By John Hopkins | HopTechOne.com | October 2025

In my ongoing TestVM project, I wanted to extend endpoint management beyond the Windows laptop (JH_5440_Laptop) to mobile devices—a key skill for field service engineers and healthcare IT roles where BYOD (Bring Your Own Device) is common. This post details setting up an Android tablet as a BYOD device with an Intune work profile, installing work-designated apps (Teams, Outlook, OneDrive), and verifying compliance. It’s hands-on, cost-free (using my Microsoft 365 Business Premium tenant), and aligns with 2025 trends: 65% of IT roles need mobile management (Robert Half). With my Fresenius background in device support, this lab sharpened my skills for secure, separated work/personal data on Android.

What started as a simple app install turned into learning about Android Enterprise, work profiles, and Intune enrollment—here’s the step-by-step, challenges, and takeaways.

The Setup: BYOD Android Tablet

Goal: Enroll a personal Android tablet in Intune as BYOD, create a work profile for managed apps, and restrict personal data sharing—ensuring compliance for Eagle.Talon@HopTechOne.com.

Tools: Android tablet (e.g., Samsung Galaxy Tab), Intune Company Portal app, Microsoft 365 tenant (HopTechOne.com).

Prerequisites: Tablet on Android 8.0+; user account (Eagle.Talon@HopTechOne.com) licensed for Microsoft 365 Business Premium.

I used a mid-range Samsung tablet for this lab, simulating a field tech’s BYOD device.

Step-by-Step: Enroll and Set Up Work Profile

Install Intune Company Portal App:

On the tablet, open Google Play Store > Search “Company Portal” > Install the Microsoft Intune app.

Launch the app > Sign in with Eagle.Talon@HopTechOne.com (password from LastPass).

Expected: App prompts for work profile creation (separates work/personal apps/data).

Create and Activate Work Profile:

Accept terms and permissions (e.g., allow notifications, device admin).

The app creates a managed work profile (blue badge on work apps).

Follow prompts to update device settings (e.g., enable location for compliance).

Expected: Work profile icon appears in app drawer; personal apps remain separate.

Challenge: Enrollment hung on first try (network issue); fixed by Wi-Fi toggle and retry.

Install Work-Designated Apps:

In Company Portal app > Apps tab > Available apps (pushed from Intune).

Install Microsoft 365 apps: Teams, Outlook, OneDrive (work versions).

Expected: Apps install in the work profile (blue badge), accessible only with work credentials.

Test: Sign in to Teams with Eagle.Talon@HopTechOne.com > Join a test meeting (e.g., with guest external@hotmail.com).

Verify Compliance in Intune:

On laptop, go to https://intune.microsoft.com > Devices > All devices > Filter “Android” > Select tablet.

Expected: Device shows “Compliant,” with apps listed under “Managed apps.”

Test Restrictions: Try copying personal data to work apps (should be blocked by Intune policy).

Challenges: Work profile setup required tablet admin rights (granted via settings); app deployment took 15 minutes to sync. Propagation delays in Intune (15–60 minutes) meant initial “Not compliant” status.
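The propagation delay noted above is easy to misread as a real compliance failure, so here is an added example (not part of the original lab) that triages a device export with that window in mind. It assumes records shaped like Microsoft Graph managedDevice objects (deviceName, operatingSystem, managedDeviceOwnerType, complianceState, enrolledDateTime); the function name, verdict labels and sample data are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like a Microsoft Graph response from
# GET /deviceManagement/managedDevices; all values here are made up.
SAMPLE = json.loads("""
{"value": [
 {"deviceName": "tablet-new", "operatingSystem": "Android",
  "managedDeviceOwnerType": "personal", "complianceState": "noncompliant",
  "enrolledDateTime": "2025-10-01T14:00:00Z"},
 {"deviceName": "tablet-old", "operatingSystem": "Android",
  "managedDeviceOwnerType": "personal", "complianceState": "noncompliant",
  "enrolledDateTime": "2025-09-30T09:00:00Z"},
 {"deviceName": "tablet-ok", "operatingSystem": "Android",
  "managedDeviceOwnerType": "personal", "complianceState": "compliant",
  "enrolledDateTime": "2025-09-30T09:00:00Z"},
 {"deviceName": "JH_5440_Laptop", "operatingSystem": "Windows",
  "managedDeviceOwnerType": "company", "complianceState": "compliant",
  "enrolledDateTime": "2025-09-01T09:00:00Z"}
]}
""")

def parse_ts(value):
    # Graph timestamps end in "Z"; normalise so fromisoformat accepts them.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage_android_byod(devices, now, sync_window=timedelta(minutes=60)):
    """Map each personally owned Android device to a verdict (hypothetical labels)."""
    verdicts = {}
    for dev in devices:
        if dev.get("operatingSystem") != "Android":
            continue  # the Windows laptop is out of scope for this check
        if dev.get("managedDeviceOwnerType") != "personal":
            continue  # only BYOD (personally owned) devices
        state = dev.get("complianceState", "unknown")
        age = now - parse_ts(dev["enrolledDateTime"])
        if state == "compliant":
            verdicts[dev["deviceName"]] = "compliant"
        elif age <= sync_window:
            # Still inside the 15-60 minute propagation window: recheck first.
            verdicts[dev["deviceName"]] = "pending-sync"
        else:
            verdicts[dev["deviceName"]] = "investigate"
    return verdicts

if __name__ == "__main__":
    now = datetime(2025, 10, 1, 14, 20, tzinfo=timezone.utc)  # constructed clock
    for name, verdict in triage_android_byod(SAMPLE["value"], now).items():
        print(f"{name}: {verdict}")
```

Only devices still marked non-compliant after the window has passed are worth opening in the admin center to see which policy setting failed.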

Key Takeaway:

BYOD work profiles in Intune enable secure mobile management—separating work data from personal while enforcing compliance. Vital for field service or PACS admins accessing sensitive info on the go. This lab highlighted Intune’s power for Android Enterprise, tying into my TestVM Windows setup for hybrid endpoint control.

