Enroll Android devices

As an Intune administrator, you can manage the following Android devices:

  • Android devices, including Samsung Knox Standard devices.
  • Android Enterprise devices, including:
    • Android Enterprise work profile devices: Personal devices granted permission to access corporate data. Admins can manage work accounts, apps, and data. Personal data on the device is kept separate from work data and admins don't control personal settings or data.
    • Android Enterprise dedicated devices: Corporate-owned, single use devices, such as digital signage, ticket printing, or inventory management. Admins lock down the usage of a device for a limited set of apps and web links. It also prevents users from adding other apps or taking other actions on the device.
    • Android Enterprise fully managed devices: Corporate-owned, single user devices used exclusively for work and not personal use. Admins can manage the entire device and enforce policy controls unavailable to work profiles.

Prerequisite

To prepare to manage mobile devices, you must set the mobile device management (MDM) authority to Microsoft Intune. See Set the MDM authority for instructions. You set this item only once, when you are first setting up Intune for mobile device management.

Set up Android enrollment

By default, Intune allows enrollment of Android and Samsung Knox Standard devices. After fulfilling the prerequisite, admins merely need to tell their users how to enroll their devices.

After a user has enrolled, you can begin managing their devices in Intune, including assigning compliance policies, managing apps, and more.

For information about other user tasks, see these articles:

To block Android devices, or to block only personally owned Android devices from enrollment, see Set device type restrictions.

Set up Android Enterprise enrollment

Android Enterprise offers a set of enrollment options that provide users with the most up-to-date and secure features. Android Enterprise enrollment options include work profile, fully managed and dedicated devices.

End user experience when enrolling a Samsung Knox device

Samsung Knox Standard devices are supported for multi-user management by Intune. This means that users can sign in and out of a device with their Azure AD credentials. The device is centrally managed whether it’s in use or not. When users sign in, they have access to apps and additionally get any policies applied to them. When users sign out all app data is cleared.

There are several considerations when enrolling Samsung Knox devices:

  • Even if no policies require a PIN, the device must have at least a four-digit PIN to enroll. If the device does not have a PIN, the user will be prompted to create one.
  • There is no user interaction for Workplace Join Certificates (WPJ).
  • The user is prompted with Service Enrollment info and what the app can do.
  • The user is prompted with Knox Enrollment info and what Knox can do.
  • If an Encryption Policy is enforced, users are required to set a six Character Complex password for the device passcode.
  • There are no additional user prompts to install certificates pushed by a service for Company Resource Access.
  • Some older Knox devices will prompt the user for additional certificates used for Company Resource Access.
  • If a Samsung Mini device fails to install the WPJ with either the Certificate Not Found or Unable to Register Device errors, install the latest Samsung Firmware Updates.

Next steps