Android Enterprise Enrollment Types in Intune

This post outlines the Android Enterprise enrollment options within Intune. Currently there are 3 types of Android Enterprise enrollment supported within Intune:

  • Work Profile (Commonly referred to as Android for Work)
  • Dedicated Device (Previously known as COSU)
  • Fully Managed Device (Previously known as COBO)

Work Profiles, Dedicated Device and Fully Managed Device sit within the Android Enterprise category.

So what is the difference?

Work Profile separates corporate and personal data on an Android phone. Intune controls only the “Work Profile”, which contains the corporate apps and data; the user manages the personal apps and data on the device. This is different from conventional Android enrollment (Device Admin), where Intune manages the whole device, so an administrator is able to factory reset the device and wipe both personal and corporate data.

Dedicated Device is a corporate enrollment method for shared devices without user affinity, i.e. digital signage or kiosk-style devices. Enrolling as a dedicated device must be done in the out-of-box experience and involves scanning a QR code which has been created by an enrollment profile in Intune. (You can also use KME or ZTE for a zero-touch experience.) A QR code created for a dedicated device will expire after 3 months, and you must then replace that token.

Fully Managed Device is another corporate enrollment method, but this time it has user affinity, for a 1-to-1 relationship between a user and a device. The process of enrolling is similar to that of Dedicated Device and uses a QR code. The difference is that this QR code does not expire. After scanning the QR code you will be redirected to sign in with your corporate credentials to link the device to you. As this is currently in public preview there are some limitations, which I advise you take a look at: https://docs.microsoft.com/en-us/intune/android-fully-managed-enroll#considerations-for-this-preview-feature

If a device can enroll as Android Enterprise, it can also be enrolled as a conventional Android device. However, not all devices which can be enrolled as conventional Android devices can be enrolled as Android Enterprise.

When enrolling a device using the Company Portal, it will automatically attempt to enroll into Android Enterprise (Work Profile) if it is capable. This requires you to have connected the Intune tenant to the Android Enterprise account (https://docs.microsoft.com/en-us/intune/connect-intune-android-enterprise). If you wish to block devices from automatically enrolling as Work Profile devices, you must block this in enrollment restrictions (https://docs.microsoft.com/en-us/intune/enrollment-restrictions-set). If a device is not capable of enrolling into Work Profile, it will automatically enroll into Device Admin (unless you block this in restrictions).

Jake Stoker


Enterprise Mobility + Security SME
