
By Priya Ravichandran | Intune Sr. PM


Preview 2 for Android Enterprise fully managed devices is here! Today we’re providing an update to our preview capabilities which were announced in January 2019 for the Android fully managed device solution. For context, Google used to refer to the fully managed device scenario as Corporate Owned Business Only (COBO), and it is one of the “Device Owner” (DO) management scenarios in the Android Enterprise solution set.


Before we share the latest updates, we wanted to thank you for all the usage and feedback during our initial preview. We’ve incorporated feedback from Preview 1. It’s been great to work with you and we look forward to hearing more.


What’s New in Preview 2

For this update, we focused on compliance and end user experiences. Here are the key new capabilities added into Preview 2:

  • Updated onboarding flow for key required policies
  • Added Device Owner compliance policies
  • Built conditional access workflows
  • Added device group targeting
  • Released a new end user app called ‘Microsoft Intune’ into the Play store as the app to be used on fully managed devices
  • Enabled support for access to the full Play store
  • Introduced Knox Mobile Enrollment (continue reading this post for a few limitations in preview for this feature)


These capabilities will add on to what we released in January:

  • Device enrollment using NFC, token entry, QR code and Zero Touch
  • Device configuration for user groups
  • App distribution and configuration for user groups

While we’re almost there, you’ll notice there are a few workflows not yet supported in this preview. These scenarios will be supported upon general availability, including:

  • App protection policies
  • Remote access policies with certificate support (i.e. Wi-Fi, VPN, Email)
  • Certificate management
  • Support for managing or enabling system apps
Updated Onboarding Scenarios

During onboarding, Intune will now enforce key policies to ensure the device is compliant before allowing the user to access the device. This includes enforcing password policies and installing some key apps to ensure the user is compliant with organizational requirements before they can continue to use the device to access corporate resources.

Figure 1: User is required to set a PIN per policy before proceeding

For more information on what to expect during onboarding, refer to onboarding fully managed devices.
Introducing the New Microsoft Intune App

As we mentioned earlier in this post, we are introducing a new end user app for Android fully managed devices. This new modern and light-weight app, simply called ‘Microsoft Intune’, will now enable the experiences end users know and love in the Company Portal app for fully managed devices, including managing compliance for their device. This new app is only for the fully managed scenario; in all other Android management scenarios, Company Portal continues to be the end user app.

Figure 2: New Microsoft Intune app

For use of the Microsoft Intune app, you need to set it as required (or available) for end users to get it onto their device and sign in. This component is rolling out and should be available to all by Wednesday, April 24th. If you have not gotten the update yet, you will see a blocking screen when you launch the Intune app. We are also working towards enabling automatic deployment of the Microsoft Intune app to all fully managed devices.

You can find the Microsoft Intune app listing in Google Play here.
Support for Compliance Policies and Conditional Access

Intune will now support the ability to create compliance policies on fully managed devices. The compliance settings available on a fully managed device are a smaller set, reflecting the smaller list of compliance settings offered for this scenario; because the scenario is intended for corporate owned devices, there is a greater degree of control and ability to lock down the device configuration itself.

Figure 3: Create Policies

In addition to compliance, this update provides conditional access support for fully managed devices. Users can now register their device in Azure Active Directory via the Microsoft Intune app and then view and resolve compliance issues in order to access corporate resources.

Enabling Access to the Consumer Play Store

Intune will now allow you to enable access to the full consumer store on the fully managed device. Many organizations recognize the need to allow end users to personalize the device assigned to them – including access to their favorite consumer apps.

Figure 4: Device Configuration setting to allow access to all apps in the Google Play store

Users will have the ability to add their personal accounts to the device, if permitted by configuration. This way your end users can customize their device to support personal use as well as corporate use.

Figure 5: Personalized fully managed device with a user’s corporate and personal account

Known Issues

We’re still working on a few items.
  • When using KME to set up Samsung Knox devices:
    • The username and password cannot be passed to the fully managed device from the KME portal. This will need to be manually entered.
    • The enrollment status of the device will not get updated in the KME portal.
  • In the Microsoft Intune app:
    • When trying to complete Azure Active Directory registration, you may see an error displayed. If this continues to occur, try again after some time.
    • When launching the app, you may see a screen that says, “Hang tight, we’re working to load your organization’s info.” You can check back in after some time to see if it has been resolved.
    • You may see that your “Device settings status” is “Noncompliant” with no way to resolve. In the Azure Portal, you will see that the device is not compliant with the “Has a compliance policy assigned” policy, even though a compliance policy is set. Factory resetting your device and enrolling again may resolve it.
Customer Support for This Preview

We outlined above that not all features are yet available for use with the Intune Android fully managed scenario. The preview features are fully supported through our usual Intune support channels and are clearly labeled with “(preview)” in the Intune console.

How Can You Reach Us?

As you use Preview 2 and test out the Android fully managed preview scenarios, we would appreciate your feedback on IT admins’ enrollment profile configuration and end users’ device enrollment experiences. Keep us posted on your Android experience through comments on this blog post, through Twitter (#IntuneSuppTeam), and request any new features on UserVoice.

Documentation

Post Updated:
  • 4/19/19 with updated screen shots
  • 4/22/19 extended the app availability date, added in a few known issues
134 Comments
Regular Visitor

Yes, I want to keep this option set too, to prevent users from adding non-work accounts. Though, I have found that one user was able to add a personal account via the OneDrive app and then, because the block was configured, I couldn't remove the account from the phone! Had to temporarily switch the options off to get rid of it!

New Contributor

@AndyH16,

The blocking of users being able to add accounts has only worked well for me on Kiosk devices. I dare say that if KME is used and you also enter the user accounts in there, would that override the users adding accounts, as it is put in place by the System Account? I have not tried this on Fully Managed devices yet. Will try later.

Frequent Visitor

Hey guys, apologies for the delay in replying, currently on annual leave…

@WietseD I would personally wait until GA, as I believe a number of things are currently being addressed; rumours have it that this will be end of June.

@ictouk I agree, I have seen issues with Compliance so will not be planning on making this a production device until further functionality issues are resolved. In particular I can see a mismatch in the Work Profile and Device Owner profiles, which I am told the gap will be bridged by the time GA is announced. I also see an issue where the fingerprint, or "low security biometric", is not enforced with the Compliance policy, but something like Encryption in the same policy set is, so something not quite right there either.

@ictouk I notice @AndyH16 has already replied, but I agree the issue with device registration is down to the Add/Change/Delete User accounts config; in particular I narrowed it down to the "change" setting. What I have done for the test users is to enrol the device with no restrictions, then once registered move the device to a group which has all the policies targeted at it. Not ideal in the longer term, but allows the testing to continue.

@MoZZa I am using the functionality for Add/Change/Delete accounts in Fully Managed and it appears to work ok, apart from the last comment around device registration.

@WietseD @ictouk @MoZZa don’t know if you guys have seen this, but my latest issue appears to be when I remove a device configuration setting, for example "prevent screen capture", the setting doesn’t appear to revert on the phone, which is causing me an issue.

Cheers guys,

Rob

Senior Member

Hi @robbamber where are you hearing rumours that GA will be end of June?

The Microsoft road map was updated to say that GA would be later this year in Q4 now?

I'm hoping GA is sooner rather than later, want to move away from another MDM solution..


Occasional Visitor

We are having similar issues with fully managed devices. Policies are stuck in a pending state when applied to the user. Compliance policies are also never evaluated... Additionally, Intune doesn't show that a compliance policy is applied and therefore deems the device non-compliant due to the default policy. We are using the new Intune app with no success on either of these. I have opened a ticket in hopes to gain some progress.

Frequent Visitor

@J_Koz are you using a VPN or anything, or are you talking direct to Intune?

New Contributor

Hi @J_Koz,
Are you using existing Compliance Policies (i.e. A4W)? If yes, then create a new 'Device Owner' policy for AE. These are cut down versions of regular policies as a lot of the compliance requirements are handled by the Device Config. What you will then see is that the Built-In policy applies to the device and you should get 3 green success ticks. Also, your new Device Owner policy will be applied now and you should be good to go. Remember that if you need to make device config changes, un-assign the compliance policy, make the device config changes and then re-add the compliance policy. This will not be required when on GA, if not before. Crossing my fingers for July :-)

Frequent Visitor

Hi @MoZZa … I wasn't aware you had to unassign the config policy, make changes and then re-apply it … I currently have some test devices applying a configuration that is no longer set, however I didn't remove the assignment and re-apply it … have you experienced this?

Cheers.

New Contributor

Hi @robbamber,

Sorry, I should have said you will need to un-assign the Compliance policy, then make changes to the Device Config Policy. Once it has gone out to all of your devices, re-enable the Compliance Policy. This is not an issue with a handful of devices, but with 1k+ it can be time consuming :-)
MS have said that this "bug" will be resolved when it hits GA.


Frequent Visitor

@MoZZa thanks for the reply … I'll give that a go when I return to the office next week … bit of a poor show that the Compliance policies are having that impact on the Device Config policies … hopefully it gets sorted by GA, if not before would be even better.

New Contributor

@robbamber,
Hope it helps. Just had a load of Note9's passed over to me and they want all the system apps enabled. Luckily I don't have to edit the QR code anymore LOL

Frequent Visitor

@MoZZa are they being enrolled as Android 8? I was still experiencing missing default apps last week with Note 9 devices which were Android 9, but the Android 8 ones I enrolled were fine ...

New Contributor

@robbamber the Note9's are 9.0, the J5's 8.0.1 and the J6's a mixture, as they are getting the 9.0 upgrade at the moment.
I don't know what has happened to the system as I am trying to build 8.0.1 and 9.0 devices, but neither has been able to pull down MS Authenticator and MS Intune. Don't know why this has just started happening here.

Senior Member

@MoZZa that sounds like the problems I've been having. We are mostly using Samsung Active Tab2, J6's and A5's currently. All the devices have been affected at some point over the last two weeks with this issue. I haven't found out why or a fix yet.

New Contributor

@AndrewH5 

I have a J5, Note9 and a J6 on a completely different Knox Enrollment portal and Azure tenant and all 3 are failing in various ways. 
J5 & Note9 (built via QR Code) still "installing" 2 required apps; after an hour.
The J6 (KME+Intune build), stalls trying to enroll the device.
These are the first time I had these issues. Such a pain. Does that mean MS are "doing stuff" readying themselves for GA go-live???

Senior Member

Hi all,

Maybe I missed something, but after enrolling Android devices the Google backup service is stopped. We need this to allow users to migrate settings from their current devices and also create backups. I don't see any policies applied for this.

How can we enable this? Thank you.

Microsoft

Hi,

Google has informed us that they are working through an issue around application installs via Google Play, which will also include the installation of apps during the onboarding flow.

We will provide updates as available.

Regards,

Priya

Occasional Visitor

@MoZZa thank you for the info. I ended up finding these workarounds myself after trial and error. I truly appreciate you taking the time to respond. After removing the compliance policy the restriction and app policies pushed without issue.

I also had the issues with apps never downloading during enrollment. I found that remotely restarting the device sometimes helped.

Senior Member

@PriyaR455 is this also about Google backup services?

Thank you

Frequent Visitor

@MoZZa curious to know how your enrolment went with the Android v9.0 devices? Did the core apps stay present after enrolment or are they missing? … from my limited testing before annual leave I found enrolling devices with v8.x was fine, as it was after an upgrade to v9.0 afterwards, but enrolment as v9.0 to begin with meant they were missing ...

Thanks.

Rob

New Contributor

@robbamber
I have had a mixed bag of results. After running a few test builds, 2 in 10 will enrol and install the required apps, but then uninstall all the required apps apart from MS Authenticator, MS Intune and Android Device Policy. I thought it may be linked to not logging in to MS Intune soon enough after the build is complete, but this proved not to be the case after leaving v8.0 and v9.0 overnight and the apps remained. Any device that has presented this issue I have wiped, and it has worked fine on the next run. I also tested to see if it was due to the devices not having a Compliance Policy applied; again this proved not to be the case. HOWEVER, the odd thing I noticed was devices that completed OK have a compliance state of 'Not Evaluated', whereas the "app removing" devices had a state of 'Not Compliant'. I can only surmise that there could be a bug in the enrolment process, where the device does not fit into any build mode and therefore attempts to rollback, don't just very odd. It is becoming less and less frequent but I was able to get 2 out of 10 builds to do this.

Frequent Visitor

@MoZZa I have just tried your suggestions around removing the Compliance Policies before changing the Device Configuration Policy and then re-applying the Compliance, which appears to have resolved the issue of persistent device configuration settings ... so big thanks for that!! ... hopefully MS will get that little "bug" sorted ASAP ...

On the flip side, just trying to re-enrol a device and I'm back in the age old position of the Authenticator and Intune apps stuck downloading at the beginning of the process ... going to give it a few more minutes before starting over ...

New Contributor

@robbamber - The issue of the MS apps taking an age to download disappeared over the weekend. I left a device for over 2 hours and eventually it completed the 2 apps. Although according to the process these apps are downloaded before your required apps come down (in my case 18 apps), as soon as the 2 apps were ticked all of the other apps had downloaded in the background anyway. Leads me to believe there may be a Google or MS bug. This has happened on 2 different Intune tenants and 2 different Knox consoles.

Frequent Visitor

I'm having the app download issue also, getting crazy variances when enrolling Android 6 and 7 devices.

Some devices take 2 minutes to install the Microsoft Apps, but others can take two hours+. Android 8 devices seem to be unaffected.

Senior Member

Hi All,

Did anyone else notice Google Backup services do not work anymore on AE devices?

Hi all,

Maybe I missed something, but after enrolling Android devices the Google backup service is stopped. We need this to allow users to migrate settings from their current devices and also create backups. I don't see any policies applied for this.

How can we enable this? Thank you.

I hope someone knows how to fix this.

Frequent Visitor

@WietseD … apologies in advance if you have considered the below; I am not using Google Backup but ... just thinking out loud about the Google Backup, are you able to add other accounts to the device, such as a Google E-Mail account? … I know I had an issue with the "Account Changes" setting in a Device Configuration Policy being set to Block, don't know if this may be impacting your scenario … cheers

UPDATE - Looking at the below link it appears the functionality may be missing from Fully Managed at present. The ability to allow Google Backup appears to only be present for Android, not Enterprise.

https://docs.microsoft.com/en-us/intune/device-restrictions-android

Senior Member

@robbamber Thanks for your response, I can understand policies not being available but the service seems to be disabled completely.

That is strange because it is allowed to let a user use his personal Gmail account to download apps apart from the business store. Users want to be able to create backups on their devices. I hope a solution will come shortly or we have to skip fully managed for now.

Update: it seems to be disabled by default on managed devices. I hope MS will create a policy for this.

https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setBackupServiceEnable...)

Frequent Visitor

@WietseD I have just checked on a couple of my Fully Managed devices, and can also confirm that under "Backup and restore" the "Google account - Backup service not available" is greyed out.

@MoZZa @WietseD also having fun enrolling a device this morning ... 55 minutes and counting for the Authenticator and Intune apps to download ... 

Frequent Visitor

@robbamber

Mind sharing what devices and what OS version? We have like over 20 devices that are clocking 3 hours plus now. Android 8/9 devices are going through in under 2 minutes.

Frequent Visitor

@RiksV11340 They are Note 9 devices, running Android 9. I started enrolling one at 10.51 this morning and it is still attempting the Intune and Authenticator Apps!

New Contributor

@robbamber

I had the issue again today. Note9 (9.0) and J6 (9.0). However I restarted both devices twice and boom!!! Within seconds they kicked in and built, no further issues.

Frequent Visitor

@MoZZa it finished enrolling by itself some 4/5 hours after I first began, hoping MS were preparing some new features for us, being patch Tuesday 😉

On a different note ... I am planning to use Fully Managed Intune with apps deployed to a corporate Play Store which is linked in Intune to a corporate Google account ... simple enough ...

However I have noticed today that on a device, when you go to the Play Store and view the Account, the account populated (from my understanding) looks to be a service account created upon enrolment for what would be the old style Android For Work Intune configuration ... so it is expecting this to be managed with an old type Google Admin account ...

I was expecting this to reflect the user's corporate account, not a random service account that I don’t have the ability to manage OR change to another account, as the randomly generated one requires authorisation ...

Currently chasing MS for an explanation to see if it is me that is missing something, or a preview bug that is under development ...

Keen to get your opinion.

Thanks

New Contributor

@robbamber - I was hoping the same thing; could they be throttling the connections using this type of enrolment, similar to what they did when organisations using their FastTrack benefited from favourable speeds.

When you build a fully managed device, you are prompted to login twice and need to login once again thereafter.

NOTE*** I am using KME, and not scanning the QR code, to enable being able to ship the devices directly to the user.

The first one is your Microsoft Online login screen. (Login with your test user account, or in my case this is where the users who will have the devices shipped directly to them will enter their email address/UPN and password.)

The second one which will have the email/UPN entered earlier already present in the UserName text box, enter password.
(logging into your organisation)

Then it should show the branding of the organisation and start to setup the device etc.

All the apps assigned to the user's group will be deployed.

Then login to the Intune App to fully register/enrol/owner the device, do the usual to continue.

When you check accounts, you will now see 2 accounts: the randomly generated managed account with a red briefcase and the device owner account with a blue photo icon.

My description is a bit scrappy but hopefully you'll get the flow.

I am also building Kiosk devices this way,