Microsoft has been building an ecosystem of Android applications with features such as employee tracking, but these make little sense when end users can simply switch to alternative apps that lack the reporting features.
Today, however, Microsoft announced a new feature for Intune for Android designed specifically for locked-down devices, which will prevent that scenario and allow managers to tightly control what applications and features their employees use.
Intune for Android enterprise purpose-built device management targets task-based use cases, such as unattended guest kiosk experiences, inventory tracking, mobile ticketing, point-of-sale devices, digital signage, and other cases where devices need to be tightly managed and heavily locked down.
Devices managed in this way enroll into Intune using popular new enrollment methods, such as scanning a QR code or Android zero touch enrollment, without needing to have user account credentials on the device. IT admins configure these corporate-owned devices to be used in locked-down environments, allowing only the app or apps necessary to complete the task, while preventing users from accessing settings, installing apps, or changing other device functions that could interfere with reliable operation.
This Android enterprise capability is supported on a wide range of devices throughout the Android ecosystem and is standards-based, so managers can count on consistency and completeness of support across a broad set of device manufacturers.
IT organizations can use Intune to streamline remote management to deliver a consistent set of device settings capabilities across device manufacturers and leverage the flexibility and reach of the managed Google Play Store to deploy and configure apps.
Microsoft Intune empowers organizations to achieve more on Android with:
- Streamlined remote device management and modern provisioning.
- Simplified app distribution and robust app security.
- A customizable, user-friendly home screen experience.
Streamlined remote device management and modern provisioning
Purpose-built devices are typically deployed at remote locations and provisioned at scale, such as to all the branches of a store or remote sites where technical staff may not be available. IT requires a robust solution where devices can be shipped thousands of miles away, be plugged in by line-of-business staff, and start working without any on-site technical support. With Intune, these devices are easy to provision and configure remotely.
Other key advantages for a modern kiosk experience include:
- Wider range of device choices—Support for Android enterprise capabilities allows customers to take advantage of great choice in price point, customizations, ruggedization options, and form factors from different device manufacturers—offering a consistent feature-set across the entire ecosystem.
- Streamlined onboarding—Purpose-built device enrollment can be initiated in multiple ways. Depending on the infrastructure, devices may be enrolled by scanning a QR code with the built-in camera, by entering a special enrollment token string, or by taking advantage of the Google Zero Touch provisioning system. Rapid onboarding is possible because there is no need to enter a username and password. It is easy to bring up several new devices without user input at the remote site.
Simplified app distribution and robust app security
Intune makes it easy to turn a standard, corporate-owned Android enterprise device into a purpose-built device by remotely configuring only the apps and device-features necessary to do the job. The app distribution capabilities on Android enterprise devices come from Intune’s integration with the managed Google Play Store.
Key benefits include:
- Unattended app installation and updates—IT admins can silently push “required” app installations with no user intervention.
- Managed app configuration—For apps in the Google Play Store that support managed configuration options, you can use Intune to browse, specify, and manage configuration settings as well as runtime permissions.
- Device-based targeting—As these devices are not associated with user identity, targeting of apps and policies is done using device groups. Azure Active Directory customers may use dynamic device groups to further simplify the automation to target apps and policies based on a device’s enrollment profile.
Customized home screen experience
You can restrict the device experience to specific apps or specific web links with the Managed Home Screen app. Based on the popular Microsoft Launcher consumer app, Managed Home Screen allows Intune to deliver a highly productive, single-use experience—whether limited to a single app (kiosk mode), or a set of mobile and web apps. This enterprise app—deployed by admins to managed Android enterprise devices for this scenario—brings the highly-rated consumer experience to locked-down, purpose-built devices.
The new capability will be deployed on a rolling basis throughout the production environment, with Microsoft expecting it to be enabled for all tenants by the end of the week. IT can get started with their Android deployment using the Intune documentation.
Given the child-tracking and parental control features Microsoft is building into Edge and Launcher for Android, we assume a consumer version of this tool will also be delivered eventually.
In some ways, Microsoft is hoping to increase use of its applications and services by having managers (and possibly parents) force end users to use its apps. What do our readers think of this route to offering a Microsoft-only Android experience for enterprise smartphone users? Let us know below.