I personally like Google's approach of separating company and private data. With Android Enterprise, the enrollment creates a kind of sandbox where the admin can manage everything that is required from a company perspective. The other part of the phone stays untouched, and the user can install apps from the Play Store as usual. If the device gets wiped, only the company area will disappear. You can find more information about it on Google.
Click on “Devices”.
Click on “Enroll devices”.
Click on “Android enrollment”.
Click on “Managed Google Play”.
Click on “I Agree”.
Click on “Launch Google to connect now”.
The Google Play setup will appear in the language that corresponds to the location you entered in Google. If you are not logged in with the account you want to use to link the organization, you can also create a new one.
Please double-check for typos here.
Click on “Confirm”.
You can close this window and continue in Intune.
There will be a popup notification showing up in Intune if Managed Google Play is successfully configured with the tenant.
Click on Managed Google Play to proceed with adding/approving Apps.
Click on “Open the managed Google Play store”. Afterwards, you will be in the managed Google Play store linked to your organization.
Approve Apps in Managed Google Play
Approving apps in the Managed Google Play portal is very important because otherwise your users won’t be able to install any app (at least in the work area). Only approved apps will show up in the Play Store for Work on the device. This speciality needs some end-user training in advance, because it can be confusing to have the same app installed on both sides, which are technically independent of each other, with different behaviour on each. You can reach Play for work
Search for your preferred App. In this example we will go with Word.
Click on Word.
Click on “Approve”.
Click on Approve again.
The approval settings are special. To choose the right of the two options you should keep the following in mind.
First of all: Does this App really belong to the Work area?
If the developer of the app changes anything and you keep it approved, you won’t notice if, for example, a barcode scanner starts collecting data you are not willing to share.
If you revoke the app approval as soon as app permissions change, you must reapprove the app. Ask yourself whether you really trust the developer. To be on the safe side, it is better to reapprove.
Sync Apps from Managed Google Play to Intune
It can be frustrating that freshly approved apps won’t show up directly in Intune. To speed things up we will have to do a manual operation.
There is an additional sync needed to be able to see the freshly approved apps.
Click on “Tenant Administration”.
Click on “Connectors and Tokens”.
Click on “Managed Google Play”.
Click on “Save and Sync”.
There will be a popup showing that the sync is kicked off.
If you check the Android apps list a few minutes later all approved apps show up.
Deploy already approved Apps to the Service
In my example I picked Microsoft Excel. Click on “Properties”.
Click on Assignments “Edit” to add it to your Service group.
In our case, we will assign it as “Available Apps for enrolled devices” because I don’t want this App to be a part of the basic Service.
Required Apps will be installed directly after the enrollment OR after the next sync.
Good to Know
Keep in mind that on Android devices required apps will also be downloaded via the mobile contract. The download won’t wait until the device is connected to Wi-Fi, which can cause extra cost. You as an administrator are fully responsible for that. For example, the Office apps (Word, Excel and PowerPoint) will sum up to about 220MB.
Most new devices will also download major updates if the user confirms. You should be very transparent about that in your training material and think about providing access to a Wi-Fi hotspot prior to the enrollment. Also, a Wi-Fi profile is not always the solution because the settings could arrive later than needed.
If you click on “+Add group”, you will be able to select your Azure AD group. In my case, it would be “MDM-Android-StdService-AvailableApps”. Click on “Select” to proceed with one group.
The selected group will show up.
It is also possible to assign both Required and Available. This will only affect users who accidentally deleted an app that was required. These users can access the Play Store for Work to reinstall it, which could prevent a Service Desk call. On the other hand, a proper sync would also fix that faux pas.
Create an App configuration Policy for Microsoft Outlook
There are a few things that can increase user satisfaction with minimum effort. One of my favourites is pre-entered user accounts. “Classic” Office products like Word, Excel and PowerPoint can use credential sharing from the Company Portal. Microsoft Outlook doesn’t do that but we can pre-configure the App for our users.
Being already in the Apps section, click on “App configuration policies” to proceed.
Even if it sounds strange click on “Add” and choose “Managed devices”.
Provide a Name and change the Platform to “Android Enterprise” and the Profile type to “Personally-Owned Work Profile Only”. These settings are based on the settings we used previously in the other parts of this series of guides.
I will explain in detail because Microsoft Outlook will be the first App your users will open after enrollment. This really impacts the first impression.
Important: Think of what would be best for your organization – even if I configured it in a different way.
Focused Inbox: I often heard that it is confusing to see emails in a different order than in Microsoft Outlook on the PC, so I turned it off.
Save Contacts: Users want to have their contacts available also in the Contacts App to see who is calling.
Default app signature: I turned this off because it is a legal requirement in Germany to add a company Signature. Prefilled “Sent from Outlook Mobile” won’t fix that. Additional Information: Pictures like company Logos are not supported in Microsoft Outlook. Prepare an End-user Guide on how to set up the Signature with details on what the company policy requires in a signature.
Assign this Policy to the Service Group.
Click on “Next”
Click on “Create”. Afterwards, the users will face a different first-run experience. In my testing, I didn’t have any already configured apps, so I would strongly recommend testing it upfront if you already have phones up and running with Microsoft Outlook configured manually.
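Once the policy exists, it is worth confirming that what was deployed still matches the three Outlook choices made above. The following is an added example, not part of the original guide or of Microsoft's tooling: it decodes an exported policy and reports any deviation from those choices. It assumes the policy was exported from Microsoft Graph as an object whose payloadJson field holds base64-encoded managed-configuration JSON, and that the three settings map to the Outlook configuration keys shown; the sample policy is constructed.

```python
import base64
import json

OUTLOOK = "com.microsoft.office.outlook"
# Baseline per the text: Focused Inbox off, Save Contacts on, default signature off.
BASELINE = {
    "com.microsoft.outlook.Mail.FocusedInbox": False,
    "com.microsoft.outlook.Contacts.LocalSyncEnabled": True,
    "com.microsoft.outlook.Mail.DefaultSignatureEnabled": False,
}


def decode_payload(policy):
    """Return {key: value} from the policy's base64-encoded payloadJson."""
    doc = json.loads(base64.b64decode(policy["payloadJson"], validate=True))
    settings = {}
    for prop in doc.get("managedProperty", []):
        for field in ("valueBool", "valueString", "valueInteger"):
            if field in prop:
                settings[prop["key"]] = prop[field]
                break
    return settings


def find_drift(policy, baseline=BASELINE):
    """List deviations of an exported policy from the baseline."""
    findings = []
    if policy.get("packageId") != OUTLOOK:
        findings.append(f"unexpected packageId: {policy.get('packageId')!r}")
    settings = decode_payload(policy)
    for key, expected in baseline.items():
        if key not in settings:
            findings.append(f"{key}: not set, app default applies")
        elif settings[key] is not expected:  # strict: "false" is not False
            findings.append(f"{key}: expected {expected}, found {settings[key]!r}")
    return findings


def make_sample_policy(props):
    """Build a constructed export for the demo; not real tenant data."""
    payload = {"kind": "androidenterprise#managedConfiguration",
               "productId": "app:" + OUTLOOK,
               "managedProperty": [{"key": k, "valueBool": v} for k, v in props.items()]}
    blob = base64.b64encode(json.dumps(payload).encode()).decode()
    return {"packageId": OUTLOOK, "payloadJson": blob}

if __name__ == "__main__":
    sample = make_sample_policy({"com.microsoft.outlook.Mail.FocusedInbox": True})
    print("\n".join(find_drift(sample)) or "no drift")
```

A setting reported as "not set" means the app falls back to its own default, which may differ from what the end-user guide promises.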