Home
%3CLINGO-SUB%20id%3D%22lingo-sub-877775%22%20slang%3D%22en-US%22%3ERe%3A%20Support%20Tip%3A%20Intune%20announces%20support%20for%20Android%20Enterprise%20fully%20managed%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-877775%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20title%20is%20confusing.%20Just%20name%20it%20%22Limitations%20of%20current%20Android%20Enterprise%20fully%20managed%20implementation%22.%20Now%20it%20sounds%20like%20the%20previous%20post%20you%20link%20to%2C%20but%20it%20is%20not%20about%20the%20release%2C%20but%20about%20problems.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-880043%22%20slang%3D%22en-US%22%3ERe%3A%20Support%20Tip%3A%20Intune%20announces%20support%20for%20Android%20Enterprise%20fully%20managed%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-880043%22%20slang%3D%22en-US%22%3E%3CP%3EWill%20the%20%22%3CSPAN%3EBlock%20user%20account%20changes%22%20be%20possible%20in%20the%20near%20future%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-882088%22%20slang%3D%22en-US%22%3ERe%3A%20Support%20Tip%3A%20Intune%20announces%20support%20for%20Android%20Enterprise%20fully%20managed%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-882088%22%20slang%3D%22en-US%22%3E%3CP%3EDespite%20all%20of%20this%20we%20still%20have%20massively%20inconsistent%20experiences%20with%20devices%20not%20showing%20as%20compliant%20after%20enrolment.%20One%20day%20a%20user%20will%20enrol%20and%20be%20compliant%2C%20the%20next%20day%20another%20user%20will%20enrol%20and%20show%20as%20non-compliant.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-877378%22%20slang%3D%22en-US%22%3ESupport%20Tip%3A%20Intune%20announces%20support%20for%20Android%20Enterprise%20fully%20managed%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-877378%22%20slang%3D%22en-US%22%3E%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EHave%20you%20read%20the%20details%20on%20Intune%E2%80%99s%20support%20for%20Android%20enterprise%20fully%20managed%20device%3F%20If%20not%2C%20get%20up%20to%20speed%20by%20reviewing%20the%20%3CEM%3E%3CSTRONG%3EMicrosoft%20Intune%20support%20for%20Android%20Enterprise%20fully%20managed%20devices%20is%20now%20generally%20available%3C%2FSTRONG%3E%3C%2FEM%3E%20post%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FEnterprise-Mobility-Security%2FMicrosoft-Intune-support-for-Android-Enterprise-fully-managed%2Fba-p%2F862232%22%20target%3D%22_self%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FEnterprise-Mobility-Security%2FMicrosoft-Intune-support-for-Android-Enterprise-fully-managed%2Fba-p%2F862232%3C%2FA%3E.%26nbsp%3B%20%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EFirst%20off%2C%20we%20are%20grateful%20for%20this%20community.%20You%20tried%20out%20the%20Android%20Enterprise%20fully%20managed%20previews%2C%20you%20gave%20us%20feedback%2C%20and%20you%20helped%20each%20other%20out%20through%20three%20distinct%20releases.%20We%20received%20over%20300%20comments%20on%20the%20preview%20blog%20posts%2C%20and%20in%20those%20comments%20and%20occasional%20subsequent%20support%20cases%2C%20you%20helped%20us%20deliver%20this%20generally%20available%20release.%20You%20provided%20over%2058%20pieces%20of%20actionable%20feature%20feedback%20based%20on%20your%20experience%20with%20preview.%20Thank%20you!%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3ESecond%2C%20there%20are%20still%20a%20few%20known%20limitations%20in%20managing%20Android%20Enterprise%20fully%20managed%20devices%3A%20%3CBR%20%2F%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EDeployment%3C%2FFONT%3E%3CUL%3E%0A%3CLI%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EWhen%20provisioning%20via%20Knox%20Mobile%20Enrollment%2C%20the%20username%20and%20password%20cannot%20be%20passed%20to%20the%20fully%20managed%20device%20from%20the%20portal.%20This%20is%20a%20result%20of%20a%20restriction%20on%20how%20KME%20interacts%20with%20the%20platform%20and%20credentials%20will%20need%20to%20be%20manually%20entered.%3C%2FFONT%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EMulti%20factor%20authentication%20%3C%2FFONT%3E%3CUL%3E%0A%3CLI%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EDuring%20enrollment%20of%20a%20fully%20managed%20device%2C%20the%20user%20will%20not%20have%20access%20to%20the%20Microsoft%20Authenticator%20app%20or%20the%20ability%20to%20receive%20a%20call%20or%20text%20message%20on%20the%20device%20being%20enrolled.%20As%20such%2C%20the%20user%20will%20need%20to%20have%20the%20ability%20to%20complete%20the%20multi%20factor%20authentication%20via%20a%20different%20method.%20%3C%2FFONT%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EPolicies%3C%2FFONT%3E%3CUL%3E%0A%3CLI%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EIntune%20will%20not%20be%20able%20to%20support%20the%20setting%20%E2%80%9CBlock%20user%20account%20changes%E2%80%9D%20on%20Fully%20Managed%20devices%20as%20this%20currently%20causes%20device%20registration%20to%20fail.%20The%20setting%20will%20continue%20to%20be%20supported%20on%20Android%20Enterprise%20Dedicated%20devices.%20%3C%2FFONT%3E%3C%2FLI%3E%0A%3CLI%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3ESupport%20for%20PKCS%20certs%20are%20not%20available%20today.%20%3CBR%20%2F%3E%3C%2FFONT%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EAs%20we%20make%20changes%20that%20impact%20these%20limitations%2C%20we%20will%20be%20updating%20this%20post.%20Finally%2C%20we%20have%20seen%20both%20social%20mentions%20and%20a%20few%20cases%20regarding%20SCEP.%20There%E2%80%99s%20one%20SCEP%20fix%20we%20expect%20shortly.%20There%20is%20additional%20complexity%20in%20some%20of%20the%20cases%2C%20so%20we%20appreciate%20your%20patience%20while%20we%20parse%20through%20logs%20and%20determine%20the%20right%20path%20forward%20for%20a%20few%20of%20the%20SCEP%20scenarios.%20%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CFONT%3EBlog%20post%20updates%3A%3C%2FFONT%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E10%2F3%2F19%3A%26nbsp%3B%3C%2FSTRONG%3EWe%20have%20received%20reports%20from%20a%20few%20customers%20around%20Device%20Owner%20Compliance%20Policies%20not%20evaluated%2C%20and%20the%20Work%20Profile%20is%20used%20instead.%20Engineering%20is%20investigating%2C%20and%20will%20update%20this%20post%20as%20soon%20as%20we%20have%20more%20insight.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-877378%22%20slang%3D%22en-US%22%3E%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3EHave%20you%20read%20the%20details%20on%20Intune%E2%80%99s%20support%20for%20Android%20enterprise%20fully%20managed%20device%3F%20If%20not%2C%20get%20up%20to%20speed%20by%20reviewing%20the%20%3CEM%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3EMicrosoft%20Intune%20support%20for%20Android%20Enterprise%20fully%20managed%20devices%20is%20now%20generally%20available%3C%2FSTRONG%3E%3C%2FEM%3E%20post%20here%3A%20%3CA%20style%3D%22background-color%3A%20transparent%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23146cac%3B%20text-decoration%3A%20underline%3B%22%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FEnterprise-Mobility-Security%2FMicrosoft-Intune-support-for-Android-Enterprise-fully-managed%2Fba-p%2F862232%22%20target%3D%22_self%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FEnterprise-Mobility-Security%2FMicrosoft-Intune-support-for-Android-Enterprise-fully-managed%2Fba-p%2F862232%3C%2FA%3E.%26nbsp%3B%20%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-877378%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAndroid%20Enterprise%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESupport%20Tip%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E

Have you read the details on Intune’s support for Android enterprise fully managed device? If not, get up to speed by reviewing the Microsoft Intune support for Android Enterprise fully managed devices is now generally available post here: https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Microsoft-Intune-support-for-And...

 

First off, we are grateful for this community. You tried out the Android Enterprise fully managed previews, you gave us feedback, and you helped each other out through three distinct releases. We received over 300 comments on the preview blog posts, and in those comments and occasional subsequent support cases, you helped us deliver this generally available release. You provided over 58 pieces of actionable feature feedback based on your experience with preview. Thank you!

 

Second, there are still a few known limitations in managing Android Enterprise fully managed devices:

 

  • Deployment
    • When provisioning via Knox Mobile Enrollment, the username and password cannot be passed to the fully managed device from the portal. This is a result of a restriction on how KME interacts with the platform and credentials will need to be manually entered.
  • Multi factor authentication
    • During enrollment of a fully managed device, the user will not have access to the Microsoft Authenticator app or the ability to receive a call or text message on the device being enrolled. As such, the user will need to have the ability to complete the multi factor authentication via a different method.
  • Policies
    • Intune will not be able to support the setting “Block user account changes” on Fully Managed devices as this currently causes device registration to fail. The setting will continue to be supported on Android Enterprise Dedicated devices.
    • Support for PKCS certs are not available today.

 

As we make changes that impact these limitations, we will be updating this post. Finally, we have seen both social mentions and a few cases regarding SCEP. There’s one SCEP fix we expect shortly. There is additional complexity in some of the cases, so we appreciate your patience while we parse through logs and determine the right path forward for a few of the SCEP scenarios.

 

Blog post updates:

10/3/19: We have received reports from a few customers around Device Owner Compliance Policies not evaluated, and the Work Profile is used instead. Engineering is investigating, and will update this post as soon as we have more insight.

3 Comments
Super Contributor

The title is confusing. Just name it "Limitations of current Android Enterprise fully managed implementation". Now it sounds like the previous post you link to, but it is not about the release, but about problems.

Senior Member

Will the "Block user account changes" be possible in the near future?

Regular Visitor

Despite all of this we still have massively inconsistent experiences with devices not showing as compliant after enrolment. One day a user will enrol and be compliant, the next day another user will enrol and show as non-compliant.