Monday, 3 August 2020

COPE - Corporate Owned and Personally Enabled device management. Android and Intune.

Corporate Owned Personally Enabled Devices (COPE) Introduction

A newcomer to an organisation might receive two devices on day one - a laptop and a smart phone.  And in these days of Covid pandemic lock-down and furlough indeed they are becoming digital necessities.

The idea of your employees bringing along their own devices for corporate use, while sounding convenient, has never really taken off - at least in my experience.  There are a number of reasons for this.

1) On day one it doesn't create a good impression, informing your new worker he or she will be required to use their own equipment for a while, or until corporate equipment can be given to the new starter.

2) Personally owned devices are not necessarily secure enough and this exposes corporate data, that may download to that device: to possible loss or even to illegal misuse.

3) If the user's device is misplaced - remotely wiping the data on the user's device, using Intune or some other management application - well it is a bit inconvenient if the user finds that device and all their data is gone.  And also the legal implications need to be considered.

4) Personal devices are not necessarily maintained to the same level as corporate devices.  The latest updates may not be installed, or the latest anti-virus policies.  Personal applications may be effecting the performance of the device.  All these things can impact productivity if that device is essential to the worker's daily activities.

Perhaps it was a good idea, in the same way that the seaplane was a good idea - but the concept wasn't quite right.  Now initially the seaplane was seen as a boat that could fly and this was a good idea.  It became a great idea however, when the concept was adjusted so that a seaplane was a plane that could float, rather than a boat that could fly.  And in the same way - a corporate phone enabled for personal use may be a much better idea than a personal phone enabled for corporate use.  We shall see.

In this article I take the reader through the process of enabling COPE in Intune.  The COPE feature is currently in Preview mode.  In addition we will be enrolling a Huawei P smart phone into Intune with personal use enabled.  This phone has Android version 9 installed however you can also test the process on a device with Android version 8.  Stages of the process are as follows:

1) Intune is connected to a Managed Google Play Account
2) The Android COPE profile is created in Intune
3) A dynamic Intune group is created.
4) The smartphone is reset and enrolled into Intune

As part of the process the Microsoft Authenticator and the Microsoft Intune Portal applications are installed onto the Android device.

All the cloud based Intune steps are done in the Microsoft Endpoint Manager Admin Center.

After all of the above is completed, we will examine the personal Google PlayStore and compare it against the Corporate Google Play Store.


Connect Intune Account to your Managed Google Play Account

You can easily determine if you have connected your Intune tenant account to your Managed Google Play account by signing into Microsoft Endpoint Manager admin center and navigating to Devices\Android\Android enrollment.  Click on the Managed Google Play option.


If your tenant is correctly configured you will see a windows similar to the following.



Alternatively you will be given the lower bar in blue and the option to click on Launch Google to Connect now as shown.  



Create the Enrollment Profile

The next step in the process to enable COPE is to create COPE Android enrollment profile.  In the Microsoft Endpoint Manager admin center navigate to Home\Devices\Android\Android enrollment.  You will notice the Corporate owned devices with work profile (Preview) option.



Click on this option.


You are now in the blade where any profiles previously created will be listed.  Click on Create profile.  The Create profile window appears.


Enter a name for the profile that contains the word COPE.  In this case I name the profile COPE Mobile Devices. Click in Next.  The Review + create window appears.  Click on Create to establish the profile.



 Create the COPE dynamic Group

Having created the COPE profile we can now create the COPE group where Android devices will be automatically added when they enroll into the tenant.

Navigate to Home\Groups.  You will notice the option to create a new group.  Click on New Group.





The New Group window appears.  Select Security as the Group Type.  Enter in a relevant  group name such as COPE Android devices.  Select Dynamic Device for the Membership Device.


 
Click the Add dynamic Query option. The Dynamic membership rules window appears.

In the Property drop down selection box choose enrollmentProfileName.  For the Operator chose Contains and for the value enter in COPE.  The query should appear in the syntax box.  Click on Add Expression again if it does not appear.  Click on Save.


The New Group windows appears.  Click on Create to create the group.



Enroll the Smartphone

The Smartphone enrollment process can be sub-divided into the following phases

1) Device Reset
2) Enrollment either via a QR Scan or entering in the QR token code
3) Setting up the work profile
4) Adding your personal account

In the following sections I will keep written input to a minimum because the photographs, in most case, speak for themselves.

1 - Device Reset

On my device a system reset is initiated from Settings\System\Reset.  Data is erased and we start at the Welcome screen.


We are prompted to join a WIFI network.



2) Enrollment 

The important detail in this set of three is the Google sign in account window.  Rather than a standard Google account, we are required to enter in the following string:  afw#setup


You are now required to enroll the device either with the option of using the camera to scan for a QR code or you can manually enter in the code.  In this instance I manually enter in the code.  Where can this code or QR image be found?  

In Microsoft Endpoint Manager Admin Center navigate to Devices\Android\Android enrollment and click on Coprorate-Owned devices with work profile (Preview).  Your profile is listed - in my case it is the COPE Managed Devices profile.  Click on the profile and then click on Token.  Here you will find both the Token and the QR image.

With the Token in hand, we can proceed as shown in the following set of three.



The enrollment completes proceeds.



3) Setting up the work profile

We are now presented with some advisories about IT admin control, in addition a helpful reminder that personal apps are separate from work apps.


In the following three we enter in the user's Azure AD account.


In the next three we can see the installation is shifting into the application installation section of the work profile registration.


And indeed we see the Microsoft Authenticator and Microsoft Intune Apps installed.


In the next three we are required to enter in our credentials to the Microsoft Intune application.


And in the next three we are presented with the Default Directory screens - we can see that we have been registered in Azure and the last capture is actually a screen shot of the devices entry in the Microsoft Endpoint Manager Admin Center.


And there we have the affirmation screen that we are ready to work.



4) Adding your personal account

The final phase is for the user to enter in the details of their personal Google account.


We select an email address.


The final three present us with an Acceptance requirement, some SwiftKey options and finally our lock-screen window informing us the device is managed by our company.



How it works in Everyday Usage - Play Store as an Example

The purpose of this article was to detail the process required to enable COPE for Android devices and using then new Preview feature in Intune.  Detailing the process for creating configuration profiles and illustrating the total matrix of options relating to COPE is beyond this article's scope.  However we can quickly see how this feature can be useful to the user and the IT Administrator by looking at the Google Play Store.  In the following screenshot we can see there are two icons for the Play Store.  One of those icons has a briefcase peripheral icon attached to it, indicating it is for work place usage.  The other icon for the Play Store is the user's personal Play Store.



Thus if we click on the personal Play Store, we are presented with the familiar options we expect to see.


However if we click on the Play Store for corporate usage: we can see that we only have access to the Authenticator and the Intune Portal Apps.


And you will notice also that my attempt to capture the screenshot failed and thus I was required to take a photo with my camera.  Why is this?  It is because I have also created a configuration profile for Android COPE devices that restricts screenshots for applications that are being used within the work profile context.  You can see this setting in the capture below:


I hope you enjoyed reading this article on how to test the new COPE preview feature in Intune.

No comments:

Post a Comment