I was recently helping out a customer who wanted to manage Android mobile devices using Endpoint Manager for users in China.

What is different from managing Android mobile devices for users in China and out of China? There is a significant difference and it is due to the services available on an Android mobile device that is required for managing the devices using Microsoft Intune.

Microsoft Endpoint Manager provides 2 ways of protecting the mobile devices which are MAM-WE (Application management without enrollment) and Device enrollment (MDM).

Following are some of the major differences between MDM vs MAM (app protection policies):

MDM (Mobile Device Management)MAM(Mobile Application Management)
Enroll devicesPublish Apps
Provision settings, certs, profilesConfigure and update apps
Auto install appsSecure corporate data within mobile apps
Report and messure device complianceReport app inventory and usage
Remove corporate dataRemove corporate data
Reset deviceRemote wipe (Corporate data ONLY)
Suitable for corporate owned devicesSuitable for BYOD devices

If you are managing the corporate data on the mobile device (BYOD) using MAM, you don’t need to think of the device having GMS services or not as it works with corporate apps and no enrollment is required, but if you planned to do MDM (device management), you would need Google Mobile Services (GMS) and is prerequisite for device enrollment (Android enterprise/work profile).

What is GMS? – Endpoint Manager Android China

Google Mobile Services (GMS) is a collection of Google applications and APIs that help support functionality across devices. These apps work together seamlessly to ensure your device provides a great user experience right out of the box.

Google mobile services (GMS) is part of the Android operating system which is used to connect to Google services and it is not free.

Why is GMS not available for users in People’s Republic of China?

A year ago, U.S put a ban on Chinese tech giant Huawei to do business with any organization that operates in the United States.

As part of this announcement, Google declared that they would comply with the Huawei ban and Huawei will longer have access to the core applications on an Android device such as Gmail, YouTube, Google Drive, and the big piece Google Play Store. For more information on the Huawei ban, please read here

So, what other options do we have to manage the Android devices without GMS?

If you look at the Android device enrollment types, we have 2 options:

  1. Device Administrator (Legacy)
  2. Android enterprise enrollment (work profile).

For #1, device administrator, you don’t need GMS services but the features you get from Microsoft Intune are very limited. Google has already announced about the depreciation of the device admin https://developers.google.com/android/work/device-admin-deprecation and is highly encouraged to use Android enterprise for devices where GMS available.

For #2 Android Enterprise enrollment such as work profile, COBO (company-owned business Only), COSU (corporate-owned single user), COPE (company-owned personally enabled), you will need GMS.

Endpoint Manager Android China

Since our requirement is to manage the Android devices (corporate-owned) with no GMS services, we will need to fallback to the device admin enrollment type with limited Intune features until the GMS services available. This will help us to push the applications to end-users and control other device settings due to business requirements.

For limitations of Intune device admin where GMS is not available, please read the Microsoft Documentation

How do we configure the device enrollment options for Android device administrator?

In Microsoft Intune, the default device restriction policy enabled with all platforms and applied to all devices with default priority. Anything you create new will have a high priority.

Endpoint Manager Android China

With this default setting, if a user (with/without GMS) try to enroll the Android device to Endpoint Manager, the device picks up the Android enterprise (work profile) type as default and do the enrollment process but this will fail on a device that doesn’t have GMS services because Android enterprise requires GMS.

To use the Android device administrator, we will need to do the following tasks:

  1. Create an AD/AAD sec group and add users who will be participating in the device Legacy enrollment profile.
  2. Create new device enrollment type restriction, select Block for Android enterprise (Work profile)

To achieve this :

Endpoint Manager Android China
  • Click Enrollment Restrictions and then Create Restriction / Device Type Restriction
Endpoint Manager Android China
  • Select Block for Android enterprise (Work profile)
Endpoint Manager Android China
  • In the Assignment Tab, apply this restriction to a group of users that you created in step 1
  • This legacy enrollment type applies to the users based on their priority

Android Enterprise (work profile) and Android device administrator platforms have the following behavior based on their assignment:

  • If both platforms are allowed for the same user, then users will be enrolled with a work profile if their device supports it, otherwise, they will enroll as DA.
  • If both platforms are allowed for the group and refined for specific and non-overlapping versions, then users will receive the enrollment flow defined for their OS version.
  • If both platforms are allowed but blocked for the same versions, then users on devices with the blocked versions will be taken down the Android device administrator enrollment flow and then get blocked from enrollment and prompted to sign out.

Users can visit the respective store apps provided by the device manufacturer such as AppGalary for Huawei etc and install the Microsoft Company portal and other Intune supported apps.

When the user tries to enroll the device, they go through the device admin enrollment process and receive the device management policies that are pushed by the Intune admin.

You can refer to this post for more information about managing the Android devices in the China region

Comments (0)