The Android Tales: A Full Comprehensive Guide on Managing Android devices with Microsoft Intune

If you’re an IT admin, tech lead, or simply someone tasked with getting Android devices under control in your organization, welcome. The Android Tales: A Full Comprehensive Guide on Managing Android devices with Microsoft Intune is your go-to guide for understanding how to manage Android devices using Microsoft Intune, without drowning in jargon or complexity.

This multi-part series is designed for beginners and those just starting their journey into mobile device management. We’ll walk through the essential building blocks: from understanding the basic requirements, setting up Managed Google Play, and talking about Zero-Touch enrollment, to choosing the right enrollment method and getting your first devices up and running.

No fluff, no assumptions, just clear, actionable guidance to help you build a secure and scalable Android management strategy using Microsoft Intune.

Whether you’re managing a handful of devices or preparing for a full enterprise rollout, this guide will help you lay the groundwork with confidence.

Overview

Since this guide will cover many topics related to Android, I will briefly summarize the different sections here (click the link to go to the preferred part):

Enrollment Methods

Before I move on to the various configurations, I’d like to take a quick look at all the possible enrollment methods you can use for Android within Microsoft Intune.

  • Android Enterprise personally owned devices with a work profile: ideal for personal devices where you want a separate work-related container with no access to personal data, for example, for pushing certain custom applications. In my honest opinion, this can start a discussion with the owner of the device; in that case, consider whether Mobile Application Management is the more suitable option.
  • Android Enterprise dedicated devices: ideal for use cases as kiosk-style or single-purpose environments, where the device is corporate-owned and used by multiple users or no specific user at all.
  • Android Enterprise fully managed: devices owned by the company for frontline workers or field technicians, who need a “company” device with full use of Android.
  • Android Enterprise corporate-owned work profile: ideal for organizations that want to provide employees with a company-owned device that supports both personal and work use.
  • Android Open Source Project: used for enrollment of Teams Phone based on Android, for example.
Overview of the Enrollment Methods for Android in Microsoft Intune.

Requirements

Before we can get started, we need to ensure that we meet the requirements necessary to manage Android devices with Microsoft Intune. Let’s take a look!

Licensing

First of all, to enroll Android devices using Android Enterprise (Work Profile, Fully Managed, Dedicated, or Corporate-Owned Work Profile), users or devices must have one of the following licenses:

So, device-only licenses are not recommended for the Fully Managed or Work Profile scenario.

Managed Google Play

For Android enrollment, your tenant must be linked to your Managed Google Play account. Managed Google Play is the enterprise version of the Google Play Store, designed specifically for organizations using Android Enterprise with a mobile device management (MDM) solution like Microsoft Intune.

Managed Google Play is a secure, curated app store that allows IT admins to:

  • Approve apps for corporate use.
  • Silently install apps on managed devices.
  • Restrict access to only approved apps.

It’s tightly integrated with Microsoft Intune when managing Android Enterprise devices.

Devices

Make sure your Android devices are compatible with Microsoft Intune management. These are the general requirements for Android devices:

  • Android OS Version: Devices must run Android OS 8.0 or a newer version.
  • Google Mobile Services (GMS): The device must be able to connect to GMS.
  • Android Enterprise Support: The device must support Android Enterprise for comprehensive management.
  • Play Protect Certification: The device should have a Play Protect certification.

INFORMATION: For security reasons, always make sure your devices have a supported OS version installed. At the time of this writing, the last supported version of Android is 13.0.

Optional

Zero-touch enrollment (ZTE)

Zero-Touch Enrollment (ZTE) is a provisioning method for Android Enterprise devices that allows organizations to configure and enroll devices into Intune automatically—without manual setup by the end user. It’s designed for corporate-owned, fully managed devices and is ideal for large-scale deployments.

How It Works

  1. Purchase compatible devices from a Zero-Touch reseller or carrier. These devices must support Android Enterprise and be registered in the Zero-Touch portal.
  2. Access the Zero-Touch portal (provided by your reseller) and assign a configuration to each device. This configuration includes the Intune enrollment URL and token.
  3. Create an enrollment profile in Microsoft Intune for fully managed Android devices. This generates a token used in the Zero-Touch configuration.
  4. Ship the devices to users. When powered on and connected to the internet, the device automatically downloads the configuration and begins enrollment into Intune.
  5. Device setup completes with all assigned apps, policies, and restrictions applied—without IT or user intervention.

Key Benefits

  • No need for IT to manually touch or configure each device.
  • Ensures consistent setup across all devices.
  • Reduces setup time and errors.
  • Ideal for remote or distributed workforces.

Requirements

  • Devices must support Android Enterprise and Zero-Touch.
  • Access to the Zero-Touch enrollment portal.
  • A Managed Google Play account linked to Intune.
  • An Intune enrollment profile for fully managed devices.

INFORMATION: You can find more information on Zero-touch enrollment (ZTE) here. Because I don’t have a Zero-touch enrollment account, I can’t show you how to link it to Microsoft Intune. But if you go to Microsoft Intune admin center | Devices | Android | Enrollment, you will see a link to the Zero-touch enrollment option underneath Bulk enrollment methods.

Configuration

Managed Google Play

The first thing we need to get right is to link our Managed Google Play to Microsoft Intune. To do this, go to the Microsoft Intune admin center | Devices | Android | Enrollment and choose Managed Google Play underneath the Android Enterprise Prerequisites.

Ensure you agree to the Microsoft Permission and select Launch Google to connect now.

In the next step, enter a Microsoft 365 account you want to use to link to Managed Google Play (if you don’t already have a Managed Google Play account). If you already have an account, you can use that one.

Enter your account and select Next.

If you are using a Microsoft 365 account, the next screen allows you to choose Sign in with Microsoft.

In the next screen, check Consent on behalf of your organization and choose Accept.

Now fill in all the requested information and choose Continue or Next each time. In the second step, choose Android Enterprise only.

Once you have completed all the steps, Microsoft Intune is linked to Managed Google Play.

Now that Managed Google Play is Active, we are ready to start enrolling Android Devices with Microsoft Intune. The first device we will enroll is an Android Enterprise personally-owned device with a work profile.

Android Enterprise personally owned devices with a work profile

In this type of enrollment, we provide the end user’s personal device with a Work Profile that is separate from the personal data on the device. Only what is inside this Work Profile is managed by the organization; all personal items remain untouched.

NOTE: From experience, I have learned that this type of enrollment still elicits some resistance from the end user; even though personal data is not accessible, end users remain suspicious. In my opinion, in such situations, we can also look at whether a work profile on a personal device is really necessary, and whether Mobile Application Management is a better and more trustworthy solution. A while back, I wrote a post about this; you can read it here.

Requirements

To enroll an Android Enterprise personally-owned device with a work profile, we need the following:

  • A compatible Android device with a supported OS version
  • A Compliance Policy
  • A Configuration Profile
  • The Intune Company Portal app from the Google Play Store

Configuration

Microsoft Entra ID group

The first step is to create a user group in Microsoft Entra ID. We will use this group as the assignment target for the restriction, compliance policy, and configuration profile that follow.

Go to the Microsoft Entra admin center | Entra ID | Groups and choose New group. Create a new group with the following information:

  • Group type: Security
  • Group name: AND – USR – Android Enterprise Personal Devices with Work profile
  • Group description: This group contains all AND – USR – Android Enterprise Personal Devices with Work profile enabled users
  • Microsoft Entra roles can be assigned to the group: No
  • Membership type: Assigned

Add your Owner and members and choose Create.

Device Platform Restrictions

If MDM hardening has been applied to Microsoft Intune, enrollment of personal devices is normally blocked under Device Platform Restrictions.

For this type of enrollment, this is a problem since we are dealing with Personal devices. We need to create an additional restriction for Android, where we allow personal devices, but only for members of the newly created Microsoft Entra ID group.

Go to Microsoft Intune admin center | Devices | Android | Enrollment under Enrollment options, and choose Device platform restriction. Go to Android restrictions and choose Create restriction.

Create a new Android device platform restriction with the following settings:

  • Name: AND – Android Enterprise Allow Personal devices for BYOD
  • Description: Enable Personal devices for enrollment for BYOD devices with Work profile users

Choose Next.

Make sure you only allow it for Android Enterprise (work profile), and choose Next.

Skip Scope tags and go to Assignments, and assign the created Microsoft Entra ID group to the restriction policy.

Choose Next and then Create. Our Android Device Platform Restriction is now created; this will allow our specific user group to enroll their personal devices with a work profile.

NOTE: You’ll notice that this restriction gets priority 1, so it takes precedence over the Default. For all members of our dedicated group, the priority 1 restriction policy applies.

Compliance Policy

Importantly, for security, our devices must meet certain requirements before they are allowed to enroll. To control this, we are going to create a Compliance Policy in which we set those requirements, such as a minimum OS version and blocking rooted devices.

Go to Microsoft Intune admin center | Devices | Android | Compliance and choose Create policy, select the following, and choose Create.

  • Platform: Android Enterprise
  • Profile type: Personally-owned work profile

Give the policy a name and description and select Next.

We are now going to define the requirements that our devices must meet, such as a minimum OS version and an active password. This Compliance Policy is a baseline rather than a strict requirement, but it is a good start. Below is an overview of all the settings per item that we are going to set under Compliance settings. Configure them as shown and choose Next.

Choose Next and configure the Actions for noncompliance with a schedule of 3 days. This gives the device time to become compliant before it is marked noncompliant.

Choose Next and assign the policy to our Microsoft Entra ID user group, and choose Next again.

In the overview screen, choose Create, and our Compliance Policy is ready to go!
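The same compliance baseline can be created and assigned through Microsoft Graph so that it lives in version control and can be re-applied to other tenants. This is an added example written for this post, not the author's own script or Microsoft documentation; the policy name, password settings and encryption requirement are assumptions to adapt, while the group name and the 3-day (72-hour) grace period come from the steps above.

```powershell
# Added example: build the personally-owned work profile compliance baseline via Graph.
# Requires the Microsoft.Graph PowerShell SDK and an account allowed to manage Intune.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All', 'Group.Read.All'

# Resolve the Entra ID user group created earlier in the post
$groupName = 'AND – USR – Android Enterprise Personal Devices with Work profile'
$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) { throw "Group '$groupName' not found; create it first." }

# Compliance baseline: minimum OS, work-profile password, no rooted devices
$policy = @{
    '@odata.type'                  = '#microsoft.graph.androidWorkProfileCompliancePolicy'
    displayName                    = 'AND - BYOD - Work Profile Compliance'   # assumed name
    description                    = 'Baseline for personal devices with a work profile'
    osMinimumVersion               = '13.0'          # supported version noted in Requirements
    passwordRequired               = $true
    passwordMinimumLength          = 6               # assumed value
    passwordRequiredType           = 'numericComplex' # assumed value
    securityBlockJailbrokenDevices = $true           # "block rooted devices"
    storageRequireEncryption       = $true           # assumed value
    # Actions for noncompliance: mark the device noncompliant after 72 hours (3 days)
    scheduledActionsForRule        = @(@{
        ruleName                      = 'PasswordRequired'
        scheduledActionConfigurations = @(@{
            actionType       = 'block'
            gracePeriodHours = 72
        })
    })
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies' `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# Assign the policy to the group, the equivalent of the Assignments step in the portal
$assignment = @{
    assignments = @(@{
        target = @{
            '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
            groupId       = $group.Id
        }
    })
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType 'application/json'

Write-Host "Created and assigned compliance policy $($created.id)"
```

After running it, the policy appears under Devices | Android | Compliance exactly as if it had been created in the admin center, and the assignment can be verified there.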

Configuration Profile

The last thing we are going to configure before deploying a device is a Configuration Profile. With this, we are going to configure some settings within the work profile.

Go to Microsoft Intune admin center | Devices | Android | Configuration and choose Create and then New Policy. Choose the following:

  • Platform: Android Enterprise
  • Profile type: Templates

Choose Device restrictions underneath the Personally-Owned Work Profile template.

Give the Configuration Profile a name and description, and select Next:

  • Name: AND – BYOD – Device Restrictions
  • Description: These device restrictions are only applicable to BYOD device users

In the Configuration settings, configure the settings as shown in the screenshots below and choose Next.

Assign the Configuration profile to our Microsoft Entra ID group and select Next.

To complete the configuration of our Configuration profile, choose Create.

Our Configuration profile has been created; this was the last part before we can start enrolling our personal Android device with a work profile.

Enrollment

It is time to enroll our personal Android device. On the personal device, open the Google Play Store and search for the Intune Company Portal app and choose Install. After installation, choose Open.

Choose Sign In and sign in with your user. Make sure this user is a member of our Microsoft Entra ID group.

You need to go through three steps during enrollment of the device:

  • Create work profile
  • Activate work profile
  • Update device settings (applicable only if the requirements do not match the items already set on the personal device).

Go through all the steps and choose Done.

Your device is now enrolled in Microsoft Intune as an Android Enterprise personally owned device with a work profile. The device is shown in the Intune Company Portal app, and you’ll notice that a Work profile is now available on the device.

So this is how you configure Android Enterprise personally owned devices with a work profile with Microsoft Intune. Stay tuned for part 3, where we will go through the setup of Android Enterprise dedicated devices.

Stay tuned for the upcoming weeks, when I will go through all the methods and show you how to configure them. Next up, Android Enterprise dedicated devices.