Archive: Microsoft Intune announces Preview 2 for Android Enterprise fully managed devices
Published Apr 18 2019 04:39 PM 55.5K Views

By Priya Ravichandran | Intune Sr. PM

 

Updated 12/19/19 - We have received over 300 comments on the Android preview blog posts, and in those comments and occasional subsequent support cases, you helped us deliver Android Enterprise Fully Managed as generally available. You provided over 58 pieces of actionable feature feedback based on your experience with preview.

More information about the GA release can be found in our blog here: Microsoft Intune support for Android Enterprise fully managed devices is now generally available.

As this feature is now GA, new comments on this post will be turned off. As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page or our Twitter @IntuneSuppTeam. Your continued feedback helps make the product better, we are grateful for this community, thank you!

 

Preview 2 for Android Enterprise fully managed devices is here! Today we’re providing an update to our preview capabilities which were announced in January 2019 for the Android fully managed device solution. For context, Google used to refer to the fully managed device scenario as Corporate Owned Business Only (COBO), and it is one of the “Device Owner” (DO) management scenarios in the Android Enterprise solution set.

 

Before we share the latest updates, we wanted to thank you for all the usage and feedback during our initial preview. We’ve incorporated feedback from Preview 1. It’s been great to work with you and we look forward to hearing more.

 

What’s New in Preview 2

For this update, we focused on compliance and end user experiences. Here are the key new capabilities added into Preview 2:

  • Updated onboarding flow for key required policies
  • Added Device Owner compliance policies
  • Built conditional access workflows
  • Added device group targeting
  • Released a new end user app called ‘Microsoft Intune’ into the Play store as the app to be used on fully managed devices
  • Enabled support for access to the full Play store
  • Introduced Knox Mobile Enrollment (continue reading this post for a few limitations in preview for this feature)

 

These capabilities will add on to what we released in January:

  • Device enrollment using NFC, token entry, QR code and Zero Touch
  • Device configuration for user groups
  • App distribution and configuration for user groups
 
While we’re almost there, you’ll notice there are a few workflows not yet supported in this preview. These scenarios will be supported upon general availability, including:
  • App protection policies
  • Remote access policies with certificate support (i.e. Wi-Fi, VPN, Email)
  • Certificate management
  • Support for managing or enabling system apps
 
Updated Onboarding Scenarios
During onboarding, Intune will now enforce key policies to ensure the device is compliant before allowing the user to access the device. This includes enforcing password policies and installing some key apps to ensure the user is compliant with organizational requirements before they can continue to use the device to access corporate resources.
 
Figure 1: User is required to set a PIN per policy before proceeding
 
For more information on what to expect during onboarding, refer to onboarding fully managed devices.
 
Introducing the New Microsoft Intune App
As we mentioned earlier in this post, we are introducing a new end user app for Android fully managed devices. This new modern and light-weight app, simply called ‘Microsoft Intune’, will now enable the experiences end users know and love in the Company Portal app for fully managed devices, including managing compliance for their device. This new app is only for the fully managed scenario; in all other Android management scenarios, Company Portal continues to be the end user app.
 
Figure 2: New Microsoft Intune app
 
To use the Microsoft Intune app, assign it as required (or available) so end users get it onto their device and can sign in. This component is rolling out and should be available to all by Wednesday, April 24th. If you have not gotten the update yet, you will see a blocking screen when you launch the Intune app. We are also working towards enabling automatic deployment of the Microsoft Intune app to all fully managed devices.
 
You can find the Microsoft Intune app listing in Google Play here.
 
Support for Compliance Policies and Conditional Access
Intune will now support the ability to create compliance policies on fully managed devices. The set of compliance settings offered for a fully managed device is smaller than for other Android scenarios, because fewer compliance settings apply to fully managed devices. At the same time, there is a greater degree of control and ability to lock down the device configuration, since the scenario is intended for corporate owned devices.
 
Figure 3: Create Policies
In addition to compliance, this update provides conditional access support for fully managed devices. Users can now register their device in Azure Active Directory via the Microsoft Intune app and then view and resolve compliance issues in order to access corporate resources.

Enabling Access to the Consumer Play Store
Intune will now allow you to enable access to the full consumer store on the fully managed device. Many organizations recognize the need to allow end users to personalize the device assigned to them – including access to their favorite consumer apps.
 
Figure 4: Device Configuration setting to allow access to all apps in the Google Play store

 

Users will have the ability to add their personal accounts to the device, if permitted by configuration. This way your end users can customize their device to support personal use as well as corporate use.

Figure 5: Personalized fully managed device with a user’s corporate and personal account

 

 

Known Issues
We’re still working on a few items. 
  • When using KME to set up Samsung Knox devices:
    • The username and password cannot be passed to the fully managed device from the KME portal. This will need to be manually entered.
    • The enrollment status of the device will not get updated in the KME portal.
  • In the Microsoft Intune app:
    • When trying to complete Azure Active Directory registration, you may see an error displayed. If this continues to occur, try again after some time.
    • When launching the app, you may see a screen that says, “Hang tight, we’re working to load your organization’s info.” You can check back in after some time to see if it has been resolved.
    • You may see that your “Device settings status” is “Noncompliant” with no way to resolve. In the Azure Portal, you will see that the device is not compliant with the “Has a compliance policy assigned” policy, even though a compliance policy is set. Factory resetting your device and enrolling again may resolve it.
 
Customer Support for This Preview
We outlined above that not all features are yet available for use with the Intune Android fully managed scenario. The preview features are fully supported through our usual Intune support channels and are clearly labeled with “(preview)” in the Intune console.
 
How Can You Reach Us?
As you use Preview 2 and test out the Android fully managed preview scenarios, we would appreciate your feedback on IT admin's enrollment profile configuration and end-user's device enrollment experiences. Keep us posted on your Android experience through comments on this blog post, through Twitter (#IntuneSuppTeam), and request any new features on UserVoice.

Documentation
 
Blog post updates: 
  • 4/19/19 with updated screen shots
  • 4/22/19 extended the app availability date, added in a few known issues
  • 12/19/19 with an update that this preview feature is now GA!
318 Comments
Brass Contributor

Hello All, 

 

Anyone else experiencing problems with dynamic groups for AndroidEnterprise? Newly added devices are not added anymore to the group(s). The rules do find older AndroidEnterprise devices. 

used this as a rule:

(device.deviceOSType -eq "AndroidEnterprise")

 

also tried as mentioned by support

 

(device.deviceOSType -contains "AndroidEnterprise")

 

Seems that the filter/rule does not find the newly added devices even after the update completes.

 

Tried support but they also don't know what is going on.

 

Best regards, 

 

Wietse 

Hi @WietseD I noticed the same behavior this week. Seems that DeviceOSType for (newly enrolled) Android Enterprise device now is Android! This is for Android Enterprise devices and for Android for Work (Work profile) devices.
Have no idea if this is a change made by mistake by Microsoft or by design.

Iron Contributor

Hi @WietseD 

 

I could be wrong but has OSType AndroidEnterprise been superseded by:

 

COFM - Android (Fully Managed)

Kiosk - Android (Dedicated)

Could be wrong, I'll try it on my test tenant.

I have category groups for my Fully Managed devices; which category they are added to determines the dynamic group they end up in.

Iron Contributor

Hi @Peter Klapwijk @WietseD 

That said, graph API device reports from Intune still use the "old" references.

 


Dedicated & Fully Managed all come under AndroidEnterprise...

Brass Contributor

@Peter Klapwijk @MoZZa Thank you for your quick responses. 

 

I was just calling with Microsoft and they also concluded there must be something that has changed. I will change the filters and test to get the right results. Couldn't find the changes in the docs.

 

Support will send me an email when they have an update; I will share it with you.

 

Have a nice weekend!

 

Greetings

Iron Contributor

@WietseD , @Peter Klapwijk 

 

MS were going to retire the 'Android' reference a while back but my Zebra TC8000 scanners are all listed as Android as they use Android 5 for their OS.

The changes definitely helped me as I can now separate kiosk and Fully Managed by OSType and then the category does the rest.

 

Have a good weekend All!!!

Keep On Posting!!!

Brass Contributor

@Peter Klapwijk @MoZZa 

Hi Peter, you were right, as I compared the result set from PowerShell. The OS type has changed to "Android" for newly added devices.

 

I also received an update from support:

---

Hi Wietse,

 

Thank you for your time and support on the call/remote session.

 

Could you please replace AndroidEnterprise with Android and test - (device.deviceOSType -contains "Android")

 

I look forward to your prompt response

---

 

Need to test and fine-tune it first but I think it will work.

greetings,

 

Wietse

 

 

Copper Contributor

Great, thanks Microsoft! I have policies, compliance and apps deployed for Android based on whether the device is Android for Work (and therefore has personal data) or whether the device is Android Enterprise (and therefore is fully owned and managed). The distinction in the OS type was an easy method for us to perform management on these two user types. We have a lot of configuration dependent on this which we will now have to unpick - why the change? If you want a dynamic group for all Android, target where OSType matches Android (this would return Android for Work and Android Enterprise); if you wanted just the fully managed devices, target a match to AndroidEnterprise.

 

I hope there is an alternative coming, e.g. profile name (similar to how DEP or Autopilot can be detected).

Iron Contributor

Hi @ictouk , @WietseD , @Peter Klapwijk 

I did some testing and all dynamic rules referencing the "new" OST labels.

All worked fine, it does allow you to separate Kiosk from Fully-Managed. But if you have a lot of polices dependent on the old names; there will be additional lines to add to allow the capture of the new format.

 

@ictouk  I asked MS about this a while ago. It is easy to separate kiosk builds based on the Profile Name. Their answer was basically. Yes. soon...maybe.

Copper Contributor

Hi,

 

Is it possible to disable the MFA challenge when logging in while starting the device for the first time?

 

Only disable it when enrolling the device; it would be very useful because we have enabled MFA on all our users.

 

/L

Copper Contributor

@Lotfi Belyamna 

 

I hear what you're saying.

 

There are things you need to consider here:

The first login to the device after NFC bump or scanning QR code. This is a standard login and is subject to MFA if you have it enabled for users. We're getting around this by using a specific internet connection with different public IP address for setting up Android devices and bypassing this location in conditional access policies.

The second point to consider is that when opening the Company Portal after enrollment the device registers with Azure AD - this can be configured (I think it's the default) to require MFA to add devices. You can turn this off in Azure AD -> Devices -> Device Settings -> Require MFA to join devices. We have done this but I'd really like to enable this and again exclude the above location.

 

If anyone has any ideas how to do that it would be great.

Brass Contributor

@ictouk it sounds like we're in the same boat. I don't know which clever person at Microsoft decided it was a great idea to assign two completely different enrolment types under the single 'Android' type. We have a few dynamic groups set up as well - Fully Managed Devices, Work Profile - Personal Devices and Work Profile - Corporate Devices. Now they're no longer adding new devices, as you'd expect, and I can't see an obvious way to separate them for the dynamic groups.

 

I did notice, when using the Get-MsolDevice command, the only difference appeared to be the 'DeviceTrustLevel' property. Fully Managed appear to be listed as 'Managed' and Work Profile as 'Compliant' (and I'm assuming 'Non-compliant' too). I haven't had a chance to see if this property can be used though.

Copper Contributor

@AndyH16 @ictouk You could try this:

 

(device.deviceOSType -eq "AndroidEnterprise") -and (device.enrollmentProfileName -eq null)

 

This will give you ONLY fully managed android devices, and excludes any kiosk devices. It's dirty, but works.

Copper Contributor

@asdgwhfghvbn thanks for your reply. I will check with my teams on your suggestion about excluding the location and see if it's something we can work with. Hope the release of Android Enterprise for Intune will have all those things sorted out.

Brass Contributor

@J_Koz  Thanks, but unfortunately this doesn't work. Firstly, it would only pick up old devices as the new ones are classed as 'Android', rather than 'AndroidEnterprise'. Adding 'Android' into the search pulls in the new Fully Managed devices but also pulls in the Work Profile devices. We don't use Kiosk devices.

 

This is the modified query I used, but as I say it doesn't work:

 

((device.deviceOSType -eq "Android") -or (device.deviceOSType -eq "AndroidEnterprise")) -and (device.enrollmentProfileName -eq null)

 

Brass Contributor

Just to update my last post, I've now figured out a way to get the dynamic groups to populate the correct devices. With the help of Graph I was able to see a few more properties.

 

At the moment the following queries work for me:

 

 

Android Fully Managed:

(device.managementType -ne "mdm") -and (device.deviceOSType -contains "Android")


Android Work Profile (Corporate Devices):

(device.managementType -eq "mdm") -and (device.deviceOSType -contains "Android") -and (device.deviceOwnership -eq "Company")


Android Work Profile (Personal Devices):

(device.managementType -eq "mdm") -and (device.deviceOSType -contains "Android") -and (device.deviceOwnership -eq "Personal")

 

The Fully Managed devices actually show up with the management type of 'googleCloudDevicePolicyController' but this wasn't getting picked up in my query, so I've just had to do a 'not equal to "mdm"' query instead.
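The rules traded back and forth in this thread (the legacy `deviceOSType -eq "AndroidEnterprise"` rule, the `enrollmentProfileName -eq null` trick, and the `managementType`/`deviceOwnership` split above) are easy to get wrong in a way that only shows up hours later when the dynamic group finally evaluates. The following script is an added example, not part of the original post and not Microsoft tooling: it re-implements a simplified version of the rule operators (`-eq`, `-ne`, `-contains`, `-eq null`, `-and`) in Python and runs them over a constructed set of device records shaped like the Graph `/devices` properties named in the thread. It then reports which Android devices would fall into no group or into more than one, which is the check an admin wants before repointing compliance and configuration assignments. The device records, the case-insensitive matching, and the assumption that a dedicated (kiosk) device carries a non-null `enrollmentProfileName` are all assumptions made for this example.

```python
"""Offline evaluator for Azure AD dynamic device-group rules (added example).

The device records below are constructed for illustration; the property names
mirror those used in the thread (deviceOSType, managementType, deviceOwnership,
enrollmentProfileName). The operator semantics are a simplification of the real
Azure AD rule engine: string comparisons are treated as case-insensitive and
-contains as a substring match. Verify against your tenant before relying on it.
"""
from typing import Callable, Dict, List, Optional, Tuple

Device = Dict[str, Optional[str]]
Rule = Callable[[Device], bool]

# Constructed sample fleet. "FM-old" enrolled before the deviceOSType change,
# "FM-new" after it; "Kiosk-1" is assumed to carry an enrollment profile name.
DEVICES: List[Device] = [
    {"displayName": "FM-old", "deviceOSType": "AndroidEnterprise",
     "managementType": "googleCloudDevicePolicyController",
     "deviceOwnership": "Company", "enrollmentProfileName": None},
    {"displayName": "FM-new", "deviceOSType": "Android",
     "managementType": "googleCloudDevicePolicyController",
     "deviceOwnership": "Company", "enrollmentProfileName": None},
    {"displayName": "Kiosk-1", "deviceOSType": "AndroidEnterprise",
     "managementType": "googleCloudDevicePolicyController",
     "deviceOwnership": "Company", "enrollmentProfileName": "Kiosk-Profile"},
    {"displayName": "WP-corp", "deviceOSType": "AndroidForWork",
     "managementType": "mdm", "deviceOwnership": "Company",
     "enrollmentProfileName": None},
    {"displayName": "WP-byod", "deviceOSType": "Android",
     "managementType": "mdm", "deviceOwnership": "Personal",
     "enrollmentProfileName": None},
    {"displayName": "iPhone-1", "deviceOSType": "iOS",
     "managementType": "mdm", "deviceOwnership": "Company",
     "enrollmentProfileName": None},
]


def _norm(value: Optional[str]) -> Optional[str]:
    """Case-fold a property value; None (rule syntax 'null') stays None."""
    return None if value is None else str(value).lower()


def eq(prop: str, value: Optional[str]) -> Rule:      # device.<prop> -eq <value>
    return lambda d: _norm(d.get(prop)) == _norm(value)


def ne(prop: str, value: Optional[str]) -> Rule:      # device.<prop> -ne <value>
    return lambda d: _norm(d.get(prop)) != _norm(value)


def contains(prop: str, value: str) -> Rule:          # device.<prop> -contains <value>
    return lambda d: value.lower() in (d.get(prop) or "").lower()


def all_of(*rules: Rule) -> Rule:                     # (...) -and (...)
    return lambda d: all(r(d) for r in rules)


# The pre-change rule from the thread: misses devices now reported as "Android".
OLD_RULE: Rule = all_of(eq("deviceOSType", "AndroidEnterprise"),
                        eq("enrollmentProfileName", None))

# Production rules: the managementType/deviceOwnership split from the thread,
# with the enrollmentProfileName clause added to keep dedicated devices out.
RULES: Dict[str, Rule] = {
    "Fully managed": all_of(ne("managementType", "mdm"),
                            contains("deviceOSType", "Android"),
                            eq("enrollmentProfileName", None)),
    "Work profile (corporate)": all_of(eq("managementType", "mdm"),
                                       contains("deviceOSType", "Android"),
                                       eq("deviceOwnership", "Company")),
    "Work profile (personal)": all_of(eq("managementType", "mdm"),
                                      contains("deviceOSType", "Android"),
                                      eq("deviceOwnership", "Personal")),
}


def members(rule: Rule, devices: List[Device] = DEVICES) -> List[str]:
    """Display names of the devices a rule would pull into its group."""
    return [d["displayName"] for d in devices if rule(d)]


def coverage(rules: Dict[str, Rule],
             devices: List[Device] = DEVICES) -> Tuple[List[str], List[str]]:
    """Return (Android devices in no group, Android devices in several groups)."""
    unmatched, overlapping = [], []
    for d in devices:
        if not contains("deviceOSType", "Android")(d):
            continue  # only Android devices are expected to be partitioned
        hits = [name for name, rule in rules.items() if rule(d)]
        if not hits:
            unmatched.append(d["displayName"])
        elif len(hits) > 1:
            overlapping.append(d["displayName"])
    return unmatched, overlapping


if __name__ == "__main__":
    print("Legacy rule still matches:", members(OLD_RULE))
    for name, rule in RULES.items():
        print(f"{name}: {members(rule)}")
    print("Unmatched / overlapping:", coverage(RULES))
```

Running it shows the legacy rule catching only the pre-change device, the three production rules partitioning the fully managed and work profile devices without overlap, and the kiosk record reported as unmatched, which is the signal to add a dedicated-device group (or confirm that leaving it out is intended) before any policy is retargeted. To use it against a real tenant, replace `DEVICES` with the device objects exported from Graph and keep the same property names.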

Copper Contributor

@AndyH16 Hmm, I must be missing something, because this has worked for me in the past. Let me read the earlier comments.

Copper Contributor

I am still having massive problems with these dynamic groups - I have currently had to set them to the specific Samsung model we have, but they don't update quick enough so you are left waiting for apps and policies to come down after you have enrolled the device - also it doesn't prompt you to set a device PIN at registration even though there is a device policy setup for that.

 

What is the actual guidance on how to assign policies and applications to these devices? I can't seem to find anything in their documentation.

 

Thanks

Brass Contributor

@JonMRoberts1984 I believe the official line is that assignments should still be against user groups rather than devices. At present we have our device configuration policy assigned to a user group (I believe this is because the user will exist in Azure whereas the device would not have registered yet). But we have app deployments applied to a mix of device and user groups.

Copper Contributor

@AndyH16 That makes sense I suppose - I will test that now.

 

Going forward Device Groups do need to update quicker and deploy the apps as soon as possible, we moved away from user based groups as we have a mix of BYOD and Corporate devices, both enrolled via Company Portal. We don't want personal devices getting the same required apps and policies as corporate ones, this works fine with iOS.

 

For now I've created a dynamic group based on the specific model of phone we are testing Android Corporate on; this works but there is still a delay. As you said, we may need to target the compliance policies at users so that they immediately get them at registration and their device is marked compliant.

 

What documentation are you following to set this up? They should surely have something on how to create the device/user groups - I think in fairness I have seen it somewhere.

Brass Contributor

@JonMRoberts1984 This is the document I followed when it was initially launched: https://docs.microsoft.com/en-gb/intune/android-fully-managed-enroll

 

It states:

This preview supports the following features for Android Enterprise fully managed devices:

  • Device configuration for user groups

 I don't believe this has ever changed and Intune support do love to reiterate this.

Copper Contributor

Thanks @AndyH16 - Surely if I have BYOD users enrolled in Company Portal this will mean any apps targeted at user groups will appear on their device (it does).

 

So this means instant installation on the corporate devices but also on BYOD.

Brass Contributor

@JonMRoberts1984 

 

In my deployment of Android the Device Configuration policy is assigned to a user group and the App deployments are targeted at a mix of dynamic and static device groups, mostly. I only use user groups on app deployment in special cases, i.e. PRTG Monitoring app to the IT group of users.

 

That didn't work when Fully Managed Preview was first released but one day started to work.

Would be nice if the @Intune_Support_Team can give us an update on the Dynamic groups and the DeviceOSType..........

Hi @AndyH16, what do your devices look like at the moment regarding the DeviceOSType?
I now see Work profile devices show up as AndroidForWork again, but Fully Managed user devices still have DeviceOSType Android.

 

Regards,

 

Peter

Brass Contributor

@Peter Klapwijk Hi, it appears they're all still in the correct groups. The dynamic rule I have matches the Android for Work devices using an 'mdm' tag and the OS Type just has to contain 'Android', so 'AndroidForWork' is matching.

Brass Contributor

Hello All, 

 

@Peter Klapwijk We use this at the moment, as advised by MS; it does find some older Android device administrator devices but that is no issue for us:
((device.deviceOwnership -eq "Company") -and (device.deviceOSType -contains "Android"))

 

We do seem to have a problem with this and I'd like to know how you have managed this in your environment (PS: I am not trying to steal the topic).

I have assigned my AndroidEnterprise policies to the dynamic group(device group) stated in this message.

When we enroll a device the policies are not deployed fast enough because the device is still unknown in azure as @AndyH16 @JonMRoberts1984 said before. 

I know by now this is wrong and I am trying to fix it:

This preview supports the following features for Android Enterprise fully managed devices:

  • Device configuration for user groups

 

Do you have a group with all users assigned or do you add a user to a special group prior to an enrollment. 

 

Thank you for your thoughts on this. 

 

Regards, 

Wietse

Mostly we assign configuration and compliance policies to a group which contains all Intune licensed groups.
Indeed if you use a device group, it takes (too much) time for the device to be member of the (dynamic) group and policies to be applied.

Brass Contributor

Yes, we're the same. I apply ours to a user group containing all Intune licensed groups.

Hi @Peter Klapwijk, thanks for the tag!

There have been several reports of an issue using dynamic device groups with the deviceOSType value for "AndroidEnterprise" devices.

Engineering is currently investigating, and will update this thread as soon as an update becomes available.

Copper Contributor

I'm hoping there is a quick and easy answer to this. We are using Knox KME for enrolment, we did have these devices set up with the "no system apps" option in the MDM config profile.

 

The only issue is, as we have found out this means you don't get camera, gallery, clock etc. We need these and I can't find the stock apps in the Google Play store.

 

So I changed it to "leave all system apps enabled" but this installs Facebook, OneDrive (personal), Netflix etc. which we definitely can't have on the device. Is there a way to specify what apps we need installed on the base image?

 

Thanks,
Jon

Brass Contributor

@Intune_Support_Team wrote:
 

Hi @Peter Klapwijk, thanks for the tag!

There have been several reports of an issue using dynamic device groups with the deviceOSType value for "AndroidEnterprise" devices.

Engineering is currently investigating, and will update this thread as soon as an update becomes available.


 

@Intune_Support_Team It's not just deviceOSType dynamic device groups - none of our Compliance or Configuration Policies that are assigned to DDGs are being applied to new devices. The devices are still going into the groups (slowly as expected), but the policies no longer get applied to the new devices, and they never become compliant as a result. Only workaround I've found so far is to apply the Compliance Policy to a Static User Group (in addition to the DDG), which inexplicably nudges the Configuration Policies back into life too. 

@JonMRoberts1984 Think you have to wait some longer for managing system apps as it is mentioned on https://docs.microsoft.com/en-us/intune/in-development#device-management

Iron Contributor

Hi @JonMRoberts1984 

 

I had a similar issue with Fully-Managed and Kiosk devices.
To resolve this I used a few 3rd party apps.
I posted all the details earlier in this blog, I will dig out the details and send them onto you, to see if it could do the job for you.

Brass Contributor

Seeing the same issue I had with the Samsung A5 using KME with system apps enabled on the Galaxy Tab S4. The device gets to the finishing-up stage of the Knox enrollment and then just sits there.

Iron Contributor

Hi @Intune_Support_Team , Hi All,

Quick question, although this may just affect Kiosk devices.
One of my Samsung J6's has just done a fairly lengthy system update.
This has changed the Home Screen appearance, as far as adding shortcut icons to the bottom of the screen!

I am about to rebuild it as a Fully Managed device to see if the same issuette appears there too.

Both devices are on Android 9.0, built by KME method, System apps disabled.

 

*****************UPDATE********************

I have rebuilt the same updated device as a Fully-Managed device and the 3 standard/default icons, Phone - Contacts - Messaging appear.

So, it appears this is only affecting Kiosk devices. The icons are not active, apart from the Settings and Apps icon.

Hopefully, I can hide this using a policy or config .......

 

Brass Contributor

Seems Fully Managed has gone GA according to latest whats new,

https://docs.microsoft.com/en-us/intune/whats-new#week-of-september-16-2019

 

Let the roll-outs commence (probably with a few hiccups)

 

Yes, the preview tag is removed for Fully Managed!

Brass Contributor

Having issues with deploying SCEP certs to Android Enterprise Fully Managed devices; iOS and Android device administrator work without issue.

 

Ticket logged with MS, 

 

Also noticed that app configuration Policies are stuck at pending. anyone else noticed this?

 

 

Iron Contributor

@Peter Klapwijk 
IT'S ALIVE!!!!!!!!!

Brass Contributor

@Adrian Bishop 

this was an issue whilst in preview as well and I had a case logged with MS ... I was told it was a preview issue and would be resolved for GA ... will have to re-open the ticket!

Brass Contributor

Yeah also had some other weirdness in that all required apps were uninstalled then as soon as that finished they were reinstalled.

 

No policies applied to cause that behaviour.

Early days so hopefully sorted soon

Have enrolled some devices, it looks fine at the moment (haven't deployed certs).

 

But what still is an issue, the DeviceOSType for fully managed devices still shows Android instead of AndroidEnterprise, like it was a while ago.
For Work profile devices it now shows as AndroidForWork as it also showed Android for a while.

 

@Intune_Support_Team any updates on that?

 

@JonMRoberts1984 Since the weekend managing system apps is available in Intune.

 

 

Iron Contributor

Hi @Peter Klapwijk 
Just checked my devices and I still have the 3/4 types:

Android (Device Administrator) - Legacy Android (Zebra Scanners in my env.)

Android (Fully Managed) - Corporate Owned

Android (Dedicated) - Kiosk

Android (Work Profile) BYOD

 

"@JonMRoberts1984 Since the weekend managing system apps is available in Intune." - Really? I'll check that out now.

I was on a call with MS over the weekend, nearly 9 hours in total, as an update to the Managed Home Screen app went a little screwy. I found the issue and a way around it, but just waiting for MS to fix properly.

Didn't notice it at all.

Hi @MoZZa That's probably in Intune?

If you have a look at Azure AD (in PowerShell run Get-AzureADDevice) it shows DeviceOSType Android for Fully managed, where it showed AndroidEnterprise before. We have dynamic groups based on that AAD value.

Iron Contributor

Hi @Peter Klapwijk 

 

I knew they had simplified the LOB apps process, but I didn't notice the System Apps :facepalm::cryingwithlaughter:

Will do a test later to see if this is a better version of the built-in apps option from a while back.
If it is, then we should be able to add the Camera etc. without having to add the unwanted social media apps etc.
This will also work for Kiosk devices, previously, I have had to add 3rd party apps for the camera and gallery.
I did notice the option to open a screen shot in the built-in Gallery app on a kiosk device with 3rd party gallery app installed, that was the middle of last week. I just shrugged it off and carried on creating my documents LOL

Iron Contributor

Hi @Peter Klapwijk 

 

I'll check when I get back later this evening. Will be interesting to see what they show up for Fully Managed, as the Kiosk builds are showing up as AndroidEnterprise

@MoZZa 
I just got an update from Microsoft, they are still investigating the issue. But interesting how it shows up at your tenant.

Brass Contributor

Hmm, I'm not sure what they've done but now when I registered a new device (just tried two different ones). I don't get prompted to set a PIN at setup and all my apps have vanished from the Play Store, apart from the standard four apps (Intune, Company Portal, etc.)

 

It's like the device configuration policy is being ignored, but nothing has changed at our end - it's still being assigned to a user group.

Version history: last update Dec 19 2019 10:16 AM