Zebra management options with MEM Intune

Continuing the MEM Android series with Joy, this is the 9th blog post of the series. It covers managing rugged Android devices in an enterprise environment, specifically the Zebra device management options with MEM Intune.

Since these devices are mainly for frontline workers, we will start this blog with a small thank-you note to all those front-liners who play a critical role but often do not get enough mention in the organizational success stories that we get to see.

The frontline workers are the face of every business and the first and last person many customers interact with during their journey. These are the workers who assist customers, provide care, and drive efficiency every day. They can make or break the customer experience.

Yet they are often overworked and underappreciated. Empowering the frontline workers is critical to business success and organizations need to strive towards creating a work environment where they can thrive and excel.

For the frontline workers to work effectively in this ever-changing market scenario, they need specialized tools that are curated to support their work, thereby aiding them to succeed in their role.

One good example can be the frontline health workers who work tirelessly to provide health care and critical medical support to millions of people. One way to empower them is embracing the cloud with mobile fleet management solutions that allow immediate access to patient files. This can save countless hours of manual work and improve patient outcomes.

Zebra has the largest range of enterprise-optimized Android devices, purpose-built to suit and support frontline workers. With Microsoft Intune as the UEM solution (a pretty obvious choice if you are already in the M365 ecosystem), the IT team can ensure that the frontliners have access to such critical data “whenever, wherever”, maximizing mobility and productivity without compromising security.

Getting started with Zebra device management with MEM Intune

When managing purpose-built Android devices from Zebra with MEM Intune, we essentially have two management modes to choose between.

  • Android Device Administrator (Legacy)
  • Android Enterprise

Considering Android Device Administrator is marked legacy (and also marked as deprecated for Android OS), it is always a wise decision to go ahead with Android Enterprise.

With Android Enterprise as the chosen mode for management, I have mainly seen organizations go with the Corporate Owned Dedicated Device mode for the devices to be set up as KIOSK devices since these devices are primarily targeted to be used by the frontline workers. However, in some cases, we may also see such devices enrolled as Fully Managed devices.

The benefit with Android Enterprise corporate enrollment schemes is that we get multiple ways to provision a device, namely via QR Code, NFC, or the Token entry via afw#setup method.

And with Android Enterprise as the chosen management mode, it is usually the Zebra OEM Config app deployed to the devices via the Managed Google Play which is then utilized for configuring the device via OEMConfig device configuration profile.

Create Enrollment profile to support Zebra device management with MEM Intune

To enroll as a Dedicated device (If setting up as KIOSK) [Without User Affinity]

  • In the MEM Admin Center, navigate to Devices > Android (By platform) > Android Enrollment > Corporate-owned dedicated devices and click on Create profile.
  • Provide a Name for the profile and for the Token type, choose Corporate-owned dedicated device (default).
  • Finally, click on Create.

Once the profile gets created, you can find the QR Code and the Token by looking inside the created profile.

Note: The QR Code/ Enrollment Token is valid for a maximum of 90 days as enforced by Google.
Note: You can replace the QR Code/Token with a new one when the previous one nears its expiry. However, this adds to the IT overhead, every 90 days (max), to replace the old QR Code/Token with the new one in every form of communication towards Helpdesk or Users to ensure continuity of device provisioning.

To enroll as Fully managed device [With User Affinity]

  • In the MEM Admin Center, navigate to Devices > Android (By platform) > Android Enrollment > Corporate-owned, fully managed user devices
  • In the flyout pane that appears, toggle the Allow users to enroll corporate-owned user devices to Yes.
  • You will get to see the QR Code and Token there itself.
Note: This QR Code/Token is valid for all users of the tenant and does not expire.

Create dynamic device group in Azure AD to support Zebra device management with MEM Intune

For devices enrolled as Corporate-owned dedicated devices, you can easily create a dynamic device group using the enrollmentProfileName property for the query.

However, with Corporate-owned Fully managed mode, we do not create any Enrollment profile, so the same formula cannot be used. In such cases, you need to be creative as per the requirement, for example by formulating a dynamic device group that queries deviceManufacturer (Zebra Technologies) and deviceModel (TC51, etc.) in context.

It is important that you have a device group ready at your disposal as the IT Admin for profile/app deployments.
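
The two grouping approaches described above, written out as dynamic membership rules together with the Microsoft Graph request body that creates the group. This is an added example, not from the original post; the profile name `Zebra-Kiosk`, the group names and the second model `TC52` are sample values.

```python
import json

def _quoted(value):
    # Rule values are double-quoted; reject embedded quotes instead of guessing at escaping.
    if '"' in value or not value.strip():
        raise ValueError(f"unsuitable rule value: {value!r}")
    return f'"{value}"'

def dedicated_rule(profile_name):
    """Corporate-owned dedicated devices: match on the enrollment profile name."""
    return f"(device.enrollmentProfileName -eq {_quoted(profile_name)})"

def fully_managed_rule(manufacturer, models):
    """Fully managed devices: manufacturer AND one of the listed models."""
    if not models:
        # Manufacturer alone would pull in every device from that vendor.
        raise ValueError("list at least one model to keep the rule narrow")
    model_clause = " -or ".join(
        f"(device.deviceModel -eq {_quoted(m)})" for m in models
    )
    return (f"(device.deviceManufacturer -eq {_quoted(manufacturer)})"
            f" -and ({model_clause})")

def group_payload(display_name, mail_nickname, rule):
    """Request body for Microsoft Graph POST /groups (dynamic security group)."""
    return {
        "displayName": display_name,
        "mailEnabled": False,
        "mailNickname": mail_nickname,
        "securityEnabled": True,
        "groupTypes": ["DynamicMembership"],
        "membershipRule": rule,
        "membershipRuleProcessingState": "On",
    }

if __name__ == "__main__":
    # Sample values (assumptions): profile name, group names, model list.
    kiosk = group_payload("Zebra dedicated devices", "zebra-dedicated",
                          dedicated_rule("Zebra-Kiosk"))
    managed = group_payload("Zebra fully managed", "zebra-fully-managed",
                            fully_managed_rule("Zebra Technologies", ["TC51", "TC52"]))
    print(json.dumps([kiosk, managed], indent=2))
```
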

Deploy OEMConfig app from Managed Google Play to support Zebra device management with MEM Intune

  • In the MEM Admin Center, navigate to Apps > Android (By platform), click on Add and select App type as Managed Google Play app.
  • Wait for Managed Google Play store to load within the MEM Admin Center and search for Zebra OEMConfig.
  • Approve the Zebra OEMConfig app.
  • Post approving the app, click on the Sync button available.

The app should shortly appear in the added app list in the MEM Admin Center, ready for deployment. All you need to do is assign the app to the group that contains the device (or the user, in case you are going with Fully managed mode!).

Create OEMConfig device config profile in MEM Intune for managing Zebra device features

  • In the MEM Admin Center, navigate to Devices > Android (By platform) > Configuration profiles (Android policies) and click on Create.
  • Select Platform as Android Enterprise and Profile type as OEMConfig.
  • Give a Name to the profile and select Zebra OEMConfig app already added to Intune as the app.
  • Next you have the section where you can actually configure the settings. Configuration can be done either via Configuration designer configuring the Transaction Steps or via using the JSON editor.
Read the OEM documentation to make sure you're configuring the properties correctly. These app properties are included by the OEM, not Intune. For Zebra, you can find the documentation here.
  • Once you are done with the configuration, add the required Scope tag (if any) and make the necessary assignment, before finally reviewing the profile to Create it.

Deploy and Configure Managed Home Screen app as the launcher

If you are going with Corporate-owned dedicated device mode, you will need to decide on using a launcher app to configure the KIOSK behavior. This is where the Managed Home Screen from Microsoft comes in.

As a note, you can decide to use the MHS as the launcher for the devices even if you are going with the Corporate-owned Fully managed mode.
You can deploy and assign the app as per the steps already shown above for deploying the Zebra OEMConfig app.

Configuring the Managed Home Screen can be quite a task and we need to create an App Configuration profile for the same.

  • In the MEM Admin Center, navigate to Apps > App configuration policies and click on Add.
  • Choose Managed devices.
  • Give an appropriate Name to the profile, select Platform as Android Enterprise, Profile Type as Fully Managed, Dedicated and Corporate-Owned Work Profile only and finally select the Target app, that is Managed Home Screen, from the list of available apps.

Next, you have three sections as highlighted.

  • On the top, you can explicitly define Permissions to override Default app permissions.
  • Middle, you get to decide whether to use the Configuration designer or enter JSON data. [This is where you actually configure how MHS will behave.]
  • Bottom, you can decide if this app will have cross profile intent. This applies only to corporate-owned work profile devices, so we can leave it as Not configured.
Configuration designer will show you all available configurations for features within MHS the instant a new update is released on the Managed Google Play Store. However, some configuration keys will only be configurable through JSON format.
For configuring Managed Home Screen as per requirement, check the Microsoft documentation to be aware of all the possible settings and their supported values.

For the purpose of this blog, I am doing a rather simple config of defining a wallpaper of choice and the applications that will appear on the home screen.

Note that the applications defined here must be either SYSTEM apps available on the device or apps deployed to the device.
{
    "kind": "androidenterprise#managedConfiguration",
    "productId": "app:com.microsoft.launcher.enterprise",
    "managedProperty": [
        {
            "key": "show_device_info_setting",
            "valueBool": true
        },
        {
            "key": "applications",
            "valueBundleArray": [
                {
                    "managedProperty": [
                        {
                            "key": "package",
                            "valueString": "com.google.android.calendar"
                        }
                    ]
                },
                {
                    "managedProperty": [
                        {
                            "key": "package",
                            "valueString": "com.epic.rover"
                        }
                    ]
                },
                {
                    "managedProperty": [
                        {
                            "key": "package",
                            "valueString": "com.android.deskclock"
                        }
                    ]
                },
                {
                    "managedProperty": [
                        {
                            "key": "package",
                            "valueString": "com.android.calculator2"
                        }
                    ]
                },
                {
                    "managedProperty": [
                        {
                            "key": "package",
                            "valueString": "com.symbol.tool.stagenow"
                        }
                    ]
                },
                {
                    "managedProperty": [
                        {
                            "key": "package",
                            "valueString": "com.microsoft.intune"
                        }
                    ]
                }
            ]
        },
        {
            "key": "wallpaper",
            "valueString": "<your link to image file>"
        }
    ]
}

  • Assign the profile to the group and click on Next.
  • The last work remaining is to click on Create to create the profile.
I am not showing the KIOSK profile configurations here as I have already covered them in my previous blog post.
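
A pre-deployment check for the Managed Home Screen JSON above, following the note that every listed application must be a system app or an app deployed to the device. This is an added example, not from the original post; the `AVAILABLE` set and the trimmed `SAMPLE` are constructed, and treating a non-HTTPS wallpaper link as a finding is this example's own policy choice.

```python
from urllib.parse import urlparse

MHS_PRODUCT_ID = "app:com.microsoft.launcher.enterprise"

def mhs_packages(config):
    """Package names listed under the 'applications' key of an MHS configuration."""
    packages = []
    for prop in config.get("managedProperty", []):
        if prop.get("key") != "applications":
            continue
        for bundle in prop.get("valueBundleArray", []):
            for inner in bundle.get("managedProperty", []):
                if inner.get("key") == "package":
                    packages.append(inner.get("valueString", ""))
    return packages

def audit_mhs_config(config, available_packages):
    """Return findings; an empty list means the configuration passed every check."""
    findings = []
    if config.get("productId") != MHS_PRODUCT_ID:
        findings.append("productId does not target Managed Home Screen")
    packages = mhs_packages(config)
    for pkg in sorted(set(packages)):
        if packages.count(pkg) > 1:
            findings.append(f"duplicate package: {pkg}")
        if pkg not in available_packages:
            findings.append(f"not a system or deployed app: {pkg}")
    for prop in config.get("managedProperty", []):
        if prop.get("key") == "wallpaper":
            url = urlparse(prop.get("valueString", ""))
            # Catches a leftover placeholder as well as plain-http links.
            if url.scheme != "https" or not url.netloc:
                findings.append("wallpaper is not an https URL")
    return findings

def _app(pkg):
    return {"managedProperty": [{"key": "package", "valueString": pkg}]}

# Constructed sample: a trimmed copy of the configuration shown above.
SAMPLE = {
    "kind": "androidenterprise#managedConfiguration",
    "productId": MHS_PRODUCT_ID,
    "managedProperty": [
        {"key": "applications", "valueBundleArray": [
            _app(p) for p in ("com.epic.rover", "com.symbol.tool.stagenow", "com.microsoft.intune")]},
        {"key": "wallpaper", "valueString": "<your link to image file>"},
    ],
}
# Constructed: system apps plus apps assigned to the device group in Intune.
AVAILABLE = {"com.symbol.tool.stagenow", "com.microsoft.intune"}
```

Calling `audit_mhs_config(SAMPLE, AVAILABLE)` reports the package that is neither a system app nor deployed, and the wallpaper placeholder that was never replaced.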

At the end…

With everything in place, the next phase will be to provision the device and check it first-hand to see the configurations as made.

Monitoring the status of the profiles in the MEM Admin Center shows all in green.

With everything configured and showing as a successful deployment in Intune, this blog post gets its happy ending.