Android Work Profile is the recommended way to enrol personal Android devices (BYOD) in Intune. It creates a separate container on the device for work apps and data, keeping personal content completely separate. IT can manage and wipe the work profile without touching personal data.
Android enrolment types in Intune
Intune supports several Android enrolment methods. Choose the right one for your scenario:
- Android Enterprise Work Profile (BYOD) - for personal devices. Creates a work container. IT cannot see or wipe personal content. This guide covers this method.
- Android Enterprise Fully Managed - for corporate-owned devices. IT has full control of the device. No personal use.
- Android Enterprise Dedicated - for shared or kiosk devices. Single-app or multi-app kiosk mode.
- Android Device Administrator (legacy) - the old method. No longer recommended. Google deprecated it from Android 10 onwards.
Prerequisites
- An Intune Administrator account
- A Google account to create a Managed Google Play enterprise (a standard Gmail account works - it does not need to be a Google Workspace account)
- Android devices running Android 8.0 or later
- Users must have an Intune licence assigned
Connect Managed Google Play to Intune
This is a one-time setup that links your Intune tenant to Google so you can approve apps for deployment.
- Go to Devices → Android → Android enrolment → Managed Google Play
- Tick I agree and click Launch Google to connect now
- Sign in with a Google account (this account becomes the enterprise owner - use a shared team account rather than a personal one)
- Complete the Google registration and return to Intune
- The status should show Managed Google Play account is connected
Configure the enrolment profile
Android Work Profile enrolment does not require a separate enrolment profile in Intune - users enrol directly through the Company Portal app. However, you can configure enrolment restrictions to control which devices are allowed.
Check that the Default restriction allows Android Enterprise (Work Profile). To stop personal devices enrolling through the legacy, non-work-profile route, block Android Device Administrator.
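An offline check of that restriction, as an added example rather than anything from Intune or this guide's author. It assumes the policy has been exported as JSON in the shape of the Microsoft Graph beta deviceEnrollmentPlatformRestrictionsConfiguration resource; the sample export, the function names and the minimum-version check are constructed for illustration.

```python
import json

# Constructed sample: a platform restriction as it might be exported from Graph.
# Property names are assumed to follow the beta
# deviceEnrollmentPlatformRestrictionsConfiguration resource.
SAMPLE_EXPORT = json.loads("""
{
  "@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration",
  "displayName": "Default (constructed sample)",
  "androidRestriction": {"platformBlocked": false, "osMinimumVersion": null},
  "androidForWorkRestriction": {"platformBlocked": false,
      "personalDeviceEnrollmentBlocked": true, "osMinimumVersion": "7.0"}
}
""")

MIN_WORK_PROFILE_VERSION = (8, 0)  # Android 8.0, from this guide's prerequisites


def parse_version(text):
    """'8.0' -> (8, 0), '8' -> (8, 0); empty or None means no minimum is set."""
    if not text:
        return None
    parts = [int(p) for p in text.split(".")]
    parts += [0] * (2 - len(parts))  # pad so "8" compares equal to "8.0"
    return tuple(parts[:2])


def audit_restriction(cfg):
    """Return findings for a tenant that wants BYOD via Work Profile only."""
    findings = []
    legacy = cfg.get("androidRestriction") or {}
    work = cfg.get("androidForWorkRestriction") or {}
    if not legacy.get("platformBlocked", False):
        findings.append("Device Administrator (legacy) enrolment is not blocked")
    if work.get("platformBlocked", False):
        findings.append("Work Profile platform is blocked; nobody can enrol")
    elif work.get("personalDeviceEnrollmentBlocked", False):
        findings.append("Work Profile blocks personally owned devices; BYOD fails")
    minimum = parse_version(work.get("osMinimumVersion"))
    if minimum is None or minimum < MIN_WORK_PROFILE_VERSION:
        findings.append("No minimum OS of 8.0 or later enforced at enrolment")
    return findings


if __name__ == "__main__":
    for finding in audit_restriction(SAMPLE_EXPORT):
        print("FINDING:", finding)
```

An empty result means the exported restriction matches the setup described above: Work Profile open to personal devices and Device Administrator blocked.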
User enrolment steps
Send these steps to your users:
- On the Android device, open the Google Play Store
- Search for and install Microsoft Intune Company Portal
- Open Company Portal and sign in with their work Microsoft 365 account
- Follow the on-screen prompts to set up the Work Profile
- Android creates a separate work container - work apps appear with a briefcase badge
- When prompted, set a work profile PIN or biometric lock
The whole process takes about 5 minutes. Once complete, the device appears in Intune → Devices → Android devices.
Deploy apps to the work profile
Apps deployed via Intune appear only in the work profile container, not in the personal side of the device.
- Go to Apps → Android → + Add → Managed Google Play app
- Search for the app in Managed Google Play and click Approve
- Return to Intune and sync the app (Apps → Android → Managed Google Play sync)
- Assign the app to a user group as Required or Available
Troubleshooting
Company Portal shows error during work profile setup
Check the user has an Intune licence. Also check that Android Enterprise Work Profile is allowed in the enrolment restriction. Some Android skins (Samsung One UI, Xiaomi MIUI) require additional steps - check the device manufacturer documentation.
Apps not appearing in work profile after assignment
Trigger a sync in Company Portal. Also check the app is approved in Managed Google Play and has been synced to Intune. It can take up to 24 hours for new app approvals to sync.
Work profile not available on older Android version
Work Profile requires Android 8.0 minimum. Devices on Android 7 or below need to be upgraded or replaced. Legacy Android Device Administrator enrolment can be used as a fallback but is not recommended.