Choosing the right Android enrollment method
When starting off with Intune, choosing which Android enrollment method you want to use can be pretty difficult. In this blog post I will walk you through all the possibilities and help you make the right decision.
There are 6 different ‘enrollment’ methods for Android devices within Intune:
- Mobile Application Management without Enrollment
- Device Administrator
- Work Profile
- Dedicated devices
- Fully managed devices
- Fully Managed Devices with Work Profile
Device Administrator is the old management method for Android, which has been deprecated since Android 9.0. Android Enterprise is its replacement and has been available since Android 5.0.
If you want a deep dive into Device Administrator vs Android Enterprise, I recommend going through this article. For the scope of this blog, it suffices to say that Device Administrator should be avoided, as all future development (for both Android and Intune) is in Android Enterprise.
In some scenarios, you might still run into it:
- Certain hardware like Teams phones or HoloLenses still uses Device Administrator.
- As Android Enterprise isn’t available in China, using Device Administrator might be your only option for managing corporate devices there.
In order to choose the right enrollment method, the first step is to determine the ownership of a device. A device can be either personally or corporate owned. Most of the time, the ownership is decided by who pays for the device. If the user buys the device (BYOD), the user also owns it. Some companies buy phones for their employees as a gift, or provide vouchers so that the employee can buy a device themselves. In those cases the ownership is personal, even though the user doesn’t pay for it.
When you need to manage personal devices, you can choose between two ‘enrollment’ methods: Mobile Application Management without Enrollment (MAM-WE) and Work Profile.
MAM-WE isn’t a real enrollment method, because the device doesn’t need to be enrolled. Here, the corporate data is protected by app protection policies, which means that you, the IT admin, can only manage and protect the applications. As the device isn’t enrolled, you have no control whatsoever over device settings. MAM-WE is an extremely lightweight management method which enables the IT admin to secure the data while not being intrusive on the user’s privacy.
With Work Profile, the user has to enroll his/her device through the Intune Company Portal app. This means that the IT admin can manage the device to push applications, certificates and Wi-Fi profiles. With Work Profile, two partitions are created on the device (personal and corporate), which separates the corporate data from the personal data.
Choosing between MAM-WE and Work Profile really depends on several factors:
- User Experience:
  - Because you can push applications to a device with a Work Profile, users will have an easier time navigating the different corporate applications.
  - MAM-WE is a lightweight management solution which doesn’t require enrollment. This makes it an ideal solution if you want to keep the footprint on the devices as small as possible.
  - Work Profile allows you to push certificates and Wi-Fi profiles, which might be required to connect to corporate Wi-Fi/VPN.
- Compliance & Conditional Access:
  - As Work Profile supports device compliance, you have a lot of settings to configure which you can use in a Conditional Access policy.
As you can see, there is no solution that fits all. It really depends on the environment.
One important note to close off: this isn’t an either/or choice. I always combine Work Profile with App Protection Policies (APP/MAM), as I find they provide much more granular control over the Microsoft 365 data that resides on a device.
When you want to manage corporate devices, the enrollment method is chosen by whether this is a device with user affinity or not.
A device with user affinity has an identity attached to it, which means the device is used by one user. This can be a personal account or a generic account (shared among different users). Whether you need user affinity depends on the use case: the moment access to email/SharePoint/Teams is needed, the device requires user affinity.
Dedicated devices are often used in warehouse/reception scenarios where the device is locked down to one or more apps. These applications typically don’t require user affinity.
A device with user affinity is a Fully Managed Device; a device without user affinity is a Dedicated Device. Both enrollment methods have their advantages and disadvantages.
Dedicated devices
- App Configuration isn’t supported on dedicated devices
  This is a huge miss in my opinion, as it means we cannot do things like restricting the websites in Edge. There is a UserVoice request for this.
- Enrollment can be done through a QR code or NFC token at the moment of setting up the device
- We can create multiple enrollment profiles, and a dynamic group can be based on the enrollment profile name so that policies are assigned to particular devices automatically.
- You cannot assign policies to a user group
- Setting applications as available is not supported
Fully managed devices
- Fully Managed Devices support a wide range of settings to allow for a great user experience (app configuration policies, Microsoft Launcher…)
- Fully Managed Devices do not support multiple enrollment profiles, which means we cannot group multiple types of devices easily.
In July 2020, Microsoft added support for Fully Managed Devices with Work Profile. This means the device is entirely managed by the company, but the user also has the ability to use the device for personal use.
This enrollment method is meant for companies who allow users to install personal apps on their corporate phone.
Fully Managed Devices with Work Profile support multiple enrollment profiles, which makes it easy to group devices.
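The grouping mentioned for Dedicated Devices and for Fully Managed Devices with Work Profile relies on a dynamic device group whose membership rule matches the Android Enterprise enrollment profile name. The following PowerShell is an added example, not code from the original post; it assumes the Microsoft Graph PowerShell SDK is installed, that you hold a role allowed to create groups, and that an enrollment profile with the placeholder name "Warehouse-Scanners" already exists in Intune.

```powershell
# Added example: create an Entra ID dynamic device group keyed on the
# Android Enterprise enrollment profile name, so policies assigned to the
# group land on every device enrolled through that profile.
# Assumes the Microsoft.Graph PowerShell SDK; the profile name is a placeholder.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

$profileName = "Warehouse-Scanners"   # placeholder: your dedicated / fully managed enrollment profile

# The device.enrollmentProfileName property is populated for Android Enterprise
# dedicated and fully managed (with or without work profile) enrollments.
# The rule is quoted for the membership-rule language, not PowerShell.
$rule = "(device.enrollmentProfileName -eq ""$profileName"")"

$group = New-MgGroup -DisplayName "Android - $profileName" `
    -MailEnabled:$false -MailNickname "android-warehouse-scanners" `
    -SecurityEnabled:$true -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# Read back the stored rule to confirm it was saved as intended before
# assigning configuration, compliance or app policies to the group in Intune.
Get-MgGroup -GroupId $group.Id -Property Id,DisplayName,MembershipRule |
    Select-Object Id, DisplayName, MembershipRule
```

One group per enrollment profile keeps the policy scope narrow: a misconfigured kiosk policy then only reaches the devices enrolled through that profile, rather than every Android Enterprise device in the tenant.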
Choosing the right enrollment method isn’t always an easy thing and it should be carefully considered during the design phase before implementing the required policies.
Great article, however I don’t agree with always combining a work profile with MAM. I can understand it if you do it when you use the work profile only for WiFi, cert deployment or auto-install of O365 apps. But once you have many third-party apps without MAM support, you add additional complexity since copy/paste restrictions will be disabled, as will the MAM PIN code, as the password restrictions will be on the work profile.
I fully agree with you. That’s why I mentioned I prefer to use MAM to protect MS365 data. The moment you start off using third-party applications, MAM loses its value.