By Priya Ravichandran | Intune Sr. PM

Preview 2 for Android Enterprise fully managed devices is here! Today we’re providing an update to our preview capabilities which were announced in January 2019 for the Android fully managed device solution. For context, Google used to refer to the fully managed device scenario as Corporate Owned Business Only (COBO), and it is one of the “Device Owner” (DO) management scenarios in the Android Enterprise solution set.

Before we share the latest updates, we wanted to thank you for all the usage and feedback during our initial preview. We’ve incorporated feedback from Preview 1. It’s been great to work with you and we look forward to hearing more.

What’s New in Preview 2

For this update, we focused on compliance and end user experiences. Here are the key new capabilities added into Preview 2:

  • Updated onboarding flow for key required policies
  • Added Device Owner compliance policies
  • Built conditional access workflows
  • Added device group targeting
  • Released a new end user app called ‘Microsoft Intune’ into the Play store as the app to be used on fully managed devices
  • Enabled support for access to the full Play store
  • Introduced Knox Mobile Enrollment (continue reading this post for a few limitations in preview for this feature)

These capabilities will add on to what we released in January:

  • Device enrollment using NFC, token entry, QR code and Zero Touch
  • Device configuration for user groups
  • App distribution and configuration for user groups

While we’re almost there, you’ll notice there are a few workflows not yet supported in this preview. These scenarios will be supported upon general availability, including:
  • App protection policies
  • Remote access policies with certificate support (e.g. Wi-Fi, VPN, Email)
  • Certificate management
  • Support for managing or enabling system apps

Updated Onboarding Scenarios
During onboarding, Intune will now enforce key policies to ensure the device is compliant before allowing the user to access the device. This includes enforcing password policies and installing some key apps to ensure the user is compliant with organizational requirements before they can continue to use the device to access corporate resources.

Figure 1: User is required to set a PIN per policy before proceeding

For more information on what to expect during onboarding, refer to onboarding fully managed devices.

Introducing the New Microsoft Intune App
As we mentioned earlier in this post, we are introducing a new end user app for Android fully managed devices. This new, modern and lightweight app, simply called ‘Microsoft Intune’, will now enable the experiences end users know and love in the Company Portal app for fully managed devices, including managing compliance for their device. This new app is only for the fully managed scenario; in all other Android management scenarios, Company Portal continues to be the end user app.

Figure 2: New Microsoft Intune app

For use of the Microsoft Intune app, you need to set it as required (or available) for end users to get it onto their device and sign in. This component is rolling out and should be available to all by Wednesday, April 24th. If you have not gotten the update yet, you will see a blocking screen when you launch the Intune app. We are also working towards enabling automatic deployment of the Microsoft Intune app to all fully managed devices.

You can find the Microsoft Intune app listing in Google Play here.

Support for Compliance Policies and Conditional Access
Intune will now support the ability to create compliance policies on fully managed devices. Fully managed devices expose a smaller set of compliance settings than the other Android management scenarios, and the compliance policy reflects that smaller list. At the same time, there is a greater degree of control and ability to lock down the device configuration, since the scenario is intended for corporate owned devices.

Figure 3: Create Policies

In addition to compliance, this update provides conditional access support for fully managed devices. Users can now register their device in Azure Active Directory via the Microsoft Intune app and then view and resolve compliance issues in order to access corporate resources.

Enabling Access to the Consumer Play Store
Intune will now allow you to enable access to the full consumer store on the fully managed device. Many organizations recognize the need to allow end users to personalize the device assigned to them – including access to their favorite consumer apps.

Figure 4: Device Configuration setting to allow access to all apps in the Google Play store

Users will have the ability to add their personal accounts to the device, if permitted by configuration. This way your end users can customize their device to support personal use as well as corporate use.

Figure 5: Personalized fully managed device with a user’s corporate and personal account

Known Issues
We’re still working on a few items. 
  • When using KME to set up Samsung Knox devices:
    • The username and password cannot be passed to the fully managed device from the KME portal. This will need to be manually entered.
    • The enrollment status of the device will not get updated in the KME portal.
  • In the Microsoft Intune app:
    • When trying to complete Azure Active Directory registration, you may see an error displayed. If this continues to occur, try again after some time.
    • When launching the app, you may see a screen that says, “Hang tight, we’re working to load your organization’s info.” You can check back in after some time to see if it has been resolved.
    • You may see that your “Device settings status” is “Noncompliant” with no way to resolve. In the Azure Portal, you will see that the device is not compliant with the “Has a compliance policy assigned” policy, even though a compliance policy is set. Factory resetting your device and enrolling again may resolve it.
 
Customer Support for This Preview
We outlined above that not all features are yet available for use with the Intune Android fully managed scenario. The preview features are fully supported through our usual Intune support channels and are clearly labeled with “(preview)” in the Intune console.
 
How Can You Reach Us?
As you use Preview 2 and test out the Android fully managed preview scenarios, we would appreciate your feedback on IT admins’ enrollment profile configuration and end users’ device enrollment experiences. Keep us posted on your Android experience through comments on this blog post, through Twitter (#IntuneSuppTeam), and request any new features on UserVoice.

Documentation
 
Post Updated: 
  •  4/19/19 with updated screen shots
  •  4/22/19 extended the app availability date, added in a few known issues
82 Comments
Occasional Visitor

thanks.

Isfahan

Regular Contributor

Great updates going to test this weekend!
Unfortunately the new Intune app shows me a message that my account is set up to use the Company Portal app, and also the Company Portal shows a message that I cannot use it :)

@Peter Klapwijk give it the weekend to let the service catch up to the app...

New Contributor

For Preview 1 we force installed Company Portal and Outlook, so that Outlook would be protected by Intune APP policies... worked a treat.

I think Company Portal is required for Intune APP policies on Android... can you let me know if we should now stop pushing Company Portal and instead push Microsoft Intune? i.e. does it have the same logic in it for APP policies to continue to work?

I will try to do some testing, but sometimes it's quicker to ask. :)

Regular Visitor

Good to see the advances being made in the Android Full Management.

 

I've just tried to sign in to the Intune App on my three test devices and all of them fail. They come up with the message 'Action not allowed', and it appears to be a Device Configuration policy that is restricting this, as it comes up with the 'Device Policy' icon. So I get a green tick on 'Update your device settings' but a warning on 'Register your device'.

 

Am I doing something wrong or is this by design and the device needs resetting in order to work?

New Contributor

Hi... This is a great step forward, the updated onboarding is excellent, thanks.

However, it could do with a bit of fine tuning...

I require a PIN and encryption.

The process helps me set a screen lock PIN, then helps me turn on secure start-up (with a greyed out screen lock required stage below it).

I turn on secure start-up, which takes *forever*... I assume in the background it's downloading and installing work apps, but you wouldn't know that.

It actually takes so long (20mins plus) that I'm fairly sure it's just not actually doing anything... it doesn't move on until I start randomly tapping the screen... clicking the three dots top right, Help & feedback, then close that, and bingo it's magically complete, so a refresh problem.

Once it does move on, it then makes you set a screen lock PIN, which is already done, so that step is superfluous.

Hopefully that could be looked at, it'll be hard work talking users through how to move the encryption on.

I have also set it to require Intune app, but by the time the desktop appears it has been "deleted by your admin", and company portal has been installed. I realise this might be fixed by the 24th as per the blog post, so fingers crossed, but it feels unrelated.

BTW, I'm using KME.

New Contributor

@AndyH16 You've got further than me, when I launch the app it just tells me my account is set to use company portal and to open that... :-(

 

Hey MS, I'm stuck with "Looks like your account is set up to use the Company Portal app instead. Feel free to uninstall the Intune app." - What do I do? I don't think I have configured my account to specifically use the Company Portal app, how do you even do that?!

New Contributor

@Peter Klapwijk I see you have the same issue I just mentioned... did giving it the weekend help? It's now Tuesday after all...

Regular Visitor

@Steve Prentice I'm not sure if this is down to how I've split out our devices within Intune. I have dynamic groups which group together 'Personal Work Profile', 'Corporate Work Profile' and 'Fully Managed' devices. This means items such as Company Portal are never pushed out to our Fully Managed devices (nor are App Protection Policies, which couldn't function without Company Portal) and they use separate Device Configurations.

 

The Intune app appears to have automatically deployed to our devices, despite not being assigned in the Apps section. Though users have said they're unable to log in. I have separately created another group with some of my test devices and assigned the Intune App to them (despite it already being deployed) and these test devices I'm able to log into the app, just not complete the registration. This may be coincidence, I can't guarantee that's how I got that far!

Senior Member

@Intune Support Team Great additions. When can we expect to be able to configure enrolment profiles for 'Corporate-owned, fully managed user devices (Preview)' as we can today with Corporate-owned dedicated devices?

 

We use this to populate dynamic device groups.

 

Thanks,

Dan

Senior Member

This is a great update. In one of two tenants that I have access to, Microsoft Intune is being forced down, which is great. It's letting us sign in but not register the device. I guess we just have to wait a bit longer and try again. I suspect it will likely be Thursday before we can get the device to register.

In the other Tenant, the switch over from Company Portal to Microsoft Intune is yet to happen, that's OK though, will just have to wait a bit longer.

 

Much like @Steve Prentice I'm making use of KME and tried with and without system apps which is working fine for us. Keeping the system apps enabled for the time being and hoping that we can "hide" or "disable" certain apps at a later date. Did test to see if usernames are passed through, but this is stated on this page as a known issue.

 

The devices are forced to follow the device compliance policies now during enrolment, which is great, and as a result we are having to set an alphanumeric password. I did have encryption enabled at first, but the device seemed to "hang forever", so I have turned it off for the time being and will test later on this week again.

The required apps are installed after this and I need to double check but it looks like it's forcing the install of Microsoft Authenticator even though I haven't set this as required yet, will double check this again though.

 

I've started to look at the Samsung OEMConfig options but, I'm going to need more time to digest this.

 

Great update so far!

Regular Contributor

@Steve Prentice Tried it on Monday for the last time, still wasn't able to sign in.
I will give it a try later today.

New Contributor

Ok, so overnight "something" happened and now the Intune app stops booting me over to the Company Portal app.
I get an exclamation mark next to "register your device" as expected and can click continue.
When clicking Continue I get a "Please sign in" box saying my previous session has timed out. When I press "Sign In", it says signing in and then I get an "Intune has stopped" window which only lets me close the app.
It doesn't let me remove the app (to reinstall) and rebooting the phone doesn’t help.
So, I'm stuck and can't go any further.
Also, the Company Portal app is installed, although I'm not within the groups it's targeted at in Intune, so it shouldn't be installed.
Preview 1 didn't seem too buggy to me but Preview 2 so far isn't going quite so well. :-(

Regular Visitor

@AndrewH5 I'm getting Microsoft Authenticator as a forced install during the setup too; we make it available in the Play Store but not required for any devices. Now that Intune has been added, these both force install before setup continues. Intune installs fairly quickly but Authenticator takes an age - I'm wondering if that sounds similar to your encryption issue - not sure where you're seeing the hang occur. Although we have encryption enabled in the compliance policy, this policy didn't exist until yesterday when I created it.

New Contributor

@AndyH16 Same here, encryption didn't exist until created yesterday. But after testing quite a lot, the experience is so bad (similar to @AndrewH5) that I've had to turn it back off. Authenticator here too, although it is a forced install to be fair, but sounds like I'd get it even if it wasn't.

Regular Visitor

@AndyH16 Have you managed to get past the "Register your device" device policy error - we're seeing that here too. I'm not seeing any of the Encryption or Pin setup during enrollment as reported by @AndrewH5 

Regular Visitor

@asdgwhfghvbn No, still failing with the same error message. I've not seen the encryption mentioned at setup but we do get the PIN requirement - have you set up an Android Device Owner Device Configuration policy with it specified?

I've also not seen any setup speed improvement with switching off the requirement for encryption, the only point it sticks at for a long time is the Microsoft Authenticator install and I'm guessing the encryption step should be done before that.

Regular Visitor

@AndyH16 We've just managed to get past the Device Policy error message. We had a device configuration policy assigned to the device, and upon its removal we were able to register in the Intune app. We'll carry on working out what policy setting is causing this.

 

Matt

Regular Visitor

@asdgwhfghvbn Funnily enough I wondered if that was the issue for us. I did exclude my test devices from our main policy but configured another policy with settings I thought would have no bearing on it (disable USB storage, etc.) - I switched off the settings to prevent accounts from being Added/Edited/Deleted but that made no difference. Maybe it's just having a Device Configuration policy that causes it.

Regular Visitor

Actually, it turns out it was the User Account options being 'Blocked'. (I had forgotten to exclude my user account from the policy.) Creating a copy of the existing policy, I took out the user settings and sure enough I now have a green tick. But we want to make use of the user account blocking to stop users from adding personal accounts. Not sure how we get around this one...

New Contributor

Nice find AndyH16. For me I'm stuck launching the Intune app with a "Hang tight" message saying check back in a few minutes... it's been like it for 7 hours through resets and all sorts. :-/ (it took factory resetting the phone to get around the previous app crashes I was getting)

Regular Visitor

@AndyH16 Similarly we've just established that it's the Users and Accounts -> Account Changes (set to Block) that is causing the inability to register.

I can confirm that if it's changed post registering it works fine - think this is down to MS to fix though.


Matt

Regular Visitor

@Steve Prentice We saw a similar Hang Tight message once which was only resolved with a wipe and re-enrol.

Regular Contributor

I did a new enrollment today and, like at the weekend, the enrollment was without issues; encryption works fine, I'm asked to set a passcode and the apps are installed.
The Microsoft Intune app is installed by default, without assigning the app from Intune, so that now works as described in this article. And I'm now able to sign in to the Intune app and register my device in the app.
I must say I'm using a lab environment just for testing and writing articles for my blog, so no production environment.
My policy and apps are still assigned to a user group, as I started testing during preview 1 and during that preview device group targeting was unsupported.
But because I was now able to sign in to the Intune app, I wanted to see if my device was compliant and created a new security group (to assign the compliance policy to) and manually added the test device to it. After a sync from the Device Policy app, all required apps are removed in a split second! I waited a few minutes, did a restart, nothing was re-installed. After removing the device from the security group and a new sync and restart, all apps are installed. Device group targeting seems to cause issues, but I need to test this some more.

 

Regular Contributor

After waiting some longer the required apps are installed again on my device, both user and device targeted apps.
The only features that still fail are the App configuration policy and the compliance policy.

Regular Visitor

@Peter Klapwijk I'm using dynamic device groups to target Android Enterprise corporate enrolled devices. Using this one dynamic group I successfully apply Compliance policies, Device Configuration Policies, Apps and App configurations.

 

Regarding compliance I can see devices accurately report compliance, and prompt users for resolutions both at enrollment time and using the Intune App - that said there is an issue having require encryption set on the devices I've tested, it requires that you set a startup pin but the setup phase of enrollment doesn't ever proceed and I've needed to manually reboot the device.

 

Device configuration policies apply and obviously are working as we've seen the results of them in the issues discussed above.

 

Apps and App configurations (admittedly I've only tested the Outlook app) have always been working for me even in the previous release - are you sure that you've got a "managed devices" configuration policy and not a "managed apps" policy?

 

Matt

New Contributor

For me... after waiting 24 hours for the Intune App's "hang tight", I did what @asdgwhfghvbn suggested and reset and started again.

 

This time it gets as far as the Sign in button which works... but I'm back to what I described above, as soon as I click Continue it says my session has expired and then the app crashes and I can't get any further.

 

Are you guys who've used it successfully using just AAD, or are you federated with ADFS? It seems to be crashing somewhere along the line as it's trying to talk to our ADFS.

 

@Intune Support Team @PriyaR455 is this a known issue?

Regular Contributor

@asdgwhfghvbn 

 

The manual security group was just for a quick test, I already switched to a dynamic group. But still compliance policy shows Not evaluated.
And the App configuration policy (which is a managed device configuration) shows pending.

Regular Contributor

@Steve Prentice just AAD in my lab

New Contributor

@Peter Klapwijk Thanks for confirming. :)

 

Also... the "pending" for app config policies... I seem to remember that from Preview 1 that that's actually a GUI bug in the console... I'm using them for Outlook and they definitely are applying, even though it still says Pending. Might be worth just checking and not relying on what it says.

Regular Contributor

@Steve Prentice yes, I just saw the app configuration policy is indeed applied, but it still shows pending in the portal.
Only thing I`m now wondering, is the policy now applied because I installed the Company portal app recently....

Compliance policy still shows Not evaluated.

 

Time to perform a wipe and test everything again :)

New Contributor

@Peter Klapwijk Does your lab have MFA at all? - I've just tried with a cloud only account (so no ADFS) and the Intune App still crashes for me, the only thing is it has Conditional Access policy applying MFA, so maybe that's what's doing it...

Regular Contributor

@Steve Prentice not for this test user. But I will reset again and try it with an MFA enabled user.

Regular Contributor

@Steve Prentice I enabled MFA for a test user, re-enrolled the device, everything works as before. I can sign in to the Intune app without issues and register the device.

New Contributor

@Peter Klapwijk Thanks for checking, really appreciate it! I re-enrolled my original user, and gave it a 5 min bypass from needing MFA, but it still crashed. Looking in AAD sign in logs there's no evidence of a rule needing MFA both for my ADFS user (on prem MFA) and my cloud user (AzureMFA)... so I'm a bit stumped. I might log a job to see if they can double check if a rule is being triggered which isn't showing in the GUI (not the first time that that's happened for me).

New Contributor

Hi all / @Peter Klapwijk ... Finally got the Intune app working... in my tenant, under AAD, Devices, Device settings, I had "Require Multi-Factor Auth to join devices". As soon as I turned that off it all worked as expected and my device was able to register. Happy days. I'll turn the setting back on for now, but at least it shows where there's a bug in the app. Hopefully someone in the product team is quietly watching...

New Contributor

"workflows not yet supported in this preview - App protection policies"

 

As discussed above, not entirely sure what that means, APP policies seem to work ok (even if the status says it's Pending).

 

That said, something such as Outlook requires Company Portal to be installed for APP policies to work... and sadly the Intune App isn't enough for Outlook to work, it still requires Company Portal as well... hopefully that's what the "not yet supported" statement means, it'd be great not to have to install Company Portal any more. :-)

Microsoft

Hi,

 

Thanks for all the feedback and validation on the Fully Managed Preview 2 release. We are actively reviewing your feedback and will provide updates to outstanding issues as they are available. Some initial updates:
1. The Microsoft Authenticator app will be installed as a required app, along with the Microsoft Intune app, onto all fully managed devices during onboarding. Having these apps automatically installed will provide conditional access support, and Microsoft Intune app users can see and resolve compliance issues.

2. Regarding Intune App Protection Policies (APP) on Fully Managed devices, the new Microsoft Intune app does not have the APP logic built into it and we are working through our APP support on the Fully Managed devices. This is why this scenario is called out as a known gap in the preview 2.

 

Thanks again for the tremendous response to the Preview. Please keep your feedback coming.

 

Regards,

Priya 

New Contributor

I keep on getting "Looks like your account is set up to use the Company Portal app instead. Feel free to uninstall the Intune App" whenever I launch the Intune App.

This is on a "fresh" device, just did a factory reset (Samsung Xcover 4). Any ideas?

New Contributor

@Filip Dhaenens A couple of us have had that... leave it over night, it should sort itself out (hopefully).

New Contributor

Interesting one that I think I noticed.

Test device… two compliance policies, one mine, one Built-in.

User has a (custom) Helpdesk Intune role…. Our compliance policy was marked as compliant, the built-in one wasn’t, and when looking within the built-in policy the “Has a compliance policy assigned” was not compliant.

Once the user was removed from the group that gave him the Intune RBAC control, the device then became compliant again.

I have a feeling that this is a known issue that I came across when I moved from SCCM hybrid, but can’t quite remember the specifics, still weird though, wasn’t expecting it.

Senior Member

Bit of an odd one, does anyone else's Android Device Policy App Icon not show after you've enrolled a device. I've got this for my account on a few different devices. I've still been able to launch it by opening the play store finding it under installed apps and opening it there, but it used to show in the app folder, just a bit strange.

Regular Contributor

@AndrewH5 Yes, on my first enrolled devices the app was shown, but on the latest device I enrolled earlier this week I have the behavior you describe.

Microsoft
Hi,
 
The change to the Android Device Policy App icon not showing is a result of a change made by Google on the platform. In addition to the play store approach called out by @AndrewH5  above, the other way to access this is via Settings > Google > Device Policy.
 
Note this does not prevent the Device Policy app from functioning on the device to apply policy sent out by Intune.
 
Regards,
Priya 
Regular Visitor

@PriyaR455 This is yet to happen for us, even after resetting the phone.

 

However, the Device Policy is no longer refreshing - I've experienced this previously, early Preview 1. Any changes I make to the Device Configuration policy do not take effect, the only way to apply the changes it is to reset the phone - we seem to be going backwards on some elements!

 

Also, are the team looking into the issue of not being able to sign into the Intune App if we have the user account (Add/Edit/Remove) settings blocked? Adding Office 365 accounts still works ok for Word, Outlook, etc without having to switch these settings off.

Regular Visitor

Is there any work around to the Outlook app responding with "the intune company portal is required for the account"?

 

Frustratingly, Intune applies the App Configuration policy to it perfectly and then I get that error!

Frequent Visitor

I tested devices with different scenarios; these are my results:

 

With groups (Dynamic Device Rules (device.deviceOSType -eq "AndroidEnterprise")) I ran into the following issues with the Samsung Galaxy Tab 5se:

 

  • The compliance policy won't apply on the device, and the device configuration won't apply either (this applies to Dedicated as well as User owned).
  • When I remove the group from the compliance policy, the configuration policy will apply (this applies to Dedicated as well as User owned).
  • The portal keeps showing that the compliance policy is not evaluated, even after a couple of factory resets.
  • When I enroll the device, it won't show the setup to get compliant (see figure 1).

New Contributor

Great Steps Forward!

With Compliance capabilities, I can now push forward with multiple projects. 

The only issue I have encountered so far, is that existing devices have to be rebuilt to take on any policy changes; group. It does not appear to be dynamic. This could prove to be an issue going forward when amendments are made.