owned devices can be enrolled in Intune. Once enrolled, they receive the policies and profiles you create. You have the following options when enrolling Android devices: - BYOD: Android Enterprise
personally owned devices with a work profile
- Android Enterprise corporate owned dedicated devices (COSU)
- Android Enterprise corporate owned fully managed (COBO)
- Android Enterprise corporate owned work profile
(COPE)
- Android Open Source Project (AOSP)
- Android device administrator (DA)
This article provides
recommendations on the Android enrollment methods. It also includes an overview of the administrator and user tasks for each enrollment type. For more specific information, see Enroll Android devices. There's also a visual guide of the different enrollment options for each platform:
Download PDF version | Download Visio versionTip This guide is a living thing. So, be sure to add or update existing tips and guidance
you've found helpful. Before you beginFor an overview, including any Intune-specific prerequisites, see Deployment guidance: Enroll devices in Microsoft Intune. BYOD: Android Enterprise personally owned devices with a work
profileThese devices are personal or BYOD (bring your own device) Android devices that access organization email, apps, and other data.
| Feature | Use this enrollment option when |
|---|
| Use Google Mobile Services (GMS).
| ✔️
| | Devices are personal or BYOD.
| ✔️ You can mark these devices as corporate or personal.
| | You have new or existing devices.
| ✔️
| | Need to enroll a few devices, or a large number of devices (bulk enrollment).
| ✔️
| | Devices are associated with a single user.
| ✔️
| | You use the optional device enrollment manager (DEM) account.
| ✔️
| | Devices are managed by another MDM provider.
| ❌ When a device enrolls, MDM providers install certificates and other files. These files must be removed. The quickest way may be to unenroll, or factory reset the devices. If you don't want to factory reset, then contact the MDM provider.
| | Devices are owned by the organization or school.
| ❌ Not recommended for organization-owned devices. Organization-owned devices should be enrolled using Android Enterprise fully managed (in this article), or using
Android Enterprise corporate owned work profile (in this article).
| | Devices are user-less, such as kiosk, dedicated, or shared.
| ❌ User-less or shared devices should be organization-owned. These devices should be enrolled using Android Enterprise dedicated devices.
|
Android Enterprise personally owned devices with a work profile administrator tasksThis task list provides an overview. For more specific information, see Set up enrollment of Android Enterprise personally owned work profile
devices. - Be sure your devices are supported.
- In the Endpoint Manager admin center, connect your Intune organization account to your Managed Google Play account. When you connect, Intune automatically adds the Company Portal app
and other common Android Enterprise apps to the devices. For the specific steps, see Connect your Intune account to your Managed Google Play account.
Android Enterprise personally owned devices with a work profile end user tasksYour users must
do the following steps. For the specific user experience, see enroll the device. Go to the Google Play store, and install the Company Portal app. Users open the Company Portal
app, and sign in with their organization credentials (). After they sign in, your enrollment profile applies to the device. Users may have to enter more information. For more specific steps, see enroll the device.
Users typically don't like enrolling themselves, and may not be familiar with the Company Portal app. Be
sure to provide guidance, including what information to enter. For some guidance on communicating with your users, see Planning guide: Task 5: Create a rollout plan. Android Enterprise dedicated devicesPreviously referred to as COSU. These devices are organization-owned,
and supported by Google’s Zero Touch. The only purpose is to be a kiosk-style device. They aren't associated with a single or specific user. These devices are commonly used to scan items, print tickets, get digital signatures, manage inventory, and more.
| Feature | Use this enrollment option when |
|---|
| Use Google Mobile Services (GMS).
| ✔️
| | Devices are owned by the organization or school.
| ✔️
| | You have new or existing devices.
| ✔️
| | Need to enroll a few devices, or a large number of devices (bulk enrollment).
| ✔️
| | Devices are user-less, such as kiosk, dedicated, or shared.
| ✔️
| | Devices are personal or BYOD.
| ❌ BYOD or personal devices should be enrolled using Android Enterprise personally owned devices with a work profile (in this article).
| | Devices are associated with a single user.
| ❌ Not recommended. These devices should be enrolled using Android Enterprise fully managed.
| | You use the optional device enrollment manager (DEM) account.
| ❌ The DEM account isn't supported.
| | Devices are managed by another MDM provider.
| ❌ To be fully managed by Intune, users need to unenroll from the current MDM provider, and then enroll in Intune.
|
Android Enterprise dedicated devices administrator tasksThis task list provides an overview. For more specific information, see Set up Intune enrollment of Android Enterprise dedicated devices. Be sure your devices are
supported. Factory reset the devices. This step is required. In the Endpoint Manager admin center, connect your Intune organization account to your Managed Google Play account. When you connect, Intune automatically adds
the Intune app and other common Android Enterprise apps to the devices. For the specific steps, see Connect your Intune account to your Managed Google Play account. In the Endpoint Manager admin center, create an enrollment profile,
and have your dedicated device group(s) ready. For the specific steps, see Set up Intune enrollment of Android Enterprise dedicated devices. Enroll the devices in Intune. For the specific steps, see
Enroll your Android Enterprise devices. On Samsung's Knox devices, you can automatically enroll a large number of Android Enterprise devices using Samsung Knox Mobile Enrollment (KME). For more information, see
Automatically enroll Android devices by using Samsung's Knox Mobile Enrollment.
Android Enterprise dedicated devices end user tasksAdmins can complete the enrollment themselves, and then give the devices to the users. Or, users can enroll the devices using the
following steps: - Users turn on the device, and are prompted for information, including the enrollment method: NFC, Token, QR Code, or Google Zero Touch.
- After they enter the required information, your enrollment profile applies to the device. When the enrollment wizard completes, the device is ready to use.
Users typically don't like enrolling themselves, and may not be familiar with the Company Portal app. Be sure to provide guidance, including what information to
enter. For some guidance on communicating with your users, see Planning guide: Task 5: Create a rollout plan. Android Enterprise fully managedPreviously referred to as COBO. These devices are organization-owned, and have one user. They're used exclusively for organization work;
not personal use.
| Feature | Use this enrollment option when |
|---|
| Use Google Mobile Services (GMS).
| ✔️
| | Devices are owned by the organization or school.
| ✔️
| | You have new or existing devices.
| ✔️
| | Need to enroll a few devices, or a large number of devices (bulk enrollment).
| ✔️
| | Devices are associated with a single user.
| ✔️
| | Devices are user-less, such as kiosk, dedicated, or shared.
| ❌ User-less devices should be enrolled using Android Enterprise dedicated devices.
| | Devices are personal or BYOD.
| ❌ BYOD or personal devices should be enrolled using Android Enterprise personally owned devices with a work profile (in this article).
| | Devices are managed by another MDM provider.
| ❌ To be fully managed by Intune, users need to unenroll from the current MDM provider, and then enroll in Intune.
| | You use the optional device enrollment manager (DEM) account
| ❌ The DEM account isn't supported.
|
Android Enterprise fully managed administrator tasksThis task list provides an overview. For more specific information, see Set up Intune enrollment of Android Enterprise fully managed devices. Be sure your devices are
supported. Factory reset the devices. This step is required. In the Endpoint Manager admin center, connect your Intune organization account to your Managed Google Play account. When you connect, Intune automatically adds
the Company Portal app and other common Android Enterprise apps to the devices. For the specific steps, see Connect your Intune account to your Managed Google Play account. In the Endpoint Manager admin center, enable fully managed
user devices. For the specific steps, see Set up Intune enrollment of Android Enterprise fully managed devices. Enroll the devices in Intune. For the specific steps, see Enroll your
Android Enterprise devices. Communicate to your users how they should enroll: Near Field Communication (NFC), Token, QR Code, Google Zero Touch, or Samsung Knox Mobile Enrollment (KME). Using Samsung Knox Mobile Enrollment (KME), you can automatically enroll a large number of Android Enterprise Samsung Knox devices. For more information, see
Automatically enroll Android devices by using Samsung's Knox Mobile Enrollment.
Android Enterprise fully managed end user tasksThe specific steps depend on how you configured the enrollment profile. For the specific user experience, see
enroll the device. Users turn on the device, and are prompted for information, including the enrollment method: NFC, Token, QR Code, or Google Zero Touch. They may be asked to sign in with their organization credentials (). After they enter the required information, your enrollment profile applies to the
device. Users may have to enter more information. For more specific steps, see enroll the device.
Users typically don't like enrolling themselves, and may not be familiar with the Company Portal app. Be sure to provide guidance, including what information to enter. For some guidance on communicating with your users,
see Planning guide: Task 5: Create a rollout plan. Android Enterprise corporate owned work profilePreviously referred to as COPE. These devices are organization-owned, and have one user. They're used for organization work, and allow personal use.
| Feature | Use this enrollment option when |
|---|
| Use Google Mobile Services (GMS).
| ✔️
| | Devices are owned by the organization or school.
| ✔️
| | You have new or existing devices.
| ✔️
| | Need to enroll a few devices, or a large number of devices (bulk enrollment).
| ✔️
| | Devices are associated with a single user.
| ✔️
| | Devices are user-less, such as kiosk, dedicated, or shared.
| ❌ User-less devices should be enrolled using Android Enterprise dedicated devices. Also, an organization administrator can enroll. When the device is enrolled, create a dedicated device profile, and assign this profile to this device.
| | Devices are personal or BYOD.
| ❌ BYOD or personal devices should be enrolled using Android Enterprise personally owned devices with a work profile (in this article).
| | Devices are managed by another MDM provider.
| ❌ To be fully managed by Intune, users need to unenroll from the current MDM provider, and then enroll in Intune.
| | You use the optional device enrollment manager (DEM) account.
| ❌ The DEM account isn't supported.
|
Android Enterprise corporate owned work profile administrator tasksThis task list provides an overview. For more specific information, see Set up Intune enrollment of Android Enterprise corporate owned work profile.
Be sure your devices are supported. Factory reset the devices. This step is required. In the Endpoint Manager admin center, connect your Intune organization account to your Managed Google Play account. When you
connect, Intune automatically adds the Company Portal app and other common Android Enterprise apps to the devices. For the specific steps, see Connect your Intune account to your Managed Google Play account. In the Endpoint Manager
admin center, enable corporate-owned personal profile devices. For the specific steps, see Set up Intune enrollment of Android Enterprise corporate-owned devices with work profile. Enroll the devices in Intune. For the specific steps, see
Enroll your Android Enterprise devices. Communicate to your users how they should enroll: Near Field Communication (NFC), Token, QR Code, Google Zero Touch, or Samsung Knox Mobile Enrollment (KME). Using Samsung Knox Mobile Enrollment (KME), you can automatically enroll a large number of Android Enterprise
Samsung's Knox devices. For more information, see Automatically enroll Android devices by using Samsung's Knox Mobile Enrollment. Android Enterprise corporate owned work profile end user tasksThe specific steps depend on how you configured the enrollment
profile. For the specific user experience, see enroll the device. Users turn on the device, and are prompted for information, including the enrollment method: NFC, Token, QR Code, or Google Zero Touch. They may be asked to sign in with their organization credentials (). After they enter the required
information, your enrollment profile applies to the device. Users may have to enter more information. For more specific steps, see enroll the device.
Users typically don't like enrolling themselves, and may not be familiar with the Company Portal app. Be sure to provide guidance, including what information to enter.
For some guidance on communicating with your users, see Planning guide: Task 5: Create a rollout plan. Android Open Source ProjectNote Currently, there's limited OEM support for this enrollment method. Also referred to as AOSP. These devices are
organization-owned, and don't use Google Mobile Services (GMS). They can be kiosk-style devices that aren't associated with a single or specific user, or can have one user. They're used exclusively for organization work; not personal use. When you create the Intune enrollment profile, you decide if the devices are userless, or are associated with a single user. For more information on these options, including supported OEMs, see: - Set up Intune enrollment for Android (AOSP) corporate-owned userless devices
- Set up Intune enrollment for Android (AOSP) corporate-owned user-associated devices
| Feature | Use this enrollment option when |
|---|
| Use Google Mobile Services (GMS).
| ❌ Device doesn't support GMS (opens Android's web site). Some countries don't support GMS. If your devices will use GMS, then use dedicated devices (in this article) or
fully managed (in this article) enrollment.
| | Devices are owned by the organization or school.
| ✔️
| | You have new or existing devices.
| ✔️
| | Need to enroll a few devices, or a large number of devices (bulk enrollment).
| ❌ Can only enroll one device at a time.
| | Devices are associated with a single user.
| ✔️
| | Devices are user-less, such as kiosk, dedicated, or shared.
| ✔️
| | Devices are personal or BYOD.
| ❌ Android Enterprise personally owned devices with a work profile (in this article) support GMS (opens Android's web site).
| | Devices are managed by another MDM provider.
| ❌ To be fully managed by Intune, users need to unenroll from the current MDM provider, and then enroll in Intune.
| | You use the optional device enrollment manager (DEM) account
| ❌ The DEM account isn't supported.
|
Android Open Source Project administrator tasksThis task list provides an overview. For more specific information, see enrollment for AOSP corporate-owned userless devices and
AOSP corporate-owned user-associated devices. Be sure your devices are supported. Factory reset the devices. This step is required. New devices might not
require a factory reset. In the Endpoint Manager admin center, create an enrollment profile, and have your device group(s) ready. For the specific steps, see: - AOSP corporate-owned userless devices
- AOSP corporate-owned user-associated devices
Enroll the devices in Intune. For the specific steps, see: - AOSP corporate-owned userless
devices
- AOSP corporate-owned user-associated devices
During enrollment, the Microsoft Intune app and Microsoft Authenticator app automatically install and open on the device, which allows the device to enroll. The device is locked in the enrollment process until enrollment completes.
Android Open Source Project end user tasksThe specific steps depend on how you configured the enrollment profile. Admins can complete the enrollment themselves, and then give the devices to the users. Or, users can enroll the devices using the following steps: Users turn on the device, and are prompted for information, including the enrollment method: QR Code. If you created a user-associated devices enrollment profile,
then they may be asked to sign in with their organization credentials (). If you created a userless devices enrollment profile, then wait for the enrollment wizard to complete. When it does, the device is ready to use. If you created a user-associated devices enrollment profile, then users enter the required information. Then, wait for the enrollment wizard to complete. For more specific steps, see
enroll the device.
Users typically don't like enrolling themselves, and may not be familiar with the Company Portal app. Be sure to provide guidance, including what information to enter. For some guidance on communicating with your users, see
Planning guide: Task 5: Create a rollout plan. Android device administratorThese Android devices are corporate, or personal/BYOD (bring your own device) devices that can access organization email, apps, and other data. Google is reducing device administrator support in new
Android releases. To avoid reduced functionality, Microsoft recommends: - Enroll new devices using Android Enterprise personally owned devices with a work profile (in this article). Don't enroll new devices using Android device administrator.
- Create a device
enrollment restriction to block device administrator enrollment. Android devices may try to enroll using device administrator before trying other enrollment methods. So, create the restriction to prevent this behavior. For more information, see Set enrollment restrictions.
- If devices will update to Android 10, then migrate devices off device
administrator management.
- Move existing Android device administrator devices to Android Enterprise personally owned devices with a work profile (in this article) or
corporate-owned work profiles (in this article). For more information, see Move Android devices from device administrator to work profile
management.
- By default, device administrator enrollment is blocked on new tenants.
There are some situations when you must use Device Administrator enrollment: Android Enterprise requires access to Google services. Google services may not be available because of geography, or because of the device manufacturer. For example: - There are places where Google services aren’t available, like China. In this situation, use Android device administrator
enrollment.
- Some devices are based on Android, but don't have access to Google Services, such as Microsoft Teams Android devices and Amazon Fire tablets. In this situation, use Android device administrator enrollment.
Android OS versions older than 5.0 must use Android device administrator enrollment. Android Enterprise enrollment isn't an option.
Next steps- MAM
- iOS/iPadOS enrollment guide
- macOS enrollment guide
- Windows enrollment guide
FeedbackSubmit and
view feedback for
Which category of software is created for the operation maintenance and security?
Which category of computer is generally meant to be used by only one person at a time?
A microcomputer is a computer that has a microprocessor chip (or multiple microprocessors) as its CPU. They are more commonly called personal computers because they are designed to be used by one person at a time.
Which software title allows users to create works that require complex layouts such as magazines and newspapers?
Adobe InDesign is a desktop publishing and page layout designing software application produced by Adobe Inc. and first released in 1999. It can be used to create works such as posters, flyers, brochures, magazines, newspapers, presentations, books and ebooks.
Introduction. The computer mouse (also called pointing device) is an important tool used to communicate with your computer. This tool allows you to point to objects on the computer screen, click and select them, or move them.
|
