Forum Discussion
Why different broker apps for iOS and Android (not enrolled) when using app protection policies?
Hi Jonas,
yes I can explain why, but I can't explain if it will change in future. Here is the reason for this:
Android has a way to share data between apps which the Intune product uses on the Android platform. Which data actually is shared I don't know, but there are various opportunities for which you can use this. For example to deliver new SDK versions to other apps on the Android platform. The Company Portal is maintained by the Intune product group where the Authenticator app is maintained by the Azure AD product group.
The sharing is officially documented here: https://docs.microsoft.com/en-us/intune/end-user-mam-apps-android
The Company Portal app is a way for Intune to share data in a secure location. Therefore, the Company Portal app is a requirement for all apps that are associated with app protection policies, even if the device is not enrolled in Intune.
For iOS this is not possible because Apple does not allow such a scenario due to his app model and containerization. So, for iOS there is absolutely no reason then to force usage of the Company Portal but the Authenticator as a broker makes totally sense.
So why does not Android switch to Authenticator as well? I think that's because of the different teams, Intune does not own the Authenticator and maybe the publishing of new versions then is not that fast as they would like it to have (that's the way how big companies and product ownership works).
You can use Microsoft Intune UserVoice to make a Design Change Request or support a maybe already existing one here:
https://microsoftintune.uservoice.com/forums/291681-ideas
best,
Oliver
Found this when researching the Required App for Conditional Access. It looks like Android can either use Authenticator or the company portal.
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant#require-approved-client-app
Hi, I also did read the same information, but this information is about an approved app, not require app protection
Take a look at this Microsoft doc, it tells us to use the company portal app
Android app protection policy settings - Microsoft Intune | Microsoft Docs
Of course to be sure...I tested it... I downloaded Onedrive and when I logged in with my username and password it tells me to install the company portal first.
I did the same test but with the authenticator preinstalled. This time I did not ask me to immediately install the Company portal when I logged in.. but after a few seconds the same prompt... So make sure when you are requiring app protection the company portal is installed
If you want to know some more about app protection
Call4Cloud requiring Approved Apps or an App Protection Policy
Rudy_Ooms_MVP After testing this it seems that the Company Portal is also required on Android for use of Outlook when hitting a CA policy with 'approved client app' requirement. Authenticator was not sufficient unfortunately.
- Hi, I guess that's what I was telling? 🙂
"So make sure when you are requiring app protection the company portal is installed"- Yeah Reading the Snippet I posted, they are talking Specifically about Registration. So for an Android Registration of the device can probably be provided by Authenticator or the Company Portal. But delivering App Protection Policies probably requires Company Portal.
However this seems like an internal struggle inside MS, so we will probably never see a resolution.
- Thanks,
Right now we are only using MFA and Required app in CA. When we set up our policy few apps supported the require app protection. So far this is the only Documentation that mentioned using either for the broker. None of the other docs do not mention it.
