Deployment guide: Manage Android devices in Microsoft Intune

Intune supports the mobile device management (MDM) of Android devices to give people secure access to work email, data, and apps. This guide provides Android-specific resources to help you set up enrollment in Intune and deploy apps and policies to users and devices.

Prerequisites

Before you begin, complete these prerequisites to enable Android device management in Intune. For more detailed information about how to set up, onboard, or move to Intune, see the Intune setup deployment guide.

Plan for your deployment

Use the Microsoft Intune planning guide for help with planning, designing, and implementing Microsoft Intune in your organization. The guide provides information to help you:

  • Determine goals, use-case scenarios, and requirements.
  • Create rollout and communication plans.
  • Create support, testing, and validation plans.

Leverage the Android Enterprise security configuration framework

The Android Enterprise security configuration framework is a series of recommendations for device compliance and configuration policy settings. These recommendations can help you tailor your organization's mobile device security protection to your specific needs. You can apply them to devices that are fully managed or personally owned with work profiles.

The taxonomy for this framework is similar to the one used for security configurations in iOS. It includes recommended settings for basic, enhanced, and high-level security. Each security level builds on the previous one to offer more protection than the last.

The security levels for personally owned devices with work profile are:

  • Basic security (Level 1) – This configuration is recommended as the minimum security configuration for personal devices where users access work or school data. This configuration introduces password requirements, separates work and personal data, and validates Android device attestation.

  • High security (Level 3) – This configuration is recommended for devices used by specific users or groups who are uniquely high risk, for example users who handle highly sensitive data whose unauthorized disclosure would cause considerable material loss to the organization. This configuration introduces mobile threat defense or Microsoft Defender Advanced Threat Protection (ATP), enforces stricter Android version requirements, enforces stronger password policies, and further restricts work and personal separation.

The security levels for fully managed devices are:

  • Basic security (Level 1) – This configuration is recommended as the minimum security configuration for supervised devices where users access work or school data. It enforces password requirements, minimum Android version, and certain device restrictions.

  • Enhanced security (Level 2) – This configuration is recommended for devices from which users access sensitive or confidential information. It enforces stronger password policies and disables user and account capabilities. It's applicable to most mobile users accessing work or school data on a device.

  • High security (Level 3) – This configuration is recommended for devices used by specific users or groups who are uniquely high risk, for example users who handle highly sensitive data whose unauthorized disclosure would cause considerable material loss to the organization. This configuration enforces stricter Android version requirements and other device restrictions, and introduces mobile threat defense or Microsoft Defender ATP.

For more information about the security framework, see the following articles.

  • Learn about the Android Enterprise framework deployment methodology – Learn about the Microsoft-recommended methodology for deploying the security configuration framework.
  • Configure device enrollment restrictions for personally owned devices – Apply these restrictions to configure a basic or high security level for devices that are personally owned with work profile.
  • Disallow personal accounts on Android Enterprise devices – Prevent people on work or school devices from signing into Microsoft apps with a personal account.
  • Configure security settings for personally owned devices – Apply these settings to configure a basic or high security level on devices that are personally owned with work profile.
  • Configure security settings for fully managed devices – Apply these settings to configure a basic, enhanced, or high security level on corporate-owned, fully managed devices.

Create compliance rules

Use compliance policies to define the rules and conditions that users and devices should meet to access your organization's protected resources. You can also create Conditional Access policies, which work alongside your device compliance results to block access to resources from noncompliant devices. For a detailed explanation about compliance policies and how to get started, see Use compliance policies to set rules for devices you manage with Intune.

The following tasks apply to both Android Enterprise and Android device administrator platforms.

  • Create a compliance policy – Get step-by-step guidance on how to create and assign a compliance policy to user and device groups.
  • Add actions for noncompliance – Choose what happens when devices no longer meet the conditions of your compliance policy. You can add actions for noncompliance when you configure a device compliance policy, or later by editing the policy.
  • Create a device-based or app-based Conditional Access policy – Specify the apps or services you want to protect and define the conditions for access.
  • Block access to apps that don't use modern authentication – Create an app-based Conditional Access policy to block apps that use authentication methods other than OAuth2. For example, you can block apps that use basic and form-based authentication. Before you block any access, sign in to Azure AD and review the authentication methods activity report to check whether users still rely on basic authentication for essential things you forgot about or are unaware of, such as meeting room calendar kiosks.
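The security levels described above and the compliance tasks in this section come together in a single policy object. The following PowerShell script is an added example, not code from the Microsoft documentation; it creates the compliance-policy part of a Basic (Level 1) or High (Level 3) configuration for personally owned work-profile devices through Microsoft Graph, using the Microsoft.Graph PowerShell module, and assigns it to a group. The concrete values (minimum OS version, password length and type, accepted threat level) are illustrative assumptions and not the framework's published recommendations, the group ID is a placeholder, and the device-configuration settings a level also calls for (work and personal separation, device restrictions) are outside what a compliance policy can express.

```powershell
# Added example: create and assign an Android Enterprise work-profile compliance policy
# in Intune through Microsoft Graph. All setting values are illustrative assumptions,
# not the published Android Enterprise security configuration framework values.
# Requires the Microsoft.Graph PowerShell module (Install-Module Microsoft.Graph).

function New-WorkProfileCompliancePolicy {
    param(
        [Parameter(Mandatory)] [ValidateSet('Basic', 'High')] [string] $Level,
        [Parameter(Mandatory)] [string] $AssignToGroupId   # placeholder: Azure AD group object ID
    )

    # Level 1 (Basic): password requirements plus Android device attestation.
    # Work/personal separation is provided by the work profile itself, not by this policy.
    $settings = @{
        '@odata.type'                                     = '#microsoft.graph.androidWorkProfileCompliancePolicy'
        displayName                                       = "Android work profile - $Level security"
        description                                       = 'Added example policy; values are illustrative'
        passwordRequired                                  = $true
        passwordRequiredType                              = 'atLeastNumeric'          # assumption
        passwordMinimumLength                             = 6                         # assumption
        passwordMinutesOfInactivityBeforeLock             = 15                        # assumption
        securityRequireSafetyNetAttestationBasicIntegrity = $true
        securityBlockJailbrokenDevices                    = $true
        storageRequireEncryption                          = $true
        # Noncompliance actions travel with the policy (the "Add actions for noncompliance"
        # task). "block" marks the device noncompliant at once, so Conditional Access can
        # deny it access to protected resources.
        scheduledActionsForRule = @(
            @{
                ruleName                      = 'PasswordRequired'
                scheduledActionConfigurations = @(
                    @{ actionType = 'block'; gracePeriodHours = 0; notificationTemplateId = ''; notificationMessageCCList = @() }
                )
            }
        )
    }

    if ($Level -eq 'High') {
        # Level 3 builds on Level 1: stronger password, stricter Android version floor,
        # attestation at the certified-device bar, and a mobile threat defense risk gate.
        $settings.passwordRequiredType                               = 'alphanumericWithSymbols'  # assumption
        $settings.passwordMinimumLength                              = 8                          # assumption
        $settings.osMinimumVersion                                   = '12.0'                     # assumption
        $settings.securityRequireSafetyNetAttestationCertifiedDevice = $true
        $settings.deviceThreatProtectionEnabled                      = $true
        $settings.deviceThreatProtectionRequiredSecurityLevel        = 'low'   # only "low" risk or better stays compliant
    }

    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome
    $policy = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
        -Body ($settings | ConvertTo-Json -Depth 6) -ContentType 'application/json'

    # Assign the new policy to a group; devices in that group are evaluated against it.
    $assignment = @{
        assignments = @(
            @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $AssignToGroupId } }
        )
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" `
        -Body ($assignment | ConvertTo-Json -Depth 6) -ContentType 'application/json' | Out-Null

    return $policy
}

# Usage with a placeholder group ID:
# New-WorkProfileCompliancePolicy -Level High -AssignToGroupId '00000000-0000-0000-0000-000000000000'
```

The High branch only adds to or tightens the Basic hashtable, which mirrors the framework's rule that each level builds on the previous one; review the resulting policy in the Intune admin center before assigning it beyond a pilot group, and pair it with a Conditional Access policy that requires a compliant device so that the "block" action actually denies access.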

Configure endpoint security

Use the Intune endpoint security features to configure device security and to manage security tasks for devices at risk.

The following tasks apply to both Android Enterprise and Android device administrator platforms.

  • Manage devices with endpoint security features – Use the Endpoint security settings in Intune to effectively manage device security and remediate issues for devices.
  • Enable the mobile threat defense (MTD) connector for enrolled devices – Enable the MTD connection in Intune so that MTD partner apps can work with Intune and your MTD device compliance policies. If you're not using Microsoft Defender for Endpoint, consider enabling the connector so that you can use another mobile threat defense solution. You can also enable the MTD connector for devices not enrolled in Intune.
  • Create MTD app protection policy – Create an Intune app protection policy that assesses risks and limits a device's access to work or school apps.
  • Create MTD device compliance policy – Create an Intune device compliance policy that assesses risk and limits a device's corporate access based on the threat level.
  • Add and assign MTD apps – Add and deploy MTD apps in Intune. These apps work with your device compliance and app protection policies to identify and help remediate device threats. You can also assign MTD apps to devices not enrolled in Intune.

Configure device settings

Use Microsoft Intune to enable or disable settings and features on devices. To configure and enforce these settings, create a device profile and then assign the profile to groups in your organization. Devices receive the profile once they enroll.

  • Create a device profile in Microsoft Intune – Learn about the different types of device profiles you can create for your organization. Platform: Android Enterprise, Android device administrator.
  • Configure Wi-Fi profile – This profile enables people to find and connect to your organization's Wi-Fi network. For a description of the settings in this area, see the Wi-Fi settings reference for Android Enterprise Wi-Fi settings or Android device administrator Wi-Fi settings. Platform: Android Enterprise, Android device administrator.
  • Configure VPN profile – Set up a secure VPN option, such as Microsoft Tunnel, for people connecting to your organization's network. For a description of the settings in this area, see the VPN settings reference for Android Enterprise VPN settings or Android device administrator VPN settings. Platform: Android Enterprise, Android device administrator.
  • Configure email profile – Configure email settings so that people can connect to a mail server and access their work or school email. For a description of the settings in this area, see Android Enterprise email settings or Android device administrator email settings. Platform: Android Enterprise, Android device administrator.
  • Restrict device features – Protect users from unauthorized access and distractions by limiting the device features they can use at work or school. For a description of the settings in this area, see Android Enterprise device settings or Android device administrator device settings. Platform: Android Enterprise, Android device administrator.
  • Configure custom settings for Android device administrator – Add or create custom settings that aren't built in to Intune, such as a per-app VPN profile and web protection with Microsoft Defender for Endpoint. Platform: Android device administrator.
  • Configure Samsung Knox apps – Create a custom profile to allow and block apps for Samsung Knox Standard devices. Platform: Android device administrator.
  • Create custom profile for Android Enterprise – Add or create custom settings that aren't built in to Intune for personally owned devices. Platform: Android Enterprise.
  • Configure Zebra Mobility Extensions (MX) profile – Use Zebra's Mobility Extensions (MX) profiles to customize or add more Zebra-specific settings in Intune. Platform: Android device administrator.
  • Create OEMConfig configuration profile – Use OEMConfig to add, create, and customize OEM-specific settings for Android Enterprise devices. Platform: Android Enterprise.
  • Customize branding and enrollment experience – Customize the Intune Company Portal and Microsoft Intune apps with your organization's branding to create a familiar experience for people enrolling their devices. Platform: Android Enterprise, Android device administrator.

Set up secure authentication methods

Set up authentication methods in Intune to ensure that only authorized people access your internal resources. Intune supports multi-factor authentication, SCEP and PKCS certificates, and derived credentials. Certificates can also be used for signing and encryption of email using S/MIME.

  • Require multi-factor authentication (MFA) – Require people to supply two forms of credentials at time of enrollment. Platform: Android Enterprise.
  • Create a trusted certificate profile – Create and deploy a trusted certificate profile before you create a SCEP, PKCS, or PKCS imported certificate profile. The trusted certificate profile deploys the trusted root certificate to devices using SCEP, PKCS, and PKCS imported certificates. Platform: Android Enterprise, Android device administrator.
  • Use SCEP certificates with Intune – Learn what's needed to use SCEP certificates with Intune, and configure the required infrastructure. After you do that, you can create a SCEP certificate profile or set up a third-party certification authority with SCEP. Platform: Android Enterprise.
  • Use PKCS certificates with Intune – Configure required infrastructure (such as on-premises certificate connectors), export a PKCS certificate, and add the certificate to an Intune device configuration profile. Platform: Android Enterprise, Android device administrator.
  • Use imported PKCS certificates with Intune – Set up imported PKCS certificates, which enable you to set up and use S/MIME to encrypt email. Platform: Android Enterprise, Android device administrator.
  • Set up a derived credentials issuer – Provision Android devices with certificates that are derived from user smart cards. Platform: Android Enterprise.

Deploy apps

As you set up apps and app policies, think about your organization's requirements, such as the platforms you'll support, the tasks people need to do, the type of apps they need to complete those tasks, and the groups who need those apps. You can use Intune to manage the whole device (including apps) or use Intune to manage apps only.

  • Add Google Play Store apps – Add Android apps from the Google Play Store. Platform: Android device administrator.
  • Add managed Google Play apps – Add store apps, line-of-business (LOB) apps, and web apps through the managed Google Play Store. Platform: Android Enterprise.
  • Add Android Enterprise system apps – Use Intune to enable and disable Android Enterprise system apps. Platform: Android Enterprise.
  • Add web apps – Add web apps to Intune and assign to groups. Platform: Android device administrator.
  • Add built-in apps – Add built-in apps to Intune and assign to groups. Platform: Android Enterprise, Android device administrator.
  • Add line-of-business apps – Add Android line-of-business (LOB) apps to Intune and assign to groups. Platform: Android device administrator.
  • Assign apps to groups – Assign apps to users and devices. Platform: Android Enterprise, Android device administrator.
  • Include and exclude app assignments – Control access and availability to an app by including and excluding selected groups from assignment. Platform: Android Enterprise, Android device administrator.
  • Create an Android app protection policy – Keep your organization's data contained within managed apps like Outlook and Word. For details about each setting, see Android app protection policy settings. Platform: Android Enterprise, Android device administrator.
  • Validate your app protection policy – Validate that your app protection policy is correctly set up and working before deploying it org-wide. Platform: Android Enterprise, Android device administrator.
  • Create an app configuration policy – Apply custom configuration settings to Android apps on enrolled devices. You can also apply these types of policies to managed apps, without device enrollment. Platform: Android Enterprise, Android device administrator.
  • Configure Microsoft Edge – Use Intune app protection and configuration policies with Microsoft Edge for Android to ensure that corporate websites are accessed with safeguards in place. Platform: Android Enterprise, Android device administrator.
  • Configure Google Chrome – Use an Intune app configuration policy to configure Google Chrome on Android devices enrolled in Intune. Platform: Android Enterprise.
  • Configure Microsoft Managed Home Screen app – Set up Managed Home Screen on corporate-owned Android Enterprise dedicated devices enrolled via Intune and running in multi-app kiosk mode. Platform: Android Enterprise.
  • Configure Microsoft Launcher app – Configure Microsoft Launcher to customize the home screen experience on your organization's fully managed devices. Platform: Android Enterprise.
  • Configure Microsoft Office apps – Use Intune app protection and configuration policies with Office apps to ensure that corporate files are accessed with safeguards in place. Platform: Android Enterprise.
  • Configure Microsoft Teams – Use Intune app protection and configuration policies with Teams to ensure that collaborative team experiences are accessed with safeguards in place. Platform: Android Enterprise.
  • Configure Microsoft Outlook – Use Intune app protection and configuration policies with Outlook to ensure corporate email and calendars are accessed with safeguards in place. Platform: Android Enterprise.

Enroll devices

Enrolling devices allows them to receive the policies you create, so have your Azure AD user groups and device groups ready.

Intune supports the following enrollment methods for Android devices:

  • Bring-your-own-device (BYOD): Android Enterprise personally owned devices with a work profile
  • Android Enterprise corporate-owned dedicated devices
  • Android Enterprise corporate-owned fully managed devices
  • Android Enterprise corporate-owned devices with a work profile
  • Android device administrator

For information about each enrollment method and how to choose one that's right for your organization, see the Android device enrollment guide for Microsoft Intune.

  • Connect Intune account to managed Google Play account – To enable Android Enterprise management in Intune, connect your Intune tenant account to your managed Google Play account. Platform: Android Enterprise.
  • Set up work profile enrollment for personally owned devices – Set up work profile management for personally owned devices. This enrollment method creates a separate area on the device for work-related data so that personal things remain unaffected. Platform: Android Enterprise.
  • Set up work profile enrollment for corporate-owned devices – Set up work profile management for corporate-owned devices intended for work and personal use. This enrollment method creates a separate area on the device for work-related data so that personal things remain unaffected. Platform: Android Enterprise.
  • Set up enrollment for dedicated devices – Set up enrollment for corporate-owned, single-use, kiosk-style devices. Platform: Android Enterprise.
  • Set up enrollment for fully managed devices – Set up enrollment for corporate-owned devices that are associated with a single user and used exclusively for work. Platform: Android Enterprise.
  • Enroll dedicated, fully managed, or corporate-owned work-profile devices – After you've set up Intune for Android Enterprise enrollment, enroll devices using one of the five supported enrollment methods. Platform: Android Enterprise.
  • Set up device administrator enrollment – Set up Android device administrator enrollment. This method of managing devices has been superseded by Android Enterprise, so we don't recommend enrolling new devices this way. Platform: Android device administrator.
  • Use Samsung Knox Mobile Enrollment to automatically enroll Android devices – Set up Intune for Samsung Knox Mobile Enrollment (KME), which enables you to automatically enroll large numbers of corporate-owned Android devices. Platform: Android Enterprise, Android device administrator.
  • Identify devices as corporate-owned – Assign corporate-owned status to devices to enable more management and identification capabilities in Intune. Corporate-owned status cannot be assigned to devices enrolled through Apple Business Manager. Platform: Android Enterprise, Android device administrator.
  • Change device ownership – After a device has been enrolled, you can change its ownership label in Intune to corporate-owned or personal-owned. This adjustment changes the way you can manage the device. Platform: Android Enterprise, Android device administrator.
  • Troubleshoot enrollment problems – Troubleshoot and find resolutions to problems that occur during enrollment. Platform: Android Enterprise, Android device administrator.

Run remote actions

After devices are set up, you can use remote actions in Intune to manage and troubleshoot devices from a distance. Availability varies by device platform. If an action is absent or disabled in the portal, then it isn't supported on the device.

  • Run remote actions in Intune – Learn how to drill down and remotely manage and troubleshoot individual devices in Intune. This article lists all remote actions available in Intune and links to those procedures.
  • Remediate vulnerabilities identified by Microsoft Defender for Endpoint – Integrate Intune with Microsoft Defender for Endpoint to take advantage of Defender's threat and vulnerability management, and use Intune to remediate endpoint weaknesses identified by Defender's vulnerability management capability.
  • Wipe corporate data from Intune-managed apps – Selectively remove work-related data from a device.

Next steps

Check out these enrollment tutorials to learn how to do some of the top tasks in Intune. Tutorials are 100 – 200 level content for people new to Intune or a specific scenario.

For the iOS/iPadOS version of this guide, see Deployment guide: Manage iOS/iPadOS devices in Microsoft Intune.