The enrollment process and the screens the user sees will be slightly different depending on the version of OS running on the end-user device. This topic describes the end-user experience for enrolling Android devices.
When they try to access email, the user first receives a quarantine email similar to this sample:
The user clicks Get started now to begin enrolling their device.
If a user has not set a default browser for their device, they will be prompted during device enrollment and during enrollment activation to allow a link to open a browser window. When prompted, they must select the same browser each time or the enrollment process will fail.
The user is prompted to install the Intune Company Portal app from the respective app store.
After it installs, the user opens the app and signs in using their company credentials.
On the Company Access Setup screen, the user clicks Begin to start setting up their device and checking whether it is compliant.
On the Device Enrollment screen, the user clicks Enroll to start enrolling their device.
Users must activate the device administrator by clicking Activate when prompted or the device enrollment procedure will cancel.
After enrollment is completed successfully, the user clicks Continue to start checking compliance on the device.
If there is a compliance issue, the user is prompted to resolve the issue (such as creating a valid password) and to then click Check Compliance to continue.
After the device is fully compliant, the user clicks Continue to initiate enrollment activation. This will connect the AAD device identity with the EAS ID provided by Exchange.
On Android, the default browser will appear for a few seconds during enrollment activation. If the user has not already selected a default browser, they are prompted to choose a browser. While completing Company Access Setup, the same browser must be selected by the user whenever prompted.
Enrollment activation will complete and the user clicks Done to exit the enrollment and compliance verification process.
After the user is enrolled and compliance is verified, email access should become available within a few minutes.
If the user follows those steps to enroll and become compliant and still cannot access their email on their mobile device, they can follow these additional steps to try and fix the issue:
First, verify that their device is enrolled. If not, the user follows the steps above.
Verify that the device is compliant by clicking Check Compliance. If a compliance error is identified, the user can follow the instructions specific to their mobile device about how to resolve it, such as resetting their password.
Call the help desk.
Issues and Solutions
Every 8 hours by default, devices are checked to ensure that they are still compliant. If a device that was previously compliant is later deemed to be noncompliant (for example, a compliance policy was added or changed), the user can follow these steps to get their device back in compliance:
The user receives notification in email or on their device that the device is noncompliant. At this time, the device is quarantined in Exchange.
When the user tries to access email, they see a quarantine email informing them that compliance issues must be fixed before they can get access. When the user clicks on the hyperlink in the quarantine email, it redirects them to the Company Access Setup screen in the Intune Company portal (via default browser and Google Play) where it shows that the device is not compliant.
The user clicks Continue and is shown the compliance issue that is preventing them from accessing email.
After they have fixed the issue, they click Check Compliance to verify that the problem is resolved.
If the issue is fixed, the user clicks Continue to complete the process. Email access should become available again within a few minutes.