Intune device management

This article describes the end-to-end process for enrolling Android Enterprise dedicated devices into Microsoft Intune and deploying applications to those devices. 

 

Before you begin

Confirm that the following requirements are met before proceeding.

 

  • Intune license. 
    A Microsoft Intune license must be assigned to the admin account performing enrollment. The MDM authority must be set to Microsoft Intune.
     
  • Admin role. 
    The account must have Intune Administrator permissions or an equivalent custom role with Android Enterprise read and update permissions. 
     
  • Device OS. 
    Android 16.0 or later with Google Mobile Services (GMS) support. The device must be able to connect to GMS.
     
  • Google account. 
    A dedicated Google service account (not associated with a G Suite domain) used exclusively for Intune-to-Google Play connectivity.
     
  • Network access. 
    Devices must have internet access to reach Google Play and Intune services during enrollment. 
     
  • Connect to Managed Google Play.
    This is a one-time setup step required before any Android Enterprise enrollment can take place. It links your Microsoft Intune tenant to a Managed Google Play account, enabling Intune to manage apps and devices through the Android Enterprise framework. 

    For the full steps on setting up the connection, refer to the Microsoft documentation:  
    Connect your Intune account to your Managed Google Play account

 

Set up Intune

First, log in to the Microsoft Intune admin center to set up your enrollment profile and generate a token.

 

Add enrollment profile

Create an enrollment profile to auto-generate the token we need to enroll dedicated devices. Intune generates a token that is unique for every profile. 

 

For the full guide on how to create an enrollment profile, refer to the Microsoft documentation here: 

Set up Intune enrollment of Android Enterprise dedicated devices

 

Access enrollment token

Once your profile is created, access the enrollment token in the admin center.

 

  1. Go to Devices > Enrollment.
  2. Select the Android tab.
     
  3. In the Enrollment Profiles section:
    1. Choose Corporate-owned dedicated devices.
    2. From the list, select the enrollment profile you just created.
    3. Select Token.

 

The token appears as an alphanumeric string and a QR code. Write down the token string; you will enter it on the device in the next step.

Note the token string above the QR code

 

Enroll the device

Now head over to your target Android IFP/device. You will need to perform a factory reset to access the enrollment screen.

 

  1. Perform a factory reset on the target device and power it on. 
  2. Follow the on-screen instructions until you arrive on the Google sign-in screen.
     
  3. On the Google sign-in screen: 
    1. Type afw#setup in the Email or phone field.
    2. Select Next.
      The device will begin downloading the Android Device Policy app and switch to enterprise management mode. 
       
  4. Select Install when prompted to install the Android Device Policy app. Accept any additional terms presented. 
     
  5. On the Enter the code screen:
    1. Tap on the input box to display the on-screen keyboard. 
    2. Type the token from your new enrollment profile. 
    3. Tap Next.
       
  6. Follow the remaining on-screen prompts to complete enrollment. Once finished, the device is automatically added to the Intune-managed devices list. 

 

 

 

Add to a security group

To distribute apps to the newly enrolled device, add the enrolled device to a security group. Security groups provide a convenient way to deploy app assignments and configuration policies to specific sets of devices. 

 

Create a security group

To create a new security group, perform the following:

 

  1. In the Intune admin center, select Groups from the left menu.
     
  2. Select New Group. On the group creation page, configure the following:
    1. Group type: Select Security.
    2. Group name: Enter a descriptive name.
    3. Membership type: Select Assigned.
       
  3. Select Create.

 

Add device as member

To add the enrolled device to the security group, perform the following:

 

  1. Navigate to Groups > All groups and click on the target group.
  2. Select Members > Add members.
    1. Search for the device by name.
    2. Click on the target device.
    3. Click Select to add the device.
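
The two procedures above (create the security group, then add the device) can also be scripted. The following is an added example, not part of the original article or of Microsoft's documentation; it assumes the Microsoft Graph PowerShell SDK is installed, and the group and device names are placeholders.

```powershell
#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.Identity.DirectoryManagement
# Added example. The two names below are placeholders, not values from this article.
$GroupName  = 'Dedicated-Devices-Example'   # assumed group name
$DeviceName = 'EXAMPLE-DEVICE-01'           # assumed device display name

# Request only the delegated scopes this task needs.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Device.Read.All'

# Reuse the group if it already exists; refuse to guess between duplicates.
$groups = @(Get-MgGroup -Filter "displayName eq '$GroupName'" -All)
if ($groups.Count -gt 1) {
    throw "More than one group is named '$GroupName'."
}

if ($groups.Count -eq 1) {
    $group = $groups[0]
    # The existing group must match the settings from the steps above:
    # Group type = Security, Membership type = Assigned (not dynamic).
    if (-not $group.SecurityEnabled -or
        $group.GroupTypes -contains 'DynamicMembership') {
        throw "'$GroupName' is not an assigned-membership security group."
    }
} else {
    # An empty GroupTypes list (the default here) means Assigned membership.
    $group = New-MgGroup -DisplayName $GroupName `
        -MailNickname ($GroupName -replace '[^A-Za-z0-9]', '') `
        -MailEnabled:$false -SecurityEnabled
}

# Searching by name can match several devices (for example, a stale record
# left by an earlier enrollment). Stop unless exactly one device matches.
$devices = @(Get-MgDevice -Filter "displayName eq '$DeviceName'" -All)
if ($devices.Count -ne 1) {
    throw "Expected one device named '$DeviceName', found $($devices.Count)."
}
$device = $devices[0]

# Group membership uses the directory object ID of the device,
# not the Intune managed-device ID.
$memberIds = @(Get-MgGroupMember -GroupId $group.Id -All).Id
if ($memberIds -notcontains $device.Id) {
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $device.Id
}

# Print the resulting membership for review.
Get-MgGroupMember -GroupId $group.Id -All | Select-Object Id
```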

 

 

Distribute apps to enrolled devices

Intune supports two methods for distributing apps.

 

  • Use Managed Google Play for apps available on the Play Store. 
  • Use Android Enterprise System App to re-enable preloaded apps that Android Enterprise hides by default.

 

Add and assign a Managed Google Play app

For the full steps to add and approve an app from Managed Google Play, refer to the Microsoft documentation: 

Add Managed Google Play apps to Android Enterprise devices with Intune.

 

For the full steps to assign the app to a device group, refer to: 

Assign apps to groups with Microsoft Intune.

 

Note the following when assigning the app:

  • Assign the app under Required (not Available) to ensure it installs automatically on enrolled devices.
  • App sync between Intune and Managed Google Play is not automatic. Select Sync each time a new app is approved.
