Comprehensive Android Device Onboarding Checklist for M365 Business Premium

Intune, Microsoft 365 14 Minutes

bp1

Onboarding an Android phone into Microsoft 365 Business Premium (which includes Microsoft Intune for device management) ensures the device is fully managed and protected. This detailed checklist covers every step – from preparation to post-deployment – including security configurations, policies, and ongoing management. Follow the sequence below to set up the Android device securely and keep it compliant with your organisation’s standards.

Step-by-Step Onboarding Process

  1. Prepare the M365 Environment for Android Management

    • Verify Licensing & Access: Ensure the user is assigned a Microsoft 365 Business Premium license (this license includes Intune for Mobile Device Management). Also, have administrator access to the Microsoft 365 admin center and Endpoint Manager (Intune) portal.

    • Intune Tenant Preparation: Confirm Intune is set as the MDM authority (in modern tenants Intune is already the default). If not done previously, set up Intune by signing in to the Endpoint Manager admin center and reviewing enrollment preparation steps. For example, verify your tenant’s enrollment restrictions and device limit settings to allow Android enrollments.

    • Link Intune to Managed Google Play: Configure Android Enterprise integration by connecting Intune to a Managed Google Play account[1][2]. This is required for managing Android devices. In the Endpoint Manager portal, navigate to Devices > Android > Android Enrollment and connect your Intune account to Managed Google Play. Follow the on-screen steps to sign in with a corporate Google account and grant permissions[1]. Result: Intune is linked with Google Play, and the Company Portal app (and other Android Enterprise system apps) will be made available to devices automatically[2].

    • Choose Android Management Mode: Decide on the management mode. For corporate-owned devices that will be fully controlled by IT, use Android Enterprise Fully Managed (formerly COBO – Corporate Owned, Business Only)[1]. (For BYOD personal devices, you’d use Work Profile mode, but this guide focuses on fully managed corporate devices for maximum control and protection.) Ensure the Android OS version on the phone is supported by Intune and Android Enterprise (generally Android 9.0 or above for fully managed)[3]. If the device was previously enrolled in another MDM or used personally, factory reset it now – fully managed enrollment requires a fresh start[2].

    • Configure Initial Device Settings (Optional): If your organisation uses zero-touch enrollment or Samsung Knox Mobile Enrollment for bulk provisioning, set those up in advance. For Zero-Touch or Knox, you’d upload device IDs to those portals and link to Intune enrollment profiles. Otherwise, plan to enroll via QR code or the Company Portal app. Ensure you have a stable Wi-Fi network available for the device’s enrollment.

  2. Define Security Policies in Intune (Compliance & Configuration)
    Before enrolling the device, set up the security policies that will apply upon enrollment. This ensures that as soon as the phone is onboarded, it will receive the required configurations to be secure.

    • Create Compliance Policy: In Endpoint Manager (Devices > Compliance policies), create a new Android compliance policy to enforce your security requirements. Configure rules such as: require a password/PIN on the device (e.g. minimum 6-digit PIN, alphanumeric or complex as needed)[3][3], require device encryption to be enabled[3], set a minimum OS version (e.g. disallow Android versions lower than a certain release)[3], and block jailbroken/rooted devices by enabling Google Play Integrity or SafetyNet checks[3]. You can also mandate that the device is not on a blocked manufacturer/model list if relevant. Define an action for non-compliance (e.g. send user notification or block access after a grace period) – by default, marking the device non-compliant immediately is recommended[3].

    • Create Configuration Profiles: Next, create an Android device configuration profile (specifically an “Device Restrictions” profile for fully managed Android Enterprise). In Endpoint Manager (Devices > Configuration profiles), set restrictions to harden the device. Recommended settings include: disable USB file transfers and external media access to prevent data leaks[3]; block screen capture and screen recording; disable installation from unknown sources (to stop unapproved apps); enforce Google Play Protect app scanning (Threat Scan on apps: Require to ensure malware scanning is active)[3]; require device encryption if not already enforced via compliance; and enable other desired restrictions (e.g. block Bluetooth file sharing, block factory reset by the end-user[3], and force automatic system updates installation on a schedule). Also consider enabling biometric unlock (fingerprint/face) if available for user convenience on top of PIN – Intune can require biometrics for unlock via policy[1].

    • Email and App Configuration (Policy): If you plan to use the native email app (Gmail) for work email, create an “Email profile” configuration profile (with Exchange Online details) to push to the device. However, the recommended approach is to deploy Outlook (covered in the next step) instead of using native email. You can also prepare App Configuration policies for certain apps if needed (for example, pre-configure Outlook’s settings or require a PIN within Outlook app using an App Protection Policy).

    • Conditional Access (Integration with Azure AD): Set up a conditional access policy in Azure AD (if not already) to require device compliance for accessing corporate resources. For example, enforce that only devices marked Compliant by Intune (meaning they meet the above policy conditions) can access Exchange Online, SharePoint, Teams, etc.[4]. This ties the Intune compliance policy to actual access control, ensuring unmanaged or non-compliant devices are blocked from M365 data. (Note: Conditional Access requires Azure AD Premium, which is included in Business Premium.)
    • Review and Save Policies: Save and deploy these policies to the target user or device groups (e.g. to “All corporate devices” or specific user groups). Result: With compliance and configuration profiles in place, any enrolled device must adhere to these security requirements to be deemed compliant and maintain access[4].

  3. Enroll the Android Device into Intune (M365 Management)
    Now that the backend is prepared, proceed to enroll the phone. There are a few enrollment methods for a fully managed device – here we use the QR code method (suitable for Android Enterprise fully managed) or the Company Portal app method:

    • Generate Enrollment QR Code/Token: In Endpoint Manager, go to Devices > Android > Android Enrollment > Enrollment Profiles. Create a “Corporate-owned, fully managed user device” enrollment profile if you haven’t already[1]. Intune will provide an enrollment token (string code) and an option to get a QR code. This QR code or token will be used on the device during setup. (If using Android’s Zero-Touch enrollment or Samsung Knox, you would assign this profile to the device in those portals instead.) For a streamlined experience, the QR code is very convenient – it embeds the enrollment token and Intune’s info.

    • Factory Reset & Initial Setup: Ensure the Android phone is factory reset. Turn on the device (or if just reset, start the setup wizard). Follow the initial prompts (select language, connect to Wi-Fi, etc.). When prompted to sign in or when you reach a screen for device management, use the enrollment method:
      • QR Code enrollment: Tap multiple times on the welcome screen (or in setup, choose “Perform QR code enrollment” if available). Scan the QR code from Intune using the device’s camera. This will automatically configure the device to enroll in Intune.

      • Token entry enrollment: Alternatively, in the Wi-Fi selection screen, you can enter the code afw#setup in the Wi-Fi SSID field (this triggers Android Enterprise setup) and then you will be prompted to enter the enrollment token manually (or sign in to Google to retrieve it). Enter the enrollment token from Intune to proceed.

      • Company Portal app (for BYOD or if already set up): If the device was not factory reset (for example, if doing a personal device with work profile), the user could simply install the Intune Company Portal app from Google Play, launch it, and sign in with work credentials to enroll. In our fully managed scenario, the QR code method is more automated and ensures full control.
    • Intune Enrollment Process: After scanning the QR code or entering the token, the device will automatically download and install the Intune Company Portal and related management apps. It will prompt for the user’s Azure AD (M365) credentials. Sign in with the company (work) account when prompted (this binds the device to the user in Azure AD). The device will then enroll into Intune – you’ll see screens indicating the device is being managed by your organization.

    • Apply Corporate Profile: The enrollment profile will apply, marking the device as corporate-owned. The device may also set up a work Google account silently to manage Managed Play apps. The phone will likely enforce a PIN code setup at this point if your compliance policy requires one. Follow any on-screen instructions (e.g. “create a work profile” or “set a PIN to secure your device”). For fully managed devices, the entire device is now under management (not just a work profile).

    • Network & Sync: Ensure the phone stays connected to the internet during this process. Intune will start pushing down the configurations and apps assigned to this device/user. This can take a few minutes.

    • Verification: In the Endpoint Manager portal, you can check Devices > All Devices, and you should see the new Android phone appear in the list once enrollment is complete. It will show as “Compliant” or “Not compliant” depending on whether it has finished applying policies. (At first, it might be non-compliant until all policies are applied – this is normal. The device will continuously sync until it meets the compliance criteria.)

  4. Deploy and Configure Microsoft 365 Apps (Email, Teams, etc.)
    To ensure productivity and security, install the required Office/M365 applications on the device through Intune and configure them properly:

    • App Deployment via Managed Play: Using Intune’s integration with Managed Google Play, you should have added key apps in advance. If not done yet, go to Apps > Android Apps in Intune, and Add apps from the Managed Google Play store. Search and add apps like Microsoft Outlook, Microsoft Teams, OneDrive, Office (Mobile), Microsoft Authenticator, and any other required apps (such as Line of Business apps)[1]. Assign these apps to the device or user group (as “Required” for corporate devices so they install automatically)[1]. Intune will then push these apps to the enrolled phone.

    • Email Configuration: Outlook Mobile is the recommended email client. Once Intune pushes Outlook and it installs on the phone, the user should launch Outlook. The app may auto-detect the user’s account (through single sign-on with the managed device) or prompt the user to add their Office 365 email account. The user should sign in with their work credentials. Because the device is marked compliant (and conditional access is in place), the email account will successfully configure and start syncing mail. If you instead use the native email app, ensure an email profile policy was sent or instruct the user to add the account via system settings (and expect a prompt to enforce Device Administrator if Office 365 MDM was not already in effect – but since Intune MDM is handling it, Outlook is simpler).

    • Other App Sign-ins: Have the user open other apps like Teams and OneDrive – these should similarly either SSO sign-in or prompt for login with the work account. Verify that each app works and that policies like App Protection (if configured) are applied (for instance, if you set an App Protection Policy, it might require a PIN when opening Outlook or prevent copying data from Outlook to personal apps).

    • Policy Enforcement on Apps: Thanks to the earlier Managed Google Play setup, all apps deployed are the approved versions. Intune can manage permissions for certain apps if configured (for example, you can pre-grant or deny permissions to apps through the Device Restrictions profile). Ensure that Microsoft Defender (if your organisation uses it for mobile threat defense) is also deployed (see next step for more on Defender).

  5. Verify Device Compliance and Security Settings
    At this stage, the phone is enrolled and apps installed. Now verify that all security configurations are in effect and the device is compliant:

    • Compliance Check: On the device, open the Company Portal app. It should show the device status as compliant (green check) or list any actions needed. If any compliance item is missing, the Company Portal will typically prompt the user (for example, “Set a device PIN of at least 6 digits” if the user hadn’t done so, or “Encrypt your device” if encryption wasn’t automatic). Follow any prompts to resolve outstanding issues. Modern Android devices usually encrypt by default when a PIN/password is set, satisfying the encryption requirement automatically[3].

    • Intune Portal Status: In the Endpoint Manager admin center, check the device’s Compliance status. It should be Compliant if all policies are met. If it shows Not Compliant, review which setting is not met. Common causes: the user hasn’t set a required PIN or the device is still installing a required update or app. You can select the device in Intune and view Device Compliance to see a per-setting report. Resolve any outstanding compliance issues by either adjusting the device settings or updating the policies if necessary.

    • Security Policy Enforcement: Verify specific configurations: try taking a screenshot on the device – if you set “block screen capture,” it should be disabled by policy[1]. Attempt to plug the phone into a PC via USB – with USB data transfer blocked, the phone’s storage should not be accessible[3]. These tests confirm that the device restrictions profile is active. Also check that the required PIN complexity is enforced (e.g., try setting a too-simple PIN to see if it gets rejected as per policy).

    • Defender for Endpoint (Optional): If Microsoft Defender for Endpoint (part of Defender for Business in M365 Business Premium) is being used, ensure the Defender app is installed and onboarded. (Intune can deploy the Defender app just like other apps[1][1]. After installation, the user should open the Defender app and sign in to activate it[1][1]. Once onboarded, the device will show up in the Defender portal with its threat status.) This adds an extra layer of protection by scanning for malicious apps, phishing SMS, unsafe network connections, etc.

    • Encryption Status: Confirm the device storage is encrypted. On the phone, you can usually see this under Settings > Security > Encryption (it might say “Encrypted” if all is well). Intune can also report encryption status as part of compliance. This ensures data on the phone is protected if the device is lost.

    • Corporate Data Separation: Although this is a fully managed device (all data is corporate-managed), if any work/personal profile distinction exists (in COPE scenarios), verify that policies for data separation are applied (e.g. copying data from work apps to personal apps is restricted). In our fully managed case, all apps are corporate, so all data is under management and protected by policies like App Protection or the device encryption.

    • Compliance Reports: Intune provides compliance reports and dashboards. Use Devices > Monitor > Compliance in the portal to see an overview of device compliance across your organisation. Ensure this newly onboarded device appears with green status. Monitoring these reports regularly is important for ongoing compliance[5].

  6. Enable and Test Device Management Features
    With the device now managed, you have various remote management capabilities to secure and support it throughout its lifecycle:

    • Remote Wipe / Reset: In Intune, locate the device and test a Retire or Wipe command (caution: do this only for testing if you have no real data on the device, or just be aware of the capability). A Retire action removes the company’s data and management profiles but leaves personal data intact[6]. A Wipe fully resets the device to factory settings, erasing all data[6]. Use Retire for employee personal devices when they leave the company, and use Wipe if a device is lost/stolen or being reissued to someone else. Verify: If possible, simulate a Retire on a test device – the Company Portal and managed apps should get removed, and the device will lose access to corporate email (this demonstrates your ability to protect data if needed). Cancel or avoid a full wipe unless you are ready to reset the device.

    • Remote Lock and Passcode Reset: Intune supports remote locking of a device and resetting the passcode. These actions can be initiated from the device’s page in Endpoint Manager. This is useful if a device is misplaced or the user forgets their PIN. (Fully managed Android devices may support these commands – verify on a test device.)

    • Device Encryption Enforcement: We already required encryption via compliance. If the device for some reason wasn’t encrypted, Intune would mark it non-compliant. There isn’t usually a separate action needed, as modern Android will encrypt upon setting a PIN. However, it’s worth noting for older devices: you might instruct the user through Company Portal to enable encryption if it didn’t happen automatically. Ensure no one turns encryption off (some devices might allow decrypting via settings – which should also flip compliance to non-compliant).

    • Policy Updates & Sync: Know that you can push policy updates or new configurations anytime. For example, if you want to enable a new Wi-Fi profile or VPN configuration on the phone, you can create a profile in Intune and assign it; the device will receive it on next check-in (devices check in with Intune periodically, or the user can open Company Portal and tap “Check Device Settings” to force a sync).

    • Defender and Threat Management: If using Defender, you can view device risk in the Defender Security portal. Intune can also take action based on device risk (via compliance policies integrating with Defender threat level). Make sure Defender is actively protecting the device (run a test EICAR virus file if you want to see if Defender catches it, for example).

    • User Support Abilities: In the Company Portal, the user can see company contacts or support info (you can customise the Company Portal branding and contact details in Intune). It’s good practice to configure Help Desk information there so users know how to get assistance. Also, the user can use the Company Portal to see which policies are applied, which apps are available, and initiate a sync or check compliance. Encourage users to familiarize themselves with the Company Portal app.

  7. Manage Operating System and App Updates
    Keeping the device up-to-date is critical for security. Microsoft Intune provides mechanisms to manage Android OS updates for corporate devices:

    • Configure System Update Policy: In your Device Restrictions configuration profile (created earlier), use the System update settings to control how updates are applied[7]. Options include: using the device default (updates auto-install when idle, charging, on Wi-Fi), forcing automatic install ASAP (no user delay)[7], or postponing updates for a defined period (e.g. postpone up to 30 days)[7]. You can also set a maintenance window for updates (so updates install during off-hours)[7]. For example, you might allow automatic nightly updates or weekend updates to minimise disruption.

    • Enforce Updates (Don’t Rely on Users): It’s best practice not to rely on end users to install OS patches[7]. Intune policies ensure updates happen so that users cannot indefinitely defer important patches[7]. For instance, if an update is deferred 30 days, Intune will prompt or force installation after that. Make sure devices are set to a schedule that balances security with usability (and communicate this to users so they know their device may reboot for updates at designated times).

    • App Updates via Managed Play: Apps deployed through Managed Google Play will be updated automatically via the Play Store (according to Play Store policies). Intune itself doesn’t directly schedule app updates, but by using Managed Play, you ensure the user cannot disable auto-updates for those apps. Periodically check in the Managed Play store if critical apps (e.g. Outlook, Teams) have updates that might require admin approval (for apps in Managed Play, you might need to approve new versions depending on your Play enterprise settings – the default is usually automatic approval).

    • Monitor Update Compliance: Use Intune’s Reports (under Devices > Monitor > Software update status for Android) to see the OS update status of devices. Ensure all devices, including this one, are not running significantly outdated patch levels. You can also enforce compliance by setting a Minimum Android security patch level in the compliance policy if desired (for example, require that the device’s security patch date is no older than 2 or 3 months)[3]. This will mark devices non-compliant if they fall behind on security updates, adding pressure to get them updated.

    • Plan for Upgrade Cycles: When Android releases major new versions, test them with your policies. Intune allows setting a minimum or maximum OS version in compliance, so update those rules over time as you

References

[1] Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune

[2] Android device enrollment guide for Microsoft Intune

[3] Android Enterprise security configurations for corporate-owned fully …

[4] How Conditional Access Works in M365 Business Premium

[5] iPhone Onboarding into M365 Business Premium Step-by-Step Guide

[6] Administrative Intune Offboarding

[7] Admin checklist for Android software updates in Microsoft Intune

Unknown's avatar

Published by directorcia

Published

One thought on “Comprehensive Android Device Onboarding Checklist for M365 Business Premium

  1. Pingback: Microsoft Roadmap, messagecenter and blogs updates from 26-06-2025 - KbWorks - SharePoint and Teams Specialist

Leave a comment