Intune Customer Success

New policy implementation and web enrollment for Android personally owned work profile

Intune_Support_Team
Jan 24, 2025

We’re happy to announce two improvements for the management of Android personally owned work profile devices with Microsoft Intune, which will be available in the first quarter of calendar year 2026.

  1. A new implementation for how Intune delivers policies to devices
  2. Web based enrollment 

These updates modernize how Microsoft Intune manages devices and improve the enrollment flow. Action may be required by you as we move to the new implementation. Keep reading to understand what’s changing, the actions to take, and the timelines you need to know.

What’s changing 

New implementation 

We’re finalizing our work on moving the Android personally owned work profile implementation to the latest and greatest available – Google’s Android Management API (AMAPI).  

It has been almost a decade since Intune released support for Android personally owned work profile management. At that time, we accomplished this by building a custom device policy controller (DPC), in the form of the Intune Company Portal app.   

A lot has changed since then. Google released AMAPI and its companion app, Android Device Policy, which enforces AMAPI policy on devices. This is now Google’s recommended implementation, which we used to deliver the three corporate Android Enterprise management methods: corporate owned work profile, fully managed, and dedicated. Google no longer recommends use of custom DPCs and they’re deprecating associated functionality.

The benefits of moving personally owned work profile management to AMAPI include: 

  1. Faster release of new features across all four Android Enterprise management options.
  2. Consistent behaviors across all four Android Enterprise management options.
  3. The Microsoft Intune app will replace the Company Portal app as the user app (to manage devices, contact their IT department, collect logs, and more), providing an updated user experience and aligning it with the corporate Android Enterprise management options.
  4. Enables Intune to support the latest Android platform management capabilities, which are unavailable with custom DPC implementations. 

Web based enrollment  

The move to AMAPI also enables us to build a web-based enrollment flow for personally owned work profile devices, similar to web based device enrollment for iOS. The benefits of this include: 

  1. Users don’t need to manually install an app to start Intune enrollment since they can start enrollment from a webpage instead.
  2. Users can access enrollment from any of the three different entry points which all launch the same webpage:
    1. A URL (new!)
    2. Productivity apps (when admin has configured conditional access so that the user is required to enroll before accessing corporate resources)
    3. The Company Portal app

    This gives you more options for how to guide your users to get set up.
  3. Android enrollment is more consistent with the iOS web-based enrollment flow.

How to configure and monitor

Web based enrollment  

We will release a new setting that will allow you to switch your tenant to the new web-based enrollment for all personally owned work profile enrollments going forward.


We recommend that you configure this in a test tenant first, try out and document the user flow, and prepare your helpdesks accordingly before opting in on your main tenant. Once you opt in, there isn’t an option to opt out.

Later on, we’ll automatically configure all personally owned work profile enrollments across all tenants to be web enrollments.

New implementation 

We’ll release a new configuration policy that allows you to migrate device groups to the new implementation.

As a best practice, we encourage admins to evaluate migrating a smaller device set before migrating all devices.  Before moving devices to the new implementation, you may want to email users or configure custom notifications to inform them of what to expect.   

Later on, Intune will automatically migrate all remaining devices using the custom DPC implementation over to the new AMAPI implementation.

 

Monitoring 

There’ll be a new report that will show how many personally owned work profile devices are in each of the following states:  

  • On AMAPI
  • Not targeted to move to AMAPI
  • Targeted to move and pending completion (since it may roll out over some time)
  • Attempted to move and hit an error (and why)

How this will affect your users 

Web based enrollment 

After you opt in to web based enrollment, or later once it becomes the default, all devices (on all Android OS versions) will enroll with the web based flow. These devices will be managed with AMAPI.

After enrollment, Intune will install a few apps automatically to ensure streamlined management. 

Below is an example of the web based enrollment flow that a user would see if they needed to set a PIN on their device to meet admin requirements.

 

New implementation 

When a device is moved to the new implementation (either through admin configuration or the later automatic move), devices won’t unenroll and users won’t lose access to corporate resources. Moving enrolled devices to the new implementation will be supported on any device running supported Android OS versions for user-based management methods at that time.

The changes on the device will be:

  1. The Microsoft Intune app will install, and it will be the app for users to interact with instead of the Company Portal. Users will not see a notification about this app installing.
  2. The Android Device Policy app will install to enforce policies. Users will not see a notification about this app installing and it will be in a “hidden” state on their device.
  3. If a device is connected to corporate Wi-Fi with username and password authentication, it will lose access to corporate Wi-Fi when it moves to AMAPI, until the user signs in to the corporate Wi-Fi again. To avoid any potential disruption, we encourage you to move to certificate Wi-Fi authentication instead (as mentioned below).

Timeline

We'll update these timelines to provide more specific timeframes in the coming months. 

  • 2025: Use this time to revise any relevant policy configurations, update your internal documentation, and prepare your helpdesk teams, as advised below.
  • First quarter of calendar year 2026:
    • Enrollment: You’ll be able to opt in for all enrollments of personally owned work profile devices to be web based enrollments on AMAPI.  
    • New implementation: You’ll be able to set a configuration policy to migrate groups of previously enrolled devices over to AMAPI.
  • Later on:
    • Enrollment: All enrollments (regardless of past configuration) will be web enrollments for devices running all Android OS versions.
    • New implementation: All devices still on the custom DPC implementation and running supported Android OS versions for user-based management methods at that time will be automatically moved over to AMAPI.

      You will receive advance notice of when these changes will apply to your tenant.

How to prepare 

We recommend you make these changes to prepare for the upcoming release and provide the most streamlined experience for users. 

  1. Replace custom policies: Intune ended support for custom configuration policies for personally owned work profile devices in April 2025. Custom policies are not supported in the new implementation. Replace all custom policies with equivalent policies using this setting mapping.
  2. Certificate authentication for Wi-Fi: If you’re using username and password authentication for Wi-Fi policies, we strongly encourage you to move to certificate authentication instead. Devices that are connected to corporate Wi-Fi with username and password authentication will lose access to corporate Wi-Fi when they are moved to AMAPI until the user signs into the corporate Wi-Fi network again. Devices using certificate authentication for Wi-Fi won’t lose access, and it’s also a more secure authentication method.
  3. Evaluate biometric configuration: Devices on the new implementation won't apply policies that prevent users from using face, fingerprint, iris, or trust agents to unlock their device. However, policies that prevent this at the work profile level are still supported. If you have this configured at the device level, consider blocking at the work profile level to protect work resources in an equivalent way. Note that for users who have turned on the setting to use one lock (unified password for the device and work profiles), biometric settings configured for the work profile will apply to the device instead, since there isn't a separate work profile unlock.
  4. Review enrollment restrictions: In enrollment restrictions (also referred to as device platform restrictions) the “Android Enterprise (work profile)” restriction for personally owned work profile devices has a setting to Allow or Block “Personally owned” devices. This configuration will not apply to devices on AMAPI and the setting will be removed from the Intune admin center when all devices are moved to AMAPI. As communicated in the Intune Android 12 blog, this setting does not work reliably on devices running Android 12 and later. Conceptually, personally owned work profile management is meant for personal devices, so blocking personal devices from enrolling and only allowing corporate devices isn’t recommended. If you currently have the “Personally owned” setting set to Block for personal work profile devices, you should plan an alternate way for blocking these devices. Options include using a corporate management method instead (such as corporate owned work profile) or configuring the personal work profile enrollment restriction to block enrollments for all users except for users in a specified group.
  5. Update Android OS: Intune currently supports Android 10 and later on personally owned work profile devices. We recommend you guide users to update to their device’s latest supported Android version for the best experience.
  6. Helpdesk preparation: Inform your helpdesk teams of these coming changes so they know what to expect. For devices on the new implementation, diagnostic logs will be collected using the Microsoft Intune app (instead of the Company Portal app). Plan to update any user instructions you have after you try out the web based enrollment flow.
  7. iOS web based enrollment: We recommend you consider setting up web based device enrollment for iOS now or when we release Android web based enrollment for a more consistent and improved user experience.

Changes to be aware of 

A few defaults will change as part of the move to the new implementation. 

  1. Required app installation behavior: In the custom DPC implementation, users can uninstall required apps, and then they are reinstalled automatically within a few hours. In the new implementation, users won’t be able to uninstall required apps from their device, which is the same experience as on corporate Android Enterprise devices.
  2. Caller ID and contact search: In the custom DPC implementation, the settings to “Display work contact caller-id in personal profile” and “Search work contacts from personal profile” are two independent settings. In AMAPI, they are controlled with a single setting. If you have blocked either, Intune will automatically block both for devices on the new implementation. Intune will update the policy user interface to have a single setting once all devices are on the new implementation.
  3. Screen timeout: In the custom DPC implementation, you can configure screen timeouts either for the full device or for the work profile under “Maximum minutes of inactivity until work profile locks.” In AMAPI, you can only configure this at the work profile level. Intune will set this to the lesser of the two when devices move to the new implementation. We will remove the device level setting from policies when all devices are on AMAPI.
  4. Password: There will be some minor changes to how some configurations of password requirements apply on some devices. We will update to provide more information and guidance.

Stay tuned to this blog for updates! If you have any questions or feedback on this change, leave a comment on this post or reach out on X @IntuneSuppTeam.

 

Post updates
02/19/25: Updated the Timeline and How this will affect your users + New Implementations sections.
04/08/25: Updated these sections: How to configure and monitor, How this will affect your users, Timeline, How to prepare, and Changes to be aware of.
04/09/25: Updated the Changes to be aware of section to include details about TeamViewer supportability.
08/22/25: Added images and updated all sections with the latest information, including an updated Timeline section and removing the information about the delay to TeamViewer support.

09/09/25: Added a screenshot to clarify Android enrollment restrictions.

Updated Sep 09, 2025
Version 8.0

11 Comments

  • T_Kuisma
    Brass Contributor

    The Blog says under the How to Prepare: 4. Review enrollment restrictions: "If you currently have the “Personally owned” setting set to Block for personal work profile devices, you should plan an alternate way for blocking these devices. Options include using a corporate management method instead (such as corporate owned work profile) or configuring the personal work profile enrollment restriction to block enrollments for all users except for users in a specified group."

    Basically it says that the Personally Owned block will no longer work, and then it gives two options: Either use the Cope profile (which obviously doesn’t prevent Personally Owned enrollment), or create the same Personally Owned block rule that they just said in the text won’t work going forward?

    Could you explain this better?

    • Intune_Support_Team
      Silver Contributor

      Hi T_Kuisma, the setting that will be removed is the Allow/Block toggle under the “Personally owned” heading for “Android Enterprise (work profile)” devices (which only applies to personally owned work profile devices, not to any corporate devices). You will still be able to block all personal work profile enrollments using the Allow/Block toggle under the “Platform” heading for “Android Enterprise (work profile)” devices. We have updated the blog with a screenshot of the setting that will be removed to help clarify. Thanks for the feedback!

  • MaNoCooper
    Copper Contributor

    Will this impact Zero touch? We set it up a long time ago using DPC as per this documentation:
    https://learn.microsoft.com/en-us/intune/intune-service/enrollment/android-dedicated-devices-fully-managed-enroll#step-3-link-zero-touch-account-to-intune
    We currently do not link Intune to Zero touch in the Intune portal. 

  • hw2B440
    Copper Contributor

    Is no one else worried about the lack of information around this change?

    • Intune_Support_Team
      Silver Contributor

      Hi,

      We'd love to help here!

      We were hoping to be as informative as possible about this change, and we'd love to hear your feedback! This can help us to improve this blog and address any missing information. If you can share the info here, via DM, or on X @Intunesuppteam, we can certainly help!

      Thanks!

  • AaronMHall
    Brass Contributor

    So in principle, this sounds really good! But in practice, it's not been a good experience for me on iOS, so I'm hoping it's not as bad of an experience.

    On iOS devices, the enrollment of the device works fine... it downloads the profile, applies my config profiles, and installs required apps just fine. The problem is that it's only partial, because all of the MAM App Protection and App Configuration profiles do not get applied correctly. I also experience issues where the Intune device appears but is linked to an "all zero" Entra device object ID that obviously doesn't exist. I even re-ran the entirety of the current learn.microsoft.com instructions to validate that I had things configured correctly including the SSO sign-in pieces.

    It's possible that my own implementation is a factor here, I don't intend to suggest otherwise, but I'm just pointing out that it's not been working as I would expect. My current configuration is device enrollment with company portal, and it successfully allows for both MAM-only for Edge, Outlook, and Teams (that blocks everything else) on personal devices but also enforces Intune enrollment into MDM for anything beyond those 3 apps, and always requires enrollment for Company owned devices.

    So, bottom line, I hope the Android implementation is better than the current iOS implementation.

    • Intune_Support_Team
      Silver Contributor

      Hi AaronMHall

      Thanks for reaching out, and we'd love to assist you with your current configuration that isn't working as expected. Can you DM us with further info regarding which policies are not applying correctly, and if there are any errors you could share?

      On the point regarding Android, we hope this blog helps you to get ready for the change, and should you encounter any issues or need any assistance, feel free to reach out here, via DM, or on X @Intunesuppteam

      Thanks!

  • DanielConlanMCC
    Copper Contributor

    What about user based web enrollment? Web Enrollment would be good for a consistent solution across iOS and Android when it comes out, but I don't feel comfortable enrolling a device and having the potential to wipe someone's personal phone through Intune.

    • Intune_Support_Team
      Silver Contributor

      Hi Daniel! With the move to web enrollment for Android personally owned work profile devices, users will see an updated and web-based enrollment experience, but the management on the device will continue to be personally owned work profile management. You'll only have access to wipe the work profile, not the full device.