Android Enterprise fully managed devices and the Google Play store

This week another post about an Android Enterprise configuration. Last week was related to company owned single-use (COSU) devices (also known as dedicated devices), while this week is related to company owned business only (COBO) devices (also known as fully managed devices). More specifically, about adding a personal touch to fully managed devices. Microsoft Intune doesn’t know the company owned personally enabled (COPE) devices, yet, but there is a feature within the fully managed devices configuration that can at least enable some more personal options to the user. That can be achieved with a simple configuration to allow access to all apps in the Google Play store. I’ll start this post with the configuration steps (and a little introduction) and I’ll end this post by having a look at the end-user experience.


Let’s start with a quick introduction about the setting that should be configured and the impact of that setting. The setting Allow access to all apps in Google Play store must be set to Allow. Once it’s set to Allow, users get access to all apps in Google Play store. Apps can be sort of blocked by the administrator by assigning an uninstall of the apps to the user (or device). That will simply remove the app (over-and-over) again. When it’s set to Not configured, users are forced to only access the apps the administrator makes available (or required) via the Google Play store.

The following 3 steps walk through the process of creating a device restrictions policy that enables access to the Google Play store for users.

1 Open the Azure portal and navigate to Microsoft Intune > Device configuration > Profiles to open the Device configuration – Profiles blade;
2 On the Device configuration – Profiles blade, click Create profile to open the Create profile blade;

AEFMD-CreateProfileOn the Create profile blade, provide the following information and click Create;

  • Name: Provide a valid name
  • Description: (Optional) Provide a valid description
  • Platform: Select Android Enterprise
  • Profile type: Select Device Owner > Device restrictions
  • Settings: See step 3b
3b On the Device restrictions blade, select Applications to open the Applications blade; and click OK to return to the Add configuration policy blade;
3c On the Applications blade, select Allow with Allow access to all apps in Google Play store and click OK and OK to return to the Create profile blade;

Note: This profile can be assigned to user and device groups.

End-user experience

Now let’s end this post by having a look at the end-user experience. Depending on the exact configuration the end-user can end up with one of the three scenarios as shown below.

  1. Below on the left is showing the Google Play store for the work account only, without access to all apps in the Google Play store.
  2. Below in the middle is showing the Google Play store for the work account only, with access to all apps in the Google Play store. Even though my store is in Dutch, the number of items in the menu, and the apps shown in the background, show the difference.
  3. Below on the right is showing the Google Play store for the work account when also a personal account is added (see the purple circle with a “P”). It provides the same options as shown in the middle, but also enables the user to switch between accounts.
Screenshot_20190729-172606_Google Play Store Screenshot_20190729-181300_Google Play Store Screenshot_20190724-210437_Google Play Store

The combination for the user to add a personal account to the device and being able to install apps via the Google Play store, will at least give the user some options to personalize the device.

More information

For more information about the device configuration options for Android Enterprise fully managed devices, please refer to the Device owner section in the documentation about Android Enterprise device settings to allow or restrict features using Intune.

15 thoughts on “Android Enterprise fully managed devices and the Google Play store”

  1. Hello Peter,
    The problem with “access to all apps” is that the Enterprise PlayStore with optional App (not required at enrolment phase but historicaly “available” on demand users after) is merged with all the Full Public playstore.

    So I tried to activate only “add a personal account” option and it seems to do the job (1 Pro Play Store with recommended App and 1 Full personal PlayStore if user need more) … except that, after few hours, the personal applications are uninstalled by “device administrator”.
    If you know the problem and have a workaround, it would be helpful!


  2. Looks like he wants a restricted store for managed google play but full access if you add your personal account. But in he’s scenario all apps are shown if configured like this but gets auto uninstalled after a few hours.

  3. Peter,

    I have problems with the store. When I enable show all apps the play store won’t show all apps. The problem resides in multiple tenants. Did you experience this aswell?

    Kind regards,

  4. Peter,

    I got the scenario’s working as described, but… after a restart of the device, the look for the play store is changed, there’s no option anymore to switch, just the classic play store look.

    Looks during deployment the play store is in Works mode, but after a reboot this is changed. Tested on 3 android devices, all the same behaviour.

  5. Peter,

    Just found how it works: after the reboot you can’t switch anymore in the screens as supposed, but in the play store search, in the right corner of the search you can switch between the accounts.
    Maybe a little update in the article, because the screenshots given are for a works profile and after restart of the device the look is changed to the classic play store look.

  6. Hey, I’m just wondering. If I use the “fully managed devices” scenario, but give users access to the Play Store (install any apps) and set app protection policies to company apps (data can only move between managed apps). This scenario is almost like COPE? Right? 🙂

    • Hi Jack,
      That’s sort of correct. That gives the user with the ability to install apps to provide a personal touch. However, that doesn’t allow you to actually differentiate between personal and company owned data and apps. That’s something to keep in mind.
      Regards, Peter

  7. Been working on this some time now.
    It’s no problem when enabling allow access to all apps.
    What i would like to have is allow access to all apps when adding personal Gmail account.

    This way users that only want a “work” phone gets it and when you have user that wants to download personal apps you get that.

      • Hi Peter!

        Yes correct i would like to keep the “company” part clean for the apps that the company provides.
        And if they want to download apps they need to add a private account.

        We still want the devices to be fully managed.


Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.