Forum Discussion
Why different broker apps for iOS and Android (not enrolled) when using app protection policies?
- Feb 08, 2019
Hi Jonas,
Yes, I can explain why, but I can't explain if it will change in the future. Here is the reason for this:
Android has a way to share data between apps, which the Intune product uses on the Android platform. Which data is actually shared I don't know, but there are various opportunities for which you can use this, for example to deliver new SDK versions to other apps on the Android platform. The Company Portal is maintained by the Intune product group, whereas the Authenticator app is maintained by the Azure AD product group.
The sharing is officially documented here: https://docs.microsoft.com/en-us/intune/end-user-mam-apps-android
The Company Portal app is a way for Intune to share data in a secure location. Therefore, the Company Portal app is a requirement for all apps that are associated with app protection policies, even if the device is not enrolled in Intune.
For iOS this is not possible because Apple does not allow such a scenario due to its app model and containerization. So, for iOS there is absolutely no reason to force usage of the Company Portal, but the Authenticator as a broker makes total sense.
So why doesn't Android switch to Authenticator as well? I think that's because of the different teams: Intune does not own the Authenticator, and maybe the publishing of new versions is then not as fast as they would like it to be (that's how big companies and product ownership work).
You can use Microsoft Intune UserVoice to make a Design Change Request or support one that may already exist here:
https://microsoftintune.uservoice.com/forums/291681-ideas
best,
Oliver
It's been another year since this and it seems like many articles at docs.microsoft.com have been changed so that Company Portal is no longer required for App Protection policies. Has anyone tried it yet? Back in March 2022, when we tried it the last time, Company Portal was still required.
Here's a list of updates:
This article was changed on 5th April 2022:
https://docs.microsoft.com/en-us/mem/intune/protect/app-based-conditional-access-intune
Before it said:
The user gets redirected to the app store to install a broker app when trying to authenticate for the first time. The broker app can be either the Microsoft Authenticator for iOS, or the Microsoft Company portal for Android devices.
Now it says:
The user gets redirected to the app store to install a broker app when trying to authenticate for the first time. The broker app can be the Microsoft Authenticator for iOS, or either the Microsoft Authenticator or Microsoft Company portal for Android devices.
---
This article was changed on 7th Jul 2022:
https://docs.microsoft.com/en-us/intune/end-user-mam-apps-android
Before it said, but not anymore:
The Intune Company Portal is required on the device to receive App Protection Policies for Android devices.
---
This was changed on 7th July 2022:
https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-android
Before it said:
The Intune Company Portal is required on the device to receive App Protection Policies for Android devices.
Now it says:
Either the Intune Company Portal or the Microsoft Authenticator is required on the device to receive App Protection Policies for Android devices.
Oliver Kieselbach, maybe you especially have tested it, since you had great insights into it in 2019?