Tag: Android

Onboarding Checklist for BYOD Android Devices (M365 Business Premium)

bp1

This checklist provides a comprehensive guide to onboard Bring Your Own Device (BYOD) Android phones into a Microsoft 365 Business Premium environment. It ensures that personal Android devices are set up with strong security policies so company information remains protected and secure. The process is broken into phases for clarity: Preparation (Admin setup), User Enrollment Steps, Post-Enrolment Configuration, and Ongoing Management. Key security policies for BYOD Android are highlighted throughout.

1. Preparation (IT Admin Configuration)

1.1 Verify Licensing & Prerequisites

  • M365 Business Premium License: Ensure each BYOD user has an M365 Business Premium licence assigned. This suite includes Intune (for MDM/MAM), Azure AD Premium P1 (for Conditional Access), and information protection features[1] needed for secure BYOD management.

  • Multi-Factor Authentication (MFA): Require all users to have MFA enabled on their Microsoft 365 accounts. This provides an extra layer of identity security before devices can access company data (e.g. using Microsoft Authenticator app).

  • Intune (Endpoint Manager) Setup: Confirm that Microsoft Intune is configured as the Mobile Device Management (MDM) authority for your tenant (in modern tenants it’s enabled by default). Verify you have admin access to the Microsoft 365 admin center and Endpoint Manager admin center.

1.2 Intune Enrollment Configuration

  • Enable Android BYOD Enrollment: In Intune, enable Android Enterprise “personally-owned work profile” enrollment (the setting might be called Android Enterprise work profile). This allows personal Android devices to register with a Work Profile – a separate, encrypted container on the phone for work apps and data[2]. Work profiles isolate corporate information from personal apps, respecting user privacy while securing business data.

  • Managed Google Play Integration: Connect Intune with Managed Google Play. In Endpoint Manager portal, navigate to Devices > Android > Android Enrollment and link to a Managed Google Play account (using a corporate Google account). This integration is required to deploy the Intune Company Portal app and any managed apps to Android devices[3].

  • Define Enrollment Restrictions: (Optional) Review Intune Enrollment Restrictions to ensure personal Android devices are allowed. You may limit enrollment to certain Android OS versions (e.g. block very old, insecure Android versions) or disallow jailbroken/rooted devices.

  • Communicate BYOD Policy: Prepare and distribute a BYOD usage policy document to users. Include what IT will control on the device (work profile only), what security measures will be enforced, and assure users that personal data (photos, personal apps, etc.) remains untouched. Users should consent to remote wipe of company data if the device is lost or upon separation.

1.3 Configure Security Policies in Intune
Set up the following Intune policies before users enroll their devices, so that they apply automatically during enrollment:

  • Compliance Policy for Android (Work Profile): Create a compliance policy targeting Android Enterprise work profile devices with at least:

    • Device must not be rooted – Mark rooted (jailbroken) devices as non-compliant[1].

    • OS version patch level – (Optional) Require a minimum Android version or security patch level. This ensures older, vulnerable OS versions are not allowed.

    • Device Password/PIN – Require a device lock PIN or password of sufficient complexity on the device. For example, a minimum 6-digit PIN or password, with a limit on simple sequences. Set an inactivity auto-lock (e.g. 5 minutes). Intune can enforce these on the whole device or at least on the work profile.

    • Encryption – Require device encryption. Most modern Androids are encrypted by default, but ensure the policy demands encryption is enabled for compliance[4]. This protects data at rest on lost/stolen devices.

    • Threat Protection – If leveraging Microsoft Defender for Endpoint (Mobile), set “Require device at or under Medium threat level” (or Low for stricter security)[1][1]. This uses mobile threat defense to evaluate device risk (e.g. malware detected). Devices with high risk are marked non-compliant automatically. (This requires deploying Defender – see step 3.2).

    • Safety Net/Play Protect – Enable Google Play Protect and SafetyNet device attestation if available[1], to ensure the Android device hasn’t been compromised.

  • App Protection Policy (MAM): Configure an Intune App Protection Policy targeting the user accounts on unmanaged devices (i.e. applying to apps even if the device isn’t fully enrolled, though in work profile scenarios it complements MDM):

    • Approved Apps Only – Specify that corporate data can only be accessed via approved apps (e.g. Outlook, Teams, OneDrive, Office mobile apps, etc.).

    • Prevent Data LeakageBlock backups of work data to personal cloud services (e.g. Google Drive). Prevent “Save As” of corporate files to unmanaged locations; allow saving only to OneDrive for Business or SharePoint[1][5].

    • Restrict Copy/Paste – Do not allow copying text or data from a managed corporate app to personal apps. Conversely, you may allow or restrict personal-to-work copy as appropriate[1].

    • Require App PIN/Biometric – Even if the device is unlocked, require a PIN or fingerprint to open company apps (adds a second layer if device falls into wrong hands)[1].

    • Disable Screenshots – For work profile apps on Android, consider blocking screenshots or screen captures of sensitive app content[1].

    • Selective Wipe – Enable the ability to wipe corporate app data if the device is unenrolled or non-compliant (Intune default for app protection).

  • Configuration Profile (Device Settings): Optionally, deploy a configuration profile to the work profile for additional settings: e.g. enforce device encryption (if not covered by compliance), configure email profile (to push Outlook settings), Wi-Fi profiles for office, etc. These profiles apply to the managed work container on the device.

  • Conditional Access Policies: In Azure AD (Entra ID) > Security > Conditional Access, create policies to protect cloud resources:

    • Require Compliant or Protected Device – e.g. for all Exchange Online, SharePoint, Teams access by mobile apps, require device to be marked compliant or require use of an Intune-approved client app with app protection. This ensures only devices under Intune policies (MDM or MAM) can access company email and files[3][6]. Unmanaged or non-compliant devices will be blocked.

    • Block Unapproved Apps – Require approved client apps for email (forces use of Outlook rather than native mail apps).

    • Require MFA on New/Untrusted Devices – Although MFA is enabled tenant-wide, a CA policy can enforce MFA specifically on risky sign-in or outside trusted locations.

    • Exclude Emergency Accounts – Be sure to exclude break-glass admin accounts from CA rules to avoid lockout.

By completing the above preparation, you have established the policies and infrastructure so that when a user enrolls their BYOD Android, it will automatically receive the necessary protections.

2. User Enrollment Steps (On the Android Device)

Once the admin setup is done, instruct users to follow these steps to onboard their personal Android phones:

2.1 Install Company Portal & Setup Work Profile

  1. Download Microsoft Intune Company Portal app from Google Play Store.

  2. Sign in to Company Portal with the work (Office 365) credentials. The app will begin the device registration process into Intune.

  3. Enroll and Create Work Profile: Follow the on-screen prompts to enroll the device. The user will be asked to set up a Work Profile on their phone (this is an Android OS feature for BYOD). They must accept the creation of a managed work profile and Company Portal will configure it.[2]
    • Note: The user will see their phone “copying” certain system apps into a work profile. A separate Work folder/icon will appear, containing work versions of apps (marked with a briefcase icon).
  4. Accept Management & Policies: The user must agree to allow the organisation to manage the work profile. Assure them that only the work container is managed – personal apps and data remain unaffected. Intune will not collect personal information like photos or texts; it only monitors compliance info on the device.

  5. Set a Work Profile PIN: As part of enrollment or first app launch, the user will be prompted to set a PIN or biometric specifically for the work profile (if required by app protection policy)[2]. For example, they may need to configure a 6-digit PIN that will be used whenever they open a company app like Outlook.

2.2 Install Required Work Apps

  1. Company Portal Checks: Once enrollment is complete, open Company Portal and check device status. It should show as Enrolled/Compliant if all requirements are met (or show actions needed if not).

  2. Automatic App Installation: Intune can automatically deploy essential apps to the work profile. Common apps include: ** Outlook**, *Teams*, *OneDrive*, *Office (Word/Excel)*, *Microsoft Defender*, etc. These will appear in the work profile section of the phone (with briefcase icons).
    • If apps are not pushed automatically, the user can open the Managed Google Play Store (accessible via the Company Portal or Work Profile) which lists approved apps. They should download the required corporate apps from there.
  3. Sign Into Work Apps: User should sign in to the Outlook app and other apps with their work credentials. The Conditional Access policies will enforce that sign-ins only succeed within these approved apps. For example, if they try to add their work email to the phone’s native mail app, it should be blocked by policy, guiding them back to using Outlook.

2.3 Comply with Security Prompts
During or after enrollment, Intune will enforce the compliance settings:

  • If the user had no lock screen, they will be prompted to set a device PIN/password before enrollment completes (the compliance policy requires it). This is mandatory to protect the device.

  • If the OS is out-of-date beyond allowed threshold, it will mark as non-compliant – the user should update their Android to the latest security patch to regain compliance.

  • The user might see a prompt to enable device encryption (if not already enabled). They should follow the instructions to encrypt the device (in most cases, modern Androids are encrypted by default, so this step may be transparent).

2.4 Confirm Setup Completion

  • The device should now show in Company Portal as Compliant. The work profile is active and corporate apps are installed. At this point, the user’s work email, files, and Teams chats are accessible only inside the protected apps.

  • The user should verify they can send and receive work emails in Outlook, access OneDrive files, etc. All company data is now inside the secure work profile environment.

  • Verify that personal apps (e.g. Gmail, personal Facebook, etc.) still function normally – there should be no interference, as policies apply only to the work side.

3. Post-Enrolment Configuration & Security Policies Enforcement

After a successful enrollment, the following protections and policies will be in effect to secure the corporate data on the BYOD device:

3.1 Work Profile Isolation
The Android device now has a dedicated Work Profile. This means:

  • Work apps cannot share data with personal apps. For example, files downloaded in the work profile are stored in a separate encrypted space and can’t be opened by personal apps.

  • The user’s personal notifications and data stay private. Work apps might have their own notifications labelled as work. The admin cannot see personal contacts, photos, or SMS, etc., only an inventory of the work profile apps and device compliance status.

3.2 Policy Enforcement on Device

  • Device Compliance: Intune continuously evaluates the device against the compliance policy. If the user disables their device PIN, or if the device is later rooted or falls out of date, it will flip to non-compliant status. Intune can optionally notify the user and even auto-remediate some issues (like require them to set a PIN again).

  • App Protection: All managed apps apply the App Protection Policy settings: e.g. if the user tries to copy text from a Teams chat (work) to a personal texting app, it will be blocked. Screenshots in a work app will show as blank if disallowed. If they try to save an attachment from Outlook, they’ll only be allowed to save to OneDrive for Business, not to device Downloads folder[5]. These controls ensure company info stays within approved apps and cannot leak to personal space[5].

  • Microsoft Defender for Endpoint (Optional): If deployed, the Defender app runs in the background of the work profile, providing antivirus and anti-phishing protection. It can detect malicious apps or files in the work profile. If malware is detected or the device faces a threat, Defender can raise the device’s risk level. Intune’s compliance policy can then mark the device non-compliant (if risk is above the allowed threshold)[1], and Conditional Access will block the device from accessing company resources until the threat is resolved.

  • Email and Data Access: Thanks to conditional access, if the user attempts any other method to access corporate email or data outside the approved apps, it will be denied. For instance, downloading mail in a personal email app or moving a file to a personal Google Drive won’t be possible. Only Outlook can access Exchange, only OneDrive app can access OneDrive/SharePoint, etc., under the managed context.

  • Conditional Access in Action: When the user launches a protected app (like Outlook), Azure AD checks compliance. If the device ever becomes non-compliant (say the user removes the PIN or the device is detected with an issue), their access token is revoked – Outlook/Teams will inform the user that the device does not meet security requirements and deny access until compliance is restored. This mechanism ensures only secure, policy-abiding devices can use company services[3].

3.3 Security Policy Summary (BYOD Android)
The following is a summary of key security policies now active on the BYOD Android device:

  • Device Protection: Device encryption is enabled and a strong lock PIN/password is enforced. The device is not allowed to be rooted or running outdated software.

  • Separate Work Container: Corporate apps and data reside in an encrypted work profile isolated from personal apps.

  • Data Loss Prevention: No copying of corporate data to personal apps, no backing up work data to unapproved cloud services. Only approved apps can open or edit work files[5].

  • Access Control: Corporate apps require re-authentication or app PIN periodically. If the device fails compliance, corporate app access is blocked.

  • Threat Response: Integrated threat defense (Defender) monitors the device for malware; high risk devices are quarantined from company resources[1][1].

  • User Privacy: Only work profile information is managed. Personal apps, data, and usage remain private and unaffected (aside from the requirement of a device PIN which benefits the user’s own security as well).

These policies together align with common compliance standards by enforcing encryption, access control, and data protection on BYOD devices. For example, requiring encryption and strong authentication helps meet GDPR and other data protection regulations for safeguarding personal data on portable devices, and the strict separation addresses privacy requirements.

4. Ongoing Management and User Responsibilities

Security is not a one-time setup – it requires continuous management and user cooperation. Both IT administrators and the device user have ongoing responsibilities:

4.1 IT Admin Monitoring & Maintenance

  • Compliance Monitoring: Intune provides reports of device compliance. Regularly review the compliance dashboard to spot any non-compliant BYOD devices. If a device is non-compliant for an extended period, follow up with the user. Common issues might include an expired OS version, or a user who hasn’t signed in for a long time (which could indicate a lost device).

  • Update Policies: Keep the compliance and configuration policies up to date. For instance, if a new Android OS version comes out with important security features, you might raise the minimum OS level after a grace period. Similarly, periodically review app protection settings to incorporate new policy options or new corporate apps that need protection.

  • Defender Alerts: If using Defender for Endpoint, monitor its alerts. A malware alert from a BYOD device should be addressed immediately – ensure the threat is remediated and device is clean before marking it compliant again.

  • Conditional Access Reviews: Audit sign-in logs to ensure Conditional Access rules are working as intended (e.g., no unexpected app access). Adjust rules if users encounter false positives (e.g., a new approved app might need to be added to the allowed list).

  • Support & Troubleshooting: Be prepared to assist users with issues. For example, if the Company Portal shows the device as non-compliant due to a setting, guide the user on how to resolve it (update OS or set a PIN, etc.). Ensure helpdesk can answer questions about what IT can and cannot see on BYOD (to alleviate privacy concerns).

4.2 User Best Practices & Responsibilities

  • Keep Device Updated: Users should install Android system updates and security patches promptly. Even with compliance policies, user diligence ensures their device stays secure and compliant.

  • Maintain Screen Lock: Users should never remove or weaken their device PIN/password. If they do, company data access will stop. Encourage them to use biometric unlock for convenience, but the PIN is still required in background.

  • Only Use Work Apps for Work Data: Remind users to only use the apps provided in the work profile for any company information. They should avoid downloading company attachments or data into personal apps. The system largely enforces this, but user understanding helps prevent attempts to circumvent.

  • Report Lost or Stolen Device: It is the user’s duty to immediately inform IT if their phone is lost or stolen. This allows IT to take swift action (see 4.3).

  • No Tampering: Users should not attempt to root their phone or install untrusted firmware. These actions will break compliance and pose security risks. Instruct that doing so will result in loss of access to work resources (until they reset the device to a secure state).

  • Personal Data Backups: Users should continue their normal personal data backups (this is outside of work profile). For work data, they don’t need to worry – it’s in cloud (OneDrive, Exchange) or protected within apps, but not bad practice to remind them corporate data is backed up by the company’s cloud, not by their personal Google account.

4.3 Device Retirement and Incident Response

  • Offboarding Users: When an employee leaves the company or no longer needs corporate access on their phone, perform a Selective Wipe (Retire) via Intune. This action removes all company data and apps from the work profile without affecting personal data. The work profile and its contents will be erased[6]. Always do this for departing staff BYOD devices to prevent any residual access.

  • Lost/Stolen Device: If a device is reported lost or is suspected stolen, Intune can issue a Remote Wipe. For BYOD, you’d typically do a selective wipe (work profile only) to remove business info. In higher-risk scenarios (or if the user requests it), a full device wipe can be initiated, but note this erases personal data too – typically only done if absolutely needed and with user consent. Either way, because data is encrypted and protected by PIN, the risk of data exposure before wipe is low, but timely action adds assurance.

  • Non-Compliant & Inactive Devices: Intune can be set to retire devices that haven’t checked in for a long period (e.g. 90 days of inactivity), which could indicate the device is no longer in use. This auto-cleans stale records and ensures access isn’t lingering on an unused phone.

  • Periodic Policy Acknowledgement: It’s wise to have users periodically re-accept the BYOD policy (e.g. annually). This can be done via a simple internal process or a compliance requirement in Intune that asks users to open Company Portal and acknowledge a Terms of Use. This keeps users aware of their role in protecting company data.

4.4 Continuous User Education
Security is an ongoing effort. Provide regular training or tips to users about mobile security:

  • Educate on phishing threats via SMS or email on their mobile and how to avoid them (the Defender app can help alert if a malicious link is clicked in the work profile).

  • Remind about not installing untrusted apps on the device – even though work data is compartmentalised, a compromised device at the OS level could still be dangerous.

  • Share any updates in policy or new security features (for example, “Now we enforce a 8-digit PIN due to updated policy – please update your PIN proactively.”).

Conclusion

By following this onboarding checklist, organisations can successfully enable employees to use their personal Android devices for work while maintaining a robust security posture. Microsoft 365 Business Premium provides the necessary tools – Intune for device/app management, Conditional Access, Defender for Endpoint, and information protection – to implement a zero-trust approach for BYOD: never trust a device until it meets all security requirements, and continually verify compliance. The result is a balance of productivity and security: users gain the convenience of a single device for work and personal needs, and the company ensures its sensitive emails, files, and applications are safe from unauthorised access or leakage on those devices.

All stakeholders should regularly revisit this checklist and update it as technology and threats evolve. A well-maintained BYOD program with clearly defined security policies will significantly reduce the risk of data breaches and ensure that even outside the office, corporate information remains secure and under IT’s control[3].

References

[1] Android Enterprise compliance settings in Microsoft Intune

[2] Microsoft 365 Business Premium Setup Checklist A Comprehensive Guide for IT Professionals

[3] Comprehensive Android Device Onboarding Checklist for M365 Business Premium

[4] Protect unmanaged devices with Microsoft 365 Business Premium

[5] BYOD iPhone Onboarding Checklist – Microsoft 365 Business Premium

[6] Onboarding a Windows Device into M365 Business Premium Step-by-Step Checklist

Comprehensive Android Device Onboarding Checklist for M365 Business Premium

bp1

Onboarding an Android phone into Microsoft 365 Business Premium (which includes Microsoft Intune for device management) ensures the device is fully managed and protected. This detailed checklist covers every step – from preparation to post-deployment – including security configurations, policies, and ongoing management. Follow the sequence below to set up the Android device securely and keep it compliant with your organisation’s standards.

Step-by-Step Onboarding Process

  1. Prepare the M365 Environment for Android Management

    • Verify Licensing & Access: Ensure the user is assigned a Microsoft 365 Business Premium license (this license includes Intune for Mobile Device Management). Also, have administrator access to the Microsoft 365 admin center and Endpoint Manager (Intune) portal.

    • Intune Tenant Preparation: Confirm Intune is set as the MDM authority (in modern tenants Intune is already the default). If not done previously, set up Intune by signing in to the Endpoint Manager admin center and reviewing enrollment preparation steps. For example, verify your tenant’s enrollment restrictions and device limit settings to allow Android enrollments.

    • Link Intune to Managed Google Play: Configure Android Enterprise integration by connecting Intune to a Managed Google Play account[1][2]. This is required for managing Android devices. In the Endpoint Manager portal, navigate to Devices > Android > Android Enrollment and connect your Intune account to Managed Google Play. Follow the on-screen steps to sign in with a corporate Google account and grant permissions[1]. Result: Intune is linked with Google Play, and the Company Portal app (and other Android Enterprise system apps) will be made available to devices automatically[2].

    • Choose Android Management Mode: Decide on the management mode. For corporate-owned devices that will be fully controlled by IT, use Android Enterprise Fully Managed (formerly COBO – Corporate Owned, Business Only)[1]. (For BYOD personal devices, you’d use Work Profile mode, but this guide focuses on fully managed corporate devices for maximum control and protection.) Ensure the Android OS version on the phone is supported by Intune and Android Enterprise (generally Android 9.0 or above for fully managed)[3]. If the device was previously enrolled in another MDM or used personally, factory reset it now – fully managed enrollment requires a fresh start[2].

    • Configure Initial Device Settings (Optional): If your organisation uses zero-touch enrollment or Samsung Knox Mobile Enrollment for bulk provisioning, set those up in advance. For Zero-Touch or Knox, you’d upload device IDs to those portals and link to Intune enrollment profiles. Otherwise, plan to enroll via QR code or the Company Portal app. Ensure you have a stable Wi-Fi network available for the device’s enrollment.

  2. Define Security Policies in Intune (Compliance & Configuration)
    Before enrolling the device, set up the security policies that will apply upon enrollment. This ensures that as soon as the phone is onboarded, it will receive the required configurations to be secure.

    • Create Compliance Policy: In Endpoint Manager (Devices > Compliance policies), create a new Android compliance policy to enforce your security requirements. Configure rules such as: require a password/PIN on the device (e.g. minimum 6-digit PIN, alphanumeric or complex as needed)[3][3], require device encryption to be enabled[3], set a minimum OS version (e.g. disallow Android versions lower than a certain release)[3], and block jailbroken/rooted devices by enabling Google Play Integrity or SafetyNet checks[3]. You can also mandate that the device is not on a blocked manufacturer/model list if relevant. Define an action for non-compliance (e.g. send user notification or block access after a grace period) – by default, marking the device non-compliant immediately is recommended[3].

    • Create Configuration Profiles: Next, create an Android device configuration profile (specifically an “Device Restrictions” profile for fully managed Android Enterprise). In Endpoint Manager (Devices > Configuration profiles), set restrictions to harden the device. Recommended settings include: disable USB file transfers and external media access to prevent data leaks[3]; block screen capture and screen recording; disable installation from unknown sources (to stop unapproved apps); enforce Google Play Protect app scanning (Threat Scan on apps: Require to ensure malware scanning is active)[3]; require device encryption if not already enforced via compliance; and enable other desired restrictions (e.g. block Bluetooth file sharing, block factory reset by the end-user[3], and force automatic system updates installation on a schedule). Also consider enabling biometric unlock (fingerprint/face) if available for user convenience on top of PIN – Intune can require biometrics for unlock via policy[1].

    • Email and App Configuration (Policy): If you plan to use the native email app (Gmail) for work email, create an “Email profile” configuration profile (with Exchange Online details) to push to the device. However, the recommended approach is to deploy Outlook (covered in the next step) instead of using native email. You can also prepare App Configuration policies for certain apps if needed (for example, pre-configure Outlook’s settings or require a PIN within Outlook app using an App Protection Policy).

    • Conditional Access (Integration with Azure AD): Set up a conditional access policy in Azure AD (if not already) to require device compliance for accessing corporate resources. For example, enforce that only devices marked Compliant by Intune (meaning they meet the above policy conditions) can access Exchange Online, SharePoint, Teams, etc.[4]. This ties the Intune compliance policy to actual access control, ensuring unmanaged or non-compliant devices are blocked from M365 data. (Note: Conditional Access requires Azure AD Premium, which is included in Business Premium.)
    • Review and Save Policies: Save and deploy these policies to the target user or device groups (e.g. to “All corporate devices” or specific user groups). Result: With compliance and configuration profiles in place, any enrolled device must adhere to these security requirements to be deemed compliant and maintain access[4].

  3. Enroll the Android Device into Intune (M365 Management)
    Now that the backend is prepared, proceed to enroll the phone. There are a few enrollment methods for a fully managed device – here we use the QR code method (suitable for Android Enterprise fully managed) or the Company Portal app method:

    • Generate Enrollment QR Code/Token: In Endpoint Manager, go to Devices > Android > Android Enrollment > Enrollment Profiles. Create a “Corporate-owned, fully managed user device” enrollment profile if you haven’t already[1]. Intune will provide an enrollment token (string code) and an option to get a QR code. This QR code or token will be used on the device during setup. (If using Android’s Zero-Touch enrollment or Samsung Knox, you would assign this profile to the device in those portals instead.) For a streamlined experience, the QR code is very convenient – it embeds the enrollment token and Intune’s info.

    • Factory Reset & Initial Setup: Ensure the Android phone is factory reset. Turn on the device (or if just reset, start the setup wizard). Follow the initial prompts (select language, connect to Wi-Fi, etc.). When prompted to sign in or when you reach a screen for device management, use the enrollment method:
      • QR Code enrollment: Tap multiple times on the welcome screen (or in setup, choose “Perform QR code enrollment” if available). Scan the QR code from Intune using the device’s camera. This will automatically configure the device to enroll in Intune.

      • Token entry enrollment: Alternatively, in the Wi-Fi selection screen, you can enter the code afw#setup in the Wi-Fi SSID field (this triggers Android Enterprise setup) and then you will be prompted to enter the enrollment token manually (or sign in to Google to retrieve it). Enter the enrollment token from Intune to proceed.

      • Company Portal app (for BYOD or if already set up): If the device was not factory reset (for example, if doing a personal device with work profile), the user could simply install the Intune Company Portal app from Google Play, launch it, and sign in with work credentials to enroll. In our fully managed scenario, the QR code method is more automated and ensures full control.
    • Intune Enrollment Process: After scanning the QR code or entering the token, the device will automatically download and install the Intune Company Portal and related management apps. It will prompt for the user’s Azure AD (M365) credentials. Sign in with the company (work) account when prompted (this binds the device to the user in Azure AD). The device will then enroll into Intune – you’ll see screens indicating the device is being managed by your organization.

    • Apply Corporate Profile: The enrollment profile will apply, marking the device as corporate-owned. The device may also set up a work Google account silently to manage Managed Play apps. The phone will likely enforce a PIN code setup at this point if your compliance policy requires one. Follow any on-screen instructions (e.g. “create a work profile” or “set a PIN to secure your device”). For fully managed devices, the entire device is now under management (not just a work profile).

    • Network & Sync: Ensure the phone stays connected to the internet during this process. Intune will start pushing down the configurations and apps assigned to this device/user. This can take a few minutes.

    • Verification: In the Endpoint Manager portal, you can check Devices > All Devices, and you should see the new Android phone appear in the list once enrollment is complete. It will show as “Compliant” or “Not compliant” depending on whether it has finished applying policies. (At first, it might be non-compliant until all policies are applied – this is normal. The device will continuously sync until it meets the compliance criteria.)

  4. Deploy and Configure Microsoft 365 Apps (Email, Teams, etc.)
    To ensure productivity and security, install the required Office/M365 applications on the device through Intune and configure them properly:

    • App Deployment via Managed Play: Using Intune’s integration with Managed Google Play, you should have added key apps in advance. If not done yet, go to Apps > Android Apps in Intune, and Add apps from the Managed Google Play store. Search and add apps like Microsoft Outlook, Microsoft Teams, OneDrive, Office (Mobile), Microsoft Authenticator, and any other required apps (such as Line of Business apps)[1]. Assign these apps to the device or user group (as “Required” for corporate devices so they install automatically)[1]. Intune will then push these apps to the enrolled phone.

    • Email Configuration: Outlook Mobile is the recommended email client. Once Intune pushes Outlook and it installs on the phone, the user should launch Outlook. The app may auto-detect the user’s account (through single sign-on with the managed device) or prompt the user to add their Office 365 email account. The user should sign in with their work credentials. Because the device is marked compliant (and conditional access is in place), the email account will successfully configure and start syncing mail. If you instead use the native email app, ensure an email profile policy was sent or instruct the user to add the account via system settings (and expect a prompt to enforce Device Administrator if Office 365 MDM was not already in effect – but since Intune MDM is handling it, Outlook is simpler).

    • Other App Sign-ins: Have the user open other apps like Teams and OneDrive – these should similarly either SSO sign-in or prompt for login with the work account. Verify that each app works and that policies like App Protection (if configured) are applied (for instance, if you set an App Protection Policy, it might require a PIN when opening Outlook or prevent copying data from Outlook to personal apps).

    • Policy Enforcement on Apps: Thanks to the earlier Managed Google Play setup, all apps deployed are the approved versions. Intune can manage permissions for certain apps if configured (for example, you can pre-grant or deny permissions to apps through the Device Restrictions profile). Ensure that Microsoft Defender (if your organisation uses it for mobile threat defense) is also deployed (see next step for more on Defender).

  5. Verify Device Compliance and Security Settings
    At this stage, the phone is enrolled and apps installed. Now verify that all security configurations are in effect and the device is compliant:

    • Compliance Check: On the device, open the Company Portal app. It should show the device status as compliant (green check) or list any actions needed. If any compliance item is missing, the Company Portal will typically prompt the user (for example, “Set a device PIN of at least 6 digits” if the user hadn’t done so, or “Encrypt your device” if encryption wasn’t automatic). Follow any prompts to resolve outstanding issues. Modern Android devices usually encrypt by default when a PIN/password is set, satisfying the encryption requirement automatically[3].

    • Intune Portal Status: In the Endpoint Manager admin center, check the device’s Compliance status. It should be Compliant if all policies are met. If it shows Not Compliant, review which setting is not met. Common causes: the user hasn’t set a required PIN or the device is still installing a required update or app. You can select the device in Intune and view Device Compliance to see a per-setting report. Resolve any outstanding compliance issues by either adjusting the device settings or updating the policies if necessary.

    • Security Policy Enforcement: Verify specific configurations: try taking a screenshot on the device – if you set “block screen capture,” it should be disabled by policy[1]. Attempt to plug the phone into a PC via USB – with USB data transfer blocked, the phone’s storage should not be accessible[3]. These tests confirm that the device restrictions profile is active. Also check that the required PIN complexity is enforced (e.g., try setting a too-simple PIN to see if it gets rejected as per policy).

    • Defender for Endpoint (Optional): If Microsoft Defender for Endpoint (part of Defender for Business in M365 Business Premium) is being used, ensure the Defender app is installed and onboarded. (Intune can deploy the Defender app just like other apps[1][1]. After installation, the user should open the Defender app and sign in to activate it[1][1]. Once onboarded, the device will show up in the Defender portal with its threat status.) This adds an extra layer of protection by scanning for malicious apps, phishing SMS, unsafe network connections, etc.

    • Encryption Status: Confirm the device storage is encrypted. On the phone, you can usually see this under Settings > Security > Encryption (it might say “Encrypted” if all is well). Intune can also report encryption status as part of compliance. This ensures data on the phone is protected if the device is lost.

    • Corporate Data Separation: Although this is a fully managed device (all data is corporate-managed), if any work/personal profile distinction exists (in COPE scenarios), verify that policies for data separation are applied (e.g. copying data from work apps to personal apps is restricted). In our fully managed case, all apps are corporate, so all data is under management and protected by policies like App Protection or the device encryption.

    • Compliance Reports: Intune provides compliance reports and dashboards. Use Devices > Monitor > Compliance in the portal to see an overview of device compliance across your organisation. Ensure this newly onboarded device appears with green status. Monitoring these reports regularly is important for ongoing compliance[5].

  6. Enable and Test Device Management Features
    With the device now managed, you have various remote management capabilities to secure and support it throughout its lifecycle:

    • Remote Wipe / Reset: In Intune, locate the device and test a Retire or Wipe command (caution: do this only for testing if you have no real data on the device, or just be aware of the capability). A Retire action removes the company’s data and management profiles but leaves personal data intact[6]. A Wipe fully resets the device to factory settings, erasing all data[6]. Use Retire for employee personal devices when they leave the company, and use Wipe if a device is lost/stolen or being reissued to someone else. Verify: If possible, simulate a Retire on a test device – the Company Portal and managed apps should get removed, and the device will lose access to corporate email (this demonstrates your ability to protect data if needed). Cancel or avoid a full wipe unless you are ready to reset the device.

    • Remote Lock and Passcode Reset: Intune supports remote locking of a device and resetting the passcode. These actions can be initiated from the device’s page in Endpoint Manager. This is useful if a device is misplaced or the user forgets their PIN. (Fully managed Android devices may support these commands – verify on a test device.)

    • Device Encryption Enforcement: We already required encryption via compliance. If the device for some reason wasn’t encrypted, Intune would mark it non-compliant. There isn’t usually a separate action needed, as modern Android will encrypt upon setting a PIN. However, it’s worth noting for older devices: you might instruct the user through Company Portal to enable encryption if it didn’t happen automatically. Ensure no one turns encryption off (some devices might allow decrypting via settings – which should also flip compliance to non-compliant).

    • Policy Updates & Sync: Know that you can push policy updates or new configurations anytime. For example, if you want to enable a new Wi-Fi profile or VPN configuration on the phone, you can create a profile in Intune and assign it; the device will receive it on next check-in (devices check in with Intune periodically, or the user can open Company Portal and tap “Check Device Settings” to force a sync).

    • Defender and Threat Management: If using Defender, you can view device risk in the Defender Security portal. Intune can also take action based on device risk (via compliance policies integrating with Defender threat level). Make sure Defender is actively protecting the device (run a test EICAR virus file if you want to see if Defender catches it, for example).

    • User Support Abilities: In the Company Portal, the user can see company contacts or support info (you can customise the Company Portal branding and contact details in Intune). It’s good practice to configure Help Desk information there so users know how to get assistance. Also, the user can use the Company Portal to see which policies are applied, which apps are available, and initiate a sync or check compliance. Encourage users to familiarize themselves with the Company Portal app.

  7. Manage Operating System and App Updates
    Keeping the device up-to-date is critical for security. Microsoft Intune provides mechanisms to manage Android OS updates for corporate devices:

    • Configure System Update Policy: In your Device Restrictions configuration profile (created earlier), use the System update settings to control how updates are applied[7]. Options include: using the device default (updates auto-install when idle, charging, on Wi-Fi), forcing automatic install ASAP (no user delay)[7], or postponing updates for a defined period (e.g. postpone up to 30 days)[7]. You can also set a maintenance window for updates (so updates install during off-hours)[7]. For example, you might allow automatic nightly updates or weekend updates to minimise disruption.

    • Enforce Updates (Don’t Rely on Users): It’s best practice not to rely on end users to install OS patches[7]. Intune policies ensure updates happen so that users cannot indefinitely defer important patches[7]. For instance, if an update is deferred 30 days, Intune will prompt or force installation after that. Make sure devices are set to a schedule that balances security with usability (and communicate this to users so they know their device may reboot for updates at designated times).

    • App Updates via Managed Play: Apps deployed through Managed Google Play will be updated automatically via the Play Store (according to Play Store policies). Intune itself doesn’t directly schedule app updates, but by using Managed Play, you ensure the user cannot disable auto-updates for those apps. Periodically check in the Managed Play store if critical apps (e.g. Outlook, Teams) have updates that might require admin approval (for apps in Managed Play, you might need to approve new versions depending on your Play enterprise settings – the default is usually automatic approval).

    • Monitor Update Compliance: Use Intune’s Reports (under Devices > Monitor > Software update status for Android) to see the OS update status of devices. Ensure all devices, including this one, are not running significantly outdated patch levels. You can also enforce compliance by setting a Minimum Android security patch level in the compliance policy if desired (for example, require that the device’s security patch date is no older than 2 or 3 months)[3]. This will mark devices non-compliant if they fall behind on security updates, adding pressure to get them updated.

    • Plan for Upgrade Cycles: When Android releases major new versions, test them with your policies. Intune allows setting a minimum or maximum OS version in compliance, so update those rules over time as you

References

[1] Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune

[2] Android device enrollment guide for Microsoft Intune

[3] Android Enterprise security configurations for corporate-owned fully …

[4] How Conditional Access Works in M365 Business Premium

[5] iPhone Onboarding into M365 Business Premium Step-by-Step Guide

[6] Administrative Intune Offboarding

[7] Admin checklist for Android software updates in Microsoft Intune

Need to Know podcast–Episode 211

Where’s Brenton? Share your thoughts here – http://bit.ly/whereisbj

Microsoft has rolled back it’s recent planned partner changes. we have some new Intune security baseline policies to try (and troubleshoot) and Teams leads Slack in user numbers. I speak with Marc Kean to get the low down on what Azure storage is all about. All this and a lot more on this episode.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-211-azure-storage/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@marckean

@directorcia

Updates to partner program (again)

Microsoft Intune announces security baselines

Exchange Online PowerShell WinRM issue

What is Azure Lighthouse?

Without-enrollment and Outlook for iOS and Android

Teams reaches 13 million active users

Planner and To-Do integration

New PowerApps and Flow licensing

Azure storage

Azure File Sync