Surface Duo management overview
Commercial customers can manage Surface Duo using any of various enterprise mobility management (EMM) solutions, each of which provides a consistent set of cloud-based device management capabilities, whether managing employee-owned or company-owned devices.
You can manage Duo via the Microsoft EMM, which uses a unified console, Microsoft Endpoint Manager, and extensible components like Microsoft Intune. Alternatively, you can use any EMM provider in Google's Android ecosystem. In some cases, third-party EMM solutions provide additional support for specific scenarios that may be useful depending on your environment.
To compare EMM solutions, refer to the Android Enterprise Solutions Directory. Endpoint Manager with Intune lets you manage Duo with the latest mobile device management policies as well as earlier technologies such as Exchange ActiveSync. If you already use Exchange ActiveSync settings to manage mobile devices, you can apply those settings to Duo devices with Intune using an Email device-configuration profile. For more information, see Add email settings to devices using Intune.
The primary means of managing devices in Intune, profiles provide default settings that you can customize to meet the needs of your organization.
Managing personally owned Surface Duo devices
|App Protection Policies without device enrollment||Allows you to manage and protect your organization's data within an application. App protection policies are a lightweight management solution that does not require device enrollment. A growing number of apps can now be managed with app protection policies, including Microsoft Office and third-party apps like Adobe Acrobat, ServiceNow, and Zoom. For a complete list, refer to Microsoft Intune protected apps.||App protection policies overview; Android app protection policy settings in Microsoft Intune; Prepare Android apps for app protection policies with the Intune App Wrapping Tool|
|Android Enterprise work profile||Targeted at BYOD deployments, work profiles provide a separate space on Duo for work apps and data, giving organizations full control of their data, apps, and security policies without restricting users from using their device for personal apps and data.||- Configure Android Enterprise Work Profile for Surface Duo.|
Managing corporate-owned Surface Duo devices
|Corporate-owned devices with work profile||Targeted at organizations that wish to enable personal use on corporate-owned single-user devices that they have provided for work. It's designed for organizations that want more granular control than managing with a work profile but don't wish to completely lock down devices using full device management or dedicated device management. Work and personal profile app data are isolated by the Android OS; this mode differs from the Android Enterprise work profile by providing admins more device-level control. IT admins can see, control, and configure the work accounts, applications, and data in the work profile, while end users are guaranteed that admins will have no visibility into the data and applications in the personal profile.||- Intune announcing public preview for Android Enterprise corporate-owned devices with a work profile|
|Android Enterprise Fully Managed||Provides comprehensive device and app management capabilities for company-owned devices associated with a single user and used exclusively for work and not personal use. Full device management provides IT with full control over device data and security, as well as access to Android's full suite of app management features. For example, you can set the minimum password requirements on a device, remotely wipe and lock a device, set default responses to app permission requests, and customize the end-user experience with Microsoft Launcher. You also have full control over the apps on a device, including the ability to remotely install and remove apps.||- Set up Intune enrollment of Android Enterprise fully managed devices.|
|Dedicated device management||This enterprise deployment scenario is targeted for devices deployed into specific use cases like logistics, transportation and factory floors. Use it for locked down experiences where you need to restrict usage to one or two apps and prohibit users from altering any settings.||- Set up Intune enrollment of Android Enterprise dedicated devices|