Forum Discussion
Why different broker apps for iOS and Android (not enrolled) when using app protection policies?
- Feb 08, 2019
Hi Jonas,
yes I can explain why, but I can't explain if it will change in future. Here is the reason for this:
Android has a way to share data between apps, which the Intune product uses on the Android platform. Which data actually is shared I don't know, but there are various opportunities for which you can use this, for example to deliver new SDK versions to other apps on the Android platform. The Company Portal is maintained by the Intune product group, whereas the Authenticator app is maintained by the Azure AD product group.
The sharing is officially documented here: https://docs.microsoft.com/en-us/intune/end-user-mam-apps-android
The Company Portal app is a way for Intune to share data in a secure location. Therefore, the Company Portal app is a requirement for all apps that are associated with app protection policies, even if the device is not enrolled in Intune.
For iOS this is not possible because Apple does not allow such a scenario due to its app model and containerization. So, for iOS there is absolutely no reason to force usage of the Company Portal, but the Authenticator as a broker makes total sense.
So why doesn't Android switch to Authenticator as well? I think that's because of the different teams: Intune does not own the Authenticator, and maybe the publishing of new versions then is not as fast as they would like it to be (that's the way big companies and product ownership work).
You can use Microsoft Intune UserVoice to make a Design Change Request, or support a possibly already existing one, here:
https://microsoftintune.uservoice.com/forums/291681-ideas
best,
Oliver
Although this article states that Authenticator can suffice as broker app on Android: https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-android
In our testing this is not true: if we have APP deployed to Android, then it still prompts the user to install the Intune Company Portal app (which we don't want, since that's kind of the point of MAM instead of MDM).
I'm hoping Microsoft teams can coordinate and clarify when we can get off the requirement for Company Portal to deploy APP on Android?
- ChrisAtMaf, Feb 28, 2023, Iron Contributor
NT-DW, actually, after submitting the above, I think the article is correct. I have found the cause of the confusion:
- The 'Require approved client app' Conditional Access policy requires a broker app to perform device registration - on Android, this can be Microsoft Authenticator, or Microsoft Company Portal.
- The 'Require app protection policy', and the general Intune App Protection Policy feature require app protection functionality, which on Android is only built into the Company Portal app.
In my testing, it seems that the 'Require approved client app' setting by itself can work on an Android device with Microsoft Authenticator installed.
However the 'Require app protection policy' setting, and applying app protection policies in Intune, do require the Company Portal app on Android.
This is slightly confusing, since often the 'Require approved client app' setting (which can use Microsoft Authenticator or Company Portal on Android) is set up along with app protection policies (which can only use Company Portal on Android). But the current text in the article is actually correct, once you realise that a 'broker app' is not the same as 'app protection functionality'.
Perhaps the 'Require app protection policy' section should be worded more clearly:
'The broker app can be Microsoft Authenticator for iOS. On Android the broker app must additionally support app protection functionality, so the only supported broker app for this policy is Microsoft Company Portal for Android devices.'
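The distinction drawn above maps onto two different Conditional Access grant controls. As an added example that is not part of the thread or of any Microsoft documentation, the following Microsoft Graph PowerShell snippet creates both policies in report-only mode, so the broker prompt behaviour described in this thread can be observed in the sign-in logs before anything is enforced. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account has consented to `Policy.ReadWrite.ConditionalAccess`, and that a pilot group exists; the group ID and display names are hypothetical placeholders.

```powershell
# Added example (not from the thread). Creates two report-only Conditional
# Access policies that correspond to the two settings discussed above:
#   'Require approved client app'    -> builtInControls "approvedApplication"
#   'Require app protection policy'  -> builtInControls "compliantApplication"
# Assumes: Microsoft.Graph PowerShell SDK, Policy.ReadWrite.ConditionalAccess
# consent, and an existing pilot group (the ID below is a hypothetical placeholder).

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$pilotGroupId = "00000000-0000-0000-0000-000000000000"   # hypothetical placeholder

# Shared conditions: Office 365 apps, Android and iOS, native client apps only
# (browser sessions are deliberately excluded because no broker is involved there).
$conditions = @{
    users          = @{ includeGroups = @($pilotGroupId) }
    applications   = @{ includeApplications = @("Office365") }
    platforms      = @{ includePlatforms = @("android", "iOS") }
    clientAppTypes = @("mobileAppsAndDesktopClients")
}

# Policy 1: approved client app. On Android, Microsoft Authenticator or
# Company Portal can act as the broker for this control.
$approvedApp = @{
    displayName   = "MAM pilot - require approved client app"   # hypothetical name
    state         = "enabledForReportingButNotEnforced"
    conditions    = $conditions
    grantControls = @{ operator = "OR"; builtInControls = @("approvedApplication") }
}

# Policy 2: app protection policy. As the thread reports, Android users hit
# by this control are prompted for Company Portal, because only it carries
# the app protection functionality on that platform.
$appProtection = @{
    displayName   = "MAM pilot - require app protection policy"  # hypothetical name
    state         = "enabledForReportingButNotEnforced"
    conditions    = $conditions
    grantControls = @{ operator = "OR"; builtInControls = @("compliantApplication") }
}

foreach ($body in @($approvedApp, $appProtection)) {
    $policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    "{0} -> {1}" -f $policy.DisplayName, $policy.Id
}
```

Keep both policies in report-only mode until the sign-in log's report-only results show the expected outcome for a test Android device with only Authenticator installed: the approved-client-app policy should report success, while the app-protection policy should report a failure until Company Portal is present. Switch `state` to `enabled` only after that check, and only after the Intune app protection policy itself has been assigned to the same pilot group.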
- JonasBack, Aug 18, 2022, Iron Contributor
NT-DW thanks for letting us know.
As a matter of fact, we're doing multiple implementations of this now at customers and see the same issue: Intune Company Portal is still required on Android devices to apply App Protection Policies. It's requested by Outlook once the policy is applied to the user.
I'll post feedback on the docs.microsoft.com pages and also see if I can log a support ticket.
- JonasBack, Sep 01, 2022, Iron Contributor
Many hours later we still confirm that Intune Company Portal is still required on Android. Also had a support ticket with Microsoft [Case #:32525687] and they came to the same conclusion. So I will go ahead and post feedback on docs.microsoft.com.
- ChrisAtMaf, Feb 24, 2023, Iron Contributor
Found this today. Have submitted a feedback request for the doco: https://github.com/MicrosoftDocs/azure-docs/issues/105756