Deployment guide: Enroll Android devices in Microsoft Intune

Personal and organization-owned devices can be enrolled in Intune. Once enrolled, they receive the policies and profiles you create. You have the following options when enrolling Android devices:

This article provides recommendations on the Android enrollment methods. It also includes an overview of the administrator and user tasks for each enrollment type.

For more specific information, see Enroll Android devices.

Tip

This guide is a living thing. So, be sure to add or update existing tips and guidance you've found helpful.

Before you begin

For an overview, including any Intune-specific prerequisites, see Deployment guidance: Enroll devices in Microsoft Intune.

BYOD: Android Enterprise personally owned devices with a work profile

These devices are personal or BYOD (bring your own device) Android devices that access organization email, apps, and other data.


Feature Use this enrollment option when
Devices are personal or BYOD. ✔️

You can mark these devices as corporate or personal.
You have new or existing devices. ✔️
Need to enroll a small number of devices, or a large number of devices (bulk enrollment). ✔️
Devices are associated with a single user. ✔️
You use the optional device enrollment manager (DEM) account. ✔️
Devices are managed by another MDM provider.

When a device enrolls, MDM providers install certificates and other files. These files must be removed. The quickest way may be to unenroll, or factory reset the devices. If you don't want to factory reset, then contact the MDM provider.
Devices are owned by the organization or school.

Not recommended for organization-owned devices. Organization-owned devices should be enrolled using Android Enterprise fully managed (in this article), or using Android Enterprise corporate owned work profile (in this article).
Devices are user-less, such as kiosk, dedicated, or shared.

User-less or shared devices should be organization-owned. These devices should be enrolled using Android Enterprise dedicated devices.

Android Enterprise personally owned devices with a work profile administrator tasks

This task list provides an overview. For more specific information, see Set up enrollment of Android Enterprise personally-owned work profile devices.

Android Enterprise personally owned devices with a work profile end user tasks

Your users must do the following steps. For the specific user experience, see enroll the device.

  1. Go to the Google Play store, and install the Company Portal app.

  2. Users open the Company Portal app, and sign in with their organization credentials (user@contoso.com). After they sign in, your enrollment profile applies to the device.

    Users may have to enter more information. For more specific steps, see enroll the device.

Users typically don't like enrolling themselves, and may not be familiar with the Company Portal app. Be sure to provide guidance, including what information to enter. For some guidance on communicating with your users, see Planning guide: Task 5: Create a rollout plan.

Tip

There is a short, step-by-step video to help your users in enroll their devices in Intune:

Enroll your Android device

Android Enterprise dedicated devices

Previously referred to as COSU. These devices are organization-owned, and supported by Google’s Zero Touch. The only purpose is to be a kiosk-style device. They aren't associated with a single or specific user. These devices are commonly used to scan items, print tickets, get digital signatures, manage inventory, and more.


Feature Use this enrollment option when
Devices are owned by the organization or school. ✔️
You have new or existing devices. ✔️
Need to enroll a small number of devices, or a large number of devices (bulk enrollment). ✔️
Devices are user-less, such as kiosk, dedicated, or shared. ✔️
Devices are personal or BYOD.

BYOD or personal devices should be enrolled using Android Enterprise personally owned devices with a work profile (in this article).
Devices are associated with a single user.

Not recommended. These devices should be enrolled using Android Enterprise fully managed.
You use the optional device enrollment manager (DEM) account.

The DEM account isn't supported.
Devices are managed by another MDM provider.

To be fully managed by Intune, users need to unenroll from the current MDM provider, and then enroll in Intune.

Android Enterprise dedicated devices administrator tasks

This task list provides an overview. For more specific information, see Set up Intune enrollment of Android Enterprise dedicated devices.

Android Enterprise dedicated devices end user tasks

It's not recommended for users to enroll Android Enterprise dedicated devices. This task should be completed by administrators.

Android Enterprise fully managed

Previously referred to as COBO. These devices are organization-owned, and have one user. They're used exclusively for organization work; not personal use.


Feature Use this enrollment option when
Devices are owned by the organization or school. ✔️
You have new or existing devices. ✔️
Need to enroll a small number of devices, or a large number of devices (bulk enrollment). ✔️
Devices are associated with a single user. ✔️
Devices are user-less, such as kiosk, dedicated, or shared.

User-less devices should be enrolled using Android Enterprise dedicated devices.
Devices are personal or BYOD.

BYOD or personal devices should be enrolled using Android Enterprise personally owned devices with a work profile (in this article).
Devices are managed by another MDM provider.

To be fully managed by Intune, users need to unenroll from the current MDM provider, and then enroll in Intune.
You use the optional device enrollment manager (DEM) account

The DEM account isn't supported.

Android Enterprise fully managed administrator tasks

This task list provides an overview. For more specific information, see Set up Intune enrollment of Android Enterprise fully managed devices.

Android Enterprise fully managed end user tasks

The specific steps depend on how you configured the enrollment profile. For the specific user experience, see enroll the device.

  1. Users turn on the device, and are prompted for information, including the enrollment method: NFC, Token, QR Code, or Google Zero Touch. They may be asked to sign in with their organization credentials (user@contoso.com).

  2. After they enter the required information, your enrollment profile applies to the device.

    Users may have to enter more information. For more specific steps, see enroll the device.

Users typically don't like enrolling themselves, and may not be familiar with the Company Portal app. Be sure to provide guidance, including what information to enter. For some guidance on communicating with your users, see Planning guide: Task 5: Create a rollout plan.

Android Enterprise corporate owned work profile

Previously referred to as COPE. These devices are organization-owned, and have one user. They're used for organization work, and allow personal use.


Feature Use this enrollment option when
Devices are owned by the organization or school. ✔️
You have new or existing devices. ✔️
Need to enroll a small number of devices, or a large number of devices (bulk enrollment). ✔️
Devices are associated with a single user. ✔️
Devices are user-less, such as kiosk, dedicated, or shared.

User-less devices should be enrolled using Android Enterprise dedicated devices. Also, an organization administrator can enroll. When the device is enrolled, create a dedicated device profile, and assign this profile to this device.
Devices are personal or BYOD.

BYOD or personal devices should be enrolled using Android Enterprise personally owned devices with a work profile (in this article).
Devices are managed by another MDM provider.

To be fully managed by Intune, users need to unenroll from the current MDM provider, and then enroll in Intune.
You use the optional device enrollment manager (DEM) account.

The DEM account isn't supported.

Android Enterprise corporate owned work profile administrator tasks

This task list provides an overview. For more specific information, see Set up Intune enrollment of Android Enterprise corporate owned work profile.

Android Enterprise corporate owned work profile end user tasks

The specific steps depend on how you configured the enrollment profile. For the specific user experience, see enroll the device.

  1. Users turn on the device, and are prompted for information, including the enrollment method: NFC, Token, QR Code, or Google Zero Touch. They may be asked to sign in with their organization credentials (user@contoso.com).

  2. After they enter the required information, your enrollment profile applies to the device.

    Users may have to enter more information. For more specific steps, see enroll the device.

Users typically don't like enrolling themselves, and may not be familiar with the Company Portal app. Be sure to provide guidance, including what information to enter. For some guidance on communicating with your users, see Planning guide: Task 5: Create a rollout plan.

Android device administrator

These Android devices are corporate, or personal/BYOD (bring your own device) devices that can access organization email, apps, and other data.

Google is reducing device administrator support in new Android releases. To avoid reduced functionality, Microsoft recommends:

There are some situations when you must use Device Administrator enrollment:

  • Android Enterprise requires access to Google services. Google services may not be available because of geography, or because of the device manufacturer. For example:

    • There are places where Google services are not available, like China. In this situation, use Android device administrator enrollment.
    • Some devices are based on Android, but don't have access to Google Services, such as Amazon Fire tablets. In this situation, use Android device administrator enrollment.
  • Android OS versions older than 5.0 must use Android device administrator enrollment. Android Enterprise enrollment isn't an option.

Next steps