You're reading from Microsoft Intune Cookbook

Product type: Book
Published in: Jan 2024
Publisher: Packt
ISBN-13: 9781805126546
Edition: 1st Edition

Author: Andrew Taylor

Andrew Taylor is an End-User Compute architect with 20 years' IT experience across industries and a particular interest in Microsoft Cloud technologies, PowerShell and Microsoft Graph. Andrew graduated with a degree in Business Studies in 2004 from Lancaster University and since then has obtained numerous Microsoft certifications, including Microsoft 365 Enterprise Administrator Expert, Azure Solutions Architect Expert and Cybersecurity Architect Expert, amongst others. He is currently working as an EUC Architect for an IT company in the United Kingdom, planning and automating the products across the EUC space. Andrew lives on the coast in the North East of England with his wife and two daughters.

Android Device Management

After the excitement of enrolling and provisioning our first Windows device, we can now look at the other supported operating systems. This chapter looks at Android device management, configuring policies to manage enterprise-owned and managed devices, and then app protection policies to protect your user-owned Bring Your own Device (BYOD).

It will also run through the process of configuring Intune to work with a managed Google Play account and deploying applications from the Play Store.

Finally, we will enroll both a managed device and a BYOD.

This chapter includes the following recipes:

  • Setting up a managed Google Play account
  • Configuring enrollment profiles
  • Adding a Google Play application
  • Configuring a device restrictions policy
  • Configuring an OEM policy
  • Configuring a Wi-Fi policy
  • Adding an app protection policy
  • Enrolling an Android device – managed
  • Enrolling an Android device – BYOD
...

Chapter materials

As with Chapter 2, this chapter will not cover all available policy types, so we will run through them all now to get a better understanding of what is available for Android devices. All profiles are available for creation for either corporate-owned (fully managed, dedicated, or work profile) or personally owned (work profile) devices. These profile types will be explained in the first recipe. We will also be concentrating on Android Enterprise devices; Android Device Administrator is now legacy and should not be used. Android Open Source Project (AOSP) is improving, but it is still less popular and has fewer options available.

The available profile types are as follows:

  • OEM Config: We will cover this later in this chapter. It is for configuring manufacturer-specific OEM settings (where applicable).
  • Derived credential: This is used for certificate authentication within apps. You can read more here: https://learn.microsoft.com/en-gb/mem/intune/protect...

Technical requirements

For this chapter, you will need a modern web browser and a PowerShell code editor such as Visual Studio Code (VS Code) or PowerShell ISE.

All of the scripts that are referenced in this chapter can be found here: https://github.com/PacktPublishing/Microsoft-Intune-Cookbook.

For enrolling devices, you will need a factory-reset Android device.

Tip

If your device is already enabled for another MDM, you will need to remove any previous management that has been configured and then wipe the device before enrolling into Intune.

Setting up a managed Google Play account

Before we configure any Android policies or settings, we need to attach Intune to a managed Google Play account. We will then use this for enrolling devices as well as deploying applications.

You do not need an existing Google account for this, as we can set it up during the process (ideally an Android Enterprise account). It is also worth using a shared/generic account rather than one linked to a particular member of staff.

Follow this recipe to link Intune and a managed Google Play account.

How to do it…

Follow these steps:

  1. First, we need to navigate to Devices from the Intune menu.
  2. Then, click Enrollment; in the old portal, click Enroll Devices.
  3. Now, click Android.
  4. Click Managed Google Play.
  5. Check the box to agree to the permissions and click the Launch Google to connect now button.
  6. In the pop-up window, click either of the Sign In buttons.
  7. Now, click Create Account (not Sign in).
  8. Select...

Configuring enrollment profiles

Now that our Google Play account has been linked, we can configure a profile to allow devices to be enrolled. This will provide us with a QR code and text code we can use when setting up a new device.

Before we run through the process of creating a profile, we need to understand all of the options available on the Android device enrollment screen:

  • Zero-touch enrollment: This is a way of bulk enrolling devices into your profile without needing to configure any steps during device configuration and enrollment (similar to Apple iOS and Apple Business Manager Automated Device Enrollment (ADE), which will be covered in the next chapter). It requires specific devices that have to be enrolled into the service by the distributor or service provider. Samsung Knox is a popular example that is free to configure and use; Android Zero Touch covers non-Samsung devices.
  • Personally-owned devices with work profile: This button just loads an information...

Adding a Google Play application

Before we look at our configuration policies, it is best to cover application deployment as we will need applications in the tenant for both device restrictions and OEM policies.

This recipe is going to concentrate on managed Google Play applications as they are the preferred choice for application deployment in an enterprise environment. It is worth covering the other application options so that we are aware of what is available:

  • Android Store app: This adds applications that are effectively shortcuts to the Play Store. Users will need a Google account, and you will need your restrictions to leave the store open, which means users can install anything they want.
  • Managed Google Play app: This adds a managed application that does not require a Google Play account. The store can be restricted to only approved applications.
  • Web link: Deploys a web link to devices onto the home screen.
  • Built-in app: These are pre-approved and curated...

Configuring a device restrictions policy

While we can now enroll a device, it will lack any configuration, and the user experience will be the same as any off-the-shelf device. For the full corporate experience, we need to configure a policy to manage them.

Android policies have yet to migrate to Settings catalog, so for this example, we are going to configure a device restrictions policy with some basic settings to set you on your way. The PowerShell script and included JSON will contain further settings.

How to do it…

Follow these steps:

  1. First, click on Devices in the Intune menu.
  2. Then, click Android.
  3. Now, click Configuration profiles.
  4. Finally, add a profile by clicking +Create | +New policy.
  5. Select Android Enterprise and then Device restrictions under Fully Managed, Dedicated and Corporate-Owned Work-Profile. Then, click Create.
  6. Give your policy a name and a description, and click Next.

    This next screen lists every setting available for...
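As an added example (not the book's GitHub script), the following PowerShell creates an equivalent Android Enterprise device restrictions policy through the Microsoft Graph beta endpoint using the Microsoft.Graph.Authentication module, checking first that a policy of the same name does not already exist. The policy name, description and setting values are assumed for illustration, and the policy is created unassigned.

```powershell
# Added example, not the book's script: create a corporate-owned Android
# Enterprise device restrictions policy via Microsoft Graph (beta).
# Property names follow the Graph androidDeviceOwnerGeneralDeviceConfiguration
# resource; the values below are an assumed baseline, not the book's JSON.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$policyName = "Android Enterprise - Baseline Restrictions"   # assumed name
$uri = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations"

# Idempotency check: re-running the script must not create a duplicate policy.
$filterUri = $uri + '?$filter=displayName eq ''' + $policyName + ''''
$existing = (Invoke-MgGraphRequest -Method GET -Uri $filterUri).value
if ($existing.Count -gt 0) {
    Write-Host "Policy '$policyName' already exists (id $($existing[0].id)); nothing created."
    return
}

$policy = @{
    "@odata.type" = "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration"
    displayName   = $policyName
    description   = "Baseline restrictions for corporate-owned Android devices"  # assumed
    # Users must not be able to wipe management off the device themselves
    factoryResetBlocked = $true
    # Keep corporate data off screenshots, SD cards and USB file transfer
    screenCaptureBlocked        = $true
    storageBlockExternalMedia   = $true
    storageBlockUsbFileTransfer = $true
    # Managed Google Play should be the only source of applications
    appsAllowInstallFromUnknownSources = $false
    securityRequireVerifyApps          = $true
    # Device password baseline
    passwordRequiredType                           = "numericComplex"
    passwordMinimumLength                          = 6
    passwordMinutesOfInactivityBeforeScreenTimeout = 5
}

$created = Invoke-MgGraphRequest -Method POST -Uri $uri `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType "application/json"
Write-Host "Created policy '$($created.displayName)' with id $($created.id)"
```

Assigning the policy to a group is a separate call against the policy's assign action, so the created policy applies to no devices until that is done.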

Configuring an OEM policy

Most large Android manufacturers also provide the option to configure device-specific settings using a mixture of a Google Play application and a corresponding OEM policy. You can then use device filters (which we will cover in Chapter 13) to restrict these applications and policies to the correct devices.

For this example, we are going to configure a policy for the Microsoft Surface Duo range of devices, but some other manufacturer applications are as follows:

Configuring a Wi-Fi policy

In an enterprise/office setup, you want a secure wireless network that the users both should not and cannot connect to themselves, whether this is using a certificate-based connection or just a secure code that is not shared with staff.

To do this, we need to deploy a Wi-Fi policy to our mobile devices. Remember, however, that unless you are using a zero-touch enrollment such as Samsung Knox, the devices will not pick up this new policy until after enrollment. Therefore, you will need an initial internet connection to enroll and set up new devices. This could be a 4G/5G connection, a guest network, or a basic enrollment network with strict security policies applied.

This example will cover a simpler WPA2 network configuration, as an Enterprise configuration will require certificate deployments. If this is more appropriate for your environment, you can follow the guide here: https://learn.microsoft.com/en-us/mem/intune/configuration/wi-fi-settings...

Adding an app protection policy

We have now configured policies for our corporate-owned devices to keep them secured and managed, but what about devices owned by users who want to access their email and other corporate apps on their personal devices? One option is to block this completely, but for most, that is not ideal, and we will just end up with a much larger list of corporate devices to purchase and manage.

Another option is to do nothing and let them add the apps completely unmanaged, but from a data protection perspective, this is a security concern as you have no control over your corporate data.

For this, we can use app protection policies and enroll devices into Mobile Application Management (MAM) instead of Mobile Device Management (MDM). Both can be used for additional security, but this would be unusual as it will add extra steps for the users on their devices, and we can assume a managed device is secure at the device layer. We do not want users fully enrolling...

Enrolling an Android device – managed device

Now that our policies have been fully configured, we can start enrolling our devices, starting with fully managed, corporate accounts. To do this, we will need an Android device that can be wiped for enrollment.

Getting ready

Wipe your Android device to the screen where you are prompted to enter your Gmail account and have your previously created QR code ready.

How to do it…

Follow these steps:

  1. On the screen where you must enter your credentials, you have two options, depending on the age of the device. For older devices, you will need to enter afw#setup; on newer devices, repeatedly tap the same screen:

Figure 5.8 – Android’s Sign in screen

     Click Accept and Continue on the Let’s set up your work device screen.

  2. Scan your QR code (or enter it manually) and click Accept & Continue.
  3. Click Next on the privacy screen.
  4. Click ACCEPT &...

Enrolling an Android device – BYOD

The preceding recipe was for corporate-owned devices. However, you cannot reset and enroll a personally owned device without many complaints. So, for these devices, we will use the Company Portal app to install our deployed apps into the secure work profile. As you will recall from earlier, personally owned devices with a work profile are enabled without any further configuration.

There are two ways of doing this, depending on your configuration – you can either allow or block personal devices to enroll with a work profile (covered in Chapter 13). The enrollment process is slightly different for each, so we will run through both here.

Getting ready…

For this recipe, you will need a current Android device with a connection to the Play Store and a signed-in account.

How to do it…

First, let us check what happens if you have personal enrollment allowed within your tenant.

Enrolling with personal enrollment...
