Enrollment guide: Enroll Android devices in Microsoft Intune
Personal and organization-owned devices can be enrolled in Intune. Once enrolled, they receive the policies and profiles you create. You have the following options when enrolling Android devices:
After you create an enrollment profile and assign it to users or groups, don't rename the enrollment profile. It can prevent future enrollments. If you need to change the name of the enrollment profile, then:
Create a new enrollment profile with the new name
Assign the new profile to your users and devices
Delete the old profile
BYOD: Android Enterprise personally owned devices with a work profile
These devices are personal or BYOD (bring your own device) Android devices that access organization email, apps, and other data.
| Feature | Use this enrollment option when |
|---|---|
| Use Google Mobile Services (GMS). | ✅ |
| Devices are personal or BYOD. | ✅ You can mark these devices as corporate or personal. |
| You have new or existing devices. | ✅ |
| Need to enroll a few devices, or a large number of devices (bulk enrollment). | ✅ |
| Devices are associated with a single user. | ✅ |
| You use the optional device enrollment manager (DEM) account. | ✅ |
| Devices are managed by another MDM provider. | ❌ When a device enrolls, MDM providers install certificates and other files. These files must be removed. The quickest way might be to unenroll, or factory reset the devices. If you don't want to factory reset, then contact the other MDM provider for guidance. |
Users open the Company Portal app, and sign in with their organization credentials (user@contoso.com). After they sign in, your enrollment profile applies to the device.
Users might have to enter more information. For more specific steps, go to enroll the device.
Users typically don't like enrolling themselves, and may not be familiar with the Company Portal app. Be sure to provide guidance, including what information to enter. For some guidance on communicating with your users, see Planning guide: Step 5 - Create a rollout plan.
Tip
There is a short, step-by-step video to help your users enroll their devices in Intune:
Previously referred to as COSU. These devices are organization-owned, and are supported by Google's Zero Touch. The only purpose is to be a kiosk-style device. They aren't associated with a single or specific user. These devices are commonly used to scan items, print tickets, get digital signatures, manage inventory, and more.
| Feature | Use this enrollment option when |
|---|---|
| Use Google Mobile Services (GMS). | ✅ |
| Devices are owned by the organization or school. | ✅ |
| You have new or existing devices. | ✅ |
| Need to enroll a few devices, or a large number of devices (bulk enrollment). | ✅ |
| Devices are user-less, such as kiosk, dedicated, or shared. | |
Communicate to your users how they should enroll: Near Field Communication (NFC), Token, QR Code, Google Zero Touch, or Samsung Knox Mobile Enrollment (KME).
End user tasks (Dedicated devices)
Admins can complete the enrollment themselves, and then give the devices to the users. Or, users can enroll the devices using the following steps:
Users turn on the device, and are prompted for information, including the enrollment method: NFC, Token, QR Code, or Google Zero Touch.
After they enter the required information, your enrollment profile applies to the device. When the enrollment wizard completes, the device is ready to use.
Users typically don't like enrolling themselves, and may not be familiar with the Company Portal app. Be sure to provide guidance, including what information to enter. For some guidance on communicating with your users, see Planning guide: Step 5 - Create a rollout plan.
Android Enterprise fully managed
Previously referred to as COBO. These devices are organization-owned, and have one user. They're used exclusively for organization work; not personal use.
| Feature | Use this enrollment option when |
|---|---|
| Use Google Mobile Services (GMS). | ✅ |
| Devices are owned by the organization or school. | ✅ |
| You have new or existing devices. | ✅ |
| Need to enroll a few devices, or a large number of devices (bulk enrollment). | ✅ |
| Devices are associated with a single user. | ✅ |
| Devices are user-less, such as kiosk, dedicated, or shared. | |
Communicate to your users how they should enroll: Near Field Communication (NFC), Token, QR Code, Google Zero Touch, or Samsung Knox Mobile Enrollment (KME).
The specific steps depend on how you configured the enrollment profile. For the specific user experience, go to enroll the device.
Users turn on the device, and are prompted for information, including the enrollment method: NFC, Token, QR Code, or Google Zero Touch. They can be asked to sign in with their organization credentials (user@contoso.com).
After they enter the required information, your enrollment profile applies to the device.
Users might have to enter more information. For more specific steps, go to enroll the device.
Users typically don't like enrolling themselves, and may not be familiar with the Company Portal app. Be sure to provide guidance, including what information to enter. For some guidance on communicating with your users, see Planning guide: Step 5 - Create a rollout plan.
Android Enterprise corporate owned work profile
Previously referred to as COPE. These devices are organization-owned, and have one user. They're used for organization work, and allow personal use.
| Feature | Use this enrollment option when |
|---|---|
| Use Google Mobile Services (GMS). | ✅ |
| Devices are owned by the organization or school. | ✅ |
| You have new or existing devices. | ✅ |
| Need to enroll a few devices, or a large number of devices (bulk enrollment). | ✅ |
| Devices are associated with a single user. | ✅ |
| Devices are user-less, such as kiosk, dedicated, or shared. | ❌ User-less devices should be enrolled using Android Enterprise dedicated devices. Also, an organization administrator can enroll. When the device is enrolled, create a dedicated device profile, and assign this profile to this device. |
Communicate to your users how they should enroll: Near Field Communication (NFC), Token, QR Code, Google Zero Touch, or Samsung Knox Mobile Enrollment (KME).
End user tasks (Corporate owned with a work profile)
The specific steps depend on how you configured the enrollment profile. For the specific user experience, go to enroll the device.
Users turn on the device, and are prompted for information, including the enrollment method: NFC, Token, QR Code, or Google Zero Touch. They can be asked to sign in with their organization credentials (user@contoso.com).
After they enter the required information, your enrollment profile applies to the device.
Users might have to enter more information. For more specific steps, go to enroll the device.
Users typically don't like enrolling themselves, and may not be familiar with the Company Portal app. Be sure to provide guidance, including what information to enter. For some guidance on communicating with your users, see Planning guide: Step 5 - Create a rollout plan.
Android Open Source Project (AOSP)
Note
Currently, there's limited OEM support for this enrollment method.
Also referred to as AOSP. These devices are organization-owned, and don't use Google Mobile Services (GMS). They can be kiosk-style devices that aren't associated with a single or specific user, or can have one user. They're used exclusively for organization work; not personal use.
When you create the Intune enrollment profile, you decide if the devices are userless, or are associated with a single user. For more information on these options, including supported OEMs, go to:
During enrollment, the Microsoft Intune app and Microsoft Authenticator app automatically install and open on the device, which allows the device to enroll. The device is locked in the enrollment process until enrollment completes.
End user tasks (AOSP)
The specific steps depend on how you configured the enrollment profile.
Admins can complete the enrollment themselves, and then give the devices to the users. Or, users can enroll the devices using the following steps:
Users turn on the device, and are prompted for information, including the enrollment method: QR Code. If you created a user-associated devices enrollment profile, then they might be asked to sign in with their organization credentials (user@contoso.com).
If you created a userless devices enrollment profile, then wait for the enrollment wizard to complete. When it does, the device is ready to use.
If you created a user-associated devices enrollment profile, then users enter the required information. Then, wait for the enrollment wizard to complete. For more specific steps, go to enroll the device.
Users typically don't like enrolling themselves, and may not be familiar with the Company Portal app. Be sure to provide guidance, including what information to enter. For some guidance on communicating with your users, see Planning guide: Step 5 - Create a rollout plan.
Android device administrator
Important
Android device administrator management is deprecated and no longer available for devices with access to Google Mobile Services (GMS). If you currently use device administrator management, we recommend switching to another Android management option. Support and help documentation remain available for some devices without GMS, running Android 15 and earlier. For more information, see Ending support for Android device administrator on GMS devices.
These Android devices are corporate, or personal/BYOD (bring your own device) devices that can access organization email, apps, and other data.
Create a device enrollment restriction to block device administrator enrollment. Android devices can try to enroll using device administrator before trying other enrollment methods. So, create the restriction to prevent this behavior. For more information, go to Set enrollment restrictions.