📱 Managing Android Enterprise Fully Managed Devices in Microsoft Intune
When managing Android Enterprise Fully Managed Devices through Microsoft Intune, administrators gain full control over system settings, policies, and applications. This mode is ideal for corporate-owned devices used exclusively for work purposes, allowing you to apply strict data protection rules and enforce compliance with your organization’s security policies.
Below is a breakdown of how to configure such devices, manage contacts securely, and prevent users from performing restricted actions like factory resets or data sharing.
⚙️ What Is a Fully Managed Android Enterprise Device?
Fully Managed devices are corporate-owned, device-enrolled, and controlled by Microsoft Intune MDM policies.
Unlike Work Profile (BYOD) setups, users cannot separate personal and work data — the device is entirely managed by the organization.
Key characteristics:
- Full control over system and security settings
- Ability to enforce strict compliance policies
- Deployment of only approved corporate apps
- Control over factory reset, data sharing, and app installation
- Ideal for frontline workers, shared environments, and education setups
🧩 Prerequisites
Before configuration, ensure:
- You have a valid Microsoft 365 Business Premium or Intune Suite license.
- Android devices are Android 8.0 (Oreo) or newer.
- Devices are factory reset before enrollment.
- Android Enterprise is linked to Intune via a Managed Google Play account.
🔐 Objective 1: Restrict Contact Sharing, Copying, or Deletion
The goal is to secure corporate contacts stored in native or company-managed apps so that users cannot share, copy, or delete them. Here is how this can be achieved:
Option 1: Use App Protection Policies (APP)
App Protection Policies apply at the app level and are primarily intended for BYOD or Work Profile scenarios, but they still complement device restrictions on fully managed devices.
Steps:
- Go to Microsoft Intune Admin Center → Apps → App protection policies.
- Create a new policy for Android Enterprise.
- Under Data protection, configure:
- Restrict cut, copy, paste to Policy managed apps only.
- Save copies of org data to Policy managed apps only.
- Restrict contact sync to No (prevents syncing contacts to native Android contacts).
- Enable Encrypt app data and Require PIN for access.
This ensures that contacts managed through Outlook or Teams cannot be exported or copied to apps outside the policy.
Option 2: Restrict via Device Configuration Policy
- Navigate to Devices → Configuration profiles → Create profile.
- Choose:
- Platform: Android Enterprise
- Profile type: Device restrictions (Fully Managed)
- Under Work profile settings / System restrictions, configure:
- Disallow Contact sharing → Enabled
- Block Contacts app access (if using another approved contacts management app)
- Block screen capture → Enabled (optional for extra security)
- Block clipboard sharing → Enabled
- Block USB file transfer and Bluetooth sharing → Enabled
This ensures that contacts, once loaded into the system via approved apps (e.g., Outlook), cannot be exported, copied, or deleted by the user.
📇 Objective 2: Centralize Corporate Contacts
While Android doesn’t natively support global centralized contacts through Intune alone, you can use several workarounds:
Option 1: Microsoft Outlook with GAL Sync
- Configure Outlook for Android to access the Global Address List (GAL) from Microsoft Entra ID (formerly Azure AD).
- Users can search and view corporate contacts within Outlook without syncing them to native contacts.
- To prevent contact export, disable contact sync within Outlook via App Configuration Policies.
Option 2: Use Shared Contact Management Tools
If your organization requires a shared address book:
- Use Microsoft 365 Shared Mailboxes with contact folders.
- Third-party enterprise contact sync solutions (like SyncGene, CB Exchange Server Sync, or ContactMonkey) can sync GAL entries directly to devices in a controlled, read-only manner.
Option 3: Managed Google Account Integration
If you manage Android devices with a Managed Google Play enterprise account, you can:
- Use Google Workspace directory sync with Microsoft Entra ID for read-only access to corporate contacts.
- Restrict Google Contacts editing and syncing to prevent users from modifying or deleting entries.
🧱 Objective 3: Prevent Device Reset or Factory Wipe
To stop users from resetting their fully managed devices:
- Go to Devices → Configuration profiles → Android Enterprise → Device restrictions.
- Under System security, configure:
- Allow factory reset → Not allowed
- Allow safe mode → Not allowed
- Allow developer options → Disabled
- Block Settings app access (optional for kiosk or shared setups)
- Pair this with Enrollment restrictions to ensure devices remain enrolled and compliant:
- Navigate to Tenant administration → Enrollment restrictions.
- Disallow personal device enrollment (for corporate-only management).
Once applied, users won’t be able to perform a manual reset or unenroll the device from Intune.
🧰 Additional Recommendations
- Managed Home Screen:
If the devices use Managed Home Screen (MHS) for kiosk mode, ensure you configure Chrome, Outlook, or custom apps within App Groups so users can access approved apps only.
- Device Compliance Policy:
Add compliance settings such as:
- Device must not be rooted
- Require a minimum OS version
- Require encryption and passcode
- Reporting and Monitoring:
Use Intune > Reports > Device compliance to verify that policies are applied.
Review Device configuration > Per setting status for enforcement validation.
🧾 Example Policy Configuration Summary
| Policy Type | Setting | Value |
|---|---|---|
| Device Restrictions | Factory reset | Blocked |
| Device Restrictions | Contact sharing | Blocked |
| App Configuration | Clipboard sharing | Disabled |
| App Protection | Cut/Copy/Paste | Policy managed apps only |
| App Protection | Contact sync | Disabled |
| Device Restrictions | Safe Mode | Disabled |
| Outlook App Config | Contact sync | Disabled |
| App Config (Chrome) | Microphone/Camera | Grant automatically |
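To validate that a deployed restrictions profile actually matches the summary above (and the enforcement checks under Reporting and Monitoring), the following added example, which is not part of the original article, audits a Fully Managed device restrictions profile as exported from the Microsoft Graph deviceConfigurations endpoint. The Graph property names in EXPECTED are assumed from the beta schema and should be confirmed against your tenant's own export; the sample JSON is constructed.

```python
import json

# Expected values for the device-restriction settings summarised above,
# keyed by (assumed) Graph property names of the
# androidDeviceOwnerGeneralDeviceConfiguration resource. Confirm the names
# against a real export from your tenant before relying on this check.
EXPECTED = {
    "factoryResetBlocked": True,           # Allow factory reset -> Not allowed
    "safeBootBlocked": True,               # Allow safe mode -> Not allowed
    "screenCaptureBlocked": True,          # Block screen capture
    "bluetoothBlockContactSharing": True,  # Disallow contact sharing over Bluetooth
    "storageBlockUsbFileTransfer": True,   # Block USB file transfer
}

DEVICE_OWNER_TYPE = "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration"


def audit_profile(profile: dict) -> list[str]:
    """Return one finding per expected setting that is missing or not enforced.

    A missing key is reported too: in Intune a setting that is left
    'Not configured' falls back to the platform default, so the
    restriction is not enforced even though the profile is deployed.
    """
    findings = []
    if profile.get("@odata.type") != DEVICE_OWNER_TYPE:
        findings.append("profile is not a Fully Managed (device owner) restrictions profile")
    for key, want in EXPECTED.items():
        have = profile.get(key)
        if have is None:
            findings.append(f"{key}: not configured (platform default applies)")
        elif have != want:
            findings.append(f"{key}: {have!r}, expected {want!r}")
    return findings


# Constructed sample export with two gaps: safe mode still allowed and
# USB file transfer left unconfigured.
SAMPLE_WEAK = json.loads("""{
  "@odata.type": "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration",
  "displayName": "AE Fully Managed - Restrictions",
  "factoryResetBlocked": true,
  "safeBootBlocked": false,
  "screenCaptureBlocked": true,
  "bluetoothBlockContactSharing": true
}""")

if __name__ == "__main__":
    for line in audit_profile(SAMPLE_WEAK) or ["all expected restrictions enforced"]:
        print(line)
```

Run it against the JSON you export for each Android Enterprise restrictions profile; an empty result means every setting in the summary is enforced.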
✅ Summary
By combining Device Restriction, App Configuration, and App Protection policies in Intune, you can fully secure Android Enterprise devices against contact sharing, deletion, or export.
Centralized contact access can be achieved through Outlook GAL integration or third-party sync tools, while device reset and data loss prevention are managed through Intune’s system control settings.
This setup ensures a tightly managed Android environment suitable for education, frontline, or enterprise deployments under Microsoft 365 Business Premium.