We want to start using Android Enterprise with MS Intune.

SmileSerio
Level 1.5: Cupcake

In my organization, we are going to renew equipment, and we were reviewing the option that the equipment we are quoting is an Android Enterprise Recommended device. We were considering the possibility of starting to manage all policies through Microsoft Intune. Now, my question is, aside from having an Android Enterprise Recommended device and the respective active Intune service and everything it entails, do I need anything else, or can I start managing my devices with just this? I would greatly appreciate your support and any additional comments.

 

Best regards.


mattdermody
Level 2.2: Froyo

It really depends on what the intended use case is for your devices, which will influence what management style of Android Enterprise you use. For example, BYOD knowledge worker devices have completely different needs from a dedicated device used in a warehouse or retail store, which are completely different from a dedicated single-purpose kiosk. There are different flavors of Android Enterprise management for each use case, and different EMMs excel at different specialities of Android. My personal experience with Intune is that it does not handle the dedicated or "fully managed" device use case very well and leaves a lot to be desired. There are features like Remote Control that I consider critical for dedicated device management that don't come standard with Intune without additional licensing. In comparison, Intune, being a part of the Microsoft ecosystem, tends to handle MAM, compliance, and hooking into o365 applications fairly well, which makes it decently suited for the BYOD use case.

Intune also has traditionally been considered the cheap option given historical bundling with o365 subscriptions, but over time they have moved more and more features into more and more complex and expensive licensing bundles.

https://www.microsoft.com/en-us/security/business/microsoft-intune-pricing

 

In summary, we can't give you a thorough answer unless you also describe the different Android Enterprise management use cases that you're looking to cover with Intune. 

Thank you very much for all the feedback, @mattdermody. Below, I’m sharing the specific requirements from my users. The devices they will use will be provided by the company, and we want to restrict the installation of applications while having simple monitoring of these devices.

It’s important to be able to "adopt" the devices into the inventory. In case an employee leaves the company, we need a quick cleanup of the device so that it can be made available again without extensive manual configurations. Additionally, in case of loss, it should be possible to wipe the device remotely.

We also require the installation of specific applications, such as antivirus and some tools from the Microsoft suite that we use internally. Employees will primarily use their devices as a means of communication, both with clients and internally (email, Teams, etc.).

You are describing company-provided, business-owned devices that are relatively locked down, possibly personally enabled, but still restricted to specific applications. You're describing somewhere in between COBO and COPE from my perspective. Both of those management styles are based on the Device Owner management style, which, in my personal experience, Intune does not do so well in. Some of the others here may offer a different perspective based on their own experience, but I can't personally recommend Intune.

Moombas
Level 4.1: Jelly Bean

In addition to what Matt already wrote, I highly recommend looking into other MDM alternatives instead of focusing on Intune. There are already some reasons mentioned by Matt here, but also our experience in the past (we just tested it briefly) has been very bad, both from Intune's behavior and from the additional need to buy licenses for another software in order to get remote control.

Also, the way Intune works (for example, the time it takes until changes take place, ...) was a no-go for us.

Michel
Level 2.2: Froyo

While it is always good to look at different options, Intune isn't that bad lately. I'm doing a lot of implementations of Intune with Android Enterprise devices (smartphones and tablets); rugged devices such as Zebra equipment are better handled with Workspace ONE, for example.

As @mattdermody said, it all starts with what you are looking for. Intune does most things well, but don't expect the option for specific settings like disabled battery optimization for apps in there. Intune works if you are just looking to manage devices and keep them secure; all the basics are there.

One thing I always recommend customers stay away from is the kiosk mode of Intune; that just does not work as well as it should. It has had a couple of bugs for years now.

If you are going for Samsung devices, keep in mind that you can add the Knox OEMConfig to Intune for free by generating a Platform for Enterprise license in Knox. With this plugin, you get a lot more APIs that Samsung has built into their devices, making Intune a very good fit for those devices (except the kiosk, of course).

Another thing worth mentioning is firmware control: Intune has the nasty habit of telling your device to update when you are calling, for example.

Long story short, decide what management flavour(s) you might want and see what the requirements are for your organisation. Only then can you see if Intune is a fit from a technical point of view. I see why Moombas and mattdermody said what they said, but I don't agree on all points; Intune is a good fit for most companies I talk to.

SmileSerio
Level 1.5: Cupcake

Thank you very much! We are considering using Motorola devices, as I mentioned earlier. We are really focused on implementing device management that limits the installation of applications, allowing only the use of specific ones, such as messaging (Teams, email, WhatsApp, and voice calls).

Most of my users are engineers, and they primarily use the devices for communication with their managers or with users who provide them support. I greatly appreciate the time you take to respond to me @Michel 

As said above, this sounds like either a fully managed or COPE configuration, which we do for a lot of customers within Intune. This is basic functionality that all MDMs should be able to offer, I think (not sure if they do though).

But I have to agree with @jasonbayton, the UX isn't that good, the portal is often slow, and development is for now mainly focussed on Windows and Apple. Android is a bit left behind, so it takes longer for new features to appear. I like Samsung because of that: with the plugin you get the ability to use new features without having to wait on the MDM vendor to implement them.

But then again, I use Intune often because a lot of customers do not have very specific demands and are using Intune for their other devices, so why spend extra money if Intune can do what you want and you have experience with it? 

 

As said earlier, don't get stuck on Intune but look at your requirements and maybe reach out to your reseller to see if they have someone who can assist you. 

 

 

jasonbayton
Level 4.0: Ice Cream Sandwich

Explicitly answering your question, when you refresh ensure your reseller is a zero-touch or Knox partner and get those devices up into a provisioning solution straight away. It'll mean devices can go directly into MDM out of the box without a lot of per-device fiddling, and provides some safeguarding against devices going unmanaged after a reset.

 

Echoing others, don't just lean into Intune because it's there. The only thing they've got going for them is conditional access policies, but they allow integration from other EMMs there also. 

 

As a platform their UX is frustrating, their pace of development is frustrating, and based on my experience directly & indirectly, their support is frustrating, with folks winding up here more often than not following a poor interaction with them.

 

Check out the market, there are more options than you can shake a stick at. 

Rakib
Level 2.0: Eclair

We are a shop that is primarily Intune, but for function devices we use WS1.

Why:

WS1 is faster when troubleshooting and sending new settings

You can upload apk files directly

Tunnel (microvpn for shared devices)

 

If these or other special cases do not apply to you, Intune should work fine as your MDM. You get used to the UX, since you probably have your Windows devices and Macs there already.

I am not sure what you mean by function devices, but if you're referring to dedicated or line of business device use cases then I completely agree. I would never use Intune for mission critical devices given its limitations from both a speed of application of settings as well as the inability to install APKs directly on devices for precise version control. Intune may be Android Enterprise Recommended, but I consider AER to be the baseline bare minimum set of definitions and standards an EMM must provide. You need a lot more than the bare minimum to support line of business devices. WS1 is a solid choice for that situation, along with SOTI and 42Gears.

Rakib
Level 2.0: Eclair

Based on your requirements, it should be more than achievable on Intune. But I suggest also doing a POC on another MDM tool, just to test.

Alex_Muc
Level 2.2: Froyo

 

If your organization has little or no experience with managing Android Enterprise, I would definitely recommend the official AE trainings. AE Associate will already give you a good overview and AE Professional is very informative:
Training info: https://info.androidenterprise.training/
Portal with training courses and certifications: https://androidenterprise.exceedlms.com/student/catalog

 

With these three points you have a very good basis for Android Enterprise:

 

You should also think about your management use cases in advance.
From the answers it sounded mainly like fully managed. If you want to give users more options, maybe also work profiles on company-owned devices.