Android Enterprise and Microsoft Intune
Corporate security vs. private life: The ultimate choice
Cyberthreats have been on the rise in recent years, making security a high priority for all businesses.
Ask yourself: is there any room for co-existence between corporate security and personal life? When employees work remotely or in a decentralised environment, and a personal device holding sensitive company information can be lost or stolen, do you really want them using a personal laptop, tablet or smartphone as a work device?
At this point it really is a fundamental choice. You can trust your employees and do nothing about it. Or you can go to the other extreme and ban the use of personal devices for work altogether. Both approaches are a double-edged sword: the first leaves company data unprotected, the second costs convenience and goodwill.
Separating personal and corporate data and protecting the latter are the ultimate challenges if we want to keep things secure and employee-friendly. Microsoft Intune could be the perfect answer to these and other questions.
Microsoft Intune: the MDM and MAM provider for your devices
Most people think of Microsoft Intune as a Windows PC management tool that works as a cloud alternative to (or extension of) System Center Configuration Manager, but its broader reach makes it a powerful tool for managing Android and iOS as well, and for distributing enterprise software to devices. Its ‘low-touch’ nature gives you a choice of management options, from minimal to full control, with the option to let users choose which features are deployed to their devices and how much control they are willing to give up.
Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). You control how your organisation’s devices are used, including mobile phones, tablets and laptops. You can also configure specific policies to control applications. For example, you can prevent emails from being sent to people outside your organisation. Intune also allows employees in your organisation to use their personal devices for school or work. On personal devices, Intune helps ensure that your company data remains protected and can isolate company data from personal data.
Registering devices
Managed devices must be enrolled in Intune. Broadly there are two options: BYOD or dedicated. BYOD devices are the user’s own hardware, while dedicated devices are owned by the company and locked to a single purpose (Android’s ‘corporate-owned, single-use’ mode). That option is best suited to devices such as Android warehouse hardware with built-in barcode scanners or work-management devices issued to field technicians. In practice it is a balancing act between dedicated devices for task workers and BYOD for knowledge workers.
BYOD devices enrolled in Intune are set up with an Android Enterprise work profile. The work profile creates a separate, encrypted workspace for managed apps and their data, isolated from the personal side of the phone. Once the profile is set up, you can use it to control most work-related functions, from configuring email accounts and Wi-Fi access to the corporate network to deciding whether a user may take screenshots of business apps. You don’t have to worry about finding specific phones with Android Enterprise support: it is a feature of all current Android versions.

Android Enterprise profiles create a separate, secure workspace for managed applications and data. Source: Microsoft
Android Enterprise deployment scenarios with Intune

Source: https://www.petervanderwoude.nl/
Let’s start with a brief overview of the different Android Enterprise deployment scenarios available within Microsoft Intune. The figure shows the available deployment scenarios. As the focus is on Android Enterprise features, the pure MAM (app-protection-only, unenrolled) scenario has been skipped. As a first filter, the deployment scenarios are sorted by who owns the device and by the type of employee the device is intended for.
The table below goes a step further and describes the main characteristics of each deployment scenario: its main use case, whether personal use is possible, whether separation and protection of corporate data is guaranteed, how devices are enrolled, the administrative reach, and other notable properties.
| Deployment scenario | Use case | Personal use | Guaranteed data protection | Enrollment method | Management scope | Factory reset required | User affinity |
|---|---|---|---|---|---|---|---|
| Work profile | Bring Your Own Device (BYOD) | Yes | Yes | Company Portal app | Profile owner | No | Yes |
| Corporate-owned work profile | Corporate Owned, Personally Enabled (COPE) | Yes | Yes | NFC, token entry, QR code or Zero Touch | Profile owner with device-level settings | Yes | Yes |
| Fully managed | Corporate Owned, Business Only (COBO) | No | No | NFC, token entry, QR code or Zero Touch | Device owner | Yes | Yes |
| Dedicated | Corporate Owned, Single Use (COSU) | No | No | NFC, token entry, QR code or Zero Touch | Device owner | Yes | No |
Ensuring compliance
One of the more important aspects of using Intune to manage Android is its support for compliance policies. In Intune you can create a compliance policy that covers the key security properties of Android Enterprise devices. Start with a minimum OS version, so that only releases carrying the current security fixes are accepted. You can also set a maximum OS version to keep untested beta builds out, and mark rooted devices as non-compliant. Other settings define the type and minimum length of the passcode required, and whether biometric unlock may be used where the hardware supports it.
Intune also integrates with Mobile Threat Defense products such as the Lookout security platform. Lookout assesses the risk of each device and reports a threat level, and the compliance policy defines the highest level a device may have and still count as compliant. Intune can further require encrypted storage and block the installation of apps from unknown sources (sideloading), and it checks that the user has a genuine, up-to-date version of the Company Portal app installed.
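The compliance checks described above can be created as a single Android Enterprise work-profile compliance policy through Microsoft Graph. The following is an added example, not code from the original article or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account has the DeviceManagementConfiguration.ReadWrite.All permission, and that a Mobile Threat Defense connector (such as Lookout) is already configured in Intune. The policy name, version numbers and the group id are illustrative placeholders.

```powershell
# Added example: create and assign an Android Enterprise work-profile compliance
# policy in Intune via Microsoft Graph. Not part of the original article.
# Assumes the Microsoft.Graph PowerShell SDK; version strings, policy name and
# group id are placeholders to adjust for your tenant.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$policy = @{
    "@odata.type" = "#microsoft.graph.androidWorkProfileCompliancePolicy"
    displayName   = "Android work profile - baseline compliance"   # placeholder name
    description   = "Minimum OS, no rooted devices, strong passcode, encryption, no sideloading"

    # OS window: require a release that still receives security fixes and keep
    # untested pre-release builds out. Placeholder versions.
    osMinimumVersion = "11.0"
    osMaximumVersion = "14.0"

    # Rooted devices become non-compliant. The attestation flags add a Google
    # integrity verdict; Graph still names them "SafetyNet" although the
    # service behind them is now Play Integrity.
    securityBlockJailbrokenDevices                     = $true
    securityRequireSafetyNetAttestationBasicIntegrity  = $true
    securityRequireSafetyNetAttestationCertifiedDevice = $true

    # Passcode requirements for the work profile.
    passwordRequired                      = $true
    passwordRequiredType                  = "alphanumericWithSymbols"   # e.g. "numericComplex" for PIN-only
    passwordMinimumLength                 = 8
    passwordMinutesOfInactivityBeforeLock = 5

    # Encrypted storage, no sideloading, no USB debugging.
    storageRequireEncryption                     = $true
    securityPreventInstallAppsFromUnknownSources = $true
    securityDisableUsbDebugging                  = $true

    # The Company Portal app must be the genuine, current build.
    securityRequireCompanyPortalAppIntegrity = $true

    # Mobile Threat Defense: devices at or above this threat level, as reported
    # by the connected MTD partner (e.g. Lookout), are non-compliant.
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = "medium"

    # Graph requires at least one scheduled action. "block" with no grace
    # period marks the device non-compliant immediately, which Conditional
    # Access can then act on.
    scheduledActionsForRule = @(
        @{
            ruleName                      = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 0
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

"Created compliance policy '$($created.displayName)' with id $($created.id)"

# A policy does nothing until it is assigned. Target an Entra ID group of
# work-profile users; the group id below is a placeholder.
$assignment = @{
    assignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = "00000000-0000-0000-0000-000000000000"   # placeholder
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"
```

Two practical caveats: a maximum OS version has to be raised every time a new Android release is approved, or compliant users are locked out on the day they update, so track it in change management; and the MTD threat-level setting only has an effect once the partner connector is enabled and the Lookout app is deployed to the work profile, otherwise the device never reports a level and the evaluation is skipped.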