Set up enrollment of Android Enterprise personally owned work profile devices

Set up enrollment for bring-your-own-device (BYOD) and personal device scenarios using the Android Enterprise personally owned work profile management solution. During enrollment, a work profile is created on the device to house work apps and work data. You can use Microsoft Intune policies to manage the work profile and its contents. Personal apps and data stay separate in another part of the device and remain unaffected by Intune.

For more information about Android Enterprise work profile features, see Work profiles (opens Android Enterprise Help).

Enrollment methods

Intune supports two enrollment methods for personally owned work profile devices. Use the following table to understand your options and migration path.

To enable web-based enrollment for your tenant, see Enable web-based enrollment.

Requirements

Set up enrollment

Complete these steps to set up enrollment for Android Enterprise devices in BYOD scenarios. Web-based enrollment is the recommended method for personally owned work profile devices. Configuring device platform restrictions is optional and only needed if you want to restrict or customize enrollment behavior beyond the defaults.

Enable web-based enrollment

Users can start enrollment directly from their browser through a link in Microsoft Teams, Outlook, Intune Company Portal, or a URL you provide.

1. Sign in to the Microsoft Intune admin center.
2. Go to Devices.
3. Select the Android tab.
4. Expand Device onboarding and select Enrollment.
5. Under Enrollment Profiles, select Personally owned devices with a work profile.
6. Select Use web enrollment for all users enrolling into Android personally owned work profile management.
7. Select Save.

Configure device platform restrictions

Optionally, control or restrict other enrollment methods. Apply platform restrictions if you need to block specific device types or enrollment methods, such as preventing Android device administrator enrollment. If the default settings meet your needs, you can skip this step.

1. Sign in to the Microsoft Intune admin center.

2. Go to Devices.

3. Expand Device onboarding and select Enrollment.

4. Select the Android tab.

5. In the Enrollment options section, choose Device platform restriction.

6. Select the Android restrictions tab.

7. Select Create restriction.

8. On the Basics page, enter a name and description for the restriction so that you can distinguish it from other restrictions in the admin center. Device users don't see these details.

9. Select Next to continue to Platform settings.

10. Configure platform settings for Android Enterprise (work profile). Your options:

    • Platform: Select Allow to permit enrollment with Android Enterprise work profile. Select Block to prevent work profile enrollment. If you block work profile, devices enroll using the Android device administrator management solution, unless device administrator enrollment is also blocked.
    • Personally owned: Select Allow to permit personal devices to enroll with a work profile. Personal devices are allowed by default. Select Block to prevent personal devices from enrolling with a work profile. Android devices that don't support Android Enterprise enroll using the Android device administrator solution, unless device administrator enrollment is blocked.

    Any device that supports Android Enterprise personal work profiles also supports the Android device administrator management solution, so if you don't want Android device administrator to be a part of enrollments, make sure to block the platform. For more information, see device platform restrictions.

    Note

    Today, Android Enterprise work profile management for personal devices is allowed by default. In policies configured before July 2019 without any changes, the default setting blocks Android Enterprise work profile management.

    Important

    Android device administrator (DA) management is deprecated and no longer available for devices with access to Google Mobile Services (GMS). If you currently use DA management, we recommend switching to another Android management option. Support and help documentation remain available for some Android 15 and earlier devices without GMS. For more information, see Ending support for Android device administrator on GMS devices.

11. Select Next to continue to Scope tags.

12. Optionally, apply one or more scope tags to limit visibility and management of restrictions to certain admin users in Intune. For more information about how to use scope tags, see Use role-based access control and scope tags for distributed IT.

13. Select Next to continue to Assignments.

14. Assign the restriction to all users, or select specific groups.

15. Select Next to continue to Review + create.

16. Review your choices, and then select Create to finish creating the restriction.

Enroll devices

When web-based enrollment is enabled, users can access enrollment from any of the following entry points, all of which launch the same enrollment webpage:

• Productivity apps such as Teams or Outlook (recommended): If you've configured conditional access policies that require enrollment before accessing corporate resources, users are prompted to enroll when they open a supported app.
• Company Portal app: Users can open the Company Portal app and follow the prompts to enroll.
• Enrollment URL: Users can go to aka.ms/enrollmyandroid in their browser to start enrollment.

Be sure to communicate which entry point your organization uses and provide updated guidance before rolling out enrollment.

Communicate enrollment steps to device users. Users typically don't like enrolling themselves, and aren't familiar with the Intune Company Portal app or Microsoft Intune app. Be sure to provide guidance, including what information to enter. For some guidance on communicating with your users, see Planning guide: Step 5 - Create a rollout plan.

Users must be signed in to the primary user account on their device when enrolling. Enrollment isn't supported on secondary user accounts. Personal devices previously enrolled with Android device administrator can unenroll, and then re-enroll using the work profile solution.

For more information and screenshots of the end user experience, see Enroll device with Android work profile in the Intune user help docs.

Apps installed at enrollment

Intune automatically installs the following apps on enrolled devices:

• Microsoft Intune: Handles device management tasks, including checking compliance, syncing policies, collecting diagnostic logs, and contacting IT support.
• Company Portal: Used for browsing and installing work apps and supports MAM scenarios.
• Android Device Policy: Enforces Android Management API policies on web-based enrollments. Installed in a hidden state. Users don't see it.
• Microsoft Authenticator: Provides single sign-on (SSO) for the user's work account.

Data shared with Google

Microsoft Intune shares certain user and device information with Google when Android Enterprise device management is enabled. For more information, see Data Intune sends to Google.

Limitations

The limitations in this section apply to personal devices with a work profile.

Private space

Private space is a feature introduced with Android 15 that lets people create a space on their device for sensitive apps and data they want to keep hidden.

• The private space is considered a personal profile. Microsoft Intune doesn't support mobile device management within the private space or provide technical support for devices that attempt to enroll the private space.

• If users attempt to enroll the private space after they enroll the device, Intune will initiate the device administrator enrollment process. The second enrollment causes two enrollment records to appear in the Microsoft Intune admin center: one under work profile management and one under device administrator management. Microsoft Intune doesn't provide support for this scenario.

Web-based enrollment

• If passkeys are configured as the only accepted authentication method in your tenant, users can't complete web enrollment. This limitation will be resolved in a future update. Don't enable web enrollment until passkey support is announced.
• Microsoft Teams and Outlook are the supported productivity app entry points for web enrollment. Other Microsoft 365 apps aren't currently supported as enrollment entry points.
• Microsoft Entra Terms of Use (TOU) before work profile creation aren't supported for Android web enrollment without also requiring them across all Intune scenarios.
• After web enrollment, both the Microsoft Intune app (for device management) and Company Portal (for app management) are installed in the work profile of the device. If Company Portal isn't visible, verify it was installed successfully.
• If a user is already enrolled with an older EMM work profile and opens a productivity app in their personal profile after web enrollment is enabled but before their device is migrated, they might be prompted to enroll again. Attempting to re-enroll results in an error. Direct these users to open the productivity app in their work profile instead.
• If a user lands on the Get Started enrollment page but their device is already enrolled, they may only need to redo Workplace Join. For more information, see Redo Workplace Join for Android Enterprise devices.
• If Company Portal is older than version 2604.x, users are routed to the app-based enrollment flow instead of web-based enrollment. Ensure Company Portal is up to date on devices before enabling web-based enrollment.
• During enrollment, the browser may prompt users to add their work account to the browser. Users should skip this prompt and continue with the enrollment steps.

Next steps

• Deploy Android Enterprise apps
• Add Android Enterprise configuration policies
• Configuring and troubleshooting Android Enterprise devices in Microsoft Intune