Archive: Intune announces preview of support for Android corporate-owned, fully managed devices
Published Jan 17 2019 01:58 PM

By Arnab Biswas | Intune Program Manager

Updated 12/19/19 - We have received over 300 comments on the Android preview blog posts, and in those comments and occasional subsequent support cases, you helped us deliver Android Enterprise Fully Managed as generally available. You provided over 58 pieces of actionable feature feedback based on your experience with the preview.

More information about the GA release can be found in our blog here: Microsoft Intune support for Android Enterprise fully managed devices is now generally available.

As this feature is now GA, new comments on this post will be turned off. As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page or our Twitter @IntuneSuppTeam. Your continued feedback helps make the product better; we are grateful for this community. Thank you!

Updated 7/23/19: We have made progress with our Fully Managed support. You can find more updates and discussions on these developments on the following blog posts:

Updated 4/17/19: You may notice a new app in Google Play called the Microsoft Intune app. This app is in preview and provides new functionality for fully managed devices. We are rolling out the end-to-end scenario with this app and expect it to be live early in the week of 4/22/2019. More on this expanded workflow will be posted shortly!

Today we are releasing a preview of Android corporate-owned fully managed (formerly called Corporate Owned, Business Only (COBO) by Google) device management scenarios in Intune. This is Intune’s newest addition to its list of Android Enterprise management capabilities, following work profiles and dedicated (kiosk) devices.

NOTE - the preview is rolling out today (1/17/19) and is expected to finish by end of day. If you're on Government Cloud, please note it may take until 1/18/19 before the preview feature is visible.

Android fully managed is one of the “device owner” management scenarios in the Android enterprise solution set that enables productivity scenarios for users on corporate devices while allowing IT admins to manage the entire device with an extended set of policy controls. This complements the Android Enterprise dedicated device solution set we released last year, which was focused on task workers and user-less devices. The extended policy capabilities in fully managed scenarios are only intended for corporate devices, which is why there are more controls and settings available here than on personal devices with work profiles. Combining the capabilities of these three solution sets now gives you more control over your Android device landscape.

Android fully managed is one of the “device owner” management scenarios in the Android Enterprise solution set that enables productivity scenarios for users while allowing IT admins to manage the entire device and enforce an extended range of policy controls, beyond what is possible with work profiles on personal devices. Fully managed devices are company-owned general-purpose Android devices that are associated with a single user. These devices are assigned to individuals for getting their work done.

What is available in preview?

In today’s release, our Android fully managed preview focuses on device enrollment, configuration and app distribution scenarios. Our goal for this preview is to demonstrate the Android fully managed capabilities we have built, gather feedback, and iterate before this feature becomes generally available in Intune.

This preview supports the following Android fully managed scenarios in Intune:

  • Device enrollment using NFC, token entry, QR code and Zero Touch
  • Device configuration for user groups
  • App distribution and configuration for user groups

A few scenarios are not supported in this preview but will be completed for general availability:

  • Conditional access
  • Device compliance
  • App protection policies
  • Device group targeting
  • Certificate management
  • Knox Mobile Enrollment
  • Company Portal app for end-user scenarios

These scenarios may not function as expected on Android fully managed devices during this preview.

Device enrollment for Android fully managed devices
We’ve started with enrollment since this is the first step the IT admin and user must take to bring the device under IT management. The IT admin enables enrollment for fully managed devices in the Intune tenant. This generates a single enrollment token and QR code to be used for enrolling fully managed Android devices to the tenant. This single token is valid for all your users and will not expire; note that this token is for Microsoft Intune and is not specific to your tenant. A user requires both the enrollment token and valid user credentials to authenticate and enroll a device to your organization. The enrollment token can be disabled by the IT admin to prevent enrollment of fully managed devices.

[Figure: QR code] Enable corporate-owned fully managed device enrollment to generate a QR code for enrollment.

Android fully managed devices support a variety of enrollment methods such as NFC, token entry, QR code and Zero Touch. These enrollment methods can be initiated on a new or factory-reset device so that the device is enrolled, user affinity is established, and device configuration policies are applied when the device is being set up for the first time. Enrollment options for Android devices are documented here: https://docs.microsoft.com/intune/android-enroll.

You can see the enrollment workflow in the short clip posted below.

Device configuration for Android fully managed devices

Device settings that apply to device owner in Intune are supported on Android fully managed devices. This means that IT admins can configure more advanced device-level settings on a fully managed device than on a work profile, such as allowing app installation only from managed Google Play, blocking uninstallation of managed apps, preventing users from factory resetting devices, controlling system update behavior, and more.

Note that dedicated device or kiosk settings are not applicable to Android fully managed devices. This preview supports targeting of device configuration policies to user groups only. Deploying device configuration policies to device groups may not function as expected during this preview.

App distribution and configuration for Android fully managed devices

Like existing Android enterprise scenarios (work profile and dedicated devices) in Intune, apps are distributed to Android fully managed devices using managed Google Play. In addition, you can use app configuration policies to supply settings to managed apps. You can configure email or VPN app settings in this manner as well.

Note that this preview supports deploying apps to user groups only. Deploying apps to device groups may not function as expected during this preview.

What are we still working on?

We are continuing to build Android fully managed support for the following key Intune features that will be announced when Android fully managed becomes generally available:

  • Conditional Access and compliance policies
  • App Protection Policies
  • Knox Mobile Enrollment
  • Certificate management
  • Device group targeting for profiles and apps
  • Dedicated user interface for configuring email, Wi-Fi or VPN
  • A new end-user app

Known issues

  • You may need to tap “Please click here to continue…” to complete device enrollment: while enrolling a fully managed device, you may see a page with this prompt. Tap “Please click here to continue…” to finish enrollment.

[Figure: the “Please click here to continue…” page shown during enrollment]

Customer support for this preview

Note that the preview features are implemented to Microsoft Intune production standards. However, not all Intune features are available to be used with Android fully managed user devices during the preview, as outlined above. The preview features are fully supported through our usual Intune support channels and are clearly labeled with “(preview)” in the Intune console.

How to reach us

As you review the Android fully managed preview scenarios, we would love to hear your feedback on the IT admin's enrollment profile configuration and the end user's device enrollment experiences.

Keep us posted on your Android plans through comments on this blog post, through Twitter (#IntuneSuppTeam), and on UserVoice.

Documentation:

Blog post updates:

  • 12/19/19 with an update that this preview feature is now GA!
44 Comments
Iron Contributor
Are you planning on supporting G Suite accounts soon? We are unable to use managed Google Play accounts.
Copper Contributor

Why can't you use managed Google Play accounts of interest?

Copper Contributor

Hi, what is the ETA for general availability, please?

Brass Contributor

Holy mother.. everyone gets excited with COBO being announced. This was announced a couple of months ago, and now it's still in preview for god knows how many months/years. Thank you but NO thank you. Kick it up a notch MS - other major vendors like Airwatch or MobileIron have much more to offer when working with Android enterprise. COPE anyone?

Brass Contributor

Hi,

 

It looks like a good start. When can we expect more Device restriction features to be available? Like, for instance, to allow the user to access the public google play store?

regards, Jeroen Dijkman

Hi,

 

Thanks for the feedback. 

@Raymond Huis in 't Veld, we currently don't have an official date for general availability yet. We will continue to update our What's New site as we release new features. 

@Ryan Morash, could you elaborate on why you are unable to use Google Managed Play accounts?

@Jeroen Dijkman, we will continue to investigate and build out our device restriction features and will update our What's New site.

Thanks,

Priya Ravichandran

 

Copper Contributor

Is anyone else seeing Device Configuration Policies not working? Deployment status "Pending", Using AE FM, Device Only for both WiFi and Device Restrictions. 

Brass Contributor

@Oliver_Boothby we are seeing the same behavior. Status is pending on the Device Restrictions and Wifi profile. And nothing happening on the device itself. No solution found though...

Iron Contributor

@Oliver_Boothby & @Jeroen Dijkman - Are you applying a "Work Profile Only" device configuration profile?

I'm sure you're not, but just worth a double check.

 

For me with a "Device Owner Only" profile, it's not enforcing password length or type, just giving a Failed state with no info. :(

Any ideas @Priya_Ravichandran ?

Brass Contributor

@Steve Prentice No, we are applying the "Device Owner" profile. With the result that no settings are enforced.

Copper Contributor

Same behaviour here re: not pushing policies correctly.

 

Consistent with other user experience above - stuck on "Pending". 

Iron Contributor

Further thoughts / feedback...

 

Phone number doesn't appear to be collected... IMEI, Manufacturer and Model are, but no Phone number... it would be useful to have that.

Associated user also seems to randomly be filled in; sometimes it is, and other times not, for the same device.

 

Biggest one for me however is the lack of password policies... they seem very spartan (no number of last passwords remembered, no encrypt options), and what is available (in my opinion) is useless because users aren't prompted to create a PIN... so a corporate device is left with no PIN if a user doesn't manually create one (and you can bet they don't unless forced), and because there's no compliance checks it doesn't matter if the policies that are in place fail or not....

Considering this Preview is focussed on business owned mobiles, strong password policies that users are forced to adhere to would seem a key thing to tackle early on...

Brass Contributor

Hi All,

 

I am also missing some of the basic apps like camera. I tried it on a Huawei and Samsung but same result. It seems a lot of basic native apps are hidden or not installed. 

What I would really like to see is that the Android Fully Managed experience is similar to that of Apple. Giving the users a phone with an interface and apps that they are used to and allow things like public app store and all native apps. 

I also understand this is a preview, but frankly this has too limited functionality to conduct some proper testing.

Enrollment and app publishing works fine by the way.

Iron Contributor

Hey @Jeroen Dijkman, I've tried on a Samsung J6 via Knox Mobile Enrollment, which I'm pleased to say worked ok even though Knox is listed as an unsupported scenario. I found that in KME I needed to ensure the profile had "Leave all system apps enabled" ticked, which gave me the camera app back. With it unticked there were only a very few basic apps available (i.e. no camera app). Don't know if that might help in your scenario or not!

Brass Contributor

@Steve Prentice, thanks for your suggestion. We are not using the Knox Mobile Enrollment and have no plans to do so. So I hope we can get the setting "Leave all system apps enabled" from somewhere else.

Let's see what the Intune team comes up with.

Hi,

 

Thanks for trying out the scenarios and providing detailed feedback. Regarding the issue where policy restrictions appear to be stuck in a "pending state" we are still investigating. I'll provide updates on this issue as possible.  

 

We are also looking into the other areas of feedback provided around capabilities that are not available today. 

 

Regards,

Priya 

Copper Contributor

Enrollment works really well, but the lack of PIN/Password enforcement is a problem.  The configuration applies but shows errors if no PIN is already set.  The device setup wizard does not require the user to set a PIN/Password, nor do they get notified to set one afterwards once the configuration policy has applied.  If this is not possible then the apps and related app policies should not be deployed to the device until it meets the compliance requirements.  As it stands, the Outlook app and mail profile get deployed to the device so the user has full access to corporate email resources without having any basic security on the device at all.  Maybe this is something that can be controlled by conditional access once it's supported with device owner.

Iron Contributor

@NGreen99 Well summarised, that's what I was trying to say but less eloquently. :) Yes, it's a big problem for us; you'd never deploy any other corporate owned device with no password policies enforced, so I'm kind of surprised this was missed from the preview as it's a core feature in my opinion, even for a preview.

I'm interested in how you're pushing mail profile for Outlook, I'm having no luck... I'm using Client Apps, App configuration policies with an enrolled device enrolment type, but it just stays in a Pending state and never deployed.... which I put down to the Preview.

Copper Contributor

@Steve Prentice Yes, using Client Apps > App Configuration Policies with a "managed devices" device enrolment type.  Used the configuration designer to set a basic authentication profile, and this was also working fine for Android work profiles.

Two things to note:

1) The device owner preview does not support targeting policies at devices, just users.  Check your policy assignments are using a user based group or "all users", not a device based group otherwise the policy won't apply.  Same applies to the apps themselves, assign these to a user based target otherwise the apps won't deploy to the device.

2) Even though the policy applies OK, the user is not listed at all on the "user install status" tab of the app configuration policy.  The device shows under "device install status" but with a username of "none" and device status of "pending".  Clearly some reporting issues here.

Iron Contributor

Hey @NGreen99, Thanks for coming back to me. :) It ended up being a bit of a mix of 1 and 2, so cheers for the reminders.... I had deployed Outlook to users, but was deploying the config policy to devices, once that's changed to All Users it started to work ok.... but as you said with 2, it reports that it's not worked which I was relying on too much to tell me the truth. :) My only problem now is that it wants the device to Register with AAD, so it appears to not notice that it's already Enrolled and takes me through a registration and MFA process (like personal devices would get with MAM-WE for us)... not a massive problem, but would be nicer if it didn't do that.

Copper Contributor

We don't get that problem @Steve Prentice. We enrolled the device (Android 8.1) using QR code and logged in via ADFS during the initial enrollment, but don't get prompted for any further enrollment afterwards.

Maybe worth checking all the settings in your device or app configuration policies?  Did you perhaps choose Modern Authentication in your outlook app configuration? I think this authenticates directly to O365 with MFA.  We use basic authentication to authenticate to on-prem Exchange using ActiveSync.

 

To clarify my earlier post, IF the user does manually set a PIN/password, they are required to meet the minimum requirements of the device configuration policy, and once set the errors no longer show against the device configuration policy status.  So the policy is applying correctly, it's just an issue with forcing the user to add the initial PIN/password before allowing access to corporate resources.

Iron Contributor

Yep @NGreen99 that's it exactly. :) Modern to 365 via ADFS... I suspect it's hitting an Azure AD Conditional Access rule that doesn't see that the device is enrolled... which I guess is expected as Conditional Access isn't part of the Preview yet I think.

 

And yep, same noted with the password / PIN... to a degree.... one device enforces 8 digit as set, other one ignores, but I think that's due to KME on one and not the other, so guess that'll change once it's supported.

Iron Contributor

Hi @Priya_Ravichandran … Trying to contact you directly, but I get "You have reached the limit for number of private messages that you can send for now. Please try again later.", even if I try on different days without sending any other private messages... no idea what's going on there, so apologies for not replying to you.

 

In short, password policies pending are no longer a problem, it's that they fail because there's no user prompt to set a PIN.

I note that my Samsung device wasn't picking up the password policies, but now it is, so some work has obviously happened there.

Good luck with the rest of the Preview and thanks for keeping an eye on this thread.

Very much looking forward to increased password policy abilities, system apps and conditional access.

Apart from the What's New pages, is there anywhere to track what changes/additions have happened in the Preview?

Copper Contributor

Been bashing my head on Intune for over a week now - haven't been able to enrol a single device so far!

Our InTune only has the "Personal devices with work profile" for Android enrolment - any ideas on how to enable the other enrolment options?!

Iron Contributor

@dangander It sounds like you're in Hybrid with SCCM? If so, you need to move to Intune Standalone / move your MDM authority... once we did that, all the other options you'd expect to see turned up. https://docs.microsoft.com/en-gb/sccm/mdm/deploy-use/migrate-hybridmdm-to-intunesa

Copper Contributor

@Priya_Ravichandran and others- Should we add individual devices or users as members to the group that we are targeting for the Device Owner restriction policy and Managed Play Store apps.  The reason I'm asking is we have users with multiple devices and we want only the Corporate Owned Fully Managed enrolled device to receive this policy and apps and not their non-AE enrolled device.  I didn't see anything specific in the documentation above so that is why I'm asking.  I wasn't sure if I just added the user to the group targeted, if Intune would have the logic to only apply that policy to the Fully Managed enrolled device.  I believe I have had trouble in the past assigning a Security group to a specific device if I remember correctly.  Thanks in advance.

Iron Contributor

@Jeroen Dijkman I've managed to get an Android Zero Touch portal account and added my test Sony device. Formerly it didn't get system apps like camera, but using "DPC Extras" in the portal with a string of "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED": true I have now reset and re-enrolled the device and now have system apps like Camera available. So, maybe talking with a telco to get a Zero Touch account might help you. It is a shame that via QR code enrolment you can't seem to do it.

Brass Contributor

@Steve Prentice Thanks for the suggestion about the Android Zero Touch portal. I will certainly give that a try. For your information, I have received information from MS that they are working on this issue with Google.

Iron Contributor
For anyone reading along who needs system apps (@Jeroen Dijkman) enabled, it *is* possible, you just have to tinker a little bit.

As mentioned above, you can already do it with Zero Touch (by adding the "PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED" command as mentioned above in DPC Extras) and Knox Mobile Enrollment (by ticking the "Leave all system apps enabled" box).

If you're NFC'ing, then this blog from MS helps: https://blogs.technet.microsoft.com/cbernier/2018/10/15/nfc-based-android-enterprise-device-enrollme... - and add the PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED command.

If you're QR coding… then what I did is:

1) Go to "Corporate-owned, fully managed user devices (Preview)", save the QR code as a picture
2) Decode the QR code in an online decoder (Google/Bing has many)
3) Take the produced text, add in the PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED command
4) Re-encode the text to a new QR

Just to be clear, the full command you want to add is:
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED": true

Worked fine for me!

It's been mentioned that MS are "working" on this with Google... but after reading the Android documentation this is a setting that needs to be enabled before Intune is managing the phone... i.e. at the QR code point... I can only assume MS will alter the Intune portal to have a checkbox to enable system apps that would then regenerate the QR code to have the right commands embedded in it... it's quite a small tweak, so I'm surprised this hasn't already been done, or information on how to manually do it passed on.

Brass Contributor

@Steve Prentice, thanks for the QR code tip. I managed to customize our QR code and it worked fine, all system apps enabled. I do think there was a small typo. The command I used was: "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true

With "enabled" instead of "enable" and the "True" statement.

 

I do hope MS will build this functionality into the Intune Portal. 

Iron Contributor

@Jeroen Dijkman Glad it worked for you! And thanks for pointing out the typo, I've edited the post just to be really clear in case someone else is following it. :)

Copper Contributor

We are having similar issues with fully managed devices. Policies are stuck in a pending state when applied to the user. Compliance policies are also never evaluated... Additionally, Intune doesn't show that a compliance policy is applied and therefore deems the device non compliant due to the default policy. We are using the new Intune app with no success on either of these. I have opened a ticket in hopes to gain some progress. 

Iron Contributor

Hi @Steve Prentice @Intune_Support_Team @Jeroen Dijkman

 

I tried to enroll after re-encoding the QR code but failed during the enrollment with the message "Cant Setup Device - Reset". Would you mind sharing the full code? We went through hell due to this and the support team couldn't do anything so far. Appreciate it!!

Brass Contributor

@Manoj Karunarathne Hi, what did you add before re-encoding the QR code? The full code for keeping the system apps is "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true

Your full code should look something like this: (I removed the checksum and enrollment token for obvious reasons)

{"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":"com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver","android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":"........","android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":"https://play.google.com/managed/downloadManagingApp?identifier=setup","android.app.extra.PROVISIONIN...":"........"}}

Hope that helps
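The decode / edit / re-encode procedure from Steve Prentice's post and the payload shape Jeroen posted above both come down to editing one JSON object, and the thread shows the two ways it goes wrong: stray quote characters that make the payload unparseable (the "Cant Setup Device" result), and the value being written as a string instead of a JSON boolean. The following script is an added example, not code from the page, from Microsoft or from Google; it validates a decoded QR payload, adds the extra as a real boolean, and produces a redacted copy safe to paste in a forum. The three "expected" keys are the ones visible in the payload posted above; treating them as mandatory is an assumption. The `PROVISIONING_ADMIN_EXTRAS_BUNDLE` / `EXTRA_ENROLLMENT_TOKEN` key names in the constructed sample are also an assumption about where the Intune token sits, and the checksum and token values are obvious placeholders.

```python
"""Validate and extend a decoded Intune fully-managed QR-code payload.

Added example (not the page's or Intune's code). Standard library only.
"""
import json

# The DPC extra discussed in the thread; must be a JSON boolean, not "true".
LEAVE_SYSTEM_APPS_KEY = "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED"

# Keys visible in the payload posted in the thread. Assumption: a payload
# missing any of these is an incomplete copy and must not be re-encoded.
EXPECTED_KEYS = (
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION",
)

# Constructed sample in the shape of the decoded QR code from the thread.
# The bundle key names are an assumption; checksum and token are placeholders.
SAMPLE_DECODED_QR = json.dumps({
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":
        "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": "<CHECKSUM-PLACEHOLDER>",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":
        "https://play.google.com/managed/downloadManagingApp?identifier=setup",
    "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
        "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "<TOKEN-PLACEHOLDER>",
    },
}, separators=(",", ":"))


def validate_payload(decoded_text):
    """Return a list of problems with a decoded QR payload (empty list means OK)."""
    problems = []
    try:
        payload = json.loads(decoded_text)
    except ValueError as exc:  # covers the "two extra quotes" failure from the thread
        return [f"not valid JSON: {exc}"]
    if not isinstance(payload, dict):
        return ["top-level value must be a JSON object"]
    for key in EXPECTED_KEYS:
        if key not in payload:
            problems.append(f"missing {key}")
    value = payload.get(LEAVE_SYSTEM_APPS_KEY)
    if value is not None and not isinstance(value, bool):
        problems.append(f"{LEAVE_SYSTEM_APPS_KEY} must be a JSON boolean, got {value!r}")
    return problems


def add_system_apps_extra(decoded_text):
    """Return the payload with the extra set to true, compact and ready to re-encode."""
    problems = validate_payload(decoded_text)
    if problems:
        raise ValueError("; ".join(problems))
    payload = json.loads(decoded_text)
    payload[LEAVE_SYSTEM_APPS_KEY] = True  # boolean, never the string "true"
    # Compact separators keep the QR code small; the text must stay valid JSON.
    return json.dumps(payload, separators=(",", ":"))


def system_apps_enabled(decoded_text):
    """True only if the extra is present as the JSON boolean true."""
    return json.loads(decoded_text).get(LEAVE_SYSTEM_APPS_KEY) is True


def redacted(decoded_text):
    """Copy of the payload with checksum and token values blanked, for sharing."""
    def scrub(obj):
        if isinstance(obj, dict):
            return {k: ("........" if any(s in k.upper() for s in ("CHECKSUM", "TOKEN"))
                        else scrub(v)) for k, v in obj.items()}
        return obj
    return json.dumps(scrub(json.loads(decoded_text)), separators=(",", ":"))


if __name__ == "__main__":
    updated = add_system_apps_extra(SAMPLE_DECODED_QR)
    print("system apps enabled:", system_apps_enabled(updated))
    print("shareable copy:", redacted(updated))
```

Run it against the text an offline QR decoder produced from the portal's image; if `validate_payload` reports anything, fix the text before re-encoding rather than flashing a device with it, and share only the `redacted` output when asking for help, as Jeroen did above.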

Copper Contributor

Hi guys! I'm glad to join this community. I got stuck in device configuration when AE FM is in place, as many of you have; my devices stay in Pending and no compliance check is happening. I was reading earlier posts related to this issue, but apparently with no luck. Do you have any related news?

Iron Contributor

Hey Jeroen,

Thanks for the quick response; it was just two additional quotes which messed things up. Removed them and used your line and it worked like a charm. All default apps now intact and the PlayStore is restricted to enterprise apps only.

Thanks again! And looking forward to seeing the final release to get rid of the preview mode.

-Manoj K

Iron Contributor

Lots of good info here. I was struggling all day with policies being assigned to devices via dynamic groups and the whole PIN issue; having other issues now though...

1: I've got some Kyocera phones on Android 9 that say they are encrypted, but Intune says they aren't, and the app never clears me as compliant either, despite syncing over and over. Always says it needs to be encrypted and needs a password despite the policies being proper. At enrollment it kept me in an "Encrypt your device now" loop on the initial setup until I "set up" a PIN-at-startup feature. Weird thing was even though I set the PIN at startup to ON, it didn't stick, but it did let me through the rest of the setup and I was pumped because I thought it was working. Even when the phones are factory wiped they say encrypted and there's no way to decrypt them and use the Intune workflow to do it.

2: Is there some magical step that needs to be done to allow Edge to block certain URLs? I've created the app policies and assigned them to the group, and made sure I selected Edge for Android as the targeted app (targeted the Managed Browser as well). Basically the client wants to keep the users from getting to these websites even from the browser. So I've disabled the Chrome browser completely and thought I configured this correctly, but no dice. Neither Edge nor the MB work. Really getting annoyed with this. I thought maybe the Apple supervised model was obnoxious, but Android fully managed is quickly becoming the bane of my existence.

Iron Contributor

Think I figured out the encryption piece and the start up pin. Appears these phones (and others now) come encrypted out of the box and this Intune option for encryption just needs to be set to Not Configured which I guess isn't an issue if the devices being purchased and fully managed are indeed encrypted out of the box. Still a bit muddy as far as setup goes.

Iron Contributor

Is enrolment ok for folks today? We're deploying Androids and have had to abandon our sessions for the day because when the process gets as far as the Intune Company Portal app, you sign in (apparently successfully looking at AAD logs), but then get a "Something Went Wrong" on the "get set up to connect to resources" section and you can't get past it. :\

 

Is this just us, or a larger issue? We've opened a ticket, but you guys are usually quicker. :)

Iron Contributor

Steve,

I just tried to enroll 3 fresh devices about 10 minutes ago and things were real weird. 1 did the "Something went wrong" over and over. Now all 3 didn't set up a PIN on the way through the setup and none of the apps are downloading. All of them show compliant on the phone but all say not compliant with error 65001 (Not applicable).

Greaaaaat start to the morning for a project with a short turnaround time.


Iron Contributor

Hey @DBR14 

Thanks for coming back, nice to know we weren’t on our own, sorry it’s affecting you too though! After about 6/7 hours it kicked back in to life for us, so hopefully it’s ok for you now too. Fingers crossed!

Cheers,

Steve

Iron Contributor

@Steve Prentice, my error corrected itself after backing out and back in maybe a half dozen times? I got it going not too long after the post. Out of curiosity, were you guys running the setup off Wifi or LTE? The phones I was using were on straight Wifi because the phones were not fully activated through Verizon.

Iron Contributor

@DBR14 Hi... So for us we had a second day of abandoned deployments, but after working with support an issue of "some service connection infrastructure becoming unresponsive" was found, and I think fixed, we seem to have been stable since then. This was over 4G by the way. Cheers.

Copper Contributor

Hi

Can you please advise if Zebra Android devices are supported in Microsoft Intune?

And if so which model/versions?

Thanks

John

Version history
Last update: Dec 19 2019 10:16 AM