NotMacGyver
Copper Contributor
Dec 12, 2019

Can't add Google accounts to Android work profiles when managed by Intune

Hello all,

Wondering if others have run into this issue and have been able to find a workaround.

An organization I'm working with is using Google Enterprise for mail services instead of Office 365 / Exchange Online, but they want to leverage Microsoft Intune to manage BYOD Android devices.

What we're finding is that, once the device is enrolled in Intune, the ability to add Google accounts to the work profile is blocked.

In the OS's account settings for the work profile, the ability to add Google accounts is grayed out. For apps installed via the managed Play Store, such as Gmail, attempting to add a Google account results in a message that the "action is not allowed" and "this action is disabled".

The result of this is that Android users are unable to access their enterprise mail or other Google Enterprise services from their Android work profiles.

Other accounts, such as Hotmail or Yahoo, can be added without issue. All applicable configuration profiles and compliance settings have been removed from the device+user, and so far we haven't been able to identify any policies or settings that would only be restricting the addition of Google accounts.

My initial thought is maybe Intune inherently blocks the ability to add additional Google accounts because all enrolled Android devices share a common managed Google Play account, but I might be missing something.

Is this a known issue / limitation with Intune and Android work profiles?

Appreciate the assist.

  • OffColour1972
    Brass Contributor

    NotMacGyver

    I've just run into exactly the same problem. We don't fully use Google like you do, but we do have a G-Suite set up so everyone can have a company Google account with authentication from Azure so you get all the benefits of signing into Chrome, SSO on sites that don't support Azure, etc.

    Anyway, the closest setting I can find is "Add and remove accounts" in Device Configuration Profiles/Work Profile settings, but that only has the options of Block and Not Configured.

    If users can't sign into Chrome on Android it makes it all pretty useless.

    • OffColour1972
      Brass Contributor

      NotMacGyver

      I raised a ticket with Microsoft and spoke to an Intune Tech Lead. They're saying it's by design as Google accounts are personal and not for adding to work profiles.

      Expressed a lot of disbelief and they'll get back to me...

  • Hi NotMacGyver, I wanted to confirm that this is by design. Intune blocks the user from manually adding Google accounts to the Work Profile, and unfortunately there is no workaround.

    • OffColour1972
      Brass Contributor

      MatthewButcher Let's try another approach.

      If there's no way of a user MANUALLY adding a G-Suite account, is there any way for the administrator to associate an Azure AD user with the Google account so it's there in the work profile by default?

      We already sync Azure AD to G-Suite and use AAD for authentication for Google so this whole setup is supported (at least in one direction), so not allowing that sync'd Google account to be used from a Work Profile is a little odd to say the least.

    • ITCoffeeAddict
      Copper Contributor

      Has this issue been corrected yet? One of our customers uses Google Enterprise, and I am unable to join their "Meet" conferences without logging in to a Google-recognized account. This prevents me from communicating with my customer and makes the Google Meet application useless under the business profile of Intune.

      • PatStone
        Copper Contributor

        ITCoffeeAddict

        Google Enterprise users are able to send invitations that do not require a Google Account to join.

  • omaderemi
    Brass Contributor

    We ran into a similar problem, and also think that Intune is completely not useful as you've deliberately crippled it to block Google accounts. Kindly review this in the future.

    • Mebin260
      Copper Contributor

      We were also trying to add an account in the Google Meet work profile, but were unable to add it.

      • PaulM2115
        Copper Contributor

        Mebin260 We have got this working now, using Endpoint Manager, App configuration policy, which then allows you to set a rule to override the security policy. Not sure that is the best idea, but it works.

        We have dedicated home screens so that secures the device for us.

        Thanks
