Microsoft Endpoint Manager (Intune) currently supports four different Android Enterprise enrollment methods:
- Work Profile
- Dedicated Device
- Fully Managed
- Fully Managed Devices with Work Profile (Corporate Owned – Personally Enabled (COPE))
Each method has its own purpose. Work Profile is mostly used for employees who want access to company resources using their own personal device. A dedicated device is used in a production environment where user affinity isn’t required. Fully Managed devices are used when user affinity is required (when a single user uses a specific device).
COPE is essentially a Fully Managed enrollment but with a Work Profile. This means an organization can fully manage the device while respecting the privacy of the user in the work profile.
Some organizations are using all three enrollment methods and have users that might use every one of those devices. Assigning configuration policies and applications on a user basis isn’t possible in this scenario. That’s why you need to create dynamic device groups for each scenario.
To be able to group Work Profile devices, use the following dynamic device query:
(device.deviceOSType -eq "AndroidForWork") -and (device.managementType -eq "MDM")
To enroll dedicated devices, you need to create a new enrollment profile. Each enrollment profile has a unique name, and that name can be used to configure a dynamic group. If you create an enrollment profile called ‘Warehouse_Devices’, the query you need to use is:
(device.enrollmentProfileName -match "Warehouse_Devices")
Keep in mind that dedicated devices do not have a user affiliated with them. So you cannot target policies to a user group for this device type.
Because you can create a device group per enrollment profile, you can be really granular with your configurations.
Fully Managed device
Fully Managed devices don’t have an enrollment profile affiliated with them, so there is only one way to create a group.
(device.deviceOSType -eq "AndroidEnterprise") -and (device.enrollmentProfileName -eq null)
Fully Managed Devices with Work Profile
Fully Managed Devices with Work Profile support enrollment profiles, just like Dedicated Devices. So you can also create dynamic groups based on the different enrollment profiles.
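The three queries above can be turned into dynamic security groups with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original article: the group display names are made up for illustration, and 'Warehouse_Devices' is the example profile name used above. It also flags an existing group whose rule no longer matches, since a drifted rule silently changes which devices receive a policy.

```powershell
# Added example. Assumes the Microsoft.Graph.Groups module is installed and the
# signed-in account is allowed to create groups.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Rules are the article's queries; the Name values are hypothetical.
$groups = @(
    @{ Name = 'Android-WorkProfile'
       Rule = '(device.deviceOSType -eq "AndroidForWork") -and (device.managementType -eq "MDM")' },
    # -match is a regular-expression match; use -eq instead if profile names overlap.
    @{ Name = 'Android-Dedicated-Warehouse'
       Rule = '(device.enrollmentProfileName -match "Warehouse_Devices")' },
    @{ Name = 'Android-FullyManaged'
       Rule = '(device.deviceOSType -eq "AndroidEnterprise") -and (device.enrollmentProfileName -eq null)' }
)

foreach ($g in $groups) {
    # Look for a group with the same display name before creating a new one.
    $existing = Get-MgGroup -Filter "displayName eq '$($g.Name)'" `
        -Property Id, DisplayName, MembershipRule | Select-Object -First 1

    if (-not $existing) {
        New-MgGroup -DisplayName $g.Name -MailNickname $g.Name `
            -MailEnabled:$false -SecurityEnabled `
            -GroupTypes 'DynamicMembership' `
            -MembershipRule $g.Rule `
            -MembershipRuleProcessingState 'On' | Out-Null
        Write-Output "Created $($g.Name)"
    }
    elseif ($existing.MembershipRule -ne $g.Rule) {
        # Do not overwrite automatically: report the difference for review.
        Write-Warning "$($g.Name) exists with a different rule: $($existing.MembershipRule)"
    }
    else {
        Write-Output "$($g.Name) already exists with the expected rule"
    }
}
```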