Understanding enrollment time grouping for Android devices

This week is all about enrollment time grouping for Android devices. More specifically, enrollment time grouping for Android Enterprise corporate-owned devices. The goal of enrollment time grouping for Android devices is exactly the same as for Windows devices: speeding up app and policy provisioning during the device enrollment. With enrollment time grouping, the IT administrator can add a device to an Entra security group directly during the enrollment of the device. That enables the IT administrator to use that security group for assigning required apps and device configurations. Together that provides a faster delivery of the required apps and device configurations, as the device will be a member of the security group directly after the enrollment. This takes away any delays related to updating the security group memberships.

The updating of dynamic security group membership is out of the control of Microsoft Intune and might take too much time. Besides that, it creates an inconsistent user experience: sometimes all apps and device configurations would be available, and sometimes not. Enrollment time grouping creates a very consistent experience, as the device will be added to the security group by Microsoft Intune itself. This post will focus on the required configurations for using enrollment time grouping for Android devices.

Configuring enrollment time grouping for Android devices

The configuration of enrollment time grouping is actually pretty straightforward, as it only contains two basic steps. Step one is creating an assigned security group with the right owner, and step two is adding that security group to an enrollment profile for Android Enterprise corporate-owned devices. Especially the ownership is important in this configuration.

Creating the assigned security group

The first step is creating the assigned security group. That security group in itself is not that special, but it does require a specific configuration. And that configuration includes the owner of the security group. The owner should be configured to the service principal of the Intune Provisioning Client, so that the enrollment profile for Android Enterprise corporate-owned devices can be used to add devices to that security group. The following three steps walk through that process.

Note: In some tenants the name of the required service principal is Intune Provisioning Client and in others it is Intune Autopilot ConfidentialClient. The AppID, however, will always be the same.

  1. Open the Microsoft Intune admin center and navigate to Groups
  2. On the Groups | All groups page, click New group
  3. On the New Group page, as shown in Figure 1, provide the following information and click Create
  • Group type: Select Security as the type of the group
  • Group name: Specify a unique name for the group to distinguish it from other groups
  • Group description: Specify a description for the group to further distinguish it from other groups
  • Microsoft Entra roles can be assigned to the group: Select No to not use this group for role assignments
  • Membership type: Select Assigned as the membership type of the group
  • Owners: Click No owners selected and select the service principal with AppID f1346770-5b25-470b-88bd-d5744ab7952c
  • Members: No configuration needed, as members will be added by Microsoft Intune directly after the enrollment

Important: Keep in mind that only one Entra security group can be added per enrollment profile.

Note: When the service principal does not exist, simply use the steps documented here to create it.
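The same first step, scripted with the Microsoft Graph PowerShell SDK. This is an added example and not code from the original post: it looks the service principal up by its AppID (since the display name differs between tenants), creates it when it is missing, creates the assigned security group with that service principal as owner, and ends with a check function that validates the settings the post lists (security group, assigned membership, not role-assignable, owned by the Intune service principal) before the group is used in an enrollment profile. The group name, description and mail nickname are placeholders, and the account connecting is assumed to have rights to create groups and service principals.

```powershell
# Added example (not from the original post): create and verify the assigned
# security group used for enrollment time grouping.
# Assumptions: Microsoft.Graph SDK installed; the connecting account may create
# groups and service principals; names/nicknames below are placeholders.

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Application.ReadWrite.All'

# AppID of the Intune Provisioning Client / Intune Autopilot ConfidentialClient.
# The AppID is the same in every tenant; only the display name may differ.
$intuneAppId = 'f1346770-5b25-470b-88bd-d5744ab7952c'

# Look the service principal up by AppID rather than by name; create it only if missing.
$sp = Get-MgServicePrincipal -Filter "appId eq '$intuneAppId'"
if (-not $sp) {
    Write-Host "Service principal for $intuneAppId not found, creating it"
    $sp = New-MgServicePrincipal -AppId $intuneAppId
}
Write-Host "Owner service principal: $($sp.DisplayName) ($($sp.Id))"

# Assigned (static) security group: SecurityEnabled, not mail-enabled, no
# MembershipRule, not role-assignable. Members stay empty on purpose, as
# Intune adds the devices during enrollment.
$group = New-MgGroup -DisplayName 'ETG - Android corporate-owned' `
    -Description 'Enrollment time grouping for Android Enterprise corporate-owned devices' `
    -MailEnabled:$false -MailNickname 'etg-android-corporate-owned' `
    -SecurityEnabled:$true

# Add the service principal as owner through its directory object reference.
New-MgGroupOwnerByRef -GroupId $group.Id `
    -OdataId "https://graph.microsoft.com/v1.0/servicePrincipals/$($sp.Id)"

# Verification of the settings from the post; also usable against an existing group.
function Test-EtgGroup {
    param(
        [Parameter(Mandatory)] [string] $GroupId,
        [string] $OwnerAppId = 'f1346770-5b25-470b-88bd-d5744ab7952c'
    )
    $g = Get-MgGroup -GroupId $GroupId `
        -Property 'id,displayName,securityEnabled,mailEnabled,membershipRule,groupTypes,isAssignableToRole'
    $owners  = Get-MgGroupOwner -GroupId $GroupId -All
    $ownerSp = Get-MgServicePrincipal -Filter "appId eq '$OwnerAppId'"
    $ownedByIntune = ($null -ne $ownerSp) -and ($owners.Id -contains $ownerSp.Id)

    [pscustomobject]@{
        Group             = $g.DisplayName
        IsSecurityGroup   = $g.SecurityEnabled -and -not $g.MailEnabled
        IsAssigned        = [string]::IsNullOrEmpty($g.MembershipRule) -and
                            ($g.GroupTypes -notcontains 'DynamicMembership')
        NotRoleAssignable = -not $g.IsAssignableToRole
        OwnedByIntuneSp   = $ownedByIntune
    }
}

Test-EtgGroup -GroupId $group.Id
```

Every property in the check object should read True before the group is selected in the enrollment profile; OwnedByIntuneSp is the one that typically goes wrong, because a group created by hand without the service principal as owner will not be offered or will not be populated during enrollment.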

Creating the enrollment profile for Android Enterprise corporate-owned devices

The second step is the pretty straightforward and logical next action: actually using that created group. That can be achieved by creating an enrollment profile for Android Enterprise corporate-owned devices. That could be an enrollment profile for corporate-owned dedicated devices, corporate-owned fully managed user devices, or corporate-owned devices with work profile. The following steps walk through the process of creating an enrollment profile for corporate-owned fully managed user devices, with the focus on adding the security group to that enrollment profile.

  1. Open the Microsoft Intune admin center and navigate to Devices > Android Enrollment > Corporate-owned fully managed user devices
  2. On the Corporate-owned, fully managed user devices page, click Create policy
  3. On the Basics page, provide a unique name and description, and click Next
  4. On the Device group page, as shown below in Figure 2, select the earlier created group and click Next
  5. On the Review + create page, review the configuration and click Create

Important: Keep in mind that enrollment time grouping is not supported with a staging token.

Note: The steps for the different enrollment profiles for Android Enterprise corporate-owned devices are similar.

Experiencing enrollment time grouping for Android devices

After creating an enrollment profile for corporate-owned fully managed user devices, with the specified security group, it’s time to experience the actual enrollment time grouping. That is, however, not something that is really easy to capture in a screenshot. The easiest way to experience the configuration would be to simply run through the enrollment of a new Android device, using the enrollment profile for corporate-owned fully managed user devices. Directly at the beginning of the enrollment process, the device will be automatically added to the configured security group. The best method to show the automatic behavior is by looking at the audit logs of the security group, which is shown below in Figure 3. That clearly shows that the device got a new membership (1) and that the actor was the service principal (2).
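The evidence from Figure 3, queried from the Entra audit log instead of read from a screenshot. This is an added example and not code from the original post: it pulls the Add member to group events of the last few days, keeps only the ones that target the enrollment time grouping group, and reports who added each member and whether that actor was the Intune service principal. The group object ID is a placeholder for your own group, and the Microsoft.Graph SDK is assumed to be installed. Because nothing but Intune should be populating this group, any event where ActorIsIntune is False is worth a second look.

```powershell
# Added example (not from the original post): list membership additions to the
# enrollment time grouping group from the Entra audit log.
# Assumptions: Microsoft.Graph SDK installed; $groupId is a placeholder for the
# object ID of your own group; the AppID is the Intune Provisioning Client.

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$groupId     = '00000000-0000-0000-0000-000000000000'   # placeholder: your ETG group
$intuneAppId = 'f1346770-5b25-470b-88bd-d5744ab7952c'

function Get-EtgMembershipEvents {
    param(
        [Parameter(Mandatory)] [string] $GroupId,
        [string] $AppId = 'f1346770-5b25-470b-88bd-d5744ab7952c',
        [int] $Days = 7
    )
    # Server-side filter on documented filterable properties only; the group
    # match is done client-side so no lambda filter syntax is needed.
    $since  = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filter = "activityDisplayName eq 'Add member to group' and activityDateTime ge $since"

    Get-MgAuditLogDirectoryAudit -Filter $filter -All |
        Where-Object {
            # The group shows up either as a target resource of its own or as
            # the Group.ObjectID modified property on the member resource.
            ($_.TargetResources.Id -contains $GroupId) -or
            ($_.TargetResources.ModifiedProperties |
                Where-Object { $_.DisplayName -eq 'Group.ObjectID' -and $_.NewValue -like "*$GroupId*" })
        } |
        ForEach-Object {
            $member = $_.TargetResources | Where-Object { $_.Type -ne 'Group' } | Select-Object -First 1
            $app    = $_.InitiatedBy.App
            [pscustomobject]@{
                Time          = $_.ActivityDateTime
                Member        = if ($member.DisplayName) { $member.DisplayName } else { $member.Id }
                MemberType    = $member.Type
                Actor         = if ($app) { $app.DisplayName } else { $_.InitiatedBy.User.UserPrincipalName }
                ActorAppId    = $app.AppId
                ActorIsIntune = ($null -ne $app) -and ($app.AppId -eq $AppId)
                Result        = $_.Result
            }
        }
}

# During an enrollment a new row appears per device, with the Intune service
# principal as actor, which is exactly what the audit log in Figure 3 shows.
Get-EtgMembershipEvents -GroupId $groupId | Format-Table -AutoSize
```

Audit log entries can lag a few minutes behind the actual enrollment, so re-run the query if a freshly enrolled device is not listed yet.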

More information

For more information about Android device enrollment and enrollment time grouping, refer to the following docs.
