Staging corporate Android devices

This week is all about the recent ability to stage Android Enterprise devices. That ability enables IT administrators to further prepare devices before actually giving them to the user. In a way, staging Android Enterprise devices is similar to pre-provisioning Windows devices: a method to prepare the device for the user and to simplify and speed up the user experience of getting up and running. Before, the IT administrator would generate an enrollment token that could be used by the user to start the enrollment process. The user would then sign in and walk through the guided enrollment process. Now, with the staging ability, the IT administrator still generates an enrollment token, but instead of directly sharing that with the user, it's used by the IT administrator, or supplier, to prepare the device for the user. In other words, to stage the device. During this action, the device remains userless. Once that process is completed, the device can be provided to the user to sign in and to finalize the configuration. A smooth and further simplified process. This post will walk through the configuration for staging corporate Android devices, followed by the experience.

Note: Device staging is available for corporate-owned fully managed and corporate-owned work profile devices.

Creating an enrollment profile for staging Android Enterprise devices

When looking at staging corporate-owned Android devices, it all starts with the enrollment profile. That profile is used to create an enrollment token for a specific Android device management scenario. The creation of that profile is pretty similar to creating other enrollment profiles for Android devices; the only difference is the token type that is selected. The following four steps walk through the creation of an enrollment profile for staging Android Enterprise fully managed devices.

  1. Open the Microsoft Intune admin center portal and navigate to Devices > Android > Android enrollment > Corporate-owned, fully managed user devices
  2. On the Corporate-owned, fully managed user devices blade, click Create profile
  3. On the Basics page, provide the following information and click Next
     • Name: Provide a valid and unique name for the enrollment profile to distinguish it from other enrollment profiles
     • Description: (Optional) Provide a description for the enrollment profile to further distinguish it from other profiles
     • Token type: Select Corporate-owned, fully managed, via staging to create an enrollment profile for staging devices
     • Token expiration date: Select a date when the enrollment token will expire
  4. On the Review + create page, verify the configuration and click Create

Important: When creating a dynamic group, based on the created enrollment profile, that group can only be used during the user stage. During the staging by the IT administrator, or supplier, this is not supported.

Note: The process for corporate-owned devices with work profile is the same, just started from a different place.

Experiencing staging of Android Enterprise devices

The most important thing is the change in the enrollment process. Before, it was a two-step process in which the first step was to share the enrollment token with the user, or to use something like Android Zero-Touch, or Samsung Knox Mobile Enrollment, to directly configure the out-of-box experience with the required enrollment token. In either case, the second step was that the user walks through the enrollment process.

The new process adds another step to that enrollment process. After configuring the enrollment token and the rest of the configuration and apps for those devices, the IT administrator shares the enrollment token with the party that is responsible for staging the devices. That can be another IT administrator, or even a third party. That party starts the enrollment by scanning the QR code, or using the token code, and going through the enrollment steps. Those enrollment steps will be all the standard enrollment pages, except for the page to sign in as a user to register the device. That action will be left for the user. That also makes it less interesting to actually look at that user experience. What is more interesting is the actual registration in Microsoft Intune. After going through the staging process, the device object will be registered with a prefix of "Staging_", as shown below in Figure 2. A clear indication that only the staging process is finished.

Note: There is currently no easy method to see if the staging process is finished. Often the best guess seems to be to verify that all the applicable apps are installed.

After the device has gone through the staging process, the device is turned off and can be handed over to the user. When the user turns on the device, it seems to be usable immediately. However, it is important for the user to open the Microsoft Intune app and to finish the registration of the device. That will eventually make sure that the device name will change and a primary user will be connected, as shown below in Figure 3. To make sure that the user finishes that process, it is important that it is communicated clearly and that Conditional Access is in place to eventually enforce it.
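Because a device keeps its "Staging_" name until the user finishes registration, that prefix can be used to find devices that were staged but never finalized. The following is an added example, not part of the original post or of Microsoft's tooling: it assumes a device export in which each record carries the Microsoft Graph managedDevice fields `id`, `deviceName`, `userPrincipalName` and `enrolledDateTime`; the sample records, the 14-day threshold and the function names are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

STAGING_PREFIX = "Staging_"  # device-name prefix described in the post

# Constructed sample export (not real devices); field names follow the
# Microsoft Graph managedDevice resource, which is an assumption here.
SAMPLE_EXPORT = json.loads("""
[
  {"id": "dev-001", "deviceName": "Staging_a1b2c3", "userPrincipalName": "",
   "enrolledDateTime": "2024-05-01T00:00:00Z"},
  {"id": "dev-002", "deviceName": "Staging_d4e5f6", "userPrincipalName": "",
   "enrolledDateTime": "2024-05-25T00:00:00Z"},
  {"id": "dev-003", "deviceName": "Pixel 7 (finance)", "userPrincipalName": "user@example.com",
   "enrolledDateTime": "2024-04-10T00:00:00Z"},
  {"id": "dev-004", "deviceName": "Staging_0789ab", "userPrincipalName": "",
   "enrolledDateTime": "2024-03-15T00:00:00Z"}
]
""")


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2024-05-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def staging_report(devices, now, max_age_days=14):
    """Split devices still in the staged state into 'pending' and 'stale'.

    A device is treated as staged while its name keeps the Staging_ prefix;
    'stale' means it has been in that state longer than max_age_days.
    """
    report = {"pending": [], "stale": []}
    for dev in devices:
        name = dev.get("deviceName") or ""
        if not name.startswith(STAGING_PREFIX):
            continue  # registration finished: device renamed, primary user attached
        age = now - parse_ts(dev["enrolledDateTime"])
        bucket = "stale" if age > timedelta(days=max_age_days) else "pending"
        report[bucket].append({"id": dev["id"], "deviceName": name, "age_days": age.days})
    for rows in report.values():
        rows.sort(key=lambda row: row["age_days"], reverse=True)  # oldest first
    return report


if __name__ == "__main__":
    fixed_now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed date for a repeatable run
    for bucket, rows in staging_report(SAMPLE_EXPORT, fixed_now).items():
        for row in rows:
            print(f"{bucket:8} {row['age_days']:3}d  {row['deviceName']}  ({row['id']})")
```

Stale entries are the ones to follow up on: they are enrolled and configured, but have no primary user yet.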

More information

For more information about creating enrollment profiles for staging Android devices, refer to the following docs.

4 thoughts on “Staging corporate Android devices”

  1. I got to test out the new enrolment method since it was announced. I tested the enrolment on Android Enterprise Corporate-owned fully managed.

    However, I observed an issue with the PIN code setup during testing.

    Current Behaviour:
    • Users do not receive a prompt to set up a device PIN code after completing device registration.
    • Intune marks the device as non-compliant and emails the user to set up a PIN code.

    Desired Behaviour:
    • The process should prompt users to set up a PIN code either before or immediately after device registration.

    Observations:
    • There is no notification prompt for PIN code setup when users sign in to the Intune app to complete device registration.
    • The prompt only appears after the device syncs with Intune and undergoes a compliance policy check.
    • This approach is not user-friendly and could pose a security risk if a device is left unprotected without a PIN code.

    Have you noticed that yet?

  2. Hi Peter, downside is the fact that the user needs to set a PIN code him/herself using the Intune app for a second time, where the first time it is used to register the device and him/herself. Any thoughts on that?
