By Priya Ravichandran | Sr. PM – Microsoft Endpoint Manager – Intune
The Android OS is ubiquitous and a popular choice for purpose-built device manufacturers. However, not all purpose-built devices ship with Google Mobile Services (GMS). These purpose-built devices enable organizations to accomplish critical tasks in a more streamlined manner and provide the ability to connect remotely while remaining productive. Purpose-built devices have become even more essential with the current shift to remote work during COVID-19. One example is the Teams-integrated RealWear devices, which deliver purpose-built experiences for field service in safety-critical environments. OEMs such as Lenovo, Facebook, and Vuzix have also shipped Android (non-GMS) purpose-built devices for enterprises.
Most purpose-built devices are based on the Android platform, without integration with GMS. Microsoft Endpoint Manager’s Android Enterprise management options are dependent on GMS, which introduces challenges for managing these types of devices today. However, these devices are critical assets an organization will expect to manage alongside the rest of their device estate.
In this blog, we will review the current options for managing these Android (non-GMS) devices via Microsoft Endpoint Manager – Intune.
Leveraging device administrator to manage non-GMS Android devices
Today Intune supports two options to manage Android devices – Android Enterprise or device administrator.
Android Enterprise is the industry standard that Google is driving to enable a consistent management experience across Android devices, independent of device OEM. However, Android Enterprise requires the devices be integrated with GMS – something many purpose-built specialty devices do not ship with.
Device administrator is the other management mode that Intune currently supports. While Google is decreasing support for device administrator starting with Android 10, device administrator is still a viable and supported option for managing devices on earlier versions of Android, and it can address the management needs of these purpose-built devices.
Managing your non-GMS purpose-built devices with Intune
Before starting enrollment, ensure that the following prerequisites are met:
- The device has met all the necessary requirements – as defined by the OEM – to be successfully managed.
- The Intune tenant is provisioned, and device administrator management is enabled.
- The Microsoft Intune Company Portal app .apk is downloaded. The Company Portal app .apk can be downloaded here.
Onboarding non-GMS devices
Management of your devices starts with the enrollment workflow. For device administrator, the enrollment workflow requires the Microsoft Intune Company Portal app to be installed onto the device. Once the Intune Company Portal app has been installed, the enrollment workflow begins when the user launches the app and completes the steps presented.
Once enrolled, all the applicable device administrator policies would be available for the management of these devices. The only exceptions are policies that are dependent on GMS.
Key things to note
- Device administrator enrollment must be permitted on your tenant for these device enrollments to succeed. If device administrator enrollments are blocked via the enrollment restrictions, the enrollments on these devices will fail.
- If multi-factor authentication (MFA) is enabled for the organization, a user will be expected to complete the MFA challenge when enrolling the device.
- App protection policies (APP) that have been deployed in the organization will also be equally enforced for apps provisioned on these devices as they will be considered part of the applicable Android device landscape. An example of this would be requiring a PIN to access Teams on a RealWear device.
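The first note above is worth checking before devices are handed out. The following is an added example, not code from the original article or from Microsoft: it audits enrollment restriction sets for anything that would reject a device administrator enrollment. It assumes the restrictions are exported from Microsoft Graph's `deviceEnrollmentConfigurations` collection and that `androidRestriction` is the entry governing device administrator enrollment; the sample response, function names, and device values are constructed for illustration.

```python
import json

PLATFORM_TYPE = "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration"

# Constructed sample, not real tenant data. Assumed to be shaped like the Graph
# response for GET /deviceManagement/deviceEnrollmentConfigurations.
SAMPLE_RESPONSE = json.loads("""
{"value": [
 {"@odata.type": "#microsoft.graph.deviceEnrollmentLimitConfiguration",
  "displayName": "Device limit", "limit": 5},
 {"@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration",
  "displayName": "Default", "androidRestriction": {"platformBlocked": false,
   "personalDeviceEnrollmentBlocked": false, "osMinimumVersion": null, "osMaximumVersion": null}},
 {"@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration",
  "displayName": "Office staff", "androidRestriction": {"platformBlocked": true,
   "personalDeviceEnrollmentBlocked": false, "osMinimumVersion": null, "osMaximumVersion": null}},
 {"@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration",
  "displayName": "Warehouse", "androidRestriction": {"platformBlocked": false,
   "personalDeviceEnrollmentBlocked": true, "osMinimumVersion": "9.0", "osMaximumVersion": null}}
]}
""")

def _version(text):
    """'8.1' -> (8, 1, 0) so versions compare numerically, not as strings."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def enrollment_blockers(config, device_os, corporate_owned):
    """Reasons one restriction set would reject a device administrator enrollment."""
    rule = config.get("androidRestriction") or {}
    reasons = []
    if rule.get("platformBlocked"):
        reasons.append("platform blocked")
    if rule.get("personalDeviceEnrollmentBlocked") and not corporate_owned:
        reasons.append("personal devices blocked")
    low, high = rule.get("osMinimumVersion"), rule.get("osMaximumVersion")
    if low and _version(device_os) < _version(low):
        reasons.append("OS below minimum " + low)
    if high and _version(device_os) > _version(high):
        reasons.append("OS above maximum " + high)
    return reasons

def audit(response, device_os, corporate_owned=False):
    """Map each platform restriction set to its blockers for this device."""
    return {c["displayName"]: enrollment_blockers(c, device_os, corporate_owned)
            for c in response["value"] if c.get("@odata.type") == PLATFORM_TYPE}

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_RESPONSE, "8.1").items():
        print(name, "->", reasons or "device administrator enrollment allowed")
```

An empty list means that restriction set would let the device through; which set actually applies to a given user depends on its assignment and priority, which this check does not model.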
We are aware that the Android platform is moving device administrator management out of support starting with Android 10. Microsoft Endpoint Manager has been guiding customers to migrate the management of their Android devices to Android Enterprise.
These purpose-built devices are an exception to this guidance because they do not have GMS support. Additionally, most of the major OEMs building these purpose-built devices are using Android versions below Android 10. Thus, device administrator management capabilities are available and supported for these devices.
Looking ahead, the Microsoft Endpoint Manager team is investigating long term options to provide an alternative to device administrator to ensure continuity of management on these devices as their platforms also progress to later Android versions.
Managing purpose-built specialty devices without GMS with device administrator mode in Intune is considered a fully supported scenario. As such, this scenario will be supported through our usual Intune support channels.
- Microsoft Endpoint Manager device administrator management
- Microsoft Intune Company Portal for Android download location
- Managing Enrollment Restrictions in Intune
- How to use Intune in environments without Google Mobile Services
- Microsoft announces RealWear integration for Teams
- Microsoft Teams for RealWear documentation