Android Enrolment Methods - Which one is right for you?
Craig McLean
Technical Consultant
19/05/2021

Choosing the right Android enrolment method is key when deciding how you will manage your Android devices within your organisation. Throughout this blog post I will cover all options and help you understand which enrolment method may be right for you.

There are currently five different ways you can manage your Android devices using Microsoft Endpoint Manager (formerly Microsoft Intune).

  • Device Administrator
  • Personally-Owned devices with Work Profile
  • Corporate Owned Dedicated devices
  • Corporate owned, fully managed user devices
  • Corporate owned device with work profile (in Preview)

In addition, App Protection policies can be used to protect corporate data on Android devices.

Device Administrator

This is now a legacy method to manage Android devices using Microsoft Endpoint Manager. Device Administrator has been deprecated since Android 9, so this enrolment method should be avoided as Android 10 is not supported. There are however some cases where you may need to use Device Administrator:

  1. Device Administrator can be used if your organisation wants to manage Microsoft Teams devices. Device Administrator is off by default in any newly created tenants so if you would like to manage Microsoft Teams devices, you will need to enable this method.
  2. Some devices used within the organisation may not support Android Enterprise and therefore you may have to use Device Administrator.

The full list of supported devices on Android Enterprise can be found here.

Personally-Owned Devices with Work Profile

This approach means that users can use their personal device for work purposes, but the corporate data and applications are situated in a separate container on the phone- it essentially creates two partitions on the device (Personal and Corporate).  

Using this method, users will enrol their device through the Intune Company Portal and get access to applications, certificates, VPN profiles and Wi-Fi Profiles needed in order to carry out their day to day job.

Corporate Owned Dedicated Devices

This enrolment method is for devices that will be locked down and generally used as kiosk devices, these devices are often used within the warehouse or reception areas of the business. Dedicated devices don’t require a single user to be associated with the device so these are also considered shared devices.

Enrolment for dedicated devices needs be done via QR code or using an NFC tag at the time of setting the device up in the out of box experience. As there is no user associated with the device, enrolment via the Intune Company Portal cannot be done.

Corporate Owned, Fully Managed user devices

The main enrolment method under Android Enterprise for organisations is Corporate Owned Fully Managed. This method is used when devices are owned by the organisation and assigned to individual users for work purposes. The device is fully managed meaning that the organisation can control the applications that are installed, the data that is stored on the device, and the device has to fully adhere to the company policies that are assigned.

The provisioning methods available to corporate owned devices are:

  • QR Code
  • NFC Tag
  • Zero Touch
  • DPC identifier

Corporate Owned device with Work Profile

The latest enrolment method to be available under Android Enterprise is Corporate Owned with Work Profile, Also known as Corporate Owned Personally Enabled (COPE). This method is similar to Personally-Owned with Work Profile; however using this method, the device is owned by the organisation. The device will use a work profile for corporate use and will have a profile for personal use. The only real difference between Corporate Owned with Work Profile and Personally-Owned with Work Profile is that the company owns the device therefore they can wipe the whole device which will remove personal content and data.

This method is currently still in preview with Microsoft so it is recommended to only be used for pilot use until generally available.

App Protection Policies  

App Protection policies, formerly known as Mobile Application Management (MAM) Policies, isn’t really classed as an enrolment method. This method can be used to protect the applications being accessed from devices that don’t need to be enrolled with Microsoft Endpoint Manager. When using an application that is managed under the App Protection policies, the organisation can put some restrictions in place to avoid data leakage.

Even though App protection policies can be used without enrolment, you can also use it on devices which have been enrolled. This enables the organisation to have that extra layer of protection on corporate owned devices and personally owned with work profiles.  

Conclusion

Choosing the right Android Enrolment method should take careful consideration, there are a number of factors to consider when making the decision, mainly cost and whether the users and organisation would be happy to use personal devices for work use.

If you would like to know more about Android Enterprise, please contact your account manager to arrange a demo from one of our consultants.

Ultima's Microsoft Partnership

At Ultima, we live and breathe Microsoft. We’ve been a Microsoft Gold partner for over 25 years and accumulated 13 Microsoft Gold Partner Competencies. These span App Dev, Cloud Platform, Data Management Business Apps, Mobility and Productivity. We are also 1 of only 4 Fast Track Ready LSPs for Modern Workplace which allows us to seamlessly migrate customers from legacy software over to Office 365.


Full Name