Intune Customer Success

Android 12 Day Zero Support with Microsoft Endpoint Manager

Intune_Support_Team
Aug 10, 2021

Updated 11/10: We updated this post to include newly identified impact from the removal of Wi-Fi MAC address.

 

Android 12 was announced at Google I/O 2021 in May of this year, promising significant overhauls of the Android platform from design to privacy. In this post, we’ll highlight some noteworthy changes that you should be aware of, and we’ll share some of what we’ve found from testing the latest beta builds of Android.

 

Our Microsoft Endpoint Manager app protection policy (APP) and mobile device management (MDM) teams have been hard at work making sure Microsoft Intune customers are supported on the new OS release. Most APP and MDM scenarios will continue to be fully compatible with Android 12. However, Google is making some significant changes in Android 12 that affect management capabilities available to Intune.

 

As we approach the official release of Android 12 later in the year (historically the major Android OS releases are often in late Q3/early Q4 of the calendar year), we will continue to update this blog post as we discover new items in our beta testing. We also encourage you to read through Google’s Android 12 change documentation to identify other changes that may be relevant to your organization. Keep us posted on what APP and MDM learnings you find from your beta testing too!

 

Removal of serial number, IMEI, and MEID on personally-owned work profile devices

Google is removing the ability for apps to access hardware identifiers on personally-owned work profile devices. The impacted hardware identifiers are serial number, IMEI, and MEID. For more information, see the Google developer documentation.


The removal affects the following workflows in the Endpoint Manager admin center for personally-owned Android Enterprise with work profile devices running Android 12:

  • Serial number, IMEI, and MEID will no longer be visible in the Endpoint Manager admin center.

  • Serial number and IMEI can no longer be used to identify devices as corporate.

  • Certificates will fail to deploy if you use serial number, IMEI, or MEID variables in the subject and SAN of the certificate profile and the value is not populated. This may impact downstream systems that rely on these values in the subject and SAN of certificates.

  • Network access control with certain NAC providers and third-party VPN providers may be affected. This may impact the ability of enrolled devices to connect to a corporate network. More information can be found here: Support Tip: Android 12 upgrade can affect NAC-enabled network access.
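
The following Python script is an added example, not code from Microsoft or Intune: it scans an exported list of certificate profiles for serial number, IMEI, or MEID variables in the subject and SAN of profiles aimed at personally-owned work profile devices. The record shape, the platform labels, and the {{...}} token spellings are assumptions; adjust them to match your own export.

```python
import re

# Assumed token spellings for the three identifiers the post names; confirm them
# against the variable list shown in your own certificate profiles.
HARDWARE_ID_VARS = {
    "serialnumber": "serial number", "device_serial": "serial number",
    "imei": "IMEI", "imeinumber": "IMEI", "device_imei": "IMEI",
    "meid": "MEID",
}
TOKEN = re.compile(r"\{\{\s*([A-Za-z0-9_]+)\s*\}\}")

def hardware_vars(template):
    """Return the sorted identifier kinds referenced by {{...}} tokens in a template."""
    kinds = {HARDWARE_ID_VARS.get(name.lower()) for name in TOKEN.findall(template or "")}
    return sorted(k for k in kinds if k)

def audit(profiles):
    """Flag work profile certificate profiles whose subject or SAN use hardware IDs."""
    findings = []
    for p in profiles:
        # The post scopes the impact to personally-owned work profile devices.
        if p.get("platform") != "androidWorkProfile":  # hypothetical platform label
            continue
        hits = {}
        if hardware_vars(p.get("subject")):
            hits["subject"] = hardware_vars(p.get("subject"))
        for i, san in enumerate(p.get("san", [])):
            if hardware_vars(san.get("value")):
                hits[f"san[{i}] ({san.get('type')})"] = hardware_vars(san.get("value"))
        if hits:
            findings.append({"profile": p["name"], "fields": hits})
    return findings

# Constructed sample export (hypothetical record shape, not a real Intune schema).
SAMPLE_PROFILES = [
    {"name": "BYOD-WiFi-SCEP", "platform": "androidWorkProfile",
     "subject": "CN={{SerialNumber}},O=Example",
     "san": [{"type": "dns", "value": "{{IMEINumber}}.byod.example.com"},
             {"type": "upn", "value": "{{UserPrincipalName}}"}]},
    {"name": "BYOD-VPN-SCEP", "platform": "androidWorkProfile",
     "subject": "CN={{UserName}}", "san": [{"type": "upn", "value": "{{UserPrincipalName}}"}]},
    {"name": "COBO-WiFi-SCEP", "platform": "androidDeviceOwner",
     "subject": "CN={{MEID}}", "san": []},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROFILES):
        print(finding["profile"], finding["fields"])
```
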

Removal of Wi-Fi MAC address on newly-enrolled device administrator and personally-owned work profile devices

Starting in October, Intune will not display a Wi-Fi MAC address for newly enrolled personally-owned work profile devices and devices managed with device administrator running Android 9 and above.

 

Network access control and third-party VPN solutions that rely or fall back on MAC addresses as device identifiers will not be able to retrieve the device MAC address. This may impact the ability of newly enrolled devices to connect to a corporate network. Devices enrolled prior to the October Company Portal release are not impacted.

 

Cause of impact: In October, there will be a Company Portal app update that increases the Company Portal API targeting from level 29 to level 30, as required by Google. When apps target API level 30, Android prevents them from collecting the MAC address used by the device.

 

Reminder about upcoming changes to Android Enterprise fully managed, dedicated, and corporate-owned work profile devices

Google has documented that it is deprecating the Safe boot and Debugging features configuration settings for Android Enterprise device restrictions at the end of October. This affects fully managed, dedicated, and corporate-owned work profile devices. To prepare for this change, we will be adding a new setting, Developer settings, in September's Intune service release (2109). If your organization currently uses one of the deprecated settings, consider making use of Developer settings once it becomes available. For more details, see the message center post MC275160, which you can find either in your tenant status blade in the Microsoft Endpoint Manager admin center, or in the Microsoft 365 admin center. For more on service changes, see Staying up to date on Intune new features, service changes, and service health.

 

User experience changes

Android 12 includes many changes to how apps look and feel, such as changes to scrolling animations and app launch behavior. The Company Portal and Intune app will adopt these visual changes, giving your users a consistent look and feel on the platform. If you’ve got a helpdesk or support team, they may appreciate advance notice of the app UI changes in Android 12.

 

Other ways to prepare for Android 12

  • Update apps: Encourage your users to update to the latest version of the Company Portal, Intune, Edge, and other APP-supported apps. The latest version will provide the best experience with devices running Android 12.

  • Check compatibility for other managed apps: As with previous major Android OS updates, check mobile app compatibility with your app providers to confirm your users' apps work with Android 12. You’ll see a “What’s New for the app” notice in the Google Play app store, in-app details, or updates on an application’s website. Some apps provide Day 0 support, while others update over time.

 

How can you reach us?

Keep us posted on your Android 12 experience through comments on this blog post, through Twitter (@IntuneSuppTeam), and request any new features on UserVoice. We will update this post with any additional information we learn as testing continues, and when Android 12 releases.

 

Post updates:

9/14/21: Updated with a note that Intune will not display Wi-Fi MAC address for newly enrolled personally-owned work profile devices and devices managed with device administrator running Android 9 and above.

11/10/21: Updated to include newly identified impact from the removal of Wi-Fi MAC address.

Updated Dec 19, 2023
Version 13.0
  • sdeluyck

    Hi,

    I can say for sure that the Intune Company Portal works on a personally-owned work profile. The device in my possession is a Samsung Galaxy S21 Ultra 5G device. Where it does not work is a OnePlus 9.

    Best Regards.

    NB: We hope that this will be resolved very soon

  • manuel1985

    Same with OnePlus 9 Pro with Android 2. Intune is not working

  • gege765

    Hello,

    If I am not wrong there is no alternative for the moment (concerning IMEI / SN pre-registration)

    But Google said this in an article:

    https://www.business-standard.com/article/technology/google-android-12-to-enhance-privacy-productivity-for-work-devices-121021900313_1.html

     

    For employee-owned managed devices, we're creating a new enterprise-specific device identifier that may help enhance privacy in the event an employee leaves their current employer.

    "Instead of relying on hardware identifiers such as IMEI or serial numbers, personal devices will get a new identifier derived programmatically during enrollment," Google said.

     

    The workaround (less secure) is maybe to create a specific group for device restriction (but it will be based only on the user, not the couple device ID / user).

     

    Best Regards.

     

  • NandSahu

    Hi Sir/Madam,
    I have an Android phone called "OPPO reno6 5G" on which I had configured the Intune Company Portal app to access my office email. It was working perfectly fine until I upgraded my phone from Android 11 to Android 12 using the software update feature available on the device.

    After the upgrade to Android 12 my Outlook mail started crashing, so I removed the work profile, uninstalled the Intune app, reinstalled it and tried to enroll my office email account, but it fails at update device setting. I even reset my phone but still no luck.

    It seems the app is not getting some required internal permissions. It is not able to validate/check device compliance status as it always says "last checked: January 1,1 12.43 AM"

     

    I dug more and found the below error in the log. Please help me address this problem.

    ERR_ com.microsoft.omadm.client.tasks.TemporaryOMADMClientExecutorTask 18749 01421 Caught exception while updating device policy java.lang.SecurityException: getPackagesForUid: UID 1010274 requires android.permission.INTERACT_ACROSS_USERS_FULL or android.permission.INTERACT_ACROSS_USERS or android.permission.INTERACT_ACROSS_PROFILES to access user .

    ERR_ com.microsoft.omadm.client.tasks.TemporaryOMADMClientExecutorTask 18749 01443 Caught exception while running task request (startId = 1000001, TaskType=CheckComplianceAndEnforce [23]) java.lang.SecurityException: getPackagesForUid: UID 1010274 requires android.permission.INTERACT_ACROSS_USERS_FULL or android.permission.INTERACT_ACROSS_USERS or android.permission.INTERACT_ACROSS_PROFILES to access user .

     

  • Steven_Hodges

    Is there any solution to this? We currently can't register any devices via the company portal now if they are running Android 12. This is going to be a real problem for some of our users.

  • DanielTTT

    Is there any solution to that? Cannot use Intune on new Pixel 6....