Azure Sphere OS version 21.06 is now generally available

This article is contributed. See the original author and article here.

The 21.06 Azure Sphere OS quality update is now available in the Retail feed. This release includes bug fixes in the Azure Sphere OS; it does not include an updated SDK. If your devices are connected to the internet, they will receive the updated OS from the cloud.


 


21.06 includes updates and enhancements in the following areas.



  • Open-source code can now be built in a manner that better reflects its use in the Azure Sphere OS. Previously wpa_supplicant did not properly link to wolfSSL.



  • When writing to flash devices over SPI from high-level apps, corruption was possible under certain conditions because byte-aligned writes were used instead of word-aligned writes. This issue is resolved, and writes are now optimized for cases smaller and larger than 1 word.


 


For more information on Azure Sphere OS feeds and setting up an evaluation device group, see Azure Sphere OS feeds and Set up devices for OS evaluation.


 


For self-help technical inquiries, please visit Microsoft Q&A or Stack Overflow. If you require technical support and have a support plan, please submit a support ticket in Microsoft Azure Support or work with your Microsoft Technical Account Manager. If you would like to purchase a support plan, please explore the Azure support plans.

Announcing general availability of Android Enterprise corporate-owned devices with a work profile

Today, Microsoft is announcing the general availability of Android Enterprise corporate-owned devices with a work profile in Endpoint Manager. With this release, Endpoint Manager now supports the complete set of Android Enterprise management scenarios, including dedicated devices, fully managed devices, and personally-owned devices with a work profile.


 


Nowadays, it is not uncommon for many of us to use our corporate-owned devices for personal use. Employees want to be sure that their personal data and information remain private, and organizations want to be confident that corporate devices are secure and compliant with company policies. Corporate-owned devices with a work profile offer the best of both worlds: the work profile provides the same data separation capabilities available on personally-owned devices with a work profile, with added device management capabilities designed for a corporate device. Once a device is enrolled, corporate applications, data, and contacts are automatically kept in the work container (work profile) and personal applications, data, and contacts in the personal container (personal profile). This corporate-owned personally-enabled (COPE) scenario offers end users confidence that their company administrators will not have visibility into the data and applications in the personal profile.


 


As more and more employees work from home or in hybrid office environments, corporate-owned devices with a work profile can help enable people to stay securely connected to their work and personal data from virtually anywhere. Employees can easily transition from checking company email to monitoring the status of personal deliveries and then back to their work apps, seamlessly and securely on the same device. During the preview over the past few months, we have seen incredible growth and satisfaction in customer adoption of these capabilities. Let’s dive into the details of enabling Android Enterprise corporate-owned devices with a work profile in Endpoint Manager:


 


Device Enrollment


Corporate-owned devices with a work profile is available for Android 8+ (Oreo and higher). Endpoint Manager supports these popular provisioning methods:



  • Knox Mobile Enrollment

  • Zero Touch Enrollment

  • NFC – Near Field Communications (only supported on Android 8-10 for COPE devices)

  • Token Entry (only supported on Android 8-10 for COPE devices)

  • QR code


 


IT Administrators can enable enrollment for this scenario by selecting the “Corporate-owned devices with a work profile” enrollment tile (indicated with the red arrow below). They can create multiple enrollment profiles with unique tokens that do not expire.


 


[Image: Enrollment Profiles]


End User Enrollment


The experience for end users to enroll corporate-owned devices with a work profile includes new screens that inform them about the functionality of the work and personal profiles on the device. For example:


 


[Image: Enrollment workflow for Android Enterprise corporate-owned devices with a work profile]


 


Additionally, the experience will guide end users through setting up administration requirements such as creating a device password, installing work applications, and registering the device. Once successfully set up, users will have two sections labeled work and personal in their full application list.


 


[Image: Application list]


 


 


Device Configuration


A subset of the existing settings for fully managed and dedicated devices is available for corporate-owned devices with a work profile. Additionally, we’ve added new settings to configure the work profile password and capabilities in the personal profile (indicated with the red arrows below).


 


[Image: Device restrictions]


 


You can create device configuration profiles under the “Fully Managed, Dedicated, and Corporate-Owned Work Profile” category and assign them to corporate-owned devices with a work profile to disable device features, assign certificates, or configure Wi-Fi or VPN. These device configuration profiles can be applied to fully managed, dedicated, and corporate-owned work profile devices.


 


[Image: Create a profile]

Some of the settings in the Device Restrictions profile do not apply to corporate-owned devices with a work profile; however, there are headers under each setting category that indicate which device types a particular setting can be applied to. Below is an example of these headers used in the Users and Accounts category.


 


[Image: Users and Accounts]


 


Some settings that apply device wide on fully managed and dedicated devices only apply at the work-profile level for corporate-owned devices with a work profile. These settings are marked with the “work profile-level” descriptor in the setting name, as shown in the example below.


 


[Image: Applications]


 


Device Compliance


The compliance settings and Conditional Access capabilities that are available for fully managed and dedicated devices will also apply to corporate-owned devices with a work profile. IT administrators should select “Android Enterprise” as the platform and “Fully managed, dedicated, and corporate-owned work profile” as the policy type.


 


[Image: Create a policy]

App Management


IT administrators can deploy apps and utilize app configuration and app protection policies for corporate-owned devices with a work profile. IT administrators should select “Android Enterprise” as the platform and “Fully Managed, Dedicated, and Corporate-Owned Work Profile” as the profile type.


 


[Image: App management]


 


Device Actions


Wipe device (factory reset), lock device, and reset work profile passcode are available for corporate-owned devices with a work profile.


 


What new capabilities will be added?


We still plan to add a few new capabilities to corporate-owned devices with a work profile in the coming months. These include:



  • Single sign-on during end user enrollment flow

  • Separate device filtering for corporate-owned work profile, fully managed, and dedicated devices

  • Block and allow apps in the personal profile


 


Get Started


If you have IT administrator credentials for your org, you can start enrolling devices here in the Microsoft Endpoint Manager admin center. Review the Product Documentation for instructions. There are known issues around Wi-Fi reporting documented here: Troubleshoot and review Wi-Fi device profile logs – Intune | Microsoft Docs


 


Customer Support


The available features are fully supported through our Microsoft Endpoint Manager support channels.


 


How Can You Reach Us?


Keep us posted on your experience with Android Enterprise corporate-owned devices with a work profile through comments on this blog post, through Twitter (@IntuneSuppTeam), and request any new features on UserVoice.


 


Android Enterprise Resources


For information about the new privacy protections on company-owned Android devices, refer to Google’s blog post.


 



A new way to search at school with Microsoft Search in Bing

With all of us figuring out how to do things remotely, this past year was not easy. But you made it—congratulations!


As many of you ease into summer break, we’re excited to share some new features coming up, to help you find everything you need for your school, faster and easier.


Here’s a sneak peek at what’s coming soon as part of the back-to-school offering. Our goal is to help make managing school work, assignments, and tasks as easy as searching the web—for you and your students.


 


[Image: Assignments screen]



 


Look up your assignments and classes


 


On Bing, you will be able to search and find your school specific information, like your classes and assignments from Teams, and much more.


 


Classes


See your upcoming classes and join them easily with Microsoft Teams.


 


Assignments


Students can find out which homework assignment is due next and start working on it with just a click.


 


Bookmarks


Find answers to common questions about your school and links to popular resources and tools.


 


People


See your profile, connect with other teachers, and more.



Pick up where you left off


 


On Bing, you will be able to easily look up and find the files, conversations, and sites you access often, saving the time it would take to locate them.


 


Files


Get quick access to your documents and files, as well as files others have shared with you. To keep your school’s info private and secure, you can only find files you have access to.


 


Conversations


Read messages sent to you in private chats and see what other teachers and students have said in public conversations.


 


Sites


Find SharePoint sites and other school pages you have access to.


 


Get info and answers faster


Here are a few other things you can do on Bing to improve your and your students’ productivity.


 


Acronyms


Look up definitions for acronyms and abbreviations used at your school.


 


Groups


See groups you and others are members of and learn more about them.


 


In addition to these, we understand your students’ privacy and safety are very important to you. We’ll be sharing more information soon about the new privacy and safety features as well as more details about all the new and upcoming features, so please stay tuned. Until then, whether you’re on a school break or in the classroom, stay safe and have a great time!


 

What’s New in Microsoft Endpoint Manager – 2106 (June) Edition

This month, we’re releasing new productivity and security capabilities within Microsoft Endpoint Manager. You can view the complete list of What’s New in the 2106 (June) release for details. The three capabilities I highlight this month improve the experience for users and provide more flexibility and management options for organizations that support Android deployments. As usual, I appreciate your feedback. Comment on this post, connect with me on LinkedIn, or tag me @RamyaChitrakar on Twitter.


 


Improving security and productivity without compromising privacy on corporate-owned Android devices


Many IT organizations allow employees to use corporate-owned devices for some personal tasks to improve productivity so they won’t have to switch between devices. Because of this, organizations must make sure corporate devices are secure and managed while employees want to ensure their personal data and information remains private.


 


Enrollment with Android Enterprise corporate-owned devices with a work profile enables separation between corporate and personal applications, data, and settings. This month, we’re announcing general availability for management of Android Enterprise corporate-owned devices with a work profile in Endpoint Manager.


 


While many customers provided feedback on managing corporate-owned work profile devices during our public preview, several asked how to add this option to their portfolio in Endpoint Manager. Follow these steps to get started:



  • Assess the Android devices in your environment. Are these devices mostly personally owned (BYOD) or company owned? Any task-specific devices? Review what you have today and foresee the needs of your organization.

  • Review your security strategy. With Endpoint Manager, you can secure and manage all your endpoints, managed or unmanaged, corporate, or BYOD. You can protect work data with or without device enrollment. For example, your security strategy for kiosks in a public space will likely be different from that of an information worker in a corporate office.

  • Evaluate the device enrollment strategy for each Android platform. There’s a great guide in docs on detailed manageability options – this just highlights the management options.

    1. BYOD: Personally owned devices with an Android Enterprise work profile.

    2. COBO: Corporate Owned, Business-use Only – Android Enterprise Fully managed device – Company owned devices fully managed and configured for business use only.

    3. COPE: Corp-Owned, Personally-Enabled – Enable corporate-owned devices with a work profile; this is what we’ve announced general availability for this month.

    4. COSU: Corp Owned, Single Use – Android Enterprise dedicated device – Corporate owned devices, managed and configured for a single, dedicated purpose such as a kiosk.

    5. DA: Device Administrator – Google has reduced support for the APIs on this platform; this type of management will be best suited for areas where Google services are not available or where the device type supports Device Administrator and not Android Enterprise.



  • Provided you determine Android Enterprise corporate-owned work profile has a role in your environment, set policies to meet your organizational compliance requirements, such as assigning certificates or configuring Wi-Fi or VPN. Keep in mind that if you want to move to this device enrollment strategy, say from an Android Enterprise fully managed device, you’ll need to factory reset the devices.

  • Deploy apps and utilize app configuration and app protection policies. You can configure these specifically for each platform.


 


The following screenshots show some of the screens in the enrollment workflow for Android Enterprise corporate-owned devices with a work profile – this is where we demonstrate the separation of work from personal apps.


 


[Image: Enrollment workflow for Android Enterprise corporate-owned devices with a work profile]


 


Simplifying mobile security and preventing security breaches


The need to prevent security breaches within an organization is a priority for many of our customers as employees access work data from all their devices, and these days, from virtually anywhere. Organizations need to secure not only the data at rest and in transit but also the devices themselves. This month, the client app that integrates Microsoft Tunnel into Microsoft Defender for Endpoint moved from public preview to general availability on Android.


 


What is Microsoft Defender for Endpoint with Tunnel? It’s a secure VPN connection for managed devices. Employees can download the Defender for Endpoint app on their Android mobile device to get a more holistic mobile threat defense solution that enables secure and productive remote work and is fully configurable from Endpoint Manager.


 


How do you get started? Here’s a very brief but prescriptive approach.



  • Evaluate your strategy as it relates to VPN and endpoint security. Are you already using a VPN provider? If not, what are your organization’s specific VPN needs? Consider your requirements and validate Defender for Endpoint meets those needs with Microsoft Tunnel. The capabilities built into the new client app were based on customer feedback so let me know if there’s a capability missing.

  • Assess your networking architecture and potential security weaknesses as they relate to corporate data access from Android devices. Do you want to allow data access through a more secure connection?

  • Confirm if you are already using Defender for Endpoint and Endpoint Manager. Are your Android devices enrolled? If so, move forward with implementing the Microsoft Tunnel Gateway by following the documentation here.

  • Once implemented, manage Microsoft Tunnel and Defender through Endpoint Manager just as you manage your other policies. Users just have one app to download from the Google Play store, which improves productivity.


 


Here’s a video of the user experience:


 


 


If you would like a bit more of the engineering backstory, I provided additional insight on our One Microsoft Approach Tunnel and Defender for Endpoint out on LinkedIn.


 


Making it easier to apply settings on different device types with filters


Filters let you maximize your current asset investments while protecting data on personal, company-owned, and shared devices. The settings catalog makes it easier to customize, set, and manage device and user policy settings. This month – we combined the two! Now, you can have a settings profile and then use filters when assigning it!


 


In addition, this month we have also deepened our investment in both filters and settings catalog by adding support for the Enrollment Profile Name property in filters for Android Enterprise. Use filters to target devices based on different properties, such as device name and manufacturer.


 


Last month, I shared what filters and settings catalog enables you to achieve. This month, I’d like to share more about our motivation to integrate these capabilities. Here’s what one of our customers specifically requested – just two examples of why we did this integration:



  • Use filters in compliance policies, if for example, you have different compliance policies for Windows HoloLens devices than you do for Windows desktop endpoints.

  • Use applicability rules in the settings catalog, in the event you have different configuration profiles for Windows HoloLens devices than you do for Windows desktop endpoints.


 


We keep our customers’ needs top of mind and invest in areas that improve the user experience and simplify IT administration. Questions? Feedback? Comment on this post, connect with me on LinkedIn, or tag me @RamyaChitrakar on Twitter.

[Amplifying Black Voices] Over Time, a Journey Into Tech

This blog was written by Microsoft Product Marketing Manager, Joshua West as part of the Amplifying Black Voices blog series. Joshua takes us through his career journey to Microsoft.  


 


I used to think my journey into technology started on a late night while completing a homework assignment for my MBA coursework. Or at least that’s the story I told myself or to others. It would go something like this.


 


[Image: Late night study sessions were common during the first semester]


It was early September in Rochester, NY, a time when the late summer breeze coming over Lake Ontario made you forget the crisp cold air and first snowfall were waiting right around the corner for you like a freight train coming around the bend.


 


I flipped open my Surface laptop and the bright backlight illuminated my already dim bedroom. I started on the assigned business case that we had to read, but the split screen quickly diverted my already short attention span to an article in The Wall Street Journal. The article spoke about how MBA graduates were increasingly moving to post graduation careers in technology rather than traditional paths in finance and consulting. The sector was looking to hire more graduates and offered competitive compensation as well. I was curious so I said, “why not me?”


 


[Image: University of Rochester’s River Campus in Fall 2019]


But that’s not where this story begins. It starts on a cold November weekend as the last of the fall foliage whittled away, leaving bare trees and piles of leaves waiting to be picked up by the city sanitation department. The dog’s ears perked up as the familiar sound of the doorbell caused a flurry of rampant barking as he rushed to the door to investigate our visitor. My dad opened the door to the delivery driver, who dropped off a large box with the word “fragile” on top. We opened the box and carefully lifted out a Windows 98 Gateway 2000 PC. My eyes instantly lit up as I stared at the computer. My mom came over and explained how she had looked everywhere for the right computer to order and that it was finally time for our family to have one after her job introduced computers to her workplace two years earlier. We immediately set the machine up and watched the green pasture come to life on the desktop.


 


That computer became the foundation for learning to type with Mavis Beacon, book reports, photo editors, train simulators, tying up the phone lines with dial-up internet, and so much more. It represented the first step into a technology that would change my life as I knew it. I suppose you could say the rest is history.


 


[Image: My dad in front of our first computer, a Windows Gateway 2000]


Two decades later, I found myself as a Product Marketing Manager MBA summer 2019 intern with the same company that made it its mission to put a PC in every home. What I found was an organization that was truly working to put its culture into practice and was seemingly committed to advancing diversity and inclusion to make all voices heard and welcome.


 


[Image: With MBA final round internship interviews complete, I could finally take some photos]


For me, that truth manifested through an opportunity to co-lead a team discussion around Bryan Stevenson’s book, “Just Mercy” and share perspectives of my personal experience of growing up Black in America. It was a moment of open vulnerability for the team that gave everyone the opportunity to share how their unique personal experiences growing up in America contributed to their beliefs or misbeliefs about others.


 


[Image: Final presentations for 2019 M&O Summer interns]


That journey has continued into my full-time experience, having the opportunity to work with two incredible teammates to lead our US Business Applications team through creating a culture of daring leaders who lead with vulnerability and courage through the work of Brene Brown’s book, “Dare to Lead.”


 


But when I think about my journey, I must note that it wasn’t always easy. Starting any new job is difficult but starting a new position remotely during the apex of a global pandemic with the responsibility for marketing a product to an industry I had no prior experience working in, brought with it an entirely separate set of challenges. I struggled with imposter syndrome, wondering if I was truly the person for the role. I doubted that I would get up to speed and truly understand what it meant to be a product marketer and that I could be successful at my job. To put those notions to rest, I continued to talk to friends and mentors, realizing that the more I shared, I was not alone.


 


[Image: Two decades after our first computer, I find myself working for the company that started me on this journey]


Within three months, that feeling was gone, and I realized that my job wasn’t to bring that knowledge of an insider, but that of an outsider to provide a new perspective on how we could grow the business. That has helped drive success in the beginning of my career journey with Microsoft. The ability to think differently, provide a new perspective, and incorporate my lived experience into my work are what gives me the ability to empower myself and those around me daily.