Microsoft’s Intune IT management platform is part of its Microsoft 365 offering, using mobile device management techniques to manage a lot more than Windows. Taking advantage of de facto mobile management standards, Intune can give you a low-touch management environment that protects work information not only on corporate device fleets, but also on users’ own devices as part of a BYOD (Bring Your Own Device) program.
Most people think of Intune as a tool for managing Windows PCs, working as a cloud alternative to (or extension of) System Center, but its broader reach makes it a powerful tool for managing Android and iOS, as well as distributing enterprise software to devices. Its low-touch nature gives you a selection of management options, from minimal to complete control, with the option of allowing users to choose what features are deployed on their devices and how much control they’re prepared to give up.
Managed devices need to be enrolled in Intune. There are two options: BYOD or dedicated. BYOD devices are users’ own hardware, while dedicated devices are corporate owned, and often single use. This option is best used for devices like Android warehouse stock control hardware, with built-in barcode scanners, or work management hardware that’s handed out to field service engineers. In practice it’s a split between dedicated devices for task workers and BYOD for knowledge workers.
BYOD devices enrolled in Intune are set up with Android Enterprise profiles. These create a separate, secured workspace for managed applications and data. Once a profile is in place you can use it to control most of a phone’s features, from setting up email accounts and wi-fi access to a corporate network, to controlling whether a user can take screenshots of business applications. You don’t need to worry about finding specific phones with Android Enterprise support: it’s been a feature in all recent Android releases.
Connecting Intune to Google Play
Managing Android with Intune starts with connecting your Intune tenant to a Gmail account that’s not associated with G Suite. This is your service account and is used to work with Android and with Google’s Play service, controlling what Google refers to as ‘managed Google Play’. As part of setting up Intune’s Android support you create an enterprise instance of the Google Play store, one that’s customized to your organization’s needs.
With a connected managed Google Play instance, you can then set up the applications that will be deployed through the Intune Company Portal app. New apps can be chosen and assigned to specific users via the Intune management portal, before being delivered via the Play Store. These can be apps with an enterprise license, or your own apps kept in a private area of the Google Play store, where they can only be accessed by registered devices and users. Fully managed devices can be restricted to approved apps only, or you can allow full access to the store so that users can install anything. Purchases can be limited, or you can lift this restriction and allow access to any app with a user’s own Google account.
One of the more important aspects of using Intune to manage Android is its support for compliance policies. In Intune, you can build a compliance policy that covers key device features for Android Enterprise devices. Start with a minimum OS version, so that devices must be running a release that fixes key bugs. You can also set a maximum OS version to lock out untested betas, as well as blocking devices that have been rooted. Other settings govern the type of password required and whether you want to force biometric authentication where it’s available.
There’s integration with other Android management tools like the Lookout security platform. This lets you set the acceptable threat level for a device, using Lookout to manage device risk assessments. Other supported security platforms include Google Play Protect and SafetyNet device attestation. Intune can also ensure that devices use encrypted storage, and that they only install apps from known sources (you will have to disable this option if you’re sideloading corporate apps). Similarly, it will check that users have the appropriate version of the Company Portal app installed.
Failing compliance doesn’t stop a device working — it simply blocks it from accessing corporate resources. That’s an important aspect of modern device management: it’s not about disabling devices, but about ensuring that users can still use them as personal devices and that they have the opportunity to update software or change how they sign in, bringing their phones back into compliance.
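To make the compliance checks above concrete, here is an added example (not code from the article or from Microsoft) that builds the policy as a Microsoft Graph request body and evaluates a constructed device report against it, returning the failed checks that conditional access would act on. The Graph property names are assumptions taken from the `androidWorkProfileCompliancePolicy` resource rather than from the article, and the device report format is invented for the example.

```python
from typing import Any

# Property names are assumptions taken from Graph's androidWorkProfileCompliancePolicy
# resource, not from the article; check them against current documentation.
def build_policy(min_os: str, max_os: str, allow_sideload: bool = False) -> dict[str, Any]:
    """Body you would POST to /deviceManagement/deviceCompliancePolicies."""
    return {
        "@odata.type": "#microsoft.graph.androidWorkProfileCompliancePolicy",
        "displayName": "Android Enterprise baseline (work profile)",
        "osMinimumVersion": min_os,             # require releases that fix key bugs
        "osMaximumVersion": max_os,             # lock out untested betas
        "securityBlockJailbrokenDevices": True, # rooted devices fail
        "passwordRequiredType": "numericComplex",
        "storageRequireEncryption": True,
        "securityRequireVerifyApps": True,      # Google Play Protect
        "securityRequireSafetyNetAttestationBasicIntegrity": True,
        "securityRequireCompanyPortalAppIntegrity": True,
        # must be False when sideloading corporate apps, as the article notes
        "securityPreventInstallAppsFromUnknownSources": not allow_sideload,
        "deviceThreatProtectionEnabled": True,  # Lookout-style MTD integration
        "deviceThreatProtectionRequiredSecurityLevel": "medium",
    }

THREAT_RANK = {"secured": 0, "low": 1, "medium": 2, "high": 3}
# Constructed sample of what a device reports; not a Graph schema.
SAMPLE_DEVICE = {"osVersion": "11", "rooted": False, "encrypted": True,
                 "unknownSources": True, "safetyNetOk": True, "threatLevel": "low"}

def _ver(s: str) -> tuple[int, ...]:
    return tuple(int(p) for p in s.split("."))

def evaluate(policy: dict[str, Any], device: dict[str, Any]) -> list[str]:
    """Return the failed checks; an empty list means compliant."""
    os_v, failures = _ver(device["osVersion"]), []
    if os_v < _ver(policy["osMinimumVersion"]):
        failures.append("osMinimumVersion")
    if os_v > _ver(policy["osMaximumVersion"]):
        failures.append("osMaximumVersion")
    if policy["securityBlockJailbrokenDevices"] and device["rooted"]:
        failures.append("securityBlockJailbrokenDevices")
    if policy["storageRequireEncryption"] and not device["encrypted"]:
        failures.append("storageRequireEncryption")
    if policy["securityPreventInstallAppsFromUnknownSources"] and device["unknownSources"]:
        failures.append("securityPreventInstallAppsFromUnknownSources")
    if policy["securityRequireSafetyNetAttestationBasicIntegrity"] and not device["safetyNetOk"]:
        failures.append("securityRequireSafetyNetAttestationBasicIntegrity")
    required = THREAT_RANK[policy["deviceThreatProtectionRequiredSecurityLevel"]]
    if policy["deviceThreatProtectionEnabled"] and THREAT_RANK[device["threatLevel"]] > required:
        failures.append("deviceThreatProtectionRequiredSecurityLevel")  # MTD: at or under level
    return failures
```

A non-empty result is the signal conditional access consumes: the device keeps working, but corporate resources stay blocked until the listed checks pass.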
Working with Intune and Microsoft 365
Once devices and users are registered with Intune, you use the same web-based management console for Android phones and tablets as for Windows PCs. You make the same queries, and get much of the same information. As part of the rest of Microsoft 365 you also get access to the rest of the Enterprise Management Suite, which lets your Android apps use conditional access to ensure that only managed devices get access to corporate data, as well as managing information that’s sent via Outlook using information rights management. Corporate data is isolated from personal data, so on a BYOD device uninstalling a corporate app deletes that app’s data without affecting the user’s photos or other valuable personal data.
One useful Intune feature is device-only subscriptions. If you’re managing devices that aren’t assigned to users, such as those working in a kiosk mode, you can use a lower-cost subscription to add them to your Intune fleet without having to assign them to users. This works well for tablets and phones used as point-of-sale devices, or for kiosks that manage seating assignments in restaurants.
Android devices are increasingly popular, which makes Intune’s mobile device management tooling increasingly useful. By using it to control Google’s Enterprise Android features, you can apply the appropriate control for all the devices and users in your organization, from giving access to corporate email and networks, to deploying enterprise software on heavily managed devices. With Intune available as part of Microsoft 365, you can now use the same tool to manage users’ phones as their PCs — with many of the same tools available across all their devices.