Have you read the details on Intune’s support for Android enterprise fully managed device? If not, get up to speed by reviewing the Microsoft Intune support for Android Enterprise fully managed devices is now generally available post here: https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Microsoft-Intune-support-for-And....
First off, we are grateful for this community. You tried out the Android Enterprise fully managed previews, you gave us feedback, and you helped each other out through three distinct releases. We received over 300 comments on the preview blog posts, and in those comments and occasional subsequent support cases, you helped us deliver this generally available release. You provided over 58 pieces of actionable feature feedback based on your experience with preview. Thank you!
Second, there are still a few known limitations in managing Android Enterprise fully managed devices:
- Deployment
- When provisioning via Knox Mobile Enrollment, the username and password cannot be passed to the fully managed device from the portal. This is a result of a restriction on how KME interacts with the platform and credentials will need to be manually entered.
- Multi factor authentication
- During enrollment of a fully managed device, the user will not have access to the Microsoft Authenticator app or the ability to receive a call or text message on the device being enrolled. As such, the user will need to have the ability to complete the multi factor authentication via a different method.
- Policies
- Intune will not be able to support the setting “Block user account changes” on Fully Managed devices as this currently causes device registration to fail. The setting will continue to be supported on Android Enterprise Dedicated devices.
- Support for PKCS certs are not available today.
As we make changes that impact these limitations, we will be updating this post. Finally, we have seen both social mentions and a few cases regarding SCEP. There’s one SCEP fix we expect shortly. There is additional complexity in some of the cases, so we appreciate your patience while we parse through logs and determine the right path forward for a few of the SCEP scenarios.
Blog post updates:
- 10/3/19: We have received reports from a few customers around Device Owner Compliance policies not evaluated, and the Work Profile is used instead. Engineering is investigating, and will update this post as soon as we have more insight.
- 3/10/20: For the issue where Device Owner compliance policies are in a not evaluated state, and the Work Profile is used instead that was reported on 10/3/19, engineering has identified a fix, and are working on rolling this out with the 2003 service release. We'll update this article when the fix is live!
- 4/16/20: With an update that a fix has been rolled out with the 2003 service release to address the Device Owner compliance policies previously referenced in past blog updates. If you continue to experience an issue with this, please let us know!
