Android Enterprise and Microsoft Intune: And Android Device Policy

I’ve mentioned Android Device Policy before, earlier this year, in my post about Android Enterprise and Microsoft Intune. In that post, however, I only briefly mentioned that app, while it is an important piece of the Microsoft management solution for corporate-owned devices. That’s why I thought it would be good to devote a blog post to that app, simply to show its importance. Android Device Policy is really important for configuring managed devices and also provides some nice capabilities. The importance should be familiar to any IT administrator responsible for managing Android devices. Those capabilities are sometimes slightly hidden, but provide a good starting point for troubleshooting, especially when verifying whether settings are already applied or not. In this post I’ll start with an introduction to Android Device Policy and its usage within a Microsoft Intune solution. I’ll end this post with the steps for opening Android Device Policy, in the different Android Enterprise deployment scenarios, and the steps for enabling debug information in Android Device Policy.

Introducing Android Device Policy

With Android 5.0 and later, Google introduced Android Enterprise. That introduction brought the managed device (device owner) and work profile (profile owner) modes to provide enhanced privacy, security, and management capabilities. These modes support the different Android Enterprise deployment scenarios and can be managed by using the Android Management API. That API can be used to configure the different policy settings for managed devices by using a Device Policy Controller (DPC) on those managed devices. As DPC, Google provides – and maintains – Android Device Policy. That app is the only DPC that can be used with the Android Management API, and it can be used to automatically enforce the policy settings on managed devices.

For the Android Enterprise corporate-owned device deployment scenarios, Microsoft Intune relies on the Android Management API and Android Device Policy as DPC. That eliminates the need for Microsoft – for those deployment scenarios – to create, update, and maintain its own custom DPC. That also reduces the effort required from Microsoft to introduce new features when they become available in Android Enterprise and in the Android Management API. Microsoft only needs to make the configuration options of those new features available in the Microsoft Endpoint Manager admin center and bring the configuration of those features to the DPC to enforce the configuration on managed devices. The DPC is installed automatically and basically acts as a bridge between Microsoft Intune (and the Android Management API) and the managed devices. Below, in Figure 1, is a high-level schematic overview of that process; in that overview the EMM console equals the Microsoft Endpoint Manager admin center.

Tip: Google also provides a Test DPC that can be used for testing behavior on devices. On corporate-owned devices, it can be used by providing afw#testdpc as the DPC identifier during device provisioning.

Opening Android Device Policy

Android Device Policy is the DPC that is used on Android Enterprise corporate-owned devices that are managed with Microsoft Intune. Depending on the Android Enterprise deployment scenario that is used, Android Device Policy can be opened via multiple different paths. Below are the most common paths.

  • On Android Enterprise Corporate-Owned Fully Managed devices, the Android Device Policy app can be opened by
    • opening Play Store and navigating to My work apps > Installed > Android Device Policy, or by
    • navigating to Settings > Google > Device Policy
  • On Android Enterprise Corporate-Owned devices with Work Profile, the Android Device Policy app can be opened by
    • opening Play Store and navigating to My work apps > Installed > Android Device Policy
  • On Android Enterprise Corporate-Owned Dedicated devices, the Android Device Policy app can be opened, depending on the configuration, by
    • tapping back multiple times and selecting Launch Android Device Policy app, or by
    • swiping down from the top and navigating to Device Info > Open Android Device Policy, or by
    • navigating to Settings > Google > Device Policy

Enabling debug information in Android Device Policy

After opening Android Device Policy, the app provides some basic information about the management status of the device and the device itself. Below, in Figure 2, is an example of the basic information that the app provides. It shows the Device Policy page with the basic information about the management state, the latest sync time and the installed apps. Below, in Figure 3, is an example of the menu that’s available by default and below, in Figure 4, is an example of the Device details page when clicking on Device details in the menu. This is also where it gets more interesting. When scrolling down to Model, notice that it’s written darker. Tapping multiple times on Model will open new menu options.

Below, in Figure 5, is an example of the updated menu that became available. It now contains an option to select All policies and an option to view Event logs. Below, in Figure 6, is an example of the Device Policy page after selecting All policies. It now contains an overview of all the applied policies on the managed device. Below, in Figure 7, is an example of the Event logs page when clicking on Event logs in the updated menu. Together these two pages combine into a good starting point for troubleshooting.

Note: When more information is needed for troubleshooting, it might be worth enabling debugging on the device and connecting it to a computer with Android SDK platform tools installed.
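One check that fits the note above, as an added example that is not part of the original post: once the device is connected, the output of `adb shell dumpsys device_policy` can be parsed to confirm that Android Device Policy is the device owner or profile owner. The function names are hypothetical; the package name com.google.android.apps.work.clouddpc and the "Device Owner:" / "Profile Owner (User N):" layout are assumptions about the dumpsys output, which varies between Android versions.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: Android Device Policy ships as this package.
ADP_PACKAGE="com.google.android.apps.work.clouddpc"

# Read `dumpsys device_policy` text on stdin and print one
# "<role> <package>" line for every policy owner found.
list_policy_owners() {
    awk '
        /^[ \t]*Device Owner:/        { role = "device-owner"; next }
        /^[ \t]*Profile Owner \(User/ { role = "profile-owner"; next }
        role != "" && /^[ \t]*package=/ {
            sub(/^[ \t]*package=/, "")
            sub(/[ \t\r]+$/, "")      # adb output may end lines with CR
            print role, $0
            role = ""
        }
    '
}

# Exit status 0 when Android Device Policy holds either owner role.
adp_is_policy_owner() {
    list_policy_owners |
        awk -v want="$ADP_PACKAGE" '$2 == want { found = 1 } END { exit !found }'
}

# Constructed sample, trimmed to the lines the parser relies on.
sample_fully_managed() {
    cat <<'EOF'
Current Device Policy Manager state:
  Device Owner:
    name=
    package=com.google.android.apps.work.clouddpc
    User ID: 0
EOF
}

# On a connected device with debugging enabled:
#   adb shell dumpsys device_policy | list_policy_owners
sample_fully_managed | list_policy_owners
```

An unexpected package in either owner role, or no owner at all on a device that should be corporate-owned, is worth investigating before looking at individual policy settings.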

More information

For more information about the Android Device Policy, refer to the following docs.
