Similarly to iOS enrollment, there are multiple options when enrolling Android devices to Intune MDM.

Android Enterprise personally owned devices with a work profile

Personally-Owned, Work Profile is the most common scenario for bring your own device (BYOD), where the device is privately owned by the employee but is also used for company purposes.

A company profile is created on the device with company applications and data. This profile and the apps in it are managed and strictly isolated from private apps and data. The transfer of information and data between the private and corporate profiles is usually not possible, or at least restricted. Enrollment in this mode is “on the fly” and does not require a factory reset of the device.

Device enrollment

  1. Go to the Google Play store, and install the Company Portal app.
  2. Users open the Company Portal app, and sign in with the organization credentials (). After sign in, the enrollment profile applies to the device.

Android Enterprise fully managed

Corporate-Owned, Fully Managed (COBO) devices are typically user phones that are owned by a company. Such a phone is fully managed, including the system itself and all installed applications.

Factory reset is required to enroll devices in this mode. This mode requires Managed Google Play account and enrollment profile created in the Intune admin center.

Enroll by using a QR code

Intune admins can scan the QR code directly from the enrollment profile to enroll a device. This is the recommended enrollment method for most scenarios.

  1. After you wipe the device, tap the first screen you see repeatedly to launch the QR reader.
  2. If prompted to, install a QR reader on your device. Devices running Android 9.0 and later are preinstalled with a QR reader.
  3. Scan the enrollment profile QR code, and then follow the on-screen prompts to complete enrollment.

Enroll by using Google Zero Touch

Devices must be purchased from an authorized zero-touch reseller and support zero-touch enrollment.

Enroll by using Knox Mobile Enrollment

Samsung Knox Mobile Enrollment can be used as a tool to bulk enroll enterprise devices in Microsoft Intune. Knox Mobile Enrollment enables device enrollment to happen straight out-of-the-box after you turn on the device.

You must have a Samsung Knox account to access Knox Mobile Enrollment services in the Knox Admin Portal. Samsung Knox accounts require approval from Samsung, which can take one to two business days.

Enroll by using Near Field Communication (NFC)

Create a specially formatted NFC tag to provision NFC-supported devices running Android 8.0 or later. You can use your own app or any NFC tag-creation tool.

Enroll by using a token

This method is recommended for new or factory-reset devices, in scenarios where the QR code or NFC method aren’t available. It requires the person provisioning the device to type in the enrollment token string that they’re provided. The token works for all Intune-licensed users and doesn’t expire.

  1. Turn on the device.
  2. On the Welcome screen, select your language.
  3. Connect to your wireless network, and then choose NEXT.
  4. Accept the Google Terms and conditions, and then choose NEXT.
  5. On the Google sign-in screen, enter afw#setup instead of a Gmail account. This value is the DPC identifier for Microsoft Intune. Choose NEXT.
  6. Choose INSTALL for the Android Device Policy app.
  7. Continue to install the policy. Some devices may require additional terms acceptance.
  8. On the Enroll this device screen, allow your device to scan the QR code. Or, enter the token manually.
  9. Follow the on-screen prompts to complete enrollment.

Android Enterprise dedicated devices

Corporate-Owned, Dedicated Device (COSU) are typically single-purpose devices. For example, various presentation devices at trade shows, showrooms, kiosks, etc. They are not assigned to any specific user and are intended for some single-purpose specific use.

Factory reset is required to enroll devices in this mode. This mode requires Managed Google Play account and enrollment profile created in the Intune admin center.

Enroll by using a QR code

Intune admins can scan the QR code directly from the enrollment profile to enroll a device. This is the recommended enrollment method for most scenarios.

  1. After you wipe the device, tap the first screen you see repeatedly to launch the QR reader.
  2. If prompted to, install a QR reader on your device. Devices running Android 9.0 and later are preinstalled with a QR reader.
  3. Scan the enrollment profile QR code, and then follow the on-screen prompts to complete enrollment.

Enroll by using Google Zero Touch

Devices must be purchased from an authorized zero-touch reseller and support zero-touch enrollment.

Enroll by using Knox Mobile Enrollment

Samsung Knox Mobile Enrollment can be used as a tool to bulk enroll enterprise devices in Microsoft Intune. Knox Mobile Enrollment enables device enrollment to happen straight out-of-the-box after you turn on the device.

You must have a Samsung Knox account to access Knox Mobile Enrollment services in the Knox Admin Portal. Samsung Knox accounts require approval from Samsung, which can take one to two business days.

Enroll by using Near Field Communication (NFC)

Create a specially formatted NFC tag to provision NFC-supported devices running Android 8.0 or later. You can use your own app or any NFC tag-creation tool.

Enroll by using a token

This method is recommended for new or factory-reset devices, in scenarios where the QR code or NFC method aren’t available. It requires the person provisioning the device to type in the enrollment token string that they’re provided. The token works for all Intune-licensed users and doesn’t expire.

  1. Turn on the device.
  2. On the Welcome screen, select your language.
  3. Connect to your wireless network, and then choose NEXT.
  4. Accept the Google Terms and conditions, and then choose NEXT.
  5. On the Google sign-in screen, enter afw#setup instead of a Gmail account. This value is the DPC identifier for Microsoft Intune. Choose NEXT.
  6. Choose INSTALL for the Android Device Policy app.
  7. Continue to install the policy. Some devices may require additional terms acceptance.
  8. On the Enroll this device screen, allow your device to scan the QR code. Or, enter the token manually.
  9. Follow the on-screen prompts to complete enrollment.

Android Enterprise corporate owned work profile

Android Corporate-Owned, Personally-Enabled (COPE) is essentially the opposite of BYOD. The device is owned and managed by the organization, but there is an additional private profile on the device where the user can have their own private apps and their own private data.

Factory reset is required to enroll devices in this mode. This mode requires Managed Google Play account and enrollment profile created in the Intune admin center.

Enroll by using a QR code

Intune admins can scan the QR code directly from the enrollment profile to enroll a device. This is the recommended enrollment method for most scenarios.

  1. After you wipe the device, tap the first screen you see repeatedly to launch the QR reader.
  2. If prompted to, install a QR reader on your device. Devices running Android 9.0 and later are preinstalled with a QR reader.
  3. Scan the enrollment profile QR code, and then follow the on-screen prompts to complete enrollment.

Enroll by using Google Zero Touch

Devices must be purchased from an authorized zero-touch reseller and support zero-touch enrollment.

Enroll by using Knox Mobile Enrollment

Samsung Knox Mobile Enrollment can be used as a tool to bulk enroll enterprise devices in Microsoft Intune. Knox Mobile Enrollment enables device enrollment to happen straight out-of-the-box after you turn on the device.

You must have a Samsung Knox account to access Knox Mobile Enrollment services in the Knox Admin Portal. Samsung Knox accounts require approval from Samsung, which can take one to two business days.

Enroll by using Near Field Communication (NFC)

Create a specially formatted NFC tag to provision NFC-supported devices running Android 8.0 or later. You can use your own app or any NFC tag-creation tool.

Enroll by using a token

This method is recommended for new or factory-reset devices, in scenarios where the QR code or NFC method aren’t available. It requires the person provisioning the device to type in the enrollment token string that they’re provided. The token works for all Intune-licensed users and doesn’t expire.

  1. Turn on the device.
  2. On the Welcome screen, select your language.
  3. Connect to your wireless network, and then choose NEXT.
  4. Accept the Google Terms and conditions, and then choose NEXT.
  5. On the Google sign-in screen, enter afw#setup instead of a Gmail account. This value is the DPC identifier for Microsoft Intune. Choose NEXT.
  6. Choose INSTALL for the Android Device Policy app.
  7. Continue to install the policy. Some devices may require additional terms acceptance.
  8. On the Enroll this device screen, allow your device to scan the QR code. Or, enter the token manually.
  9. Follow the on-screen prompts to complete enrollment.

Which Android device enrollment option to use

In practice, mostly used are COPE for fully managed devices owned by the organization, or Work Profile for BYOD scenarios. I, in general, always recommended COPE or COBO if possible because BYOD creates more risks and management overheads.