Last Updated on September 6, 2021 by Oktay Sari
When you’re testing Microsoft Endpoint manager, chances are, you’re using a virtual Windows 10 device to do most of your testing. For Windows 10, there are many virtualization platforms like Hyper-V, VMWare or Virtual Box. But when it comes to Android, it’s a different ballgame. There are emulators out there, but I find that most are not that great for testing with Microsoft Endpoint Manager (Intune). This post is all about testing virtual Android Devices with Microsoft Endpoint Manager.
I’ll show you how to emulate Android devices. These virtual Android devices run on your PC, and you can use them almost the same way as physical devices. The Android emulator even comes with predefined configurations for various Android phones, tablets, and more. Testing virtual Android Devices with Microsoft Endpoint Manager is a great way to learn about configurations, policies and app deployment. Here’s an idea; If you’re working out a bring your own scenario, you can test your mobile application policies. I’m not going to explain how to configure android enrollment profiles since there are many great blogs out there that explain just that. For starters, have a look at Peter’s blog.
How can we start testing virtual Android Devices with Microsoft Endpoint Manager (Intune)? You’ll need Android Studio. Yes, you can build your own apps if you want to, but I’m interested in one particular piece of softeware: The AVD (Android Virtual Device) Manager.
Install Android Studio:
You can download Android Studio here: Download Android Studio and SDK tools | Android Developers and read more about AVD here: Run apps on the Android Emulator | Android Developers.
I’m on Windows 10 20H2 and Run Android Studio right next to Hyper-v and Virtual Box without any issues. Download Android Studio and start the installation. Make sure Android Virtual Device is selected before you continue.
Creating your first Virtual Android device
After installing Android Studio, start it and if there are any updates, install them before you continue. Getting started with your first Android Virtual device is very simple and can be done in a couple of minutes.
Click on the Tools menu and start AVD (Android Virtual Device) Manager.
Next Click on “+Create Virtual Device”
There are a lot of pre-configured devices available. Just make sure to choose one that has the Google Play Store icon. These devices come with the play store so you can install apps.
The rest is self-explanatory and straight forward but I created a short video to get you started.
Limitations
Don’t forget, you are working with a virtual device and that comes with it’s limitations. Most of the time, I use it to test app configuration policies, device configuration profiles, app protection policies and even conditional access.
- You can’t scan a QR code on a virtual Android device to enroll so we’ll have to find a workaround. More on this below
- I’ve had some issues with compliance policies and setting a PIN. Will need to do more testing on that
- Need to do more tests with compliance policies in general
- Sometimes the VM seems to hang and do nothing for a long time. If you’ve had 2 cups of coffee, start over 😉
- With corporate-owned enrollment profiles, the KIOS mode has it’s challenges. Need to do more testing here
Let me know if you run into any other limitations. I’ll update the post for everyone to learn.
Enroll a virtual Android device in Microsoft Endpoint Manager
You can enroll a Android device by downloading the Intune company Portal App, or by scanning a QR Code. There are 4 different enrollment scenarios:
- Personally-owned devices with work profile
- Corporate-owned dedicated devices
- Corporate-owned fully managed user devices
- Corporate-owned devices with work profile
There are some limitations when performing the enrollment with a virtual device. For example, you can’t scan the QR Code…
This post is all about testing Android devices with Microsoft Endpoint Manager so I’m skipping the user experience part. Our goal is to enroll a virtual Android device with Endpoint manager so you can test your configuration, policies and app deployment.
Enroll using the Company portal app – Personally-owned device with work profile
First we’ll enroll a device using the company portal app. This is what end-users would do on their own devices:
- Start your new Android VM
- Complete the phone setup
- Login with your google account (Needed for Google Play Store)
- Shutdown and start your device again
- Install the “company portal app”
- Enroll with work profile
Here’s another video showing you the steps to enroll the virtual Android device as a Personally-owned devices with work profile. It also shows that sometimes, things don’t go as planned. Although I’m very happy with AVD, it’s not a physical device and sometimes things take a little longer.
If there’s one tip I can give you, it would be ”Be patient” It all takes a little longer, and when you get stuck, wait a little longer and after some coffee, start over again 😉. I prefer working with physical devices, buts sometimes I need to test something when I don’t have a test (physical) device with me. This is when I fall back to using a virtual device. Once you get the hang of it, I’m sure you will use it.
Enroll corporate-owned devices with work profile by scanning a QR Code
Did I mention, you can create screenshots of your virtual android device using AVD? Check out the video above or see the screenshot on the right 😉
I started with a physical device and walked through all steps as described by Microsoft here. Some of the steps are:
- Created a enrollment profile.
- Created a device group.
When you create an enrollment profile, it will generate a QR Code with a token. There was one part of the Microsoft documentation that got my attention:
“For corporate-owned work profile (COPE) devices, the afw#setup enrollment method and the Near Field Communication (NFC) enrollment method are only supported on devices running Android 8-10. They are not available on Android 11. For further details, refer to the Google developer docs here”
“Depending on the Android OS and version of the device, you can use either the token or QR code to enroll the dedicated device”
Now that is interesting. I’ve never used the token before, simply because scanning the QR code is so obvious…
The provided link to Google is an interesting document. At first I did not see the link but upon reading further I saw a link to Enrollment token link.
Workaround
Could this be it? https://enterprise.google.com/android/enroll?et=<enrollmentToken>
The enrollment token can be found by going to:
Endpoint Manager>Devices>Android>Android Enrollment>[your enrollment profile]
Please Note: Yes…I revoked this example/demo token for obvious reasons…😉
I started my virtual Android device and first updated the Google Play Services as Noted above in the Google documentation.
Here are the steps you can follow:
- Update Google Play Services
- Start Google Chrome
- Type in the URL: https://enterprise.google.com/android/enroll?et=<enrollmentToken>
- Follow the steps to enroll
Enroll corporate-owned devices with work profile
If you want to see the complete enrollment please watch the next video:
That’s it for now. You have a corporate-owned device with work profile on a virtual android device, enrolled with Microsoft Endpoint Manager. You’re ready to test your configuration without the need for a physical device.
Final thoughts
Although virtual Android devices are a great way to test Microsoft Endpoint Manager (Intune) when you are out of physical hardware, I personally prefer to work with hardware. There are however a lot of use cases. You can test, and even make great screenshots for documentation or your blogs. Android Virtual devices have their limitations, and sometimes I had issues with enrolling a device and had to start over. But even with these limitations I think it’s a great tool to have.
let me know what you think…
thanks for the post. i was wondering if you deploy a compliance policy with require setting for company portal app runtime integrity, will it bring non-compliant for the AVD too?
because it happened to my AVD but not physical device.
Hi Jeff,
I did have issues with compliance policies. Specially when you require a password to unlock mobile devices, or with PIN length. I worked around this by setting a PIN before enrollment. Just couldn’t get this configured and need to do some more testing here. I’ve updated the post by separating the limitations part of the post. I’ll see if I can test your scenario. Thanks for your feedback!
Hi Jeff, I did not use the runtime integrity setting on a Android VM but I’ll test this and see if it’s the same for me.
hi. when doing the enrollment via the token the part where you register the device clicking on “Set up” has no effect or action. The device just sits in that part of the screen, i tested with a physical and a virtual android device and both have the same behavior. any suggestions?
Hi Tomal, I’m not sure if I understand what you mean. Did you create the enrollment profile and used the QR scanner on your physical device to scan the enrollment token/QR code?
I’m using a Samson Galaxy Tab 7 lite – I used Corporate Owned Dedicated Devices as my profile, but the device still shows a “user” profile. Any thoughts on how I get rid of that?
Hi Cathy, thanks for your feedback. I realize I’m very late with my response and do appologize for that. Did you get this to work? If not, let me know and I’ll see if I can help.
Hi,
Great post!!
I have tried with Android 9 and 10 versions, but I get the same issue when I try to enroll with https://enterprise.google.com/android/enroll?et=<enrollmentToken>
Can’t set up work profile – Your IT admin doesn’t allow a work profile on this device…
Could you help me, please?
Thanks in advance
Hi Elias, it sounds like an enrollment restriction. Did you check the enrollment restriction settings in MEM? It might also have to do with a compliance/conditional access policy. did you check your conditional access policies? What profile did you use? I can’t enroll Corporate-owned, fully managed user devices using Virtual Android devices.
Hello, when I tried to enroll Android COPE I receive “Registration is taking longer than usual”. Device appear on Azure AD but is missing on Intune. Any suggestions?
Hi Alessandro, I’m with same issue. Can you complete the the device register?
Is there a way to do this for iPhones?
Hi Oktay! Nice post, thanks a lot!
Have you got any problem clicking on “Register your device”? My Pixel 2 AVD just got stuck in this part. Apps are in pending status and I cannot move forward.
Same problem here. Did you solve it?
Need to find a way to factory reset and boot to Setup Wizard screen.
thx for the post. i’m encountering a problem. i want to test the Microsoft Intune’s encrypt mobile on a virtual andriod. however, when i try to do the “encrypt tablet” in my virtual android, it shows “plug in your charger and try again” with the “ENCRYPT TABLET” button dimmed. my virtual android is running on Virtualbox. even i’ve encrypted the Virtualbox disk, it does not resolve the issue. any suggestions on this?
Hi work profile android mobile allow security purpose wrok profile passwrod on my mobile device screen i missing passward 15 day do not my mobile unlock plz help suggested solve improtant data in mobile