Latest Discussions
Intune MAM - Questions about Company Data Removal
Hey all, we're looking to deploy Intune MAM for an organization. The organization only has BYOD devices (users have their own personal phones, and company-provided phones are NOT an option). Our end goal is the ability to wipe company data from a phone once a user has been offboarded (Outlook, Teams, etc.). To reduce friction, we identified that MAM may be the policy to allow for company data removal with little to no friction. Upon doing some reading, we came across a source that said that if a user uninstalls the broker agent (Intune Company Portal for Android and Microsoft Authenticator for iOS), an App Selective Wipe will NOT complete, especially if the user uninstalls the app BEFORE the wipe or DURING the pending wipe. Has this been the case for anyone else, and do you have suggestions as to how we can get to our end goal?

lilbopeeps, Mar 31, 2026
iOS - Embedded WebKit - Not Reporting Correct Device Info
It appears that with the latest iOS versions (26.3.1 through 26.4), applications that rely on an embedded WebKit for sign-in are no longer reporting accurate device details within Device Info. Users have company-issued phones that are successfully enrolled in Intune, but when they attempt to sign in to Apple Mail, Conditional Access is denying the login. After reviewing the logs, iOS is reporting the OS version as 18.7.0 to Intune, even though the device is actually running iOS 26.4. Additionally, the device information is coming through as blank, so attributes are not being evaluated. When looking at other logins via the Outlook app on that device, it all appears normal and works. Has anyone else observed this behavior where WebKit is sending incorrect data to Intune? Does anyone know of a workaround other than relaxing Conditional Access policies?

NexusEgo, Mar 31, 2026

Intune – Unable to reliably validate application installation status via Microsoft Graph APIs
Hi everyone,

I am working on application deployment and validation using Microsoft Intune, and I am trying to implement an automated validation step to confirm whether applications are successfully installed.

My primary requirements:
- Verify application installation status
- Confirm per-device installation status
- Validate installation for specific Intune-managed devices
- Use Graph APIs as part of an automation workflow

APIs tested so far

1. App installation status per device (NOT working / not usable)

I initially tried using the documented API:

HTTP GET https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/{mobileAppId}/deviceStatuses

Issue:
- This API is not working for us
- It either returns no data or behaves as if it is not a valid / usable endpoint
- It does not return reliable installation status
- Hence, we cannot use this API for validation in automation

At this point, deviceStatuses is not usable as a primary source of truth in our environment.

2. Detected Apps (secondary confirmation only)

We are also using the Detected Apps API:

HTTP GET /deviceManagement/managedDevices/{deviceId}/detectedApps

This does work; however:
- It only confirms app presence
- It does not confirm Intune assignment or installation intent
- We are using it strictly as a secondary confirmation, not a primary validation method

3. Intune internal API observed via browser inspection

We also tested the API that appears to be used internally by the Intune portal:

HTTP GET https://graph.microsoft.com/beta/users/{user-id}/mobileAppIntentAndStates/{device-id}

Observations:
- The API returns data
- However, installState frequently shows unknown
- The Intune portal shows a different and final status (Installed / Failed / Pending)
- This makes the API unreliable for automation
- It appears to be troubleshooting-oriented, not intended for reporting or validation

Questions I am looking for guidance on:
- Is deviceStatuses known to be unreliable, tenant-dependent, or effectively unsupported?
- What is the recommended API to retrieve actual app installation status per device?
- Are there any v1.0 APIs available for device-level app installation status or user-level app installation validation?
- What is Microsoft's recommended best practice to validate Intune-installed applications via automation?
- Is there official documentation that clearly explains which API should be used for reporting vs troubleshooting, and the expected delays or data inconsistencies between Graph APIs and the Intune portal?

Goal

The goal is to build a reliable and supported automation-based validation mechanism to confirm that Intune-deployed applications are successfully installed on target devices. Any official guidance, confirmation of known limitations, or alternative approaches would be very helpful. Thanks in advance for your support.

Swahlea, Mar 31, 2026
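One way to make the three endpoints in the post above usable together, as an added example (editor's code, not from the post and not Microsoft's): treat an explicit Intune state from either deviceStatuses or mobileAppIntentAndStates as authoritative, treat "unknown" as inconclusive rather than as a failure, and only then fall back to detectedApps, which can prove a binary is present but never that the Intune assignment succeeded. The payloads are constructed and shaped like the beta responses named in the post; the field names (installState, deviceId, mobileAppList, applicationId, displayName, version) and the state values are assumptions from the beta schema and must be checked against a real tenant response. The fetching side that feeds these structures should run under read-only application permissions (DeviceManagementApps.Read.All and DeviceManagementManagedDevices.Read.All), not an admin user token.

```python
"""Reconcile per-device app install status from three Graph endpoints.

Added example (editor's code, not from the post or from Microsoft). The three
payloads below are constructed, shaped like the beta endpoints named in the
post; field names and state values are assumptions from the beta schema.
"""
import json

# Conclusive resultant states; 'unknown' and 'notApplicable' are deliberately
# absent so they never decide a verdict on their own.
FAILED = {"failed", "uninstallFailed"}
CONCLUSIVE = FAILED | {"installed", "pendingInstall", "notInstalled"}
LABEL = {"installed": "installed", "pendingInstall": "pending", "notInstalled": "not-installed"}

# Constructed: GET .../mobileApps/{mobileAppId}/deviceStatuses. dev-3 and dev-5 are
# absent, mirroring the 'returns no data' behaviour described in the post.
DEVICE_STATUSES = json.loads("""{"value": [
  {"deviceId": "dev-1", "installState": "installed"},
  {"deviceId": "dev-2", "installState": "unknown"},
  {"deviceId": "dev-4", "installState": "failed"}]}""")

# Constructed: GET /users/{user-id}/mobileAppIntentAndStates/{device-id}, one per device.
INTENT_AND_STATES = {
    "dev-1": {"mobileAppList": [{"applicationId": "app-A", "mobileAppIntent": "requiredInstall", "installState": "installed"}]},
    "dev-2": {"mobileAppList": [{"applicationId": "app-A", "mobileAppIntent": "requiredInstall", "installState": "unknown"}]},
    "dev-3": {"mobileAppList": [{"applicationId": "app-A", "mobileAppIntent": "requiredInstall", "installState": "pendingInstall"}]},
    "dev-4": {"mobileAppList": [{"applicationId": "app-A", "mobileAppIntent": "requiredInstall", "installState": "failed"}]},
    "dev-5": {"mobileAppList": [{"applicationId": "app-A", "mobileAppIntent": "requiredInstall", "installState": "unknown"}]},
}

# Constructed: GET /deviceManagement/managedDevices/{deviceId}/detectedApps, one per device.
DETECTED_APPS = {
    "dev-1": {"value": [{"displayName": "Contoso Agent", "version": "2.1.0"}]},
    "dev-2": {"value": [{"displayName": "Contoso Agent", "version": "2.1.0"}]},
    "dev-3": {"value": []},
    "dev-4": {"value": [{"displayName": "Contoso Agent", "version": "1.9.3"}]},
    "dev-5": {"value": [{"displayName": "Contoso Agent", "version": "1.9.3"}]},
}


def state_from_device_statuses(payload, device_id):
    """installState for one device from a deviceStatuses response, or None if absent."""
    for row in payload.get("value", []):
        if row.get("deviceId") == device_id:
            return row.get("installState")
    return None


def state_from_intent(payload, app_id):
    """installState for one app from a mobileAppIntentAndStates response, or None."""
    for entry in payload.get("mobileAppList", []):
        if entry.get("applicationId") == app_id:
            return entry.get("installState")
    return None


def detected_version(payload, app_name):
    """Version string if the app appears in detectedApps, else None."""
    for app in payload.get("value", []):
        if app.get("displayName") == app_name:
            return app.get("version") or "0"
    return None


def version_tuple(version):
    """Numeric dotted version into a comparable tuple ('2.1.0' -> (2, 1, 0))."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def verdict(device_id, app_id, app_name, statuses, intents, detected, min_version=None):
    """Return (verdict, evidence) for one app on one device.

    Any conclusive Intune state wins; two different conclusive states are a
    'conflict' to investigate, not a pass. If both Intune endpoints report
    unknown (or nothing), fall back to detectedApps, which only proves the app
    binary is present, so the best it can yield is 'present-unverified'.
    """
    candidates = [state_from_device_statuses(statuses, device_id),
                  state_from_intent(intents.get(device_id, {}), app_id)]
    conclusive = {s for s in candidates if s in CONCLUSIVE}
    if len(conclusive) > 1:
        return "conflict", sorted(conclusive)
    if conclusive:
        state = conclusive.pop()
        return LABEL.get(state, "failed"), candidates
    version = detected_version(detected.get(device_id, {}), app_name)
    if version is None:
        return "absent", candidates
    if min_version and version_tuple(version) < version_tuple(min_version):
        return "present-outdated", version
    return "present-unverified", version


def report(app_id="app-A", app_name="Contoso Agent", min_version="2.0.0"):
    """Per-device verdict over the constructed samples."""
    devices = sorted(set(INTENT_AND_STATES) | set(DETECTED_APPS))
    return {d: verdict(d, app_id, app_name, DEVICE_STATUSES, INTENT_AND_STATES,
                       DETECTED_APPS, min_version)[0] for d in devices}


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```

Over the constructed data this yields installed for dev-1, failed for dev-4, pending for dev-3 (which deviceStatuses never returned), and only present-unverified / present-outdated for the two devices where both Intune endpoints said unknown. The point for automation is that a validation gate should pass only on "installed", and should surface "present-unverified" and "conflict" as items to investigate instead of silently counting a detected binary as a successful deployment.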
How to configure Intune to not allow remote wiping of personal devices
I'm a journalist seeking to do a story around best practices for configuring Intune, in the wake of last week's destructive attack against Michigan-based medical device maker Stryker. It looks like attackers gained admin-level access to Intune and used it to wipe employees' personal devices that were enrolled in Intune. I was speaking with someone who has recent Intune administration experience, and his take is that, like other UEM/BYOD/endpoint management tools, none of this software should be configured with the ability to fully wipe a personal device. Instead, it should only be placing sandboxed apps or directories onto a device. Only this sandboxed stuff should be remotely nuke-able. His supposition is that if personal data can be wiped, then either the Intune admins set it up incorrectly, or their documentation for employees who self-configure didn't specify how to add their device but not give Intune full wiping capabilities.

My questions:
1) Is it possible to configure Intune so that it doesn't have overly broad permission to wipe an entire, personally owned device?
2) How exactly would one do that (on either Android or iOS)?

There's lots of "ditch Intune" chatter on Reddit now, supposedly tied to CISOs/executives reacting to the Stryker attack. So I'm seeking clarity around whether the tool can be configured to not remotely wipe personal data, even if other defenses that should be in place (such as requiring multiple admins' approval before wiping devices, setting alerts if more than a few devices get remotely wiped at once, and so on) aren't there.

Mathew1, Mar 31, 2026 (Solved)
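A check a practitioner would want alongside the question above, as an added example (editor's code, not from the post and not an answer attributed to anyone on this page): enumerate enrolled devices and classify which ones an admin-level Wipe could reset entirely versus ones where only the corporate container is removable. The rows are constructed and shaped like GET /deviceManagement/managedDevices; the mapping from enrollment type to wipe scope is this author's reading of Intune behaviour (a personally-owned Android work profile and iOS/iPadOS User Enrollment keep corporate data in a container, other enrollment types can be factory-reset) and is an assumption to verify against current Microsoft documentation for your platform versions.

```python
"""Audit enrolled devices for full-device wipe exposure.

Added example (editor's code, not from the post). DEVICES is constructed and
shaped like GET /deviceManagement/managedDevices; CONTAINER_ONLY encodes an
assumed mapping that must be checked against current Microsoft documentation.
"""
from collections import Counter

# Constructed sample rows (subset of managedDevice fields).
DEVICES = [
    {"id": "d1", "deviceName": "iPhone-Ana", "operatingSystem": "iOS",
     "managedDeviceOwnerType": "personal", "deviceEnrollmentType": "userEnrollment"},
    {"id": "d2", "deviceName": "iPhone-Ben", "operatingSystem": "iOS",
     "managedDeviceOwnerType": "personal", "deviceEnrollmentType": "appleUserEnrollment"},
    {"id": "d3", "deviceName": "Pixel-Cai", "operatingSystem": "Android",
     "managedDeviceOwnerType": "personal", "deviceEnrollmentType": "userEnrollment"},
    {"id": "d4", "deviceName": "Galaxy-Dee", "operatingSystem": "Android",
     "managedDeviceOwnerType": "company", "deviceEnrollmentType": "androidEnterpriseCorporateWorkProfile"},
    {"id": "d5", "deviceName": "iPad-Kiosk", "operatingSystem": "iPadOS",
     "managedDeviceOwnerType": "company", "deviceEnrollmentType": "appleBulkWithoutUser"},
]

# Assumed: (platform, enrollment type) pairs whose Wipe action removes only the
# corporate container (work profile / managed apps and accounts), never user data.
CONTAINER_ONLY = {
    ("android", "userEnrollment"),                    # personally-owned work profile
    ("ios", "appleUserEnrollment"),                   # iOS/iPadOS User Enrollment
    ("ios", "appleUserEnrollmentWithServiceAccount"),
}


def wipe_scope(device):
    """'corporate-data-only' for container enrollments, otherwise 'full-device'."""
    platform = device.get("operatingSystem", "").lower()
    if platform == "ipados":
        platform = "ios"
    if (platform, device.get("deviceEnrollmentType", "")) in CONTAINER_ONLY:
        return "corporate-data-only"
    # Device enrollment, ADE, fully managed, dedicated, COPE, Windows and macOS
    # are all treated as factory-resettable (conservative default).
    return "full-device"


def personal_devices_exposed(devices):
    """Personal devices where an admin Wipe would destroy the user's own data."""
    return sorted(d["deviceName"] for d in devices
                  if d.get("managedDeviceOwnerType") == "personal"
                  and wipe_scope(d) == "full-device")


def scope_summary(devices):
    """Count of devices per wipe scope, for a quick blast-radius figure."""
    return dict(Counter(wipe_scope(d) for d in devices))


if __name__ == "__main__":
    print("exposed personal devices:", personal_devices_exposed(DEVICES))
    print("summary:", scope_summary(DEVICES))
```

In the constructed set the only exposed personal device is the iPhone enrolled through standard device enrollment; the same user on iOS User Enrollment, and the Android user with a personally-owned work profile, fall into the container-only bucket. Devices protected by MAM without enrollment (the approach raised in the first post on this page) do not appear in managedDevices at all and have no wipe action beyond the app-level selective wipe. The remaining control is on the admin side: grant the Wipe remote task only to a scoped Intune RBAC role rather than to broad administrator accounts.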
Apple Business Manager deployment - receiving pop-up about Apple account
Hello Intune forum, I recently set up Apple Business Manager in our environment to work with Intune. I've created the enrollment profile, set up the VPP token, etc. But now, a few of our users, myself included, are getting a pop-up on our phones stating: "this Apple account cannot make purchases". I made sure only the VPP apps are being pushed to the company phones and not the apps from the store. Anyone else have this issue?

JohnnyWu78, Mar 30, 2026

Microsoft Managed Home Screen: Unwanted Samsung One UI 8.0 Elements Appearing
Hello Tech Community,

Our organization is currently deploying a configuration in Microsoft Intune using a Corporate-owned dedicated device enrollment profile. We've applied a device restriction policy to configure Samsung tablets in Multi-app Kiosk mode, with Managed Home Screen set as the launcher. Instead of using an app configuration policy, Managed Home Screen is configured through the device restrictions policy. We've left the device navigation options unconfigured, which should hide the following UI elements:
- Android Overview button
- Android Home button
- Android App drawer

Once all policies and required apps are installed, Managed Home Screen successfully acts as the launcher for end-users to sign in. Overall, this works well; however, we've encountered an intermittent issue: after multiple lock/unlock cycles, the navigation bar sometimes reappears, showing the Overview, Home, and App Drawer buttons. This allows users to access background apps that are not exposed through Managed Home Screen, which defeats the kiosk experience.

Device details:
- Samsung Galaxy Tab S10 FE
- Android 16, One UI 8.0
- Managed Home Screen version: 2.2.0.107721

Has anyone experienced this behavior or have recommendations to prevent these UI elements from reappearing? I'll gladly provide additional details about our configuration if needed. Thank you!

ARZuehlke, Mar 30, 2026

Windows Autopilot Hybrid Join failing with OOBE error 80004005
Hello everyone,

We're facing a consistent issue with Windows Autopilot user-driven Microsoft Entra hybrid join where devices are provisioned using a Hybrid Join Autopilot profile, but Hybrid Join does not complete.

Setup (high level)
- Windows Autopilot (user-driven)
- Autopilot profile: Microsoft Entra hybrid joined
- Only one Autopilot profile
- Domain Join profile configured (domain + OU)
- Entra Connect: Hybrid Join + device writeback enabled
- Intune Connector for Active Directory installed and healthy
- MDM auto-enrollment enabled

Issue
During Autopilot OOBE, the device frequently shows "Something went wrong", error code 80004005. Despite this, Autopilot continues and completes.

Resulting device state
After provisioning:
- Device appears in Entra ID as Microsoft Entra joined (not Hybrid)
- Device is enrolled into Intune and shows compliant
- Device-scoped Intune MDM policies do not apply
- dsregcmd confirms Hybrid Join never completed

Understanding so far
From correlating the OOBE error, dsregcmd output, and final device state:
- Hybrid Join starts but fails mid-process
- Windows does not roll back provisioning
- Device falls back to Entra ID Join
- Join type is finalized for that run
- Resetting without fixing the root cause repeats the behavior

This explains why devices look healthy but are not Hybrid Joined and why device-based policies don't reflect.

Questions
- Is 80004005 during Autopilot OOBE a known indicator of Hybrid Join / Offline Domain Join failure?
- Is fallback from Hybrid Join → Entra ID Join expected when Hybrid Join prerequisites fail?
- Once a device ends up Entra joined, is wipe + reprovision the only supported recovery after fixing the root cause?
- Public Wi-Fi / offsite scenario: has anyone successfully completed Hybrid Autopilot using pre-logon VPN / device tunnel (Always On VPN, GlobalProtect, AnyConnect, etc.) to provide DC line-of-sight?
- Which logs are most useful to confirm the exact failure point (ODJ, dsreg, Intune Connector, ESP)?

Thanks in advance for any insights or field experience.

uzairahmad, Mar 28, 2026

Have OneDrive or SharePoint files/folders on home screen of iPad without internet connection?
This. I'm on a big iOS project. We have several users who need files on an iPad when traveling, and need to be able to open them when there is no internet connectivity. These files aren't intended to be edited, just 'read only.' These files do not contain any sensitive corporate data. The content lives in SharePoint Online and I'm using OneDrive as a bridge to their SharePoint site. BUT the files can only be viewed on the iPad within the OneDrive app without internet access. These are devices using user affinity enrollment. Initially, the solution for users was to use the 'Mark Offline' feature within the OneDrive iOS app. I used Power Automate to have it fetch new files found in OneDrive and move them to the team's SharePoint site. These shared devices are locked down (an understatement). These will be used by the least computer-savvy/literate people, and so having them dive through OneDrive folder after folder, even offline, is a tall order to ask. I totally get it and don't want them doing that either. So now I have to move on to plan B. How can we put the files that live within OneDrive/SharePoint onto the home screen without an internet connection when the iPad is 'out in the field'? This would make it infinitely easier for them. The key here is to not have end users manually moving files around. We don't want them to even have to go into OneDrive and mark folders/files offline, if possible. We don't have the SharePoint app on them. I tried the SP app a while back, and it is a hot mess of garbage. I could revisit it. Whatever I can get to work, of course we'll have to modify our Intune policies. Thoughts?

net1994, Mar 26, 2026

Reenroll Company Owned With Work Profile Android
I have been putting together a profile that will allow our company to enroll our Android devices into Intune as Company Owned with Work Profile. One question I currently have is: if we ever need to remove the Work Profile, say for troubleshooting, do we have to do a complete factory reset of the phone to reenroll it back into Intune? Seems crazy to have to do that just to test or try to fix something, especially if the person has data on the personal side like pictures, apps, etc. Please tell me that is not the case! LOL!

BrentH72, Mar 26, 2026