What is Intune

 

Mastering Microsoft Intune: Deploying Android Corporate-Owned, Fully Managed Devices Complete Guide

Microsoft Intune makes it easy for IT teams to manage company-owned Android devices that are fully dedicated to work. These devices are assigned to individual users and are strictly for business use—no personal apps or data allowed. This guide walks IT administrators through the entire process, from enrolling and setting up these devices to applying policies and resolving common issues, with clear, step-by-step instructions.

Why Use Fully Managed Devices

some your organization provides Android tablets or smartphones to company employees, only for business purposes, but someone use it to bypass security and install unapproved apps, so in you have Intune environment, you can manage the full device without user engagement

• fully controlled by your organization
• Employees cannot override settings
• Company policies decide how the device works, what apps are installed, and how data is protected

Create an Enrollment Profile:

• Sign in to the Microsoft Intune admin center. https://intune.microsoft.com/
• Go to Devices > Android > Android enrollment

• Select Corporate-owned, fully managed user devices.

• Click Create policy and provide a name (Example: "Fully Managed Android").

Token Type -

Corporate-owned, fully managed (default)

• Each device is being set up directly for the end user. The device is enrolled into Intune with the user’s account during setup. All Intune profiles, apps, and policies apply immediately to that specific user.
• Assigning a device permanently to one employee right from day one.
• Faster if you’re just setting up for one user immediately.

Corporate-owned, fully managed, via stag

• You want to pre-configure devices before giving them to the actual user An IT admin (or staging account) enrolls the device first The device gets all baseline apps, configurations, and policies. Then the end user signs in later — no need for them to wait through the full enrollment process.
• Large rollouts, retail/kiosk devices, or when you want devices ready “out of the box” for staff.
• Better for bulk provisioning or if you want consistent baseline setup before giving to employees.

• Select Token type as Corporate-owned, fully managed (default) or via staging for pre-provisioning by vendors.

• Then you can see created full management profile

After creating your Corporate-owned, Fully Managed enrollment profile, you should create a group in Intune that automatically adds devices as they enroll. Every time a new Android device is enrolled using this profile, Intune automatically adds it to this group, so it instantly receives all assigned policies, apps, and compliance settings.

• In the Microsoft Endpoint Manager Admin Center, navigate to Groups > New Group

• Set Group type to Security and Membership type to Dynamic Device.

• Add a dynamic query example (device enollmentProfileName -eq "fully managed Android") to automatically and Save the group. Note that it may take time for devices to populate in the group.

Enrol the Android Tablet on Intune

• Once your dynamic device group is ready, you can enrol your corporate-owned Android tablet on Intune. You can get the tablet you want to enroll. Factory reset the device so it starts fresh.

• Click the all settings and next

• During manual setup of a factory-reset Android device, you might see the Google Account sign-in screen pop up. Instead of entering a personal Gmail address, you can trigger Android Enterprise enrollment by using the AFW#setup code.

• Start Enrolling the Tablet into Your Organization then next

• This will launch the QR code scanner. The camera screen will pop up.

• After the QR scanner pops up, navigate to your created Corporate-owned enrollment profile in Intune. From there, you can either scan the QR code directly or manually enter the enrollment token to start the device setup

• After you scan the code, the device will display your organization’s setup and policy screen. Review the information, then continue to complete the enrollment process.

• Then, next, start Device provisioning

• The device prompts you to sign in with your work or school account associated with Intune he device prompts you to sign in with your work or school account associated with Intune Enter your email user and password, then tap

• This links the device to your user profile in Intune, allowing personalized policy application and app deployment.

• Registering your device means uploading your device details to connect it to work resources

• Tap “Continue” to proceed and complete the enrollment process.

• Tap “Register” to complete the device registration with your organization’s Intune environment.

After pop-up Register, a confirmation message will appear.

• Next, you will see a “Register your device” screen. Tap Next to complete this final stage of device registration.

• Then go to the Intune Admin Center under Devices > Android to see and manage your fully enrolled device

• This device is fully managed, meaning users cannot install apps or change settings—only administrators have full control.
• If you want to deploy Android Enterprise policies, create and assign them before creating your Android Fully Managed device group. This ensures policies are automatically applied when devices join the group.
• Also, for app deployment, keep in mind that user-installed apps will not work on fully managed Android devices. To deploy any apps, assign them to the device group before the devices enroll, so they install automatically.

• Note: In this view, devices are identified by their Device ID, not by the user’s name.