Intune and Google's Cloud Device Policy Controller (DPC)

Recently, I was looking at some compliance reports for Android enrolled devices in Intune and Google's Cloud DPC caught my attention. 


This got me curious, and while researching I realized that there is very little documentation available in relation to Google's Cloud DPC and Intune, so I decided to blog about it.

Before we dive into it, let's first see how the DPC fits into the Enterprise Mobility Management (EMM) model.

An Android Enterprise solution is a combination of three components: EMM console, Android Device Policy, and managed Google Play.

EMM console

EMM solutions typically take the form of an EMM console—a web application you develop that allows IT admins to manage their organization, devices, and apps. To support these functions for Android, you integrate your console with the APIs and UI components provided by Android Enterprise.

Android Device Policy

All Android devices that an organization manages through your EMM console must install Android Device Policy during setup. Android Device Policy is an app supplied by Android that automatically applies the management policies set in your EMM console to devices. This is where Google's Cloud DPC comes into the picture.

The Device Policy Controller (DPC) acts as the bridge between EMM console (and server) and the device. It creates and manages the work profile on the device on which it is installed. The work profile encrypts work-related information and keeps it separate from users' personal apps and data. Before creating the work profile, the DPC can also provision a managed Google Play Account for use on the device. The device policy controller is also used to provision fully managed devices.

Managed Google Play

Managed Google Play is an enterprise version of Google Play that facilitates certain app management capabilities for Android Enterprise solutions. It combines the familiar user experience and app store features of Google Play with a set of management capabilities designed specifically for enterprises.

Google's Cloud Device Policy Controller (DPC)

For the Android Enterprise corporate-owned device deployment scenarios, Microsoft Intune uses the Android Management API and Android Device Policy as the DPC. Microsoft makes the configuration options available in the Microsoft Endpoint Manager admin center and enforces the configuration settings through the DPC, which acts as the management agent bridging Microsoft Intune and the managed devices.

The device policy controller app enables:

1. Communication with Intune to apply profiles, device restrictions and settings.
2. Implementation of managed configurations and verification of device compliance with the Intune policies.

After a device or work profile is provisioned, it's ready to be managed. Through the Android Management API, Android supports over 80 device and app management policies.
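To make the policy side concrete, here is an added example (not from the original post, and not Intune's or Google's code) that audits an Android Management API policy document of the kind the DPC enforces. The sample policy, the app package names and the `min_length` baseline are constructed assumptions; the field and enum names are those of the API's Policy resource.

```python
# Constructed sample of an Android Management API Policy resource (assumption:
# illustrative values only, not a policy exported from or generated by Intune).
SAMPLE_POLICY = {
    "passwordPolicies": [{"passwordScope": "SCOPE_DEVICE",
                          "passwordQuality": "NUMERIC",
                          "passwordMinimumLength": 4}],
    "advancedSecurityOverrides": {
        "untrustedAppsPolicy": "ALLOW_INSTALL_DEVICE_WIDE",
        "developerSettings": "DEVELOPER_SETTINGS_ALLOWED"},
    "applications": [
        {"packageName": "com.example.mail",       # hypothetical package
         "installType": "FORCE_INSTALLED",
         "managedConfiguration": {"server": "mail.example.com"}},
        {"packageName": "com.example.notes", "installType": "AVAILABLE"}],
}

WEAK_QUALITIES = {"PASSWORD_QUALITY_UNSPECIFIED", "BIOMETRIC_WEAK",
                  "SOMETHING", "NUMERIC"}

def audit_policy(policy, min_length=6):
    """Return findings for settings weaker than the assumed baseline."""
    findings = []
    rules = policy.get("passwordPolicies", [])
    if not rules:
        findings.append("passwordPolicies: no password requirement set")
    for rule in rules:
        scope = rule.get("passwordScope", "SCOPE_UNSPECIFIED")
        quality = rule.get("passwordQuality", "PASSWORD_QUALITY_UNSPECIFIED")
        if quality in WEAK_QUALITIES:
            findings.append(f"{scope}: weak passwordQuality {quality}")
        # Minimum length is not used with the COMPLEXITY_* quality buckets.
        if (not quality.startswith("COMPLEXITY_")
                and rule.get("passwordMinimumLength", 0) < min_length):
            findings.append(f"{scope}: passwordMinimumLength below {min_length}")
    overrides = policy.get("advancedSecurityOverrides", {})
    if overrides.get("untrustedAppsPolicy") == "ALLOW_INSTALL_DEVICE_WIDE":
        findings.append("untrustedAppsPolicy: unknown-source installs allowed")
    if overrides.get("developerSettings") == "DEVELOPER_SETTINGS_ALLOWED":
        findings.append("developerSettings: developer options allowed")
    return findings

def managed_configs(policy):
    """Map each app that carries a managed configuration to its settings."""
    return {app["packageName"]: app["managedConfiguration"]
            for app in policy.get("applications", [])
            if "managedConfiguration" in app}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
    print(managed_configs(SAMPLE_POLICY))
```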

Well, there you have it. Because Microsoft uses the Android Management APIs directly, it cuts down on the need to develop APIs of its own and also eliminates the need to add new Android management features separately. Whenever new features are added to the Android Management APIs, Microsoft can pull them in directly and integrate them into Intune.
