Android Enterprise Corporate-owned, Fully Managed user devices is a deployment scenario designed for corporate-owned devices that are intended for work-only use. When integrated with Microsoft Intune, this mode empowers IT administrators to fully manage and secure Android Enterprise devices across their lifecycle, from enrollment to retirement.
With Microsoft Intune, organizations can leverage the Android Enterprise framework to enforce robust security policies, deploy and manage apps, and ensure compliance, all while maintaining a seamless user experience.
The purpose of Android Enterprise Corporate-owned, Fully Managed user devices is to provide organizations with a secure and scalable way to manage corporate-owned Android Enterprise devices that are used exclusively for work. When deployed through Microsoft Intune, these devices are fully controlled by IT administrators, allowing them to enforce security policies, manage applications, and ensure compliance with organizational standards. This deployment scenario is ideal for businesses that require dedicated work devices for employees, such as in logistics, retail, healthcare, or corporate environments.

Microsoft Intune
If we start looking at the options for Android Enterprise Corporate-owned, Fully Managed user device configurations, we see two possibilities within the enrollment profile, namely Corporate-owned fully managed and Corporate-owned fully managed via staging. The difference between Corporate-owned fully managed and Corporate-owned fully managed via staging lies primarily in how the devices are enrolled and provisioned before reaching the end user.

Corporate-owned fully managed (Default) versus Corporate-owned fully managed via staging
Corporate-owned, Fully Managed (Default)
Enrollment Flow
The enrollment process for Android Enterprise Corporate-Owned Fully Managed devices in Microsoft Intune follows a two-stage approach. First, the IT administrator creates an enrollment token within Microsoft Intune and shares it with the end user. Once the user receives the device, they sign in and complete the provisioning steps, which configure the device according to the organization’s policies.
Use Case
This enrollment method is particularly suitable in scenarios where users are expected to set up their own devices. It works well in organizations that empower employees to handle initial device setup independently, such as during remote onboarding or distributed deployments.
Device State Before User Sign-in
Before the user signs in, the device is not provisioned. The setup and configuration are completed by the user during the enrollment process, based on the token provided by the administrator.
Pros
One of the main advantages of this approach is its simplicity, especially for small-scale deployments. It reduces the need for IT involvement during initial setup. Additionally, direct user involvement in the provisioning process allows for a more personalized experience, as users can configure certain preferences during setup.
Corporate-owned, Fully Managed via staging
Enrollment Flow
The enrollment process in this scenario follows a three-stage approach. First, the IT administrator creates a staging token within Microsoft Intune. This token is then used by either the administrator or a third-party vendor to pre-provision the device before it reaches the end user. Once the device is fully configured with the necessary apps and policies, the user receives it and simply signs in to complete the final setup.
Use Case
This method is ideal for frontline workers or large-scale deployments where IT teams or external vendors are responsible for preparing devices in advance. It ensures that users receive devices that are ready to use with minimal setup required on their part.
Device State Before User Sign-in
Before the user signs in, the device is already fully provisioned. It comes preloaded with all required applications, configurations, and security policies, so the user only needs to authenticate to begin using it.
Pros
One of the key advantages of this approach is that it provides a faster and smoother experience for the end user. Since the device is pre-configured, setup time is significantly reduced, and the likelihood of user errors during enrollment is minimized. Additionally, this method supports bulk provisioning, making it highly efficient for IT departments or vendors managing large numbers of devices.
Summary Table
| Feature | Fully Managed (Default) | Fully Managed via Staging |
|---|---|---|
| Enrollment Token | Default token | Staging token |
| Setup Responsibility | User | Admin/vendor |
| User Experience | Full setup required | Sign-in only |
| Ideal For | Small deployments | Frontline workers, large-scale rollouts |
| Device State Before User | Unprovisioned | Pre-provisioned |
Configuration – Fully Managed
Microsoft Entra ID group
As with our Android Enterprise Dedicated devices, this group is also for Enrollment Time Grouping. More information can be found in my previous part here.
Go to Microsoft Entra admin center | Groups and choose New group. Create a group with the following settings and choose Create.
- Group type: Security
- Group Name: AND – DVC – Android Fully Managed Devices
- Group Description: Android Enterprise Fully Managed Devices
- Microsoft Entra roles can be assigned to the group: No
- Membership type: Assigned
- Owner: Intune Provisioning Client (f1346770-5b25-470b-88bd-d5744ab7952c)

Once the group is created, it is ready for use in our enrollment profile.
Enrollment Profile
The next step is to create the enrollment profile; as discussed earlier, in this section we are going for Corporate-owned, fully managed user devices.
Go to Microsoft Intune admin center | Devices | Android | Enrollment and, under Enrollment Profiles, select Corporate-owned, fully managed user devices.

Choose Create policy and create a policy as shown below, and choose Next.
- Name: AND – Corporate-Owned Fully Managed
- Description: Enrollment token for Android Fully Managed Devices
- Token type: Corporate-owned, fully managed (default)
- Apply device name template: No

On the Device group screen, choose Microsoft Entra group and select our newly created group, then choose Next.

Review your settings and choose Create.

Our enrollment token is now ready for use. Next up, we will create a Compliance and Configuration policy to get our enrollment ready.

Compliance Policy
As with our other enrollment types, it is also important here, for security, that our devices meet certain requirements before they are allowed to enroll. To control this, we will create a Compliance Policy that sets those requirements, such as a minimum OS version and blocking rooted devices.
Go to Microsoft Intune admin center | Devices | Android | Compliance and choose Create policy, select the following, and choose Create.
- Platform: Android Enterprise
- Profile type: Fully managed, dedicated, and corporate-owned work profile

Give the policy a name and description and select Next.
- Name: AND – Android Enterprise Corporate-owned Fully Managed
- Description: This compliance policy is assigned to devices with a Corporate-Owned Fully Managed device profile

We are now going to define some requirements that our devices must meet, such as a minimum OS version, a password active, etc. This Compliance Policy is a baseline and not a requirement, but a good start. Below is an overview of all the settings per item that we are going to set under Compliance settings. Configure them as shown and choose Next.

Choose Next and configure the Actions for noncompliance with a schedule of 3 days; this grace period gives the device time to become compliant.

Choose Next and assign the policy to our newly created Microsoft Entra group, and choose Next again.

In the Review + create screen, review your settings and choose Create. Our compliance policy is ready to go!

Managed Google Play – Apps
Before we can start with our configuration, we also need applications to add to our Fully Managed configuration. In a previous post, I described how to add an app from the Managed Google Play in Microsoft Intune and assign it to your group. You can find the steps here.
For our Android Enterprise Corporate-owned, Fully Managed user devices, we will assign our dedicated Microsoft Entra Group to the following applications: Microsoft Edge, Microsoft Outlook, Microsoft Teams, Authenticator, and Microsoft OneDrive. Make sure you do this for all the applications you need in your configuration.
Configuration Profile
We are going to create a Configuration Profile with some base settings for our Android Enterprise Corporate-owned, Fully Managed user devices.
Go to Microsoft Intune admin center | Devices | Android | Configuration and choose Create and then New Policy. Choose the following:
- Platform: Android Enterprise
- Profile type: Templates
Under the Fully Managed, Dedicated, and Corporate-Owned Work Profile template, choose Device restrictions.

Give the Configuration Profile a name and description, and select Next:
- Name: AND – Fully Managed Devices – Device Restrictions
- Description: This policy will set some base configuration for Fully Managed Devices

Let’s configure some settings. For our example, use the values shown below and choose Next.

Assign our newly created group to the policy and choose Next. Review your configuration and choose Create.

Our Configuration Policy is now ready to go.

In this last part, I’ll show you how to enroll your device and show the end-user experience for Android Enterprise Corporate-owned, Fully Managed user devices.
Enrollment
Boot your device and tap the Welcome screen 6 times. Select your language, then scan the QR code you created in the Enrollment profile. Choose your Wi-Fi connection and start deploying.

When you get the screen This device belongs to your organisation, choose Next. Now follow all the steps until you get to the This [model device] isn’t private screen and choose Next.

Wait until you get a Microsoft login page (Google Chrome will open), and sign in with your user account.

On the Your work checklist screen, configure a PIN code and choose Install for the work apps. The final step is to register your device, so choose Set up.

The Microsoft Intune app will open; choose Sign in and enter your user password. On the Help us keep your device secure page, choose Register. This brings you to the final stage: choose Next on the next screen to complete your device registration. Once the registration is completed, choose Done.

In the last steps, you need to Accept some Google services and Agree to some end-user policies, and after that, your device is ready to go.

So this is how you configure an Android Enterprise Corporate-owned, Fully Managed user device that is completely user-driven. Now, let’s check on how you can configure and enroll your Android Enterprise Corporate-owned, Fully Managed devices in staging mode!
Configuration – Fully Managed via Staging
The difference in configuration here is that Enrollment Time Grouping is not supported for Staging. Instead, we will work with a dynamic group based on the name of the enrollment profile, so it is important to determine the name of the enrollment profile first. In this post, we will go for AND – Fully Managed – Staging.
IMPORTANT: The name in the dynamic membership rule of the dynamic group must match the enrollment profile name exactly; otherwise the enrollment will not work.
Microsoft Entra ID Group
So, the first thing we are going to do is create a dynamic group based on the enrollment profile name.
Go to Microsoft Entra admin center | Groups and choose New group. Create a group with the following settings and choose Create.
- Group type: Security
- Group Name: AND – DVC – Android Fully Managed Devices – Staging
- Group Description: Android Enterprise Fully Managed Devices – Staging Mode
- Microsoft Entra roles can be assigned to the group: No
- Membership type: Dynamic Device
- Dynamic membership rule: (device.enrollmentProfileName -eq "AND – Fully Managed – Staging")

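Because the exact-name match is the one thing that silently breaks this setup, here is an added check (not part of the original post or of Intune/Entra) that builds the rule in the form used above and reports the copy/paste mistakes that most often cause a mismatch: curly quotes, hyphens substituted for en dashes, and stray whitespace. The profile name is the one from this post; the rule strings are constructed samples.

```python
import re

# Constructed sample input, not taken from a tenant: the enrollment profile
# name used in this post, as typed in the Intune portal.
PROFILE_NAME = "AND – Fully Managed – Staging"

# Shape of the rule from the post; parentheses are optional in Entra rules.
# Only straight double quotes are accepted around the literal.
RULE_RE = re.compile(
    r'^\(?\s*device\.enrollmentProfileName\s+-eq\s+"([^"]*)"\s*\)?$',
    re.IGNORECASE,
)
SMART_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"'})  # “ ” -> "
DASHES = str.maketrans({"\u2013": "-", "\u2014": "-"})        # – — -> -


def build_rule(profile_name: str) -> str:
    """Build the rule in the exact form the post uses, with straight quotes."""
    return f'(device.enrollmentProfileName -eq "{profile_name}")'


def diagnose(rule: str, profile_name: str) -> list[str]:
    """Return why a rule would not match the profile name; [] means it matches."""
    problems: list[str] = []
    if any(q in rule for q in ("\u201c", "\u201d")):
        problems.append("curly quotes: Entra expects straight double quotes")
        rule = rule.translate(SMART_QUOTES)
    match = RULE_RE.match(rule.strip())
    if match is None:
        problems.append('shape: expected (device.enrollmentProfileName -eq "...")')
        return problems
    literal = match.group(1)
    if literal == profile_name:
        return problems
    # Names differ: narrow it down to the usual copy/paste causes.
    if literal.strip() == profile_name.strip():
        problems.append("whitespace: leading/trailing spaces differ")
    elif literal.translate(DASHES) == profile_name.translate(DASHES):
        problems.append("dashes: hyphen used where the profile name has an en dash (or vice versa)")
    else:
        problems.append(f"name: rule has {literal!r}, profile is {profile_name!r}")
    return problems


if __name__ == "__main__":
    for rule in (
        build_rule(PROFILE_NAME),
        '(device.enrollmentProfileName -eq “AND – Fully Managed – Staging”)',
        '(device.enrollmentProfileName -eq "AND - Fully Managed - Staging")',
    ):
        print(rule, "->", diagnose(rule, PROFILE_NAME) or ["OK"])
```

Run it against the rule you pasted into the Entra portal before enrolling; an empty result means the device will be evaluated against the profile name you configured.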
Once the group is created, it’s ready to use for our enrollment profile assignment.
Enrollment Profile
For Android Enterprise Corporate-owned, Fully Managed in Staging mode, we need to create a separate enrollment profile.
Go to Microsoft Intune admin center | Devices | Android | Enrollment and, under Enrollment Profiles, select Corporate-owned, fully managed user devices.

Choose Create policy and create a policy as shown below, and choose Next.
- Name: AND – Fully Managed – Staging
- Description: Enrollment token for Android Fully Managed Devices in Staging Mode
- Token type: Corporate-owned, fully managed, via staging
- Token expiration date: (use a date that is at least three months from the day you create the token)
- Apply device name template: No

Note the message that says, Assigning a static security group during enrollment is not supported with staging. If you do so, you’ll get the following error while creating the enrollment profile.

So on the Device group screen, choose None because we are working with a dynamic group, then choose Next.

Review your settings and choose Create.

Our enrollment token is now ready for use.

Compliance policies, Managed Google Apps, and Configuration Profile
For this example, we are just going to assign our new dynamic device group to the same apps and policies described in the Fully Managed (default) mode setup. So make sure you assign the dynamic group to the compliance policies, applications, and configuration profiles.
IMPORTANT: The device only becomes a member of the dynamic device group after the user stage of enrollment has been completed; nothing happens during the device stage.
Enrollment
Boot your device and tap the Welcome screen 6 times. Select your language, then scan the QR code you created in the Enrollment profile. Choose your Wi-Fi connection and start deploying.

When you get the screen This device belongs to your organisation, choose Next. Now follow all the steps until you get to the This [model device] isn’t private screen and choose Next.

Your device will go into the staging phase of the enrollment and will go through several steps automatically. During enrollment, the Microsoft Intune and Microsoft Authenticator apps will be installed automatically. You only need to Accept and Agree to the Google policies, and you will be directed to the home screen.

Your device is now pre-provisioned and ready to be handed over to the end-user.
User Experience
Once the device is pre-provisioned during the device staging phase, it will be handed over to the end-user. The following steps need to be done by the end-user. During this stage, the device will become a member of our dynamic device group, so all our apps, compliance, and configuration policies will be deployed to it. It’s rather confusing that during the user phase, the device becomes a member of the dynamic device group. Right?
IMPORTANT: You do need to be patient, as we work with a dynamic device group here. At the time of writing, it took about 15 minutes for the device to become a member of the group. As a result, the policies and applications only came through then.
On the device, go to the Microsoft Intune app, and sign in with your Microsoft 365 account.

On the next screen, choose Register, and you’ll be directed to the Microsoft Intune app. Choose Next, and once the registration is completed, choose Done. Once your device is enrolled, the assigned apps will be installed on the device.

So this was the part where we enrolled Android Enterprise Corporate-owned, Fully Managed user devices in two different ways, user-driven (default) and via staging (pre-provisioning). Next up is Android Enterprise Corporate-owned devices with work profile. Stay tuned!