In this post, I want to cover a nice and easy change introduced to Intune when setting up your connection to Managed Google Play. While this might be a small change and one essentially most relevant to new configurations, I do think it’s worth a mention.
When we think of managing Android devices using Intune, we commonly think of Android Enterprise, as this is the most popular way of deploying management. It is popular for a reason: it offers several distinct advantages over other Android management options, particularly for enterprise environments, with controlled app deployments, enhanced security, ease of administration and definitely its global reach.
There’s one crucial action we have to carry out when setting this up in our Intune tenant though, and that’s to make a connection to the Managed Google Play service. Without it, you won’t have access to the enrolments, app whitelisting and security benefits. The great thing is that while it’s always been fairly straightforward to set this up, Microsoft and Google have, as of August 2024, simplified the integration process and made it even easier. Previously you would need to have a Google account ready and waiting to use and go through a set of pages establishing the company name, data protection officer and EU representative. Not entirely difficult, I grant you, but hey, we all love simplification.
Establishing a new connection
The first thing to say is that you DON’T have to do this if you already have a tenant set up. Existing connections will continue to be supported, at least for now, BUT the new process does let you use a corporate email address directly from your Entra or Intune tenant, and it also gives you a single sign-on connection. Great, right?
In fact, I’d go so far as to say DON’T reset existing connections, as this means losing all assignments and the availability of LOB and Library applications, plus any specific configurations and app settings will need to be reapplied: things like app permissions, configurations and deployment settings. Take note of the below screen when you do go to disconnect too: existing Android devices MUST first be unenrolled.
When you do go to unbind and your Intune tenant still has an Android device registered or enrolled, it will notify you, so this is a nice safety check.
OK, so this feature isn’t going to win awards and is targeted at new tenants, but the process is simpler, as per the screenshots below. PLEASE be aware that using an Entra admin account may not be the best approach, as these accounts may not be mail-enabled by design for security reasons, and the account should be reachable by the Google service for notifications or updates.
That said, to set this up you follow this simple flow:
Log in to your Microsoft Intune tenant as an Intune admin or Global admin user and navigate to:
Devices > Android > Enrolment, then click ‘Managed Google Play’.
On the Managed Google Play pop out screen, tick the “I Agree” box and the “Launch Google to connect now” button will be enabled.
It’s at this point the simpler binding process starts and a new window launches. You can see from the dots that there are 5 steps to this guided wizard. Enter your chosen corporate Entra user account, preferably the account you are logged in with, in the ‘Create an admin account’ box and click ‘Next’.
As suggested, it will recommend adding the account you are logged into Intune with, as it can directly utilise SSO, but if you choose you can still use another account as shown and then click the ‘Sign in with Microsoft’ link.
If you choose to log in with another account, it will prompt you for MFA before returning to the next connection step, which is a request-for-permissions page. Here, accept the requests to view basic information and maintain access to data.
After accepting, you are taken to the “Tell us about you” page, where you will need to add a company name and choose the communication preferences.
The next page gives you the opportunity to add some subscriptions to the account, like “Chrome Enterprise Core”, which I’ve added manually here. By default only “Android Enterprise” is automatically included. Chrome Enterprise Core is free and allows you to manage the Chrome browser and get insights into the browser deployments, which is a handy addition. Click the ‘Next’ button.
Nearly complete. Click “Agree and Continue” for the Google agreements and then “Allow and create account”.
Finally, the connection between Google and Intune will update and complete before returning you to Intune.
Once completed, you’ll receive the notification back within Intune and you now have an Android Enterprise connection.
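The binding, its owner account and the count of enrolled Android devices can also be read back from Microsoft Graph, which is useful both after the wizard completes and before anyone considers unbinding. The script below is an added example and not part of the original walkthrough; it assumes the Microsoft.Graph.Authentication module is installed, that the admin can consent to the read-only scopes listed, and it uses the beta androidManagedStoreAccountEnterpriseSettings endpoint.

```powershell
# Added example: read-only audit of the Managed Google Play binding.
# Assumes Microsoft.Graph.Authentication is installed; nothing is modified.
Connect-MgGraph -Scopes @(
    'DeviceManagementConfiguration.Read.All',
    'DeviceManagementManagedDevices.Read.All',
    'User.Read.All'
)

function Get-GraphPage {
    param([Parameter(Mandatory)][string]$Uri)
    # Follow @odata.nextLink so large tenants are fully enumerated.
    while ($Uri) {
        $resp = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject -ErrorAction Stop
        $resp.value
        $Uri = $resp.'@odata.nextLink'
    }
}

# 1. Binding state and the account that owns the Managed Google Play connection.
$binding = Invoke-MgGraphRequest -Method GET -OutputType PSObject -ErrorAction Stop `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/androidManagedStoreAccountEnterpriseSettings'

# 2. Is the owner an Entra account with a mailbox address? Bindings created with
#    a consumer Google account will not resolve in Entra, so treat that as "no".
$ownerMail = $null
if ($binding.ownerUserPrincipalName) {
    try {
        $owner = Invoke-MgGraphRequest -Method GET -OutputType PSObject -ErrorAction Stop `
            -Uri "https://graph.microsoft.com/v1.0/users/$($binding.ownerUserPrincipalName)?`$select=userPrincipalName,mail"
        $ownerMail = $owner.mail
    } catch {
        Write-Warning "Owner '$($binding.ownerUserPrincipalName)' was not found as an Entra user."
    }
}

# 3. Devices reporting operatingSystem 'Android' that are still enrolled;
#    these must be unenrolled before the connection can be disconnected.
$android = @(Get-GraphPage -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$filter=operatingSystem eq ''Android''&$select=id,deviceName')

[pscustomobject]@{
    BindStatus           = $binding.bindStatus
    Owner                = $binding.ownerUserPrincipalName
    OwnerMailEnabled     = [bool]$ownerMail
    LastAppSync          = $binding.lastAppSyncDateTime
    EnrolledAndroidCount = $android.Count
    SafeToUnbind         = ($android.Count -eq 0)
}
```

A `SafeToUnbind` value of `False` only reflects the device count; the loss of app assignments and configurations described earlier still applies to any reset.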
Clearly this is just one small step in managing Android Enterprise devices with Intune, but nonetheless an important one.
If you’re starting out with Intune and want to learn how to configure all the settings for Android device management, you may be interested in a comprehensive course I have published on the Alpenshield Academy – “Manage and Secure Android Devices with Intune”
https://learn.alpenshield.io/course/manage-secure-android-microsoft-intune