Android + Intune = Android management

When I speak with organizations that are considering Android devices there's usually the question of, "which management option should we choose?". Answering it requires a clear understanding of the scenarios the organization would like to bring under management, such as personal devices, corporate devices, or even purpose-built devices (e.g. inventory scanners, digital signage, etc.).

There are many different versions of Android from many different OEMs, and choosing and supporting each version can be challenging. However, as I'll discuss later in this post, Android enterprise aims to address OEM fragmentation while providing a variety of management options. Fortunately, Microsoft Intune supports the various Android management methods available today, including those offered with Android enterprise, so let's look at how Android management is accomplished with Intune.

The list below (originally a three-column table: device management type, enrollment type, Intune management) walks through each available Android device management scenario, how Microsoft Intune supports it, and items to evaluate when considering each option.

Device management type: Android Device Admin

Enrollment type: Considered legacy administration, the Android device administration API has provided APIs to manage an Android device since Android 2.2. The issues with device admin are that only a limited set of management APIs is available, the user experience is challenging, and, according to Google, device admin is deprecated as of Android 9; beginning with Android Q, device admin apps lose the password, camera and keyguard policies, so device admin is effectively no longer a management option. Device admin requires the device to be enrolled via an MDM and requires the user to grant administrator permissions during certain enrollment scenarios. As such, device admin offers insufficient privacy for BYOD, insufficient management capabilities for corporate-owned devices, and a poor user experience all around. In addition, device admin is less secure than Android enterprise and is not ideal for an environment requiring minimal or no-touch enrollment. To learn more about device admin deprecation please visit: https://developers.google.com/android/work/device-admin-deprecation

Intune management: Intune supports devices enrolled with device admin on Android 4.4+.

To enroll a device in Intune using device admin please visit: https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-android

In addition, Intune App Protection policies are supported with device admin (or without enrollment): https://docs.microsoft.com/en-us/intune/app-protection-policy

For BYOD, Intune App Protection policies are a great choice, as the policies protect corporate data at the app layer without requiring the user to enroll their device.

Device management type: Samsung KNOX Standard

Enrollment type: On Samsung devices, Samsung added its own management APIs, which expand the management capabilities for devices enrolled with device admin. An example is managing the email profile for the native email app on a Samsung device. KNOX is only available on certain Samsung devices, so using other OEMs' devices would require device admin or Android enterprise. Note: Samsung has announced the unification of KNOX and Android enterprise. More details may be found here: https://www.samsungknox.com/en/blog/android-enterprise-and-samsung-knox-your-questions-answered-here

Samsung also offers KNOX Mobile Enrollment (KME), which enrolls devices automatically, even after a factory reset. KME requires Knox 2.4 or later on the device and is beneficial for mass enrollment without having to touch each device. Devices are added to the KME portal manually or by a participating carrier/reseller and assigned to an MDM profile; after that, users experience a streamlined enrollment that removes the touch points required by device admin. KNOX Mobile Enrollment is only available with Samsung devices, so if no-touch enrollment is needed for other OEMs' devices, Android enterprise may be an option. To learn more about KNOX Mobile Enrollment please visit: https://www.samsung.com/us/business/solutions/samsung-knox/mobile-security-solutions/knox-mobile-enrollment/

Intune management: Intune supports KNOX Standard without additional KNOX licensing. However, KNOX still requires device admin enrollment: once a device is enrolled with the MDM the end user will also see prompts about KNOX, after which both device admin and KNOX policies may be deployed to the device. KNOX Mobile Enrollment streamlines this by enrolling the device automatically.

To learn more about enrolling a device that supports Samsung KNOX with Intune please visit: https://docs.microsoft.com/en-us/intune/android-enroll#end-user-experience-when-enrolling-a-samsung-knox-device

Intune supports KME; to learn more about setting up KME with Intune please visit: https://docs.microsoft.com/en-us/intune/android-samsung-knox-mobile-enroll

In addition, Intune App Protection policies are supported on devices enrolled with Samsung KNOX or KME: https://docs.microsoft.com/en-us/intune/app-protection-policy

Up to this point we've reviewed the traditional management methods available on Android and how to enroll and manage those devices with Intune. You may have noticed a recurring theme: all paths lead to Android enterprise, so let's look at what Android enterprise is and how Intune manages devices enrolled with it.

Android enterprise

There are two primary modes of management under Android enterprise (AE): work profiles for BYOD and device owner for corporate-owned devices. For more details on Android enterprise device ownership please visit: https://developers.google.com/android/work/requirements

Device management type: Android enterprise

Enrollment type: Android enterprise (AE) offers a variety of management scenarios for certified devices, providing more robust management APIs than device admin. Although Android enterprise is supported on Android 5.0+, Google recommends 6.0 or later. Once a device is enrolled in an MDM such as Intune, Android enterprise can create a work profile (formerly Android for Work) that separates, or containerizes, corporate applications and data on a personal device. The managed profile holds the corporate data and allows only applications within the work profile to access it, leaving personal data separate. To learn more about work profiles please visit: https://support.google.com/work/android/answer/6191949?hl=en

In addition to work profiles, Android enterprise offers device owner mode, where corporate-owned devices are enrolled with an MDM and managed according to their intended purpose. To learn more about Android enterprise management for company-owned devices please visit: https://www.android.com/enterprise/management/

To provision device owner mode the device must be factory reset; unfortunately, there is no migration path from device admin to device owner mode. The provisioning process may be driven by NFC, QR code, or zero-touch. Earlier versions of Android such as 5.0 and 5.1 can use an activation code to begin the enrollment process. For more details about device provisioning please visit: https://developers.google.com/android/work/prov-devices To learn more about AE management scenarios please visit: https://www.android.com/enterprise/management/

Note: as stated previously, moving from device admin to Android enterprise requires a factory reset. Consider the ramifications for devices already deployed to end users and in the workplace before beginning a migration. A strategy of enrolling new devices with device owner while continuing to manage existing devices enrolled with device admin may be an option; through attrition, devices will onboard using Android enterprise. As mentioned earlier, with Android Q, device admin is no longer a viable option.

Intune management: Intune supports Android enterprise work profiles as well as purpose-built (dedicated, single-use) device management, which aligns with many organizational use cases.

Details on how to configure Intune to enroll and manage devices supporting Android enterprise are below.

Management of Android enterprise managed profiles and other details may be found here: https://docs.microsoft.com/en-us/intune/android-enterprise-overview

Connect Intune to Android enterprise:

https://docs.microsoft.com/en-us/intune/connect-intune-android-enterprise

Android enterprise single-use (Kiosk) devices Intune enrollment: https://docs.microsoft.com/en-us/intune/android-kiosk-enroll

In addition, Intune App Protection policies are supported with Android enterprise: https://docs.microsoft.com/en-us/intune/app-protection-policy

Applications, including LOB apps, are published through managed Google Play.
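
The QR-code provisioning path mentioned above carries a JSON document of Android provisioning extras that the setup wizard reads on a factory-reset device. As an added example (not code from this post, from Google or from Microsoft), the Python below assembles that payload and performs the check the device performs after it downloads the DPC: the APK's signer must match the checksum pinned in the QR code, which is what stops a tampered download location from installing a rogue device owner. The intent extra names are Android's own; the DPC component, download URL, certificate bytes and admin extras are constructed placeholders, and the example assumes the checksum is the URL-safe base64 SHA-256 of the DPC signing certificate with the '=' padding stripped.

```python
import base64
import hashlib
import hmac
import json

# Intent extra names are the real ones from Android's provisioning API; the component,
# URL, certificate bytes and admin extras used below are constructed for this example.
EXTRA_COMPONENT = "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
EXTRA_DOWNLOAD = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
EXTRA_SIG_CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM"
EXTRA_SKIP_ENCRYPTION = "android.app.extra.PROVISIONING_SKIP_ENCRYPTION"
EXTRA_LEAVE_SYSTEM_APPS = "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED"
EXTRA_ADMIN_EXTRAS = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"


def signature_checksum(signing_cert_der: bytes) -> str:
    """SHA-256 of the DPC's APK signing certificate, URL-safe base64 without '=' padding
    (assumed encoding for PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM)."""
    digest = hashlib.sha256(signing_cert_der).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def build_qr_payload(component, download_url, signing_cert_der, admin_extras=None):
    """JSON that gets encoded into the provisioning QR code scanned on a factory-reset device."""
    if not download_url.startswith("https://"):
        # The APK is fetched before any policy exists; never let it travel in cleartext.
        raise ValueError("DPC download location must be an https:// URL")
    if "/" not in component:
        raise ValueError("component must look like 'package/.DeviceAdminReceiverClass'")
    payload = {
        EXTRA_COMPONENT: component,
        EXTRA_DOWNLOAD: download_url,
        EXTRA_SIG_CHECKSUM: signature_checksum(signing_cert_der),
        EXTRA_SKIP_ENCRYPTION: False,      # keep storage encryption on
        EXTRA_LEAVE_SYSTEM_APPS: False,    # dedicated devices: start minimal, re-enable as needed
    }
    if admin_extras:
        payload[EXTRA_ADMIN_EXTRAS] = admin_extras  # e.g. an enrollment token for the MDM
    return json.dumps(payload, sort_keys=True)


def downloaded_dpc_is_trusted(qr_json: str, downloaded_signer_der: bytes) -> bool:
    """The check the setup wizard performs: the signer of the APK it fetched must match the
    checksum pinned in the QR code, otherwise the download location was tampered with."""
    expected = json.loads(qr_json)[EXTRA_SIG_CHECKSUM]
    return hmac.compare_digest(expected, signature_checksum(downloaded_signer_der))


# Constructed inputs (not a real DPC, URL or certificate).
DPC_COMPONENT = "com.example.mdm.dpc/.DeviceAdminReceiver"
DPC_URL = "https://mdm.example.com/dpc/dpc-release.apk"
DPC_SIGNER_DER = b"constructed DER bytes of the DPC signing certificate"

if __name__ == "__main__":
    qr = build_qr_payload(DPC_COMPONENT, DPC_URL, DPC_SIGNER_DER,
                          {"enrollment_token": "constructed-token"})
    print(qr)
    print("trusted:", downloaded_dpc_is_trusted(qr, DPC_SIGNER_DER))
    print("tampered:", downloaded_dpc_is_trusted(qr, b"some other signer"))
```

Turning the returned JSON into an actual QR image is left to a QR library; the point is that the checksum, not the URL, is the trust anchor, so the QR code has to be regenerated whenever the DPC's signing key changes, and an HTTPS download location is a defense in depth rather than the thing that makes the install safe.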

Selecting an enrollment option

Choosing an enrollment option really depends on the scenario and what your business requires. For example, if your devices require minimal or no-touch enrollment, consider KNOX Mobile Enrollment and/or Android enterprise. Since Android enterprise is OEM-agnostic, if the plan is to deploy devices from several OEMs, devices supporting Android enterprise may be the option. Likewise, if devices are used for kiosks, digital signage, ticket printing or inventory scanning, Android enterprise (dedicated devices) is worth investigating. If devices are personal devices (BYOD), I recommend looking at Intune App Protection for unenrolled devices and/or work profiles. Lastly, before selecting, consider the short- and long-term ramifications of one option over another.

That’s it! We’ve reviewed the options available for Android enrollment and Intune, documentation on how to enroll Android devices, and the future of Android management through Android enterprise.

Microsoft Flow and Azure AD – let’s automate!


When I speak with organizations we often discuss scenarios such as an onboarding process that needs a front-end utility and automation. Many organizations have cloud services and on-premises applications where the user onboarding process is, in some cases, still a manual procedure. To assist with these processes and many others, Microsoft offers a service called Microsoft Flow. I'm always looking for creative uses of applications, and Microsoft Flow offers just what we need to help automate processes such as account management across applications and services. In addition, Microsoft Flow goes well beyond automating a user management process (e.g. onboarding), as discussed below.


What is Microsoft Flow?

“Microsoft Flow is a service that helps you create automated workflows between your favorite apps and services to synchronize files, get notifications, collect data, and more.”

Source: https://docs.microsoft.com/en-us/flow/getting-started

Microsoft Flow allows you to create workflows to automate tasks, for example, when files are added to a folder in a cloud storage environment such as OneDrive or Box, notify a user. Or create an approval workflow process to manage tweets before they’re posted to Twitter.


Microsoft Flow offers connectors to connect to either cloud applications or on premises environments.

To view a list of Microsoft Flow connectors, please visit: https://us.flow.microsoft.com/en-us/connectors/


In addition, there are many pre-defined templates that may be utilized such as starting an approval process when a new item is added to SharePoint or save tweets to an Excel file or sync files between cloud drives or a file server via FTP.  The list goes on and on…

To view a list of Microsoft Flow templates, please visit: https://us.flow.microsoft.com/en-us/templates/


Microsoft Flow Licensing

Some features are free while others require a premium Flow SKU. For more details about Microsoft Flow licensing please visit: https://flow.microsoft.com/en-us/pricing/

Microsoft Flow FAQ: https://docs.microsoft.com/en-us/flow/frequently-asked-questions


For this post, I will use Microsoft Flow to create users in Azure AD and also provide some bonus flows, so let's get started…

As an administrator, the first thing we need to do is access Microsoft Flow and create a new workflow.

Navigate to https://flow.microsoft.com and sign-in.

Search for Azure AD in the search box provided as shown below:

[screenshot]

From the results page, locate and select “Create Azure AD User From Button”

[screenshot]

From there select “Continue” to add the template:

[screenshot]

For more details about the Microsoft Flow Azure AD connector and templates, please visit: https://us.flow.microsoft.com/en-us/connectors/shared_azuread/azure-ad/


From here you can use the template as is and select "Create flow", or you can change the name and edit the steps in the template provided:

[screenshot]

I chose to edit the “Send an email” step in the flow as I wanted a little more detail, I began the editing process by selecting “Send an email”:

[screenshot]

The default template only offers a one-line sentence of info; I changed it to add the information the manager and the end user would need:

[screenshot]

We can also edit each flow step, or add more steps if necessary, by deleting or adding fields (if a field is used downstream in the flow you'll need to remove it downstream first):

[screenshots]

“Adding an Azure AD User” Flow in action

The great thing about Microsoft Flow is a flow may be run on a schedule, via an event or trigger, or manually from the web or the Mobile app. 

Additionally, flows may be shared with other users, so administrators don't always need to be in the process. Ultimately the flow configuration is up to you and what works best for the processes within your organization.


Flow Web App

To manually start the newly created flow, open it, select "More" at the top and then select "Run now":

[screenshot]

From there the template with a list of fields will open for a user to manually fill in:

[screenshot]

Once all the fields are filled in properly, select “Run flow” and a new user will be created in Azure AD.  I show more details and results below using the mobile app.


Mobile App

I find the Microsoft Flow mobile app very easy to use, especially when on the go.  In fact, flows may be created and edited directly from the Microsoft Flow app.

Download the Microsoft Flow app from your favorite app store; in my case I have the iOS app installed on my device. The first time the Microsoft Flow app is launched you'll need to sign into your Azure AD tenant. Be sure that user has the rights the flow needs (to create users and groups, access apps, etc.), and keep that account to least privilege: the Azure AD connection in the flow runs with that account's permissions, so a User Administrator role is enough to create users and a Global Administrator account should not be used for this.


Select “Buttons” at the bottom of the app:

[screenshot]

Locate the button that will create the Azure AD user:

[screenshot]

Fill out the form and submit:

[screenshot]

Here are my inputs for the flow; when finished, select "Done" at the top of the app and the flow will run:

[screenshots]

Once the Flow has completed, we can look at the run history and the details of each flow process (great for troubleshooting as well):

[screenshots]

Expanding the “Send an email” flow we see the following:

[screenshot]

Below is the customized email received by a user or manager after the user is created (including a randomly generated password). Treat that message as a credential: it travels through mail, so the flow should create the user with the password set to be changed at first sign-in (Azure AD's passwordProfile.forceChangePasswordNextSignIn) and the email should go only to the recipient who needs it.

[screenshot]

Lastly, below is the user that was created by the Flow process in the Azure AD admin portal:

[screenshot]


Dynamic groups

Once users are created, dynamic group membership can assign them to groups automatically; for example, every user whose attributes match a rule is placed in Group A. Group A can in turn be assigned licenses, SaaS applications or SharePoint Online/OneDrive access, so as soon as a user lands in the group they have the licenses and apps assigned to it.

Dynamic group membership eases the process of adding and removing users from applications. Simply assign a group to the application and use dynamic group rules to add and remove users automatically. Attributes such as employeeId, mail or companyName can be used in rules, and many more are available; depending on where the users originate from, you may want to get creative. Finally, for applications that support provisioning, users may be automatically provisioned to and deprovisioned from SaaS applications, which provides full user lifecycle management.

For more details about Azure AD Dynamic Groups please visit: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-groups-dynamic-membership-azure-portal
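
To make the rule idea concrete, here is an added example (not the post's code and not Microsoft's) that parses a subset of the dynamic membership rule syntax and evaluates it against a small, constructed set of users. It shows which attributes pull a user into a group and, just as important, that a missing attribute never satisfies -contains, which is why rules should be written to fail closed. The grammar subset, the case-insensitive string comparison and the precedence of "and" over "or" are assumptions of the example, so use explicit parentheses in real rules.

```python
import re

# Subset of the Azure AD dynamic membership rule syntax handled by this example (an assumption
# of the example, not the full grammar): user.<attr> compared with -eq, -ne or -contains to a
# quoted string, true, false or null, combined with and / or / not (with or without a leading
# '-') and parentheses.  "and" binds tighter than "or" here; real rules should use parentheses.
_TOKEN = re.compile(r'\s*(\(|\)|"[^"]*"|-\w+|[A-Za-z_][\w.]*)')
_OPS = ("-eq", "-ne", "-contains")


def tokenize(rule):
    tokens, pos, end = [], 0, len(rule.rstrip())
    while pos < end:
        m = _TOKEN.match(rule, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {rule[pos:pos + 10]!r}")
        tok = m.group(1)
        word = tok.lstrip("-").lower()            # "-not" and "not" are the same keyword
        tokens.append(word if word in ("and", "or", "not") else tok)
        pos = m.end()
    return tokens


class RuleParser:
    def __init__(self, rule):
        self.t, self.i = tokenize(rule), 0
    def peek(self):
        return self.t[self.i] if self.i < len(self.t) else None
    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok
    def parse(self):
        node = self.binary("or")
        if self.peek() is not None:
            raise ValueError(f"trailing input: {self.t[self.i:]}")
        return node
    def binary(self, kw):                         # "or" of "and" terms, "and" of unaries
        sub = (lambda: self.binary("and")) if kw == "or" else self.unary
        node = sub()
        while self.peek() == kw:
            self.take()
            node = (kw, node, sub())
        return node
    def unary(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.unary())
        if self.peek() == "(":
            self.take()
            node = self.binary("or")
            self.take(")")
            return node
        prop, op = self.take(), self.take().lower()
        if not prop.startswith("user.") or op not in _OPS:
            raise ValueError(f"unsupported comparison {prop} {op}")
        return ("cmp", op, prop[len("user."):], self.value())
    def value(self):
        tok = self.take()
        if tok.startswith('"'):
            return tok[1:-1]
        if tok.lower() in ("true", "false", "null"):
            return {"true": True, "false": False, "null": None}[tok.lower()]
        raise ValueError(f"unsupported value {tok!r}")


def _norm(v):
    return v.lower() if isinstance(v, str) else v   # string matching is case-insensitive here


def evaluate(node, user):
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], user) and evaluate(node[2], user)
    if kind == "or":
        return evaluate(node[1], user) or evaluate(node[2], user)
    if kind == "not":
        return not evaluate(node[1], user)
    _, op, attr, expected = node
    actual = user.get(attr)
    if op == "-eq":
        return _norm(actual) == _norm(expected)
    if op == "-ne":
        return _norm(actual) != _norm(expected)
    if actual is None:                            # -contains never matches a missing attribute
        return False
    return _norm(str(expected)) in _norm(str(actual))


def members(rule, users):
    """UPNs of the users the rule would place in the dynamic group."""
    tree = RuleParser(rule).parse()
    return [u["userPrincipalName"] for u in users if evaluate(tree, u)]


# Constructed directory snapshot (no real tenant data).
USERS = [
    {"userPrincipalName": "alice@contoso.example", "department": "Sales",
     "accountEnabled": True, "jobTitle": "Account Executive", "employeeId": "1001"},
    {"userPrincipalName": "bob@contoso.example", "department": "Sales",
     "accountEnabled": False, "jobTitle": "SDE II", "employeeId": "1002"},
    {"userPrincipalName": "carol@contoso.example", "department": "Marketing",
     "accountEnabled": True, "jobTitle": None, "employeeId": None},
]
```

Running `members('(user.department -eq "Sales") and (user.accountEnabled -eq true)', USERS)` returns only Alice: Bob is in Sales but blocked from sign-in, so a rule that gates a license or an app on accountEnabled keeps disabled accounts out of the group. The `user.employeeId -ne null` pattern is the usual way to keep incomplete or guest records out of groups that grant access.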


BONUS FLOWS 

Need to disable or enable sign-on for a user quickly in Azure AD (i.e. O365, Dynamics365, etc.) from your mobile device?  I created Flows to do that.


Current sign-in state of the user shown in Azure AD and O365 Portals (it’s the same setting btw) shown below:

[screenshots]

I created a button in Microsoft Flow and filled out the fields shown in red:

[screenshot]

When the flow is run, type in the UPN (email address) of the user and the flow will disable sign-in for that user.

[screenshots]

New sign-in state of the user shown in Azure AD and O365 Portals (it’s the same setting btw) now blocked shown below:

[screenshots]

Enable sign-on for an Azure AD user

Follow the Flow creation process above to create a Flow to enable a user to sign-on, however change the “Account Enabled” setting to “Yes”.  Note: Flows may be copied, to copy a flow select Save As for the flow you’d like to copy in the Flow portal and modify from there.

As a result we end up with two flows, as shown below:

[screenshot]

And the flow buttons on my mobile device:

[screenshot]

Delete Azure AD Users

Now a question you may have is "can we delete Azure AD users using a button?" Not with what is built into Flow or its connectors today: the Azure AD connector does not expose a delete action. Instead, an application would need to be registered in Azure AD with the proper Microsoft Graph permissions to delete accounts and then surfaced to Flow as a custom connector, so that a button flow can call it. This is more of a custom development approach than what I demonstrated in this post. The same holds true for resetting user passwords.
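
The "Create Azure AD User" flow, the enable/disable sign-in buttons and the delete-user idea above all reduce to calls on Microsoft Graph's /users resource. The Python below is an added example, not the post's flows and not Microsoft's connector code: it builds the same create request the connector sends (with a CSPRNG-generated initial password marked for change at first sign-in, the fix for mailing a password), flips accountEnabled the way the "Block sign in" toggle does, and deletes the user. The Graph URL, the accountEnabled and passwordProfile properties and the User.ReadWrite.All permission name are Microsoft's; the token is assumed to come from a hypothetical app registration, and the FakeGraph class is a constructed in-memory stand-in so the whole lifecycle runs offline.

```python
import json
import secrets
import string
import uuid

GRAPH = "https://graph.microsoft.com/v1.0"
SYMBOLS = "!@#$%^&*-_"


def generate_password(length=16):
    """Initial password from the CSPRNG (secrets, never random) meeting the default
    Azure AD complexity rule of three of the four character classes."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(c in SYMBOLS for c in pw))
        if sum(classes) >= 3:
            return pw


def create_user_body(display_name, upn, password=None):
    """Body for POST /users, the call behind the connector's 'Create user' action."""
    if "@" not in upn:
        raise ValueError("userPrincipalName must be user@verified-domain")
    return {
        "accountEnabled": True,
        "displayName": display_name,
        "mailNickname": upn.split("@", 1)[0],
        "userPrincipalName": upn,
        "passwordProfile": {
            "password": password or generate_password(),
            # The flow mails this password to a manager, so make it single-use.
            "forceChangePasswordNextSignIn": True,
        },
    }


class GraphUsers:
    """Client for the three /users operations the button flows need. `transport` is a
    callable (method, url, body) -> (status, json) so the class also runs offline."""
    def __init__(self, transport):
        self.transport = transport

    def _call(self, method, path, body=None):
        status, data = self.transport(method, GRAPH + path, body)
        if status not in (200, 201, 204):
            raise RuntimeError(f"{method} {path} -> {status}: {data}")
        return data

    def create(self, display_name, upn):
        return self._call("POST", "/users", create_user_body(display_name, upn))

    def set_sign_in_blocked(self, user, blocked):
        # "Block sign in" in the Azure AD and O365 portals is the inverse of accountEnabled.
        return self._call("PATCH", f"/users/{user}", {"accountEnabled": not blocked})

    def delete(self, user):
        return self._call("DELETE", f"/users/{user}")


def http_transport(bearer_token):
    """Real transport. The token is assumed to come from an app registration holding the
    User.ReadWrite.All application permission; urllib raises HTTPError on 4xx/5xx."""
    import urllib.request

    def send(method, url, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {bearer_token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    return send


class FakeGraph:
    """Offline stand-in for /users (constructed for this example) using Graph's status codes."""
    def __init__(self):
        self.users, self.calls = {}, []

    def send(self, method, url, body):
        self.calls.append((method, url, body))
        path = url[len(GRAPH):]
        if method == "POST" and path == "/users":
            uid = str(uuid.uuid4())
            self.users[uid] = {"id": uid, **body}
            # Like Graph's documented create response, do not echo the password profile.
            return 201, {k: v for k, v in self.users[uid].items() if k != "passwordProfile"}
        uid = path.rsplit("/", 1)[-1]
        if uid not in self.users:
            return 404, {"error": {"code": "Request_ResourceNotFound"}}
        if method == "PATCH":
            self.users[uid].update(body)
            return 204, {}
        if method == "DELETE":
            del self.users[uid]
            return 204, {}
        return 405, {}


def lifecycle_demo(client):
    """Create, block sign-in, then delete: the three button flows run back to back."""
    created = client.create("Alice Example", "alice@contoso.example")
    client.set_sign_in_blocked(created["id"], True)
    client.delete(created["id"])
    return created["id"]
```

Against a real tenant, `GraphUsers(http_transport(token))` is the only line that changes; everything the flows do is then a short, auditable call rather than a manual portal click, and the password only ever exists in the request body and the notification email, never in the response.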

With Microsoft Flow, the possibilities are endless with the predefined templates and built-in connectors to services, you don’t have to be a developer to automate processes and workflows!