
Intune and Android Enterprise

Managing Android devices with Intune through Android Enterprise — work profiles, fully managed, dedicated devices.

Android device management in Intune uses Android Enterprise, Google's modern management framework. It replaces the older "device administrator" model (deprecated and removed from new Android versions) and provides several deployment modes for different use cases.

The four deployment modes

1. Work profile (BYOD)

The most common pattern for personal devices. A work profile is a dedicated, encrypted container alongside the user's personal profile. Inside the work profile:

  • IT installs only work apps and policies.
  • IT can wipe just the profile, leaving the personal side untouched.
  • Notifications, app icons, and data are visually separated (often with a briefcase icon).
  • Strong privacy — IT can't see personal apps, browsing, or photos.

This is the right mode for bring-your-own-device scenarios. App protection policies layer on top for finer per-app control.

2. Fully managed (corporate-owned, personal allowed)

For company-issued devices where you still want to allow some personal use. The whole device is managed; users can install personal apps from the managed Play Store. Best for general-purpose corporate phones.

3. Corporate-owned with work profile (COBO)

A hybrid: the device is corporate-owned, but a separate work profile holds work apps. Useful when the company is fully liable for the device but you still want privacy boundaries.

4. Dedicated devices (kiosks)

For single-purpose devices — warehouse scanners, frontline shared phones, lobby kiosks. The device runs one or a small set of pinned apps; the user usually doesn't sign in personally.

Enrolment

  • Zero-touch enrolment (for fully managed and dedicated) — the OEM ships the device pre-configured against your tenant. Same idea as Windows Autopilot.
  • QR code enrolment — print or display a QR code; the user scans it during initial setup.
  • NFC — bump an admin device against a new device for enrolment.
  • Personal device with work profile — user opens Company Portal and signs in.

What you can manage

  • Apps — install required, available, or optional apps from the managed Play Store.
  • Configuration profiles — OEM-specific (Samsung Knox, Zebra, Honeywell) plus Android Enterprise standard profiles.
  • Compliance — OS version, password complexity, encryption, threat level (from Microsoft Defender for Endpoint Android).
  • App protection policies — even in a work profile, app protection policies (APP) add container restrictions.

Microsoft Defender for Endpoint Android

Defender for Endpoint on Android is essential for compliance-driven access: it provides network protection, web protection, and risk scoring that flows into Conditional Access. Without it, an Android device's "compliance" is largely a self-attestation.
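To find policies that rest only on self-attested settings, the audit below (an added example, not code from the original page or from Microsoft) reads an export of compliance policies and flags Android Enterprise policies that require no Defender threat level. It assumes the export has the shape of Microsoft Graph's deviceManagement/deviceCompliancePolicies response and uses that API's property names; the sample policies are constructed.

```python
import json

# Constructed sample shaped like a Microsoft Graph export of
# deviceManagement/deviceCompliancePolicies; names and values are made up.
SAMPLE_EXPORT = json.loads("""
{"value": [
  {"@odata.type": "#microsoft.graph.androidWorkProfileCompliancePolicy",
   "displayName": "BYOD work profile - baseline",
   "osMinimumVersion": "13", "passwordRequired": true,
   "storageRequireEncryption": true,
   "deviceThreatProtectionEnabled": false,
   "deviceThreatProtectionRequiredSecurityLevel": "unavailable"},
  {"@odata.type": "#microsoft.graph.androidDeviceOwnerCompliancePolicy",
   "displayName": "Corporate phones - with Defender",
   "osMinimumVersion": "13", "passwordRequired": true,
   "storageRequireEncryption": true,
   "deviceThreatProtectionEnabled": true,
   "deviceThreatProtectionRequiredSecurityLevel": "low"},
  {"@odata.type": "#microsoft.graph.windows10CompliancePolicy",
   "displayName": "Windows baseline"}
]}
""")

# Assumption: these two Graph types cover the Android Enterprise modes.
ANDROID_ENTERPRISE_TYPES = {
    "#microsoft.graph.androidWorkProfileCompliancePolicy",
    "#microsoft.graph.androidDeviceOwnerCompliancePolicy",
}
# Level values that mean no threat-level requirement is enforced.
NO_REQUIREMENT = {None, "unavailable", "notSet"}

def audit_android_policies(export):
    """Return {displayName: [findings]} for Android Enterprise policies."""
    report = {}
    for policy in export.get("value", []):
        if policy.get("@odata.type") not in ANDROID_ENTERPRISE_TYPES:
            continue  # other platforms are out of scope here
        findings = []
        enabled = policy.get("deviceThreatProtectionEnabled", False)
        level = policy.get("deviceThreatProtectionRequiredSecurityLevel")
        if not enabled or level in NO_REQUIREMENT:
            findings.append("no Defender threat level required")
        for key, label in (("osMinimumVersion", "no minimum OS version"),
                           ("passwordRequired", "no password required"),
                           ("storageRequireEncryption", "encryption not required")):
            if not policy.get(key):
                findings.append(label)
        report[policy.get("displayName", "(unnamed)")] = findings
    return report
```

A policy with an empty findings list sets all four checks named under Compliance above; one flagged for the threat level passes devices on settings the device reports about itself.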

OEM differences

Different Android OEMs have different management surfaces — Samsung's Knox is the most extensive, with OEMConfig profiles for thousands of additional settings. Zebra, Honeywell, and other rugged-device makers also have OEMConfig profiles. Stock Android (Pixel) is the cleanest experience.

For Microsoft 365 customers, Android Enterprise via Intune covers the full range from personal BYOD to dedicated kiosk fleets. Work profile is the default for most knowledge workers; fully managed for corporate phones; dedicated for frontline scenarios.