Setting up Android for Work

To start off, what is Android for Work and when should it be used? Android for Work is the MDM (Mobile Device Management) solution for Android that is replacing Android Administrator. It enrolls the device itself in Intune and lets you take control of the work partition of the device. When a device is enrolled with a Work profile, Intune partitions it into two parts: one personal and one work partition. An administrator cannot manage, take control of, or see any information stored on the personal partition, only the work partition. Android for Work is a good fit when you want not only to raise security but also to give users a clear separation between what is Personal and what is Work.

To get started, log on to the Endpoint Manager admin center and navigate to Devices, Android, Configuration profiles, then click on Create profile.

This will bring up a new pane on the right-hand side. In the drop-down menus, select Android Enterprise, then Device restrictions under Work Profile.

Give it an appropriate name; I will call mine ‘Android Work Profile’.
Then click on Next.

Now we get to the part where we choose the settings that will apply to the device. Expand each category to see the settings available under it.

Now set the assignment group to which these settings will apply. I have previously created a dynamic group in Azure AD that automatically adds all enrolled Android devices, so I will use that.

To finalize, check over your settings and click Create on the Review + create screen. Here is my configuration and some of the settings I would recommend to get started.

I have chosen to set the password on the device itself, not on the Work Profile, and also set it to be numeric complex. This will stop users from using PIN codes such as ‘111111’ or ‘123456’.
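To illustrate what the numeric complex requirement rejects, here is an added Python example (not part of the original post, and not Intune or Android code). It approximates the rule as "no run of more than three digits that repeat or step by a constant amount"; the threshold MAX_ALLOWED_RUN and the function names are assumptions made for this sketch.

```python
# Added example: approximates the "numeric complex" PIN rule so you can see
# which PINs a user would be blocked from choosing. Names are hypothetical.
MAX_ALLOWED_RUN = 3  # assumption: runs longer than this are rejected


def longest_run(pin: str) -> int:
    """Length of the longest run of digits with a constant step.

    A step of 0 covers repeats (4444); any other constant step covers
    ordered sequences, ascending or descending (1234, 4321, 2468).
    """
    if len(pin) < 2:
        return len(pin)
    best = run = 2  # any two adjacent digits form a run of length 2
    prev_step = int(pin[1]) - int(pin[0])
    for a, b in zip(pin[1:], pin[2:]):
        step = int(b) - int(a)
        run = run + 1 if step == prev_step else 2
        best = max(best, run)
        prev_step = step
    return best


def is_numeric_complex(pin: str) -> bool:
    """True if the PIN is digits only and has no over-long run."""
    if not (pin.isascii() and pin.isdigit()):
        return False
    return longest_run(pin) <= MAX_ALLOWED_RUN


def rejected(pins):
    """Return the PINs from an iterable that fail the check."""
    return [p for p in pins if not is_numeric_complex(p)]


if __name__ == "__main__":
    # Constructed sample PINs, including the two named in the post.
    samples = ["111111", "123456", "2468", "4321", "192837", "112233"]
    for pin in samples:
        verdict = "ok" if is_numeric_complex(pin) else "rejected"
        print(f"{pin}: longest run {longest_run(pin)} -> {verdict}")
```

Note that a PIN such as ‘112233’ passes this check, so numeric complex narrows the weakest choices rather than guaranteeing a strong PIN.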

Devices can now be enrolled by downloading the Company Portal application from the Play Store and logging in to it. But this is just the bare bones, so I would highly recommend pairing it with Conditional Access, Compliance policies, App deployment and App protection policies.