SOP: Enrolling Android Mobile Phones into Microsoft Intune (Dedicated Device Mode)

Document Control

  • Service Area: Langley ICT Services
  • Platform: Microsoft Intune (Android Enterprise)
  • Device Type: Android Mobile Phones
  • Enrollment Type: Corporate‑owned, Dedicated Device (COSU)
  • School Reference: TAW300 – The Telford Langley School

1. Purpose

This SOP describes the standard process for enrolling Android mobile phones into Microsoft Intune using Android Enterprise – Dedicated Device mode.

Dedicated Device mode is used where:

  • Devices may be reassigned to different users
  • Devices are not tied to a specific personal Google account
  • Centralised management, configuration, and consistency are required

This is the preferred and default Android enrollment method used by Langley ICT Services due to its reliability, security, and ease of management.

2. Scope

This procedure applies to:

  • All Android mobile phones managed by Langley ICT Services
  • Corporate‑owned devices enrolled into the TAW300 Intune tenant
  • Devices requiring centrally managed apps, policies, and restrictions

This SOP does not cover:

  • Personally owned (BYOD) Android devices
  • Android devices enrolled using Work Profile (COPE/BYOD)

3. Prerequisites

Before starting, ensure the following:

  • The device has been factory reset
  • The device has an active Wi‑Fi or mobile data connection
  • You have access to the Microsoft Intune Admin Center
  • The Android device is intended to be managed under:
    • Enrollment profile: TAW300 Mobile Phones
  • You are signed in to Intune with an account that has:
    • Intune Administrator or equivalent permissions

4. Enrollment Method Overview

Android devices are enrolled using:

  • Android Enterprise
  • Corporate‑owned, Dedicated Device (COSU)
  • QR code–based enrollment

This method:

  • Prevents users from signing in with personal Google accounts
  • Automatically locks the device into organisation‑controlled management
  • Applies configuration profiles and applications automatically after enrollment

5. Device Enrollment Procedure

Step 1: Start Device Setup

  1. Power on the Android phone.
  2. Follow the initial setup prompts:
    • Language selection
    • Region
    • Network connection (Wi‑Fi or mobile data)

Step 2: Trigger Android Enterprise Enrollment

  1. When prompted to sign in with a Google account, tap the email address field.
  2. Type the following exactly:
afw#setup
  1. Proceed through the remaining setup prompts by selecting Next as required.

Step 3: Generate the Enrollment QR Code (Intune)

  1. On an admin workstation, open the Intune enrollment portal:

    https://intune.microsoft.com/#view/Microsoft_Intune_Enrollment/CorporateOwnedProfiles.ReactView/isEnrollmentModeEnabled~/true/enrollmentMode/corporateOwnedDedicatedDevice/isSharedCosuEnabled~/true

  2. In the list of enrollment profiles:

    • Select TAW300 Mobile Phones

  3. Select Token

  4. Click Show token

A QR code will be displayed.

Step 4: Scan the QR Code

  1. On the Android phone, when prompted to scan a QR code:
    • Use the device camera to scan the QR code shown in Intune
  2. The device will begin enrollment automatically:
    • Android Enterprise components are configured
    • Device registers with Intune
    • Policies and apps begin downloading in the background

6. Post‑Enrollment Behaviour

After successful enrollment:

  • The device will:
    • Be locked into Dedicated Device mode
    • Be fully managed by Intune
  • Configuration profiles and restrictions are applied automatically
  • Assigned applications are installed without user interaction

No user sign‑in is required on the device.

7. Application Management

App Assignment Group

All Android mobile phones are added to the Entra ID group:

TAW300 Intune Android Devices - Mobile Phones

This group is used by Langley ICT Services to:

  • Assign Android applications
  • Target configuration and compliance policies

Existing Applications

  • Android apps already imported into Intune can be assigned immediately.
  • These apps are visible under Apps > Android in the Intune Admin Center.

New Application Requests

If an app is not already available in Intune:

  1. Log a call with Langley ICT Services
  2. Provide:
    • App name
    • Link to the app on the Google Play Store
  3. Langley ICT Serviceswill:
    • Import the app into Intune
    • Assign it to the appropriate device group

8. Configuration and Policy Management

Device Restrictions Profile

All configuration changes for Android mobile phones are managed via:

TAW300 Android Enterprise Device Restrictions - Mobile Phones

This profile controls:

  • System restrictions
  • Device capabilities
  • User experience limitations
  • Security controls

Any required changes to device behaviour must be made only within this configuration profile by Langley ICT Services.

9. Troubleshooting

  • If enrollment fails:

    • Confirm the device was factory reset
    • Verify network connectivity
    • Ensure the correct enrollment profile was selected

  • If apps or policies do not apply:

    • Confirm the device appears in Intune
    • Verify group membership for:
      • TAW300 Intune Android Devices - Mobile Phones
    • Allow up to 15–30 minutes for initial policy sync

10. Change History

  • Initial SOP authored and maintained by Langley ICT Services
  • Terminology updated to avoid confusion with TW IDT