This week is all about an addition to my previous post about the device management jungle of Android Enterprise. In that post I already did a brief look at the future and what Android 11 would bring to the table. At that time Microsoft Intune did not yet support a deployment scenario to address the Corporate-Owned, Personally Enabled (COPE) use case. The good news is: that has changed! Microsoft Intune now contains the deployment scenario Corporate-Owned Work Profile, which is currently still in preview, and that deployment scenario can address the COPE use case.
With this blog I want to provide a refreshed overview of the different deployment scenarios and the use cases that are addressed. However, the main focus of this post is the new Corporate-Owned Work Profile deployment scenario. I’ll start this post with the refreshed overview of the different Android Enterprise deployment scenarios in Microsoft Intune, followed with a summery of the main characteristics of the different deployment scenarios. I’ll end this post by focusing on the implementation of the new Corporate-Owned Work Profile deployment scenario.
Updated overview of the Android Enterprise deployment scenarios
Let’s start with a brief overview of the different Android Enterprise deployment scenarios that are available within Microsoft Intune. I’ve discussed these deployment scenarios before, but I thought it would be good to provide another quick overview to clearly differentiate between the deployment scenario and the use case and to address the main characteristics of the different deployment scenarios. Below in Figure 1 is an overview of the different deployment scenarios. As it’s mainly focused on the Android Enterprise capabilities, I’ve skipped the MAM-only scenario. For a first filtering the deployment scenarios are sorted based on the owner of the device and based on the type of workers for the device.
The next step in providing a clearer overview is the table below. That table describes the main characteristics of the different deployment scenarios. It shows important characteristics like the main use cases of a deployment scenario, if personal use is possible, if the privacy can be guaranteed, the management reach and more familiar characteristics.
|Deployment scenario||Use case||Personal use||Privacy guaranteed||Enrollment method||Management reach||Reset required||User affinity|
|Work Profile||Bring Your Own Device (BYOD)||Yes||Yes||Company Portal app||Profile owner||No||Yes|
|Corporate-Owned Work Profile||Corporate-Owned, Personally Enabled (COPE)||Yes||Yes||Near Field Communication, Token entry, QR code scanning, or Zero touch||Profile owner with device-level settings||Yes||Yes|
|Fully Managed||Corporate-Owned, Business Only (COBO)||Yes||No||Near Field Communication, Token entry, QR code scanning, or Zero touch||Device owner||Yes||Yes|
|Dedicated||Corporate-Owned, Single Use (COSU)||No||No||Near Field Communication, Token entry, QR code scanning, or Zero touch||Device owner||Yes||No|
As a little bit of context with this table, the different collumns are used to provide the following information:
- Deployment scenario – This column describes the name of the deployment scenario (or some times referred to as management scenario) in Microsoft Intune
- Use case – This column describes the often used name of the most common use case
- Personal use – This column describes if the deployment scenario can facilitate personal use (which can be as simple as the option for enabling a personal account for the Google Play store)
- Privacy guaranteed – This column describes if the deployment scenario can guarantee the privacy of the user (which actually can only be the case when using a work profile)
- Enrollment method – This column describes the different enrollment methods that are available for the deployment scenario
- Management reach – This column describes the management reach of the deployment scenario on the device
- Reset required – This column describes if the deployment scenario requires a reset of the device
- User affinity – This column describes if the the deployment scenario facilitates user affinity
Android Enterprise Corporate-Owned Work Profile
Now let’s have a look at the previously missing use case, which was the actual trigger of this post, the COPE use case. That use case can now be addressed with the introduction of the Corporate-Owned Work Profile deployment scenario. A long time the public feeling was that Microsoft was missing a use case in Microsoft Intune. Even though the feeling was fair and actually not just a feeling but a simple fact, there was also a fair reason why the deployment scenario for that use case was not available. Microsoft was relying on the Android Management API (AMAPI) and support for the required deployment scenario was not available. That’s changing now.
However, before looking at that deployment scenario in a bit more detail, let’s start with stating that the previous deployment scenario in Android Enterprise, to address the COPE use case, often named Work Profile on Fully Managed Device (WPoFMD), is not going to happen in Microsoft Intune. The support that’s provided via Microsoft Intune by leveraging AMAPI, is focused on the changes coming with Android 11. With Android 11, Google wants to focus more on the privacy of the user. To achieve that, Google wants to further separate the work profile and the personal profile. With the previous implementation there would be two separate Device Policy Controller (DPC) instances running on the device. An instance running as device owner in the personal profile of the user and an instance running as profile owner in the work profile of the user. As you can imagine, that theoretically provides an organization with a lot of control over the personal profile of the user. Besides the level of control, the organization could also potentially see information from the personal profile of the user, like the installed apps. That will also be one of the biggest changes in the new implementation. There will no longer be a work profile on a fully managed device. Instead, the new Corporate-Owned Work Profile deployment scenario will be similar to a normal work profile, but on steroids. Starting with Android 11, there will be a single DPC instance running as profile owner on the corporate owned device of the user. That instance also has the capabilities to do a few device settings. However, there will be no insights in for example the installed apps, or data, in the personal profile on the device. There will be strict separation between the apps and data in the personal profile and the work profile. Similar to the work profile deployment on personal devices. The main difference between the two are the steroids of the DPC instance. On a personal device, the DPC instance is running as profile owner and only has permissions within the work profile. On a corporate device, the DPC instance is also running as profile owner, it has permissions within the work profile and it can manage a few device settings that also affect the personal profile.
When looking from a Microsoft Intune perspective, the nice thing is that the user will have the same usage experience on devices with Android 8 and later, and that the administrators will also have the same management experience for devices with Android 8 and later. That’s achieved by using AMAPI. That will make sure that with a single configuration performed by the administrator, the correct configuration will be applied to the Android device of the user. No matter the specific Android version. As long as it’s Android 8 or later.
For more information regarding Android Enterprise and Android 11, refer to the following articles:
- What’s new for Android in the enterprise: Work Profile – https://developer.android.com/preview/work#work_profile
- Work profiles on fully managed devices – https://developer.android.com/work/dpc/work-profile-on-managed-device
- Android Enterprise terminology – https://developers.google.com/android/work/terminology
5 thoughts on “Android Enterprise and Microsoft Intune: And the previously missing use case”
Great Job as always!
The hard work you put in really pays off with great articles and we all really appreciate it!
I see the use case with COPE devices that when companies give out phones as a benefit (they can also use it for personal use), we will be able to retrieve the phone and wipe ALL data from the phone since its Corp owned.
Do you agree with this?
Thank you. And yes, I agree that the organization should be able to wipe the devices, as it’s a compony device. That also seems to match with the mentioned device actions here: https://techcommunity.microsoft.com/t5/intune-customer-success/intune-announcing-public-preview-for-android-enterprise/ba-p/1524325