Forum Discussion

Aluca12's avatar
Aluca12
Copper Contributor
Mar 22, 2019
Solved

Work profile cannot be created on Galaxy Tab S4

Hi, I'm testing with Intune for several days with a Samsung Galaxy Tab S4 but I can't get my tablet to create a work profile. When I installed the Intune portal app and started registrating my devic...
Intune
mobile device management (mdm)
  • Alexander Vanyurikhin's avatar
    Alexander Vanyurikhin
    Mar 25, 2019

    Aluca12 

    Looks like i missed the point of using fully-managed device. Based on my understanding, you can't have fully managed device and work-profile on the same device.


    https://docs.microsoft.com/en-gb/intune/android-fully-managed-enroll

    When using these preview features, keep the following in mind:

    • Use of the Intune Company Portal app isn't supported on Android Enterprise fully managed devices.
Aluca12's avatar
Aluca12
Copper Contributor
Mar 25, 2019

Hi,

I checked my tenant again but I still can't get it working.

My test user has M365 Business and EMS E5 licenses added, managed Google Play is setup, the intune portal app is approved in Google Play and I configured the device registration restrictions to Android=blocked, Android Work Profile=Allowed but still I get the same errors during enrollment via app:
"Work Profile can not be added. Work profile can not be added to this device. Please contact your Administrator."

and

"Device could not be added. To manage your device, you need to approve all system permissions".

To clarify my procedure, I enroll my tablet with the fully managed QR-Code token and as soon as the intune portal app is installed, I try enrolling it with the work profile where the error messages mentioned appear. 

I enabled the developer options on my device and could find 2 suspicious entries in the log file:

...
com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver:

..
userRestrictions:
no_add_managed_profile
defaultEnabledRestrictionsAlreadySet={no_add_managed_profile}

..

 

It seems that either the user itself has no permissions for creating a work profile or the device was given a false setting.

May I ask which enrollment path you use for your devices Alexander Vanyurikhin ?

Kind Regards

Julian

Alexander Vanyurikhin's avatar
Alexander Vanyurikhin
Iron Contributor
Mar 25, 2019

Aluca12 

Looks like i missed the point of using fully-managed device. Based on my understanding, you can't have fully managed device and work-profile on the same device.


https://docs.microsoft.com/en-gb/intune/android-fully-managed-enroll

When using these preview features, keep the following in mind:

  • Use of the Intune Company Portal app isn't supported on Android Enterprise fully managed devices.
  • Aluca12's avatar
    Aluca12
    Copper Contributor
    Mar 25, 2019

    Ok, after a few tests it seems you are right.

    I was sure I saw a video with a fully-managed and work profile on it and the docu also states that enterprise devices can have added work profiles. I need to test with dedicated devices again as it didn't work there too but that has no priority atm.

    Thanks for all your help ;)
    Have a nice day!

     

    • AndrewDawson's avatar
      AndrewDawson
      Brass Contributor
      Mar 25, 2019
      When Microsoft deployed Work Managed Devices they used the newer Android Management API https://developers.google.com/android/management/

      Last time I checked the API does not support the use of COPE (Corporate Owned Personally Enabled), once Google creates this functionality Microsoft will be able to add support.

      The older DPC model supports COPE, however Microsoft only used it to develop Work Profile.

Resources