- Article
Personal and organization-owned devices can be enrolled in Intune. Once enrolled, they receive the policies and profiles you create. You have the following options when enrolling Android devices:
- BYOD: Android Enterprise personally owned devices with a work profile
- Android Enterprise corporate owned dedicated devices (COSU)
- Android Enterprise corporate owned fully managed (COBO)
- Android Enterprise corporate owned work profile (COPE)
- Android Open Source Project (AOSP)
- Android device administrator (DA)
This article provides enrollment recommendations and includes an overview of the administrator and user tasks for each option.
There's also a visual guide of the different enrollment options for each platform:
Download PDF version | Download Visio version
Tip
This guide is a living thing. So, be sure to add or update existing tips and guidance you've found helpful.
Before you begin
For a list of all the Intune-specific prerequisites and configurations needed to prepare your tenant for enrollment, go to Enrollment guide: Microsoft Intune enrollment.
Note
After you create an enrollment profile and assign it to users or groups, don't rename the enrollment profile. It can prevent future enrollments. If you need to change the name of the enrollment profile, then:
- Create a new enrollment profile with the new name
- Assign the new profile to the your users & devices
- Delete the old profile
BYOD: Android Enterprise personally owned devices with a work profile
These devices are personal or BYOD (bring your own device) Android devices that access organization email, apps, and other data.
| Feature | Use this enrollment option when |
|---|---|
| Use Google Mobile Services (GMS). | ✔️ |
| Devices are personal or BYOD. | ✔️ You can mark these devices as corporate or personal. |
| You have new or existing devices. | ✔️ |
| Need to enroll a few devices, or a large number of devices (bulk enrollment). | ✔️ |
| Devices are associated with a single user. | ✔️ |
| You use the optional device enrollment manager (DEM) account. | ✔️ |
| Devices are managed by another MDM provider. | ❌ When a device enrolls, MDM providers install certificates and other files. These files must be removed. The quickest way may be to unenroll, or factory reset the devices. If you don't want to factory reset, then contact the other MDM provider for guidance. |
| Devices are owned by the organization or school. | ❌ Not recommended for organization-owned devices. Organization-owned devices should be enrolled using Android Enterprise fully managed (in this article), or using Android Enterprise corporate owned work profile (in this article). |
| Devices are user-less, such as kiosk, dedicated, or shared. | ❌ User-less or shared devices should be organization-owned. These devices should be enrolled using Android Enterprise dedicated devices. |
Admin tasks (personally owned devices with a work profile)
This task list provides an overview. For more specific information, go to Set up enrollment of Android Enterprise personally owned work profile devices.
- Be sure your devices are supported based on platform. For AOSP devices, see Android Open Source Project Supported Devices.
- In the Intune admin center, connect your Intune organization account to your Managed Google Play account. When you connect, Intune automatically adds the Company Portal app and other common Android Enterprise apps to the devices. For the specific steps, go to Connect your Intune account to your Managed Google Play account.
End user tasks (personally owned devices with a work profile)
Your users must do the following steps. For the specific user experience, go to enroll the device.
Go to the Google Play store, and install the Company Portal app.
Users open the Company Portal app, and sign in with their organization credentials (
user@contoso.com). After they sign in, your enrollment profile applies to the device.Users may have to enter more information. For more specific steps, go to enroll the device.
Users typically don't like enrolling themselves, and may not be familiar with the Company Portal app. Be sure to provide guidance, including what information to enter. For some guidance on communicating with your users, see Planning guide: Step 5 - Create a rollout plan.
Tip
There is a short, step-by-step video to help your users in enroll their devices in Intune:
Android Enterprise dedicated devices
Previously referred to as COSU. These devices are organization-owned, and are supported by Google's Zero Touch. The only purpose is to be a kiosk-style device. They aren't associated with a single or specific user. These devices are commonly used to scan items, print tickets, get digital signatures, manage inventory, and more.
| Feature | Use this enrollment option when |
|---|---|
| Use Google Mobile Services (GMS). | ✔️ |
| Devices are owned by the organization or school. | ✔️ |
| You have new or existing devices. | ✔️ |
| Need to enroll a few devices, or a large number of devices (bulk enrollment). | ✔️ |
| Devices are user-less, such as kiosk, dedicated, or shared. | ✔️ |
| Devices are personal or BYOD. | ❌ BYOD or personal devices should be enrolled using Android Enterprise personally owned devices with a work profile (in this article). |
| Devices are associated with a single user. | ❌ Not recommended. These devices should be enrolled using Android Enterprise fully managed. |
| You use the optional device enrollment manager (DEM) account. | ❌ The DEM account isn't supported. |
| Devices are managed by another MDM provider. | ❌ To be fully managed by Intune, users need to unenroll from the current MDM provider, and then enroll in Intune. |
Admin tasks (Dedicated devices)
This task list provides an overview. For more specific information, go to Set up Intune enrollment of Android Enterprise dedicated devices.
Be sure your devices are supported.
Factory reset the devices. This step is required.
In the Intune admin center, connect your Intune organization account to your Managed Google Play account. When you connect, Intune automatically adds the Intune app and other common Android Enterprise apps to the devices. For the specific steps, go to Connect your Intune account to your Managed Google Play account.
In the Intune admin center, create an enrollment profile, and have your dedicated device group(s) ready to receive the profile. For the specific steps, go to Set up Intune enrollment of Android Enterprise dedicated devices.
Enroll the devices in Intune. For the specific steps, go to Enroll your Android Enterprise devices.
On Samsung's Knox devices, you can automatically enroll a large number of Android Enterprise devices using Samsung Knox Mobile Enrollment (KME). For more information, go to Automatically enroll Android devices by using Samsung's Knox Mobile Enrollment.
Communicate to your users how they should enroll: Near Field Communication (NFC), Token, QR Code, Google Zero Touch, or Samsung Knox Mobile Enrollment (KME).
End user tasks (Dedicated devices)
Admins can complete the enrollment themselves, and then give the devices to the users. Or, users can enroll the devices using the following steps:
- Users turn on the device, and are prompted for information, including the enrollment method: NFC, Token, QR Code, or Google Zero Touch.
- After they enter the required information, your enrollment profile applies to the device. When the enrollment wizard completes, the device is ready to use.
Users typically don't like enrolling themselves, and may not be familiar with the Company Portal app. Be sure to provide guidance, including what information to enter. For some guidance on communicating with your users, see Planning guide: Step 5 - Create a rollout plan.
Android Enterprise fully managed
Previously referred to as COBO. These devices are organization-owned, and have one user. They're used exclusively for organization work; not personal use.
| Feature | Use this enrollment option when |
|---|---|
| Use Google Mobile Services (GMS). | ✔️ |
| Devices are owned by the organization or school. | ✔️ |
| You have new or existing devices. | ✔️ |
| Need to enroll a few devices, or a large number of devices (bulk enrollment). | ✔️ |
| Devices are associated with a single user. | ✔️ |
| Devices are user-less, such as kiosk, dedicated, or shared. | ❌ User-less devices should be enrolled using Android Enterprise dedicated devices (in this article). |
| Devices are personal or BYOD. | ❌ BYOD or personal devices should be enrolled using Android Enterprise personally owned devices with a work profile (in this article). |
| Devices are managed by another MDM provider. | ❌ To be fully managed by Intune, users need to unenroll from the current MDM provider, and then enroll in Intune. |
| You use the optional device enrollment manager (DEM) account | ❌ The DEM account isn't supported. |
Admin tasks (Fully managed)
This task list provides an overview. For more specific information, go to Set up Intune enrollment of Android Enterprise fully managed devices.
Be sure your devices are supported.
Factory reset the devices. This step is required.
In the Intune admin center, connect your Intune organization account to your Managed Google Play account. When you connect, Intune automatically adds the Company Portal app and other common Android Enterprise apps to the devices. For the specific steps, go to Connect your Intune account to your Managed Google Play account.
In the Intune admin center, enable fully managed user devices. For the specific steps, go to Set up Intune enrollment of Android Enterprise fully managed devices.
Enroll the devices in Intune. For the specific steps, go to Enroll your Android Enterprise devices.
Communicate to your users how they should enroll: Near Field Communication (NFC), Token, QR Code, Google Zero Touch, or Samsung Knox Mobile Enrollment (KME).
Using Samsung Knox Mobile Enrollment (KME), you can automatically enroll a large number of Android Enterprise Samsung Knox devices. For more information, go to Automatically enroll Android devices by using Samsung's Knox Mobile Enrollment.
End user tasks (Fully managed)
The specific steps depend on how you configured the enrollment profile. For the specific user experience, go to enroll the device.
Users turn on the device, and are prompted for information, including the enrollment method: NFC, Token, QR Code, or Google Zero Touch. They may be asked to sign in with their organization credentials (
user@contoso.com).After they enter the required information, your enrollment profile applies to the device.
Users may have to enter more information. For more specific steps, go to enroll the device.
Users typically don't like enrolling themselves, and may not be familiar with the Company Portal app. Be sure to provide guidance, including what information to enter. For some guidance on communicating with your users, see Planning guide: Step 5 - Create a rollout plan.
Android Enterprise corporate owned work profile
Previously referred to as COPE. These devices are organization-owned, and have one user. They're used for organization work, and allow personal use.
| Feature | Use this enrollment option when |
|---|---|
| Use Google Mobile Services (GMS). | ✔️ |
| Devices are owned by the organization or school. | ✔️ |
| You have new or existing devices. | ✔️ |
| Need to enroll a few devices, or a large number of devices (bulk enrollment). | ✔️ |
| Devices are associated with a single user. | ✔️ |
| Devices are user-less, such as kiosk, dedicated, or shared. | ❌ User-less devices should be enrolled using Android Enterprise dedicated devices. Also, an organization administrator can enroll. When the device is enrolled, create a dedicated device profile, and assign this profile to this device. |
| Devices are personal or BYOD. | ❌ BYOD or personal devices should be enrolled using Android Enterprise personally owned devices with a work profile (in this article). |
| Devices are managed by another MDM provider. | ❌ To be fully managed by Intune, users need to unenroll from the current MDM provider, and then enroll in Intune. |
| You use the optional device enrollment manager (DEM) account. | ❌ The DEM account isn't supported. |
Admin tasks (Corporate owned with a work profile)
This task list provides an overview. For more specific information, go to Set up Intune enrollment of Android Enterprise corporate owned work profile.
Be sure your devices are supported.
Factory reset the devices. This step is required.
In the Intune admin center, connect your Intune organization account to your Managed Google Play account. When you connect, Intune automatically adds the Company Portal app and other common Android Enterprise apps to the devices. For the specific steps, go to Connect your Intune account to your Managed Google Play account.
In the Intune admin center, enable corporate-owned personal profile devices. For the specific steps, go to Set up Intune enrollment of Android Enterprise corporate-owned devices with work profile.
Enroll the devices in Intune. For the specific steps, go to Enroll your Android Enterprise devices.
Communicate to your users how they should enroll: Near Field Communication (NFC), Token, QR Code, Google Zero Touch, or Samsung Knox Mobile Enrollment (KME).
Using Samsung Knox Mobile Enrollment (KME), you can automatically enroll a large number of Android Enterprise Samsung's Knox devices. For more information, go to Automatically enroll Android devices by using Samsung's Knox Mobile Enrollment.
End user tasks (Corporate owned with a work profile)
The specific steps depend on how you configured the enrollment profile. For the specific user experience, go to enroll the device.
Users turn on the device, and are prompted for information, including the enrollment method: NFC, Token, QR Code, or Google Zero Touch. They may be asked to sign in with their organization credentials (
user@contoso.com).After they enter the required information, your enrollment profile applies to the device.
Users may have to enter more information. For more specific steps, go to enroll the device.
Users typically don't like enrolling themselves, and may not be familiar with the Company Portal app. Be sure to provide guidance, including what information to enter. For some guidance on communicating with your users, see Planning guide: Step 5 - Create a rollout plan.
Android Open Source Project (AOSP)
Note
Currently, there's limited OEM support for this enrollment method.
Also referred to as AOSP. These devices are organization-owned, and don't use Google Mobile Services (GMS). They can be kiosk-style devices that aren't associated with a single or specific user, or can have one user. They're used exclusively for organization work; not personal use.
When you create the Intune enrollment profile, you decide if the devices are userless, or are associated with a single user. For more information on these options, including supported OEMs, go to:
- Set up Intune enrollment for Android (AOSP) corporate-owned userless devices
- Set up Intune enrollment for Android (AOSP) corporate-owned user-associated devices
| Feature | Use this enrollment option when |
|---|---|
| Use Google Mobile Services (GMS). | ❌ These devices don't support GMS (opens Android's web site). Some countries/regions don't support GMS. If your devices will use GMS, then use dedicated devices (in this article) or fully managed (in this article) enrollment. |
| Devices are owned by the organization or school. | ✔️ |
| You have new or existing devices. | ✔️ |
| Need to enroll a few devices, or a large number of devices (bulk enrollment). | ❌ Can only enroll one device at a time. |
| Devices are associated with a single user. | ✔️ |
| Devices are user-less, such as kiosk, dedicated, or shared. | ✔️ |
| Devices are personal or BYOD. | ❌ Android Enterprise personally owned devices with a work profile (in this article) support GMS (opens Android's web site). |
| Devices are managed by another MDM provider. | ❌ To be fully managed by Intune, users need to unenroll from the current MDM provider, and then enroll in Intune. |
| You use the optional device enrollment manager (DEM) account | ❌ The DEM account isn't supported. |
Admin tasks (AOSP)
This task list provides an overview. For more specific information, go to enrollment for AOSP corporate-owned userless devices and AOSP corporate-owned user-associated devices.
Be sure your devices are supported.
Factory reset the devices. This step is required. New devices might not require a factory reset.
In the Intune admin center, create an enrollment profile, and have your device group(s) ready. For the specific steps, go to:
- AOSP corporate-owned userless devices
- AOSP corporate-owned user-associated devices
Enroll the devices in Intune. For the specific steps, go to:
- AOSP corporate-owned userless devices
- AOSP corporate-owned user-associated devices
During enrollment, the Microsoft Intune app and Microsoft Authenticator app automatically install and open on the device, which allows the device to enroll. The device is locked in the enrollment process until enrollment completes.
End user tasks (AOSP)
The specific steps depend on how you configured the enrollment profile.
Admins can complete the enrollment themselves, and then give the devices to the users. Or, users can enroll the devices using the following steps:
Users turn on the device, and are prompted for information, including the enrollment method: QR Code. If you created a user-associated devices enrollment profile, then they may be asked to sign in with their organization credentials (
user@contoso.com).If you created a userless devices enrollment profile, then wait for the enrollment wizard to complete. When it does, the device is ready to use.
If you created a user-associated devices enrollment profile, then users enter the required information. Then, wait for the enrollment wizard to complete. For more specific steps, go to enroll the device.
Users typically don't like enrolling themselves, and may not be familiar with the Company Portal app. Be sure to provide guidance, including what information to enter. For some guidance on communicating with your users, see Planning guide: Step 5 - Create a rollout plan.
Android device administrator
Important
Microsoft Intune is ending support for Android device administrator management on devices with access to Google Mobile Services (GMS) on August 30, 2024. After that date, device enrollment, technical support, bug fixes, and security fixes will be unavailable. If you currently use device administrator management, we recommend switching to another Android management option in Intune before support ends. For more information, read Ending support for Android device administrator on GMS devices.
These Android devices are corporate, or personal/BYOD (bring your own device) devices that can access organization email, apps, and other data.
Google deprecated Android device administrator management in 2020 and Intune will be ending support for device administrator devices with access to Google Mobile Services in August 2024.
Microsoft recommends:
Don't enroll new devices using Android device administrator.
Enroll new devices using one of the other methods described in this article and/or using App protection policies.
Move existing Android device administrator devices to one of the other methods described in this article. If you will be moving them to Android Enterprise personally owned devices with a work profile (in this article), consider using the streamlined flow to move Android devices from device administrator to personally owned work profile management.
Create a device enrollment restriction to block device administrator enrollment. Android devices may try to enroll using device administrator before trying other enrollment methods. So, create the restriction to prevent this behavior. For more information, go to Set enrollment restrictions.
Next steps
- MAM
- iOS/iPadOS enrollment guide
- Linux enrollment guide
- macOS enrollment guide
- Windows enrollment guide
