I wrote about managing Android devices using Microsoft Intune or Microsoft Endpoint Manager in previous posts, where I described the different ways of using Mobile Device Management (MDM) to manage the Android OS on a smartphone/tablet:

In this third post in my MDM enrollment for Android series, I’m going to describe how to enroll an Android device that is corporate owned and fully managed. This is the type of device that an organization owns and issues to a user, and the entire device is managed and controlled. This type of device is not intended to be used for personal reasons.

I’m going to cover how to enroll the device into MDM using Microsoft Endpoint Manager (MEM). I will save management capabilities and configuration of the device for future blogs. I will also not be covering zero touch deployment of Android devices – we’ll save that for a future blog also.

This blog assumes you have already connected Microsoft Endpoint Manager to your Managed Google Play account.

Obtain Enrollment Token

To enroll devices using this method, you will need to obtain an enrollment token from MEM. To do so, log in to https://endpoint.microsoft.com and navigate to Devices -> Android Enrollment -> Corporate-owned, fully managed user devices. The enrollment token is shown there as a barcode, which the device will scan later in these instructions.

This barcode can be emailed to users, posted on a helpdesk website, etc., and the users will self-enroll using their credentials. This is how corporate owned devices will be enrolled.

Enroll The Android Device

My Android smartphone has been wiped and reset to factory defaults. Upon powering on, I will connect the device to a Wi-Fi or carrier network and will then be presented with a sign in screen.

At the sign in screen, type afw#setup then tap Next

Wait while the sign in process completes

At Let’s setup your work device tap Accept & Continue and wait while the device loads.

At Enroll this device tap Next

At Scan or enter code scan the barcode you created earlier

Here’s my enrollment token I will scan with the device’s camera

Wait while the device loads

At the sign in screen, sign in with your credentials

At Set up your work phone screen tap Install

Three core apps will be installed on the device:

Microsoft Intune – Used for Android Enterprise fully managed scenarios.

Microsoft Authenticator – Helps you sign in to your accounts if you use two-factor verification.

Intune Company Portal – Used for App Protection Policies (APP) and Android Enterprise work profile scenarios.

When the apps have finished installing, tap Next

Tap Start to register the device

At the blue Intune screen tap Sign In

Enter your credentials and tap Sign In

The device will sign in

At Set up Access screen tap Next

The device will register. When complete tap Done

At You’re ready for work tap Done

The home screen will be displayed

The device is now fully managed. As an example of this, open the Google Photos app and notice the red text Your administrator has not given you access to this item

At this point, we can push security policy to the device, in addition to apps – this is configured in Microsoft Endpoint Manager under Device Configuration Profiles and Apps respectively.

To manage the device, within Microsoft Endpoint Manager browse to Devices -> Android -> Android Devices

From here, click on the device, and it will display the management screen for that device.