Set up Intune enrollment of Android Enterprise corporate-owned devices with work profile

Android Enterprise corporate-owned devices with a work profile are single user devices intended for corporate and personal use.

End users can keep their work and personal data separate and are guaranteed that their personal data and applications will remain private. Admins can control some settings and features for the entire device, including:

  • Setting requirements for the device password
  • Controlling Bluetooth and data roaming
  • Configuring factory reset protection

Intune helps you deploy apps and settings to Android Enterprise corporate-owned devices with work profile. For specific details about Android Enterprise, see Android enterprise requirements.

Device requirements

Devices must meet these requirements to be managed as Android Enterprise corporate-owned work profile devices:

  • Android OS version 8.0 and above.
  • Devices must run a distribution of Android that has Google Mobile Services (GMS) connectivity. Devices must have GMS available and must be able to connect to GMS.

Set up Android Enterprise corporate-owned work profile device management

To set up Android Enterprise corporate-owned work profile device management, follow these steps:

  1. To prepare to manage mobile devices, you must set the mobile device management (MDM) authority to Microsoft Intune. You set this item only once, when you're first setting up Intune for mobile device management.
  2. Connect your Intune tenant account to your Managed Google Play account.
  3. Create an enrollment profile.
  4. Create a device group.
  5. Enroll the corporate-owned work profile devices.

Create an enrollment profile

Note

Tokens for corporate-owned devices with a work profile will not expire automatically. If an admin decides to revoke a token, the profile associated with it will not be displayed in Devices > Android > Android enrollment > Corporate-owned devices with work profile (Preview). To see all profiles associated with both active and inactive tokens, click on Filter and check the boxes for both "Active" and "Inactive" policy states.

You must create an enrollment profile so that users can enroll corporate-owned work profile devices. When the profile is created, it provides you with an enrollment token (random string) and a QR code. Depending on the Android OS and version of the device, you can use either the token or QR code to enroll the device.

  1. Sign in to the Microsoft Endpoint Manager admin center and choose Devices > Android > Android enrollment > Corporate-owned devices with work profile (Preview).
  2. Choose Create profile and fill out the fields.
    • Name: Type a name that you'll use when assigning the profile to the dynamic device group.
    • Description: Add a profile description (optional).
  3. Choose Next.
  4. On the Review + create page, choose Create to create the policy.

Create a device group

You can target apps and policies to either assigned or dynamic device groups. You can configure dynamic Azure AD device groups so that they are automatically populated with devices that are enrolled with a particular enrollment profile by following these steps:

  1. Sign in to the Microsoft Endpoint Manager admin center and choose Groups > All groups > New group.
  2. In the Group blade, fill out the required fields as follows:
    • Group type: Security
    • Group name: Type an intuitive name (like Factory 1 devices)
    • Membership type: Dynamic device
  3. Choose Add dynamic query.
  4. In the Dynamic membership rules blade, fill out the fields as follows:
    • Add dynamic membership rule: Simple rule
    • Add devices where: enrollmentProfileName
    • In the middle box, choose Equals.
    • In the last field, enter the enrollment profile name that you created earlier. For more information about dynamic membership rules, see Dynamic membership rules for groups in AAD.
  5. Choose Add query > Create.
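
The same group can be created from a script, which also shows the rule text that the Simple rule builder produces. This is an added example, not Microsoft's own code. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups module) is installed, and the profile name `COPE-WorkProfile` is hypothetical.

```powershell
# Added example: scripted equivalent of the portal steps above.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups) is installed.
$profileName = 'COPE-WorkProfile'   # hypothetical: the Name you gave the enrollment profile
$groupName   = 'Factory 1 devices'  # example group name from the steps above

# Refuse names that would break out of the quoted string in the rule.
if ($profileName -match '"') {
    throw "Enrollment profile name must not contain double quotes: $profileName"
}

# Same rule as the portal selection: enrollmentProfileName Equals <profile name>
$rule = "(device.enrollmentProfileName -eq `"$profileName`")"

# Delegated sign-in with permission to create groups
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Security group, membership type "Dynamic device"
$group = New-MgGroup -DisplayName $groupName `
    -Description "Devices enrolled with profile $profileName" `
    -MailEnabled:$false `
    -MailNickname ($groupName -replace '[^A-Za-z0-9]', '') `
    -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# Read the group back and confirm the stored rule and processing state
Get-MgGroup -GroupId $group.Id -Property DisplayName, MembershipRule, MembershipRuleProcessingState |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
```

The rule is an exact string match, so a profile that is renamed or recreated under a different name stops populating the group until the rule is updated.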

Revoke tokens

You can immediately expire the token/QR code. From this point on, the token/QR code is no longer usable. You might use this option if you:

  • accidentally share the token/QR code with an unauthorized party
  • complete all enrollments and no longer need the token/QR code

Revoking a token/QR code won't have any effect on devices that are already enrolled.

  1. Sign in to the Microsoft Endpoint Manager admin center and choose Devices > Android > Android enrollment > Corporate-owned devices with work profile (Preview).
  2. Choose the profile that you want to work with.
  3. Choose Token.
  4. To revoke the token, choose Revoke token > Yes.

Enroll the corporate-owned work profile devices

Users can now enroll their corporate-owned work profile devices.

Note

The Microsoft Intune app will be automatically installed during enrollment of a corporate-owned work profile device. This app is required for enrollment and cannot be uninstalled.

Managing apps on Android Enterprise corporate-owned work profile devices

Only apps that have Assignment type set to Required can be installed on Android Enterprise corporate-owned work profile devices. Apps are installed from the Managed Google Play store in the same manner as Android Enterprise work profile devices.

Apps are automatically updated on managed devices when the app developer publishes an update to Google Play.

To remove an app from Android Enterprise corporate-owned work profile devices, you can do either of the following:

  • Delete the Required app deployment.
  • Create an uninstall deployment for the app.
