Event details
With Microsoft Intune, you can protect cloud-connected endpoints across Windows, Android, macOS, iOS, and Linux. Looking for tips to help you reduce costs and complexity by unifying the way you manage your endpoints? Have questions about mobile application management for unenrolled devices? Need to support a variety of device types for frontline workers? We’re here to help. Post your questions early and often. Our engineering teams will be here to help!
Speakers: Iris Yuning Ye, Charlotte Christenson, & Neil Johnson
Moderator: Susan Taylor
This event is part of Tech Community Live: Intune edition.
86 Comments
- Charlotte_Christenson
Microsoft
The simplest and supported path for non‑GMS (AOSP) devices is the AOSP enrollment profile/token flow in Intune. Use the setup guide for instructions and supported options: Set up Android (AOSP) device management in Intune for corporate-owned userless devices - Microsoft …. At this time, only devices on the supported AOSP devices list are supported: Android Open Source Project Supported Devices - Microsoft Intune | Microsoft Learn.
- czelous
Copper Contributor
Is there an ETA for Intune to support PSSO Simplified Setup during Automated Device Enrollment?
- Pearl-Angeles
Community Manager
Thank you everyone for the great participation in this AMA! Below are questions the panelists covered during the live session, along with associated timestamps:
Question – Is there something on the roadmap to have the same container functionality on Windows devices, that is, the same protection offered for a BYOD Android and iOS, working on a Windows device like Surface for example? – answered at 1:50.
Question – Troubleshooting tips for macOS, how to check if the IntuneMDMAgent is causing high CPU usage for a long time? Where are the lines in the logs telling that? – answered at 2:54.
Question – Is there a way to force macOS to upgrade during or right after the enrollment to the targeted minor version so that the device is updated sooner? – answered at 4:20.
Question – How can we migrate the management of macOS devices from other platforms to Intune? – answered at 5:33.
Question – For publishing internal apps to Android, are there any best practices? – answered at 7:54.
Question – Is there a way for IT to enroll the corporate macOS device and then have the user who will use the device do the Platform SSO registration? – answered at 9:24.
Question – Is it planned to have filters support for DDM policies, especially for update management for macOS? – answered at 14:46.
Question – What kind of controls are available in Intune for OEM specific features, for Android devices? – answered at 17:12.
Question – Is it now possible to block non-managed Apple IDs from logging into a supervised Mac device? Apple had previously announced that they would give us a solution on the MDM front that enables that. – answered at 18:28.
- Keep sharing and upvoting ideas at aka.ms/IntuneFeedback
Question – What’s the best way for an org to support platform SSO for a Mac using Secure Enclave keys in a multi-user environment and can we still offer software on demand (company portal I read isn’t supported for multi-user). – answered at 20:35.
Question – Is there any way to sequence app installs for the MacOS? And / or, is there a way or roadmap for a script that is running on the Mac to call back to Intune to request an app be installed? This would be preferable to having to utilize Azure blob storage. – answered at 24:32.
- To join the LinkedIn community for Mac, go to aka.ms/MacAdmins
- Visit the blog about Mac migrations at aka.ms/Intune/AppleMigrationOS26
Question – One major challenge of managing iOS devices in Intune is that using the company portal works fine, but handling both corporate and BYOD devices, especially with SSO, can be particularly tricky. Do you have any tips? – answered at 31:29.
Question – Is it planned to have a way to set and forget minor update for MacOS devices? Right now, we can only set a specific date, which means that we have to monitor those releases and then set/update our current policies with a new date. – answered at 37:02.
Question – Can you share tips on building effective Android device restriction policies in Intune? Not just how, but what types are good to set? – answered at 38:58.
- To see the settings we support, go to aka.ms/SettingsCatalogAndroid
Question – Using MAM-WE (without enrollment) with App Protection policies, is there a way to require Microsoft Defender to be not just installed but also have "Check for harmful links" enabled? – answered at 41:32.
Question – Will device name template for macOS at some point be available outside supervised? – answered at 42:45.
Question – Are there any plans to incorporate "sideloading" of Android apps particularly for Android Enterprise dedicated enrolled devices? There are a number of companies in the manufacturing and warehouse management space where leveraging a managed Google Play store methodology is either not available or flexible enough to support a controlled deployment strategy. – answered at 44:36.
- czelous
Copper Contributor
Is managing/escrowing the macOS Recovery Partition password on the roadmap?
- kumarkkrishna7
Copper Contributor
Also, a tool like Jamf Compliance Editor to provide predefined configuration profiles to implement CIS benchmarks.
- irisyn-ye
Microsoft
We fully recognize your need for macOS compliance, and we have a custom compliance feature in planning that we can share more details on soon.
- kumarkkrishna7
Copper Contributor
Is there a way to block users from installing major macOS upgrades? It takes time to implement the CIS benchmark and get it approved by the security team.
- irisyn-ye
Microsoft
This can be achieved via Software Update Settings > Deferrals > Major Period In Days, and by not targeting the device with an update enforcement, because it will override the deferral.
- Vibbo
Brass Contributor
Using MAM-WE with App Protection policies, is there a way to require Microsoft Defender to be not just installed but also have "Check for harmful links" enabled?
- Pearl-Angeles
Community Manager
This question was discussed at 41:32 during the live session.
- irisyn-ye
Microsoft
MDE is not a MAM-enabled app yet so app protection policies to the Defender app. Is there a specific scenario for this ask?
- Marichamy89
Occasional Reader
How do prevent app installations from the Microsoft Store and web stores using a configuration policy, without blocking access to the App Store URL?
- irisyn-ye
Microsoft
Will you be able to provide more details on the user scenario? And is there any workaround you're using right now?
- Nalms87
Copper Contributor
Will device name template for macOS at some point be available outside supervised?
- Pearl-Angeles
Community Manager
This question was addressed at 42:45 during the live AMA. Thanks!
- irisyn-ye
Microsoft
Unfortunately, that is only available for ADE devices because those are the only ones supported through Apple sync.
For non-supervised devices, custom scripts are the only supported renaming method.
- jman315
Copper Contributor
Are there any plans to incorporate "sideloading" of Android apps, particularly for Android Enterprise dedicated enrolled devices? There are a number of companies in the manufacturing and warehouse management space where leveraging a managed Google Play store methodology is either not available or flexible enough to support a controlled deployment strategy.
- Pearl-Angeles
Community Manager
Thanks for your question. The panelists covered this topic at around 44:36 of the live AMA.