Forum Discussion

JonasBack's avatar
JonasBack
Iron Contributor
Feb 08, 2019
Solved

Why different broker apps for iOS and Android (not enrolled) when using app protection policies?

So we're setting up app-based conditional access so that iOS and Android are forced to use the Outlook Mobile app instead of the built-in ones and then applying app protection policies to force PIN e...
Intune
Mobile Application Management (MAM)
  • Oliver Kieselbach's avatar
    Oliver Kieselbach
    Feb 08, 2019

    Hi Jonas,

     

    yes I can explain why, but I can't explain if it will change in future. Here is the reason for this:

     

    Android has a way to share data between apps which the Intune product uses on the Android platform. Which data actually is shared I don't know, but there are various opportunities for which you can use this. For example to deliver new SDK versions to other apps on the Android platform. The Company Portal is maintained by the Intune product group where the Authenticator app is maintained by the Azure AD product group.

     

    The sharing is officially documented here: https://docs.microsoft.com/en-us/intune/end-user-mam-apps-android

    The Company Portal app is a way for Intune to share data in a secure location. Therefore, the Company Portal app is a requirement for all apps that are associated with app protection policies, even if the device is not enrolled in Intune.

    For iOS this is not possible because Apple does not allow such a scenario due to his app model and containerization. So, for iOS there is absolutely no reason then to force usage of the Company Portal but the Authenticator as a broker makes totally sense.

     

    So why does not Android switch to Authenticator as well? I think that's because of the different teams, Intune does not own the Authenticator and maybe the publishing of new versions then is not that fast as they would like it to have (that's the way how big companies and product ownership works).

     

    You can use Microsoft Intune UserVoice to make a Design Change Request or support a maybe already existing one here:

    https://microsoftintune.uservoice.com/forums/291681-ideas

     

    best,

    Oliver

Rudy_Ooms_MVP's avatar
Rudy_Ooms_MVP
MVP
Apr 15, 2021

Hi, I also did read the same information, but this information is about an approved app, not require app protection

 

Take a look at this Microsoft doc, it tells us to use the company portal app

 

Android app protection policy settings - Microsoft Intune | Microsoft Docs

 

 

 

Of course to be sure...I tested it... I downloaded Onedrive and when I logged in with my username and password it tells me to install the company portal first.

I did the same test but with the authenticator preinstalled. This time I did not ask me to immediately install the Company portal when I logged in.. but after a few seconds the same prompt... So make sure when you are requiring app protection the company portal is installed

 

If you want to know some more about app protection

 

Call4Cloud requiring Approved Apps or an App Protection Policy

Hap's avatar
Hap
Brass Contributor
Jul 12, 2021

Rudy_Ooms_MVP After testing this it seems that the Company Portal is also required on Android for use of Outlook when hitting a CA policy with 'approved client app' requirement. Authenticator was not sufficient unfortunately.

  • Rudy_Ooms_MVP's avatar
    Rudy_Ooms_MVP
    MVP
    Jul 12, 2021
    Hi, I guess that's what I was telling? 🙂

    "So make sure when you are requiring app protection the company portal is installed"
    • Coopem16's avatar
      Coopem16
      Brass Contributor
      Jul 12, 2021
      Yeah Reading the Snippet I posted, they are talking Specifically about Registration. So for an Android Registration of the device can probably be provided by Authenticator or the Company Portal. But delivering App Protection Policies probably requires Company Portal.
      However this seems like an internal struggle inside MS, so we will probably never see a resolution.
      • JonasBack's avatar
        JonasBack
        Iron Contributor
        Aug 10, 2022

        It's been another year since this and it seems like many articles at docs.microsoft.com has been changed so that Company Portal is no longer required for App Protection policies. Anyone tried it yet? Back in March 2022 when we tried it the last time, Company Portal was still required.

         

        Here's a list of updates:

        This article was changed on 5th April 2022:
        https://docs.microsoft.com/en-us/mem/intune/protect/app-based-conditional-access-intune

         

        Before it said:
        The user gets redirected to the app store to install a broker app when trying to authenticate for the first time. The broker app can be either the Microsoft Authenticator for iOS, or the Microsoft Company portal for Android devices.

         

        Now it says:
        The user gets redirected to the app store to install a broker app when trying to authenticate for the first time. The broker app can be the Microsoft Authenticator for iOS, or either the Microsoft Authenticator or Microsoft Company portal for Android devices.

        ---
        This article was changed on 7th Jul 2022:
        https://docs.microsoft.com/en-us/intune/end-user-mam-apps-android

         

        Before it says but not anymore:
        The Intune Company Portal is required on the device to receive App Protection Policies for Android devices.

        ---

        This was changed on 7th July 2022:
        https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-android

         

        Before it said:
        The Intune Company Portal is required on the device to receive App Protection Policies for Android devices.

         

        Now it says:
        Either the Intune Company Portal or the Microsoft Authenticator is required on the device to receive App Protection Policies for Android devices.

Resources