Setting up Android Enterprise Dedicated Device Enrollment
Start course

In this course, we review the enrollment options available and processes to follow for enrolling Android devices in Microsoft 365.

Learning Objectives

  • An overview of the many enrollment options available for Android devices
  • Learn the prerequisites needed before enrolling Android devices in Microsoft 365 via Intune 
  • Cover Android Enterprise, Android Device Administrator, and Android Open Source Project enrollment options

Intended Audience

This course is intended for those who wish to learn about Enrolling Android devices in Microsoft 365.


You will require a basic understanding of Mobile Device Management in Microsoft 365.

Welcome to Setting Up Android Enterprise Dedicated Device Enrollment. Organization-owned single-purpose kiosk-type devices that are used for things like digital signage, ticket printing, and inventory management are supported by Android Enterprise.

Using Android Enterprise Dedicated Device Enrollment, you can lock down these kinds of devices to specific apps, including web apps. By locking these devices down, you can prevent users from adding their own, unapproved, apps to them and you can prevent them from taking actions on them, unless you explicitly approve them.

You can enroll these kinds of devices in Intune in two different ways. A device like this can be enrolled as a standard Android Enterprise dedicated device, or it can be enrolled as a standard Android Enterprise dedicated device that’s automatically set up with Microsoft's Authenticator application configured into Azure AD Shared device mode during enrollment.

Standard Android Enterprise dedicated devices are enrolled in Intune without a user account, meaning they are not associated with any particular user. This is because these kinds of kiosk-style devices are generally not intended for personal use applications, nor for apps that require user-specific account data like Outlook email or Gmail.

A standard Android Enterprise dedicated device that is automatically set up with Microsoft's Authenticator application configured into Azure AD Shared device mode during enrollment is also enrolled in Intune without a user account. It, too, is not associated with any particular user. Devices enrolled in this fashion are meant to be used with apps that are integrated with Azure AD's Shared device mode to allow for single sign-in and single sign-out between users across participating applications.

Regardless of which option you choose, Intune helps simplify the deployment of applications and settings to Android Enterprise dedicated devices. 

Now, it’s important to note that in order to be managed as an Android Enterprise dedicated device, a device needs to meet certain requirements. More specifically, such devices must run Android OS version 6.0 and above, and the device must run a distribution of Android that has Google Mobile Services (GMS) connectivity. The device needs to have GMS available, and it must be able to connect to GMS.

To enable Android Enterprise dedicated device management, you need to first set the mobile device management (MDM) authority to Microsoft Intune. Once you’ve done this, you need to Connect your Intune tenant account to your Managed Google Play account. The URL on your screen provides step-by-step instructions for this:

Once you’ve connected your Intune tenant to your Managed Google Play account, you can create your enrollment profile, which allows you to enroll your dedicated devices. When the enrollment profile is created, you receive an enrollment token and a QR code. You can use either or to enroll the dedicated device, depending on the Android OS and version of the device.

The next step is to create a device group. Using a device group, or multiple device groups, allows you to target apps and policies to groups of devices.

And then, lastly, you can enroll the dedicated devices. During enrollment, the Microsoft Intune app is automatically installed on the dedicated devices. It’s important to note that the Microsoft Intune app is required for enrollment, and it can’t be uninstalled. 

The Microsoft Authenticator app will also automatically be installed during enrollment if you are using the token type Corporate-owned dedicated device with Azure AD shared mode. This app is also required for this enrollment method, and it cannot be uninstalled.

About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.