Overview
This knowledge base article will show the steps to get started with Android Enterprise Corporate owned dedicated devices. The steps involved are creating an enrollment profile, a dynamic security group, a device restrictions policy (optional) and approving and assigning Google Play apps.
Prerequisites
It is important to setup your managed Google Play account to be connected to your tenant as per How to setup Android Enterprise Prerequisites in Microsoft Intune?
Create an enrollment profile
1. By navigating to Microsoft Intune portal, then Enrollment then Android tab then under Enrollment profiles, select Corporate-owned dedicated devices.
2. Under Corporate-owned dedicated devices, select Create profile.
3. Under create profile, enter the following:
Name: Corporate-owned dedicated devices profile
Description: Corporate-owned dedicated devices profile
Token type:
Corporate-owned dedicated device (default): This token enrolls devices as a standard Android Enterprise dedicated device. These devices require no user credentials at any point. This is the default token type that dedicated devices will enroll with unless updated by Admin at time of token creation.
Corporate-owned dedicated device with Microsoft Entra ID shared mode: This token enrolls devices as a standard Android Enterprise dedicated device and, during enrollment, deploys Microsoft's Authenticator app configured into Microsoft Entra shared device mode. With this option, users can achieve single sign-in and single sign-out across apps on the device that are integrated with the Microsoft Entra Microsoft Authentication Library and global sign-in/sign-out calls.
In this KB, 'Token type: Corporate-owned dedicated device (default)' has been selected.
Then select a 'Token expiration date' then select Next.
4. Under Review + create, select Create.
5. Once the profile is created, click on the profile.
6. Select Token.
Create dynamic security group
You can follow this KB: How to create Entra dynamic groups for Android Enterprise enrolments? – Devicie Support Home Go to Step 4.
Create and assign Managed Home Screen app
You can follow this KB: How to add and assign Managed Google Play store apps for Android Enterprise? on how to add the Managed Home Screen App. 
Click on Select, then this will appear as 'Approved'
Then navigate to Android Apps, then select on Managed Home Screen then deploy as Required to group: Corporate-owned dedicated devices.
Create a device restriction policy
View the following How to create Devicie Configuration profiles for Android Enterprise devices? – Devicie Support Home on how to create Device Restriction Policy for Android Enterprise devices under Device Restriction Policy for Android Enterprise: Corporate-owned dedicated devices (COSU)
Create App Configuration Policy
View the following How to create App Configuration Profiles for managed Android Enterprise devices? – Devicie Support Home on how to create App Configuration Policy for Android managed apps.
Setup and Enroll
Do a Factory Data Reset:
Hard Reset Process - IF PHONE IS BRAND NEW IN THE BOX and is OFF:
If phone is off, press the volume UP button at the same time as the power button and hold until an OS menu comes up
Select Factory Data Reset
If phone is new and has been turned on but not reset and is at the Welcome screen:
Press volume down and power to shut down
Follow hard reset process above
IF PHONE IS ALREADY ON and set up:
Settings > Scroll down to General Management > Reset > Factory Data Reset > Delete All
1. Start up the device, and it will bring you to Hello message with a "Arrow".
Note: Do not go through the wizard.
At the "Hello" or "Welcome" screen, tap six times in a blank area.
2. This will now load to "Scanning for a QR Code" on the Android device.
Place the QR Code scanning on the token below to the profile.
3. It will then load with "Connect to WiFi", connect the required WiFi then it will begin with "Setting up"
4. It will then display "This device belongs to your organisation", select Next.
5. It will then display "Let's set up your work device", select Accept and continue.
6. It will then display "This device isn't private", select Next.
7. It will then display "Updating device"
8. It will then display with "Registering device"
9. It will then display with "Install work apps"
10. It will then load to Google Services, select More then select Accept. Then select Get Started.
11. After device has been enrolled and registered, navigate back to the Microsoft Intune groups to view Corporate-owned dedicated devices.
12. Under Managed Apps, we can see it has successfully installed the apps set as "Required".
13. The end result will look like this.