CarlettiVanni-8271 asked Jason-MSFT commented

Intune - is there a way to enforce an enrollment method (Google for Enterprise rather than Android device admin) in Intune?

Hi all

I'm looking for a way in Intune to enforce users to enroll a specific personal device using Android for Work instead of the device admin. I cannot use enrollment restrictions as the same user needs to enroll several devices using both Android device admin as well as Google for Enterprise.

Is there a way in Intune to accomplish that?

mem-intune-enrollment

yannara answered

Forget about device admin, it is basically obsolete. With work profile, you need to tell users to download Company Portal, that's the only way and it cannot be enforced. With fully managed devices, they are wiped via KNOX service, like Samsung and shipped to users as fully managed prepared. I don't think there is a way to enforce user's personal device to Intune, it requires user actions.


Jason-MSFT answered

CarlettiVanni-8271 answered

Hi all and thanks for the replies. So this is my situation right now:
- We're starting to migrate from DA to Google for Enterprise
- Unfortunately we still need DA enrollment available because some users will need to set a Teams phone which requires DA enrollment

I know I can limit DA enrollment with restrictions, but if I do that, our users won't be able to enroll Teams phones, so I was wondering if there's a way to "enforce" Google for Enterprise enrollment while keeping DA available.




JarvisSun-MSFT answered CarlettiVanni-8271 commented

@CarlettiVanni-8271 Thanks for posting in our Q&A.
I have gone through the entire posts. At present, it is impossible to keep DA available. If possible, you can try to re-register for the teams user after completing the migration. More details with work profile enrollment, please refer to: https://docs.microsoft.com/en-us/mem/intune/enrollment/android-move-device-admin-work-profile




Hi Jarvis

Yes, the document you posted here was my starting point for the migration. Can you please elaborate a little bit more on this sentence: "If possible, you can try to re-register for the teams user after completing the migration"? What do you mean by that? Unfortunately it's not our decision, simply Teams phone manufacturers (like Audiocodes) only allow DA enrollment for now and I just wanted to know if there was a way to set the Google for Enterprise as default enrollment while keeping DA available. I tried to manage this with Enrollment restrictions in Intune, but as soon as I make DA available again, new devices will enroll with DA rather than Google for Enterprise, so I was looking for a way to force Google for Enterprise by default.

Jason-MSFT answered Jason-MSFT commented

Ultimately, there's no way for Intune to know that a device should only be DA enrolled so it can't selectively block or allow something it doesn't know about. Having more/better device restrictions tied to the different enrollment modes could help here, but those don't exist today. You should file feedback in the MEM console for this.

Today, I think the best you can do here is create a compliance policy as described in the document linked to by @JarvisSun-MSFT and target that compliance policy at devices that should be AE enrolled. Then instruct those enrolling Android devices the proper way to enroll the devices (so they are AE enrolled) and if they deviate from this, they will experience some initial pain because they didn't properly follow directions.


Hi Jason

I understand your point and thanks a lot for the reply. I only have one question. When you say "Then instruct those enrolling Android devices the proper way", I guess it's basically what I'm looking for. What I noticed is that if I leave DA available, when a user tries to enroll a device, it goes automatically with DA and that's what I would like to avoid. Perhaps like you said a compliance policy? But if so, that would be evaluated after the device is enrolled, so not sure if that would fix this "issue"...


Thanks for the link but unfortunately that one doesn't apply to my case since we'll be enrolling pretty much everybody with personal owned devices, which means they will initiate the enrollment from the Company Portal app. If there's a way to initiate the enrollment for personal devices such that they will be forced into AE enrollment, that would be awesome.
