Microsoft Intune support for Android Enterprise fully managed devices is now generally available
Published Sep 23 2019 03:00 AM
Microsoft

(This post is co-authored by Priya Ravichandran, Senior Program Manager, Microsoft 365) 

 

We are pleased to announce that Microsoft Intune support for Android Enterprise fully managed devices is now generally available.

 

Android Enterprise fully managed is one of the “device owner” management scenarios in the Android Enterprise solution set. This scenario enables user productivity on corporate devices while allowing IT admins to manage the capabilities the organization needs. We have seen an overwhelming uptake of this management capability throughout the multiple phases of public preview, making it the most widely adopted preview for Android management thus far. In preview, tens of thousands of devices across global customers are already using it to configure and manage their Android devices. In addition to this extensive adoption, we have received significant feedback from the community and customers alike. With this release, customers can deliver a high-quality, feature-rich productivity scenario for users on corporate-owned devices while maintaining an extended set of policy controls over those devices.

Onboarding a fully managed device

Intune supports popular provisioning technologies with Android Enterprise devices running Android 6.0 and later, including:

  • Knox Mobile Enrollment
  • NFC
  • QR Code
  • Token Entry
  • Zero Touch Enrollment

Deploying fully managed devices starts when a new device is acquired and unboxed, or an existing device is factory reset. Using Intune’s enrollment token with your preferred deployment technology, the fully managed provisioning workflow launches the out of the box experience (OOBE), which then guides the user through the steps needed to complete onboarding.
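The QR code and token paths above hand the device a provisioning payload that it parses before it downloads and installs the device policy controller (DPC). The security-relevant part of that payload is that it pins the DPC package with a SHA-256 checksum, so a download that has been tampered with is refused. The following Python is an added example, not Intune's or Google's code: it validates a constructed payload of that shape using the extra names Android's DevicePolicyManager defines, and checks a placeholder APK against the pinned checksum. The component name, download URL, APK bytes and the `enrollment_token` extras key are placeholders; the real QR that Intune generates in the admin console carries its own values and its enrollment token.

```python
import base64
import hashlib
import json
from typing import List, Optional
from urllib.parse import urlparse

# Extra names defined by android.app.admin.DevicePolicyManager for QR/NFC provisioning.
COMPONENT = "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
DOWNLOAD = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
PKG_CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM"
SIG_CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM"
EXTRAS = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
KEEP_SYSTEM_APPS = "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED"


def urlsafe_sha256(data: bytes) -> str:
    """SHA-256 of data as URL-safe base64, the encoding Android expects for the
    PROVISIONING_*_CHECKSUM extras. Padding is dropped here; Android accepts
    padded and unpadded values, so comparisons normalise both sides."""
    digest = hashlib.sha256(data).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def checksums_match(pinned: str, actual: str) -> bool:
    return pinned.rstrip("=") == actual.rstrip("=")


def validate_payload(payload: dict, apk: Optional[bytes] = None) -> List[str]:
    """Return the problems found in a provisioning payload ([] means acceptable).
    When the downloaded DPC bytes are supplied they are checked against the
    pinned package checksum, which is the integrity check the device performs."""
    problems = []
    component = payload.get(COMPONENT)
    if not isinstance(component, str) or "/" not in component:
        problems.append("component name must be <package>/<DeviceAdminReceiver class>")
    url = payload.get(DOWNLOAD)
    if url is not None:
        if urlparse(url).scheme != "https":
            problems.append("DPC download location must use https")
        if PKG_CHECKSUM not in payload and SIG_CHECKSUM not in payload:
            problems.append("a download location requires a package or signature checksum")
    if apk is not None and PKG_CHECKSUM in payload:
        if not checksums_match(payload[PKG_CHECKSUM], urlsafe_sha256(apk)):
            problems.append("downloaded APK does not match the pinned package checksum")
    if EXTRAS in payload and not isinstance(payload[EXTRAS], dict):
        problems.append("admin extras bundle must be a JSON object")
    return problems


def validate_qr_text(qr_text: str, apk: Optional[bytes] = None) -> List[str]:
    """A provisioning QR code encodes the payload as JSON text."""
    try:
        payload = json.loads(qr_text)
    except json.JSONDecodeError as exc:
        return ["QR content is not valid JSON: " + exc.msg]
    if not isinstance(payload, dict):
        return ["QR content must be a JSON object"]
    return validate_payload(payload, apk)


# Constructed sample. Every value is a placeholder: Intune generates the real
# payload (carrying its enrollment token) in the admin console.
SAMPLE_APK = b"placeholder bytes standing in for the DPC APK"
SAMPLE_PAYLOAD = {
    COMPONENT: "com.example.dpc/.DeviceAdminReceiver",   # hypothetical DPC
    DOWNLOAD: "https://dpc.example.invalid/dpc.apk",      # placeholder URL
    PKG_CHECKSUM: urlsafe_sha256(SAMPLE_APK),
    KEEP_SYSTEM_APPS: True,
    EXTRAS: {"enrollment_token": "TOKEN-PLACEHOLDER"},    # hypothetical key name
}
SAMPLE_QR_TEXT = json.dumps(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print("genuine APK:", validate_qr_text(SAMPLE_QR_TEXT, SAMPLE_APK))
    print("tampered APK:", validate_qr_text(SAMPLE_QR_TEXT, SAMPLE_APK + b"!"))
```

Two caveats follow from this shape. The checksum only proves the device received the APK you pinned, so the pinned value has to be computed from a build of the DPC you trust, and a payload that also carries `PROVISIONING_WIFI_SSID` and `PROVISIONING_WIFI_PASSWORD` (both are valid extras) contains a credential, so the printed QR should be handled as one.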

 

Once the user enters their corporate credentials, onboarding begins by guiding the user through setting up a device PIN that meets the organization’s policy. Setting this up during OOBE ensures that the device is protected against misuse from the start.

Figure 1: Fully managed OOBE guides user to set up PIN

 

OOBE automatically downloads the Microsoft Intune app, the Microsoft Authenticator app and the Microsoft Intune Company Portal app. The user is also shown the full list of required apps that the organization is pushing to the device, which makes the process more transparent to the end user.

Figure 2: OOBE installs the two required apps and shows the user the rest of the mandatory apps being installed

 

Because these additional apps start downloading immediately in the background, the user has the right tools for the job sooner.

 

The final piece of the OOBE is registering the device with Azure Active Directory. Registering during OOBE means the device is known to Azure AD before it touches corporate resources, so its compliance with the organization’s requirements can be evaluated and enforced from the first access attempt.

Figure 3: User starts device registration in OOBE

  

Figure 4: Device registration completes during OOBE

  

At the end of the onboarding workflow, the user now has a device that has all the policies and apps they need to be productive and secure.

Multi Factor Authentication with fully managed devices

Multi Factor Authentication (MFA) is a key part of the authentication process for many organizations. With this GA release, the fully managed device will be able to support MFA policies that have been put in place by the organization.

Configuring certificates and resource access policies

On a fully managed device, you can deploy both trusted root certificate profiles and SCEP certificate profiles for authentication. Resource access profiles are also now supported with the full spectrum of authentication options: email, Wi-Fi and VPN profiles can reference the certificate profiles your organization needs.

 

This support lets your organization determine which resources a device can reach and how it authenticates to them. For example, you can assign a device a specific Wi-Fi profile and have it authenticate with a certificate pushed to the device, in this case a SCEP certificate you deployed.

Enabling corporate and personal applications on the device

On a fully managed device, Intune takes a locked-down approach to apps. Sideloading is blocked, so the device keeps its security posture, and organizations no longer have to allow installation from unknown sources, which was a concern with the legacy device administrator management mode. To ensure that only apps from approved sources reach the device, organizations distribute corporate apps through the Managed Google Play store.

 

An organization may deploy additional policies to allow users to install other apps from the public Play store on the device, if they wish to, allowing users to personalize their work device. By default, access to the public Play store is blocked on a fully managed device.

Figure 5: Enabling end user access to the consumer store on fully managed devices

System applications

System apps – like the camera and the dialer – are key apps that are required by many organizations for their users to do their jobs as expected. Intune enables granular control over system apps on Android Enterprise corporate devices. Admins can manage system apps at the package level to ensure that only key apps needed for productivity are enabled on the device, excluding other system apps that are not relevant to the organization. 

Figure 6: Adding and managing system apps - like the Samsung Clock app - on fully managed devices

 

In addition, since these are post-provisioning policy deployments, the list of enabled system apps can be adjusted over the life of the device to meet the organization’s needs.  

Configuration and compliance

The fully managed device supports all the Android Enterprise Device Owner settings offered in the Intune console. Additionally, Intune now supports the ability to create compliance policies on fully managed devices, including:

  • Support for enforcement of PIN complexity requirements
  • Support for specifying a threat level threshold for the device and leveraging Mobile Threat Defense providers
  • Support for SafetyNet device attestation, which also covers rooted-device detection (the Android equivalent of jailbreak detection).

As with other Intune managed devices, when a device does not meet the compliance requirements, the user is notified and provided with guidelines on how to mitigate the issue. For fully managed devices, end user experiences are now surfaced in the new Microsoft Intune app.
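The compliance rules just listed, as an added Python example that is not Intune’s code. It evaluates a device record against a policy with the three settings above: PIN complexity, a Mobile Threat Defense threat-level threshold, and a SafetyNet attestation requirement at either of the two strengths Intune offers (basic integrity, or basic integrity plus certified device). The attestation is parsed as the compact JWS that SafetyNet returns, and the nonce, timestamp, requesting package, basicIntegrity and ctsProfileMatch claims are checked. The device, policy, package name and token are constructed; the token carries a placeholder certificate chain and no real signature, so in real use the RS256 signature must be verified against the x5c chain (leaf certificate issued to attest.android.com) before any claim is read, and the expected nonce must be the one the server issued for that specific request.

```python
import base64
import json
from typing import Dict, List

# Ordering used by "Require the device to be at or under the Device Threat Level".
THREAT_LEVELS = ["secured", "low", "medium", "high"]


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_jws(token: str):
    """Split a compact JWS into its decoded header and claims. Verifying the
    RS256 signature against the x5c chain is a precondition this offline
    example does not perform."""
    header_b64, claims_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(claims_b64))


def check_attestation(token: str, expected_nonce: str, expected_package: str,
                      level: str, now_ms: int, max_age_ms: int = 5 * 60 * 1000) -> List[str]:
    """level 'basic' requires basicIntegrity; 'certified' also requires
    ctsProfileMatch (the two strengths the attestation compliance setting offers)."""
    problems = []
    header, claims = parse_jws(token)
    if header.get("alg") != "RS256" or not header.get("x5c"):
        problems.append("attestation is not an RS256 JWS carrying a certificate chain")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch: attestation is replayed or was minted for another request")
    if claims.get("apkPackageName") != expected_package:
        problems.append("attestation was requested by an unexpected package")
    age_ms = now_ms - int(claims.get("timestampMs", 0))
    if not 0 <= age_ms <= max_age_ms:
        problems.append("attestation timestamp is outside the accepted window")
    if not claims.get("basicIntegrity"):
        problems.append("basicIntegrity failed: rooted, tampered or emulated device")
    if level == "certified" and not claims.get("ctsProfileMatch"):
        problems.append("ctsProfileMatch failed: uncertified device or unlocked bootloader")
    return problems


def evaluate_compliance(device: Dict, policy: Dict, now_ms: int) -> List[str]:
    """Apply the three compliance rules; [] means the device is compliant."""
    problems = []
    if (device["pin_type"] not in policy["allowed_pin_types"]
            or device["pin_length"] < policy["min_pin_length"]):
        problems.append("device PIN does not meet the required complexity")
    if THREAT_LEVELS.index(device["threat_level"]) > THREAT_LEVELS.index(policy["max_threat_level"]):
        problems.append("Mobile Threat Defense reports a threat level above the allowed threshold")
    problems += check_attestation(device["attestation"], device["attestation_nonce"],
                                  policy["attesting_package"], policy["attestation"], now_ms)
    return problems


def make_unsigned_jws(claims: Dict) -> str:
    """Constructed stand-in for a SafetyNet response: real claim names, but a
    placeholder chain and no real signature."""
    header = {"alg": "RS256", "x5c": ["PLACEHOLDER-CERTIFICATE-CHAIN"]}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()),
                     "PLACEHOLDER-SIGNATURE"])


# Constructed sample data with a fixed clock so the evaluation is deterministic.
NOW_MS = 1_569_200_000_000
SAMPLE_NONCE = b64url_encode(b"server-issued-nonce-0001")
SAMPLE_CLAIMS = {
    "nonce": SAMPLE_NONCE,
    "timestampMs": NOW_MS - 20_000,
    "apkPackageName": "com.example.compliance.agent",   # hypothetical attesting app
    "apkCertificateDigestSha256": ["PLACEHOLDER-DIGEST"],
    "ctsProfileMatch": True,
    "basicIntegrity": True,
    "evaluationType": "BASIC,HARDWARE_BACKED",
}
SAMPLE_POLICY = {
    "allowed_pin_types": ["numeric_complex", "alphanumeric"],
    "min_pin_length": 6,
    "max_threat_level": "low",
    "attestation": "certified",
    "attesting_package": "com.example.compliance.agent",
}
SAMPLE_DEVICE = {
    "pin_type": "numeric_complex",
    "pin_length": 6,
    "threat_level": "secured",
    "attestation_nonce": SAMPLE_NONCE,
    "attestation": make_unsigned_jws(SAMPLE_CLAIMS),
}

if __name__ == "__main__":
    print(evaluate_compliance(SAMPLE_DEVICE, SAMPLE_POLICY, NOW_MS))
```

Two details are worth keeping in a real evaluator: the nonce and timestamp checks are what stop a rooted device from replaying a clean attestation captured earlier, and the fixed ordering in `THREAT_LEVELS` turns “at or under the Device Threat Level” into a single comparison instead of a set of special cases.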

Redesigned end user experience in the Microsoft Intune app

This new modern and light-weight app, simply called ‘Microsoft Intune’, enables the experiences that end users know and love in the Company Portal app for fully managed devices, including managing compliance for their devices, getting support from their organization, and viewing notifications.

 

 

Figure 7: View devices, update settings when needed, and view notifications

 

Figure 8: Get support when needed, view organizational terms, and view user profile

 

The latest release of Microsoft Intune app for Android has the following updates:

  • Improved layout with bottom navigation for the most important actions.
  • Added an additional page that shows the user's profile.
  • Added the display of actionable notifications in the app to inform the user, such as the need to update their device settings.
  • Added the display of custom push notifications, aligning the app with the support recently added in the Company Portal app for iOS and Android.

Today, this new app is only for the fully managed scenario; in all other Android management scenarios, Company Portal will continue to be the end user app.

App protection policies

Intune app protection policies are fully supported on fully managed devices, at parity with other platforms. The Microsoft Company Portal is deployed automatically in the background to enable this additional layer of compliance control.

 

OEMConfig support

Intune has full support for the OEMConfig framework, including an intuitive configuration designer UI that allows organizations to easily leverage supported OEM-specific settings on their fully managed devices. For more details, see this blog post on the OEMConfig configuration designer or refer to the Intune documentation on OEMConfig.

 

Microsoft Launcher for Enterprises

Another key aspect of managing a corporate device, such as a fully managed device, is giving all end users a consistent home screen experience. This includes branding the device clearly and making sure the key apps for the user’s role are accessible and discoverable. Microsoft Launcher is a key partner in delivering this well-defined end user experience on corporate devices. When Microsoft Launcher is deployed to a device, it detects that the device is corporate-owned and enforces any app configuration settings the admin has specified, including the device wallpaper and the list and order of applications on the home screen.

Figure 9: Microsoft Launcher home screen experience on a work-managed Android device

While the launcher configuration is currently only exposed via the App config workflow, we are partnering with the Microsoft Launcher team to deliver a first class configuration experience in the Intune Admin Console – to match the experience that is available for the Managed Home Screen today. Watch this space for updates.

 

Next steps

We’re excited to share this milestone with our Microsoft Intune customers who can now deliver a premier manageability and security experience to their end users on Android Enterprise devices. As we continue to innovate on the Android Enterprise platform, we look forward to your ongoing usage and feedback.

Fully managed support is the next step in Intune's commitment to full Android Enterprise support. Also look for new support for private publishing within the Intune console, as well as web link support launching at the same time as Fully managed.  We're committed to a full set of Android Enterprise scenarios that meet high standards of manageability and privacy, so stay tuned for more on this in the coming months.

 

More info and feedback

Learn how to get started with Microsoft Intune with our detailed technical documentation. Don’t have Microsoft Intune? Start a free trial or buy a subscription today!

 

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

 

Follow @MSIntune on Twitter

101 Comments

Have enrolled some devices as fully managed user devices; it looks fine at the moment.

Configuration policies are applied, Compliance policies are checked and apps deployed.
The enrollment experience is much better than during the previews. So it looks good :)

Copper Contributor

Are there any possibilities for data separation to protect managed data from unmanaged apps like WhatsApp? Like iOS?

 

 

 

 

@Patrick Boeck Intune App Protection Policies.

Copper Contributor

Any plans for backup/restore functionality? - It appears to be greyed out & blocked.

 

We have users that don't want to factory reset their devices (in order to enroll into fully managed) as they have data that they want to be backed up and then restored into the fully managed solution.

 

Our usual method of using Samsung smart switch is blocked by fully managed and I can't see any obvious configuration settings in Intune relating to this?

Copper Contributor

Is the Intune app for Android only used for corporate owned devices? Using an enrolled personal device, Intune says "Your account is configured to use the Company Portal app instead."

@chuffman Yes, that's correct.
If you use a personal device to enroll, then you need to install the Company Portal app.

Steel Contributor

While testing, I received the prompt for MFA twice during setup. Once while signing in to Chrome to start the web enrollment, and a second time while signing in to Microsoft Intune to register the device. Is there any way to not require the second MFA prompt?

@eglockling I had a similar experience during the preview phase, but not when I enrolled a few devices yesterday in GA. Sign-in to the Intune app was an SSO experience: no username, no password and no MFA prompt.

Brass Contributor

Nice it's finally in GA but I think it's safe to say that SCEP profiles are not working.

 

When trying to deploy a user cert we get:

Could not connect to any NDES server   ----Update event received: CertAcquireFailedEvent(retryable=true, exception=null, failureType=NoValidNdesServer  ---- Update effects dispatched.

 

Trying to create a device cert profile it throws an error saying that SAN is null even though it's not.

Anyone who was already successful publishing a Managed Google Play private (LOB) app via Intune?
I constantly receive the error: Upload a new APK file with a different package name
Already removed the numbers and space out of the package name, without any result.

Brass Contributor

@almennn  

Also having issues with SCEP certs; have a call in with MS and am working through it at the moment. iOS and Android device administrator SCEP certificates are working fine without issue.

Copper Contributor

I'm also wondering about backup and restore functionality. Are there any plans to enable this? I'm not able to restore from my personal google account when enrolled with Android Enterprise.

Brass Contributor

@Adrian Bishop 

Post an update regarding SCEP when done. Interesting to know if it's an easy fix or if we have to wait.

Copper Contributor

Glad to hear about the update - SCEP profiles are however not working here either.

Copper Contributor

What about PKCS support for certificates? Any plans for that on the roadmap?

 

 

Brass Contributor

Anyone else also having issues with AppConfig? the DO devices seems to not pick up any AppConfig at all.

Steel Contributor

@almennn  We have an AppConfig applied to Edge on a DO device successfully. Did you configure the policy for Managed Devices or Managed Apps?

 

Intune managed apps will check-in with an interval of 30 minutes for Intune App Configuration Policy status, when deployed in conjunction with an Intune App Protection Policy. If an Intune App Protection Policy isn't assigned to the user, then the Intune App Configuration Policy check-in interval is set to 720 minutes.

Brass Contributor

Also noticed that AppConfig policies are always showing as pending.

Hi @almennn, @Adrian Bishop, @kraghhh,

A bug for SCEP Profiles has been identified, is currently being resolved, and should work shortly.

If you continue to experience any issues, please let us know!

Brass Contributor

Any update on the time frame for the SCEP issue to be resolved?

 

Brass Contributor

@eglockling 

Managed devices. I have policies for Edge, Adobe, Outlook and Knox Service Plugin. None of them have been picked up by the device in 3 days.

Copper Contributor

Unfortunately SCEP Profiles are still not working properly. 

Moreover, 'Trusted Certificate' profiles, even when installed properly, do not send that information back to Intune - profile installation state stays in 'Pending' state forever. Only 'Device Restrictions' seems to work.

After having Android Fully Managed enrollment profile in Preview for such a long time, this is not even funny to have such a bug.

Brass Contributor

@Jakub Galicki 

For us the state for trusted certificates and other profiles works as expected. The only thing not applying for us on the device and stays in a forever pending state is AppConfig.

Copper Contributor

@almennn 

But does the SCEP profile work for you too? 

Frankly I don't mind (at least, not at the moment) if devices report proper installation of profiles or applications (including AppConfig policies; BTW - they are applying, but also stay in 'Pending' state). More important is proper SCEP profile application as this affects other profiles (WiFi, VPN), but that's still out of order.

Hi @almennn, @Jakub Galicki, @kraghhh,

 

If you continue facing an issue with SCEP Profiles not working as expected, please open a support case via the Intune Admin console's Help and Support or any of the methods here, as this will help the team capture all the information needed to resolve the issue. Also, please direct message us with your support case number for follow up.

Copper Contributor

@Intune_Support_Team 

I'm currently working with several Customers trying to make Fully Managed devices work. Are you suggesting that I (or someone from the Customer's side) should open separate case for each such issue? I don't think it should be the way.

Brass Contributor

Facing issues with SCEP on fully managed devices. Getting error '0 no error code'. The RootCA cert gets deployed successfully. Created a support case already. I see the device hitting the IIS SCEP site with HTTP 200 but then nothing in ndesplugin.log. Engineer is looking into it.

Brass Contributor

We have the same issues with the SCEP certificate. We can see the device in the IIS log. But also no entry in the ndesplugin.log. If no resolution is published soon I will create a MS support ticket.

Steel Contributor

Just opened a support ticket for the same issue with SCEP profile failing for Android Enterprise fully managed.

However, this might be the cause of the issue for myself, not sure if it's the same for others here.

 

SCEP certificate profiles for the Device Owner Only profile have the following limitations:

  1. The following variables are not supported:
    • CN={{OnPrem_Distinguished_Name}}
    • CN={{onPremisesSamAccountName}}
  2. Under Monitoring, certificate reporting isn't available for Device Owner SCEP certificate profiles.
  3. Revocation of certificates provisioned by SCEP certificate profiles for Device Owner isn’t supported through Intune, but can be managed through an external process or directly with the certification authority.

Brass Contributor

Still see issues with SCEP today. The initial setup I had was with Subject = CN={{onPremisesSamAccountName}}, but there appears to be a recently documented limitation for DO devices, as @eglockling already mentioned. However, using Subject = Common Name or any other supported attribute still does not work at this moment.

 

I have a question outstanding with our TAM why onPremisesSamAccountName is not supported for Fully Managed. We have a huge dependency on certificates with the Subject reflecting the SamAccount for about 50 in-house LOB apps. For Work Profile devices it does work, which leads me to believe it is not a technical but more of a strategic limitation.

Brass Contributor

Another issue I have noticed is Compliance in combination with Mobile Threat Defense. Even though the compliance policy for DO devices allows me to specify 'Require the device to be at or under the Device Threat Level', it doesn't seem to be evaluated at all for my Fully Managed device.

When I look at the DO Compliance policy/Per-setting status page, the specific entry 'Require the device to be at or under the Device Threat Level' seems to be missing entirely.

Interestingly, when I do activate the MTD client (Lookout) on the Fully Managed endpoint, the Compliance policy for Work Profile devices gets added to the evaluated list of compliance policies for that device.

Copper Contributor

I still have massively inconsistent experiences with devices not showing as compliant after enrolment. One day a user will enrol and be compliant, the next day another user will enrol and show as non-compliant. There are no differences between the 2 users who have enrolled but it seems to be a roll of the dice as to whether or not they will show as compliant.

@Raymond Huis in 't Veld I see the exact same behavior for Device Threat level in our tenants.
The DO setting is missing. The Work profile one seems to be evaluated.

Brass Contributor

@Peter Klapwijk  I noticed your question whether anybody had been able to upload APKs to Managed Google Play as a private app via Intune (iframe). I have been able to do so. The message you are getting about 'different package name' refers to the app id (com.sec.android.etcera). Apparently somewhere in the Google Play an app already exists with the specific app id. Have you been testing with the same apk (or an earlier iteration) in the Play Console before?

@Raymond Huis in 't Veld Thnx for the reply!

 

In the mean time we are able to deploy an app to the private store. The developer indeed needed to change the app id.

Copper Contributor

Is there an official website for a list of known issues with Intune enrollments?

Brass Contributor

Hi all, curious what you guys think about the mentioned Microsoft Launcher for Enterprises. How would I deploy this in such a way that it would only be deployed as required on AE Fully Managed devices? Using a device group? My personal experience with device groups so far is that they update rather slowly. If I deployed it to a user group, the same user with a BYOD Work Profile device would also receive the MS Launcher in the Work Profile.

 

Any recommendations on this?

Copper Contributor

How about auto enrollment using Samsung's KME for Fully Managed devices? I remember this not being available on previews but how about now? Google's Zero Touch works perfectly!

Brass Contributor

@Joni_Nieminen I used the Samsung KME even in preview and it was working fine for us. 

Brass Contributor

@Cris_Ten_Eyck  not that I know of, but a support blog has been posted with a few known issues:
https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Intune-announces-support-...

 

It seems to miss the issue I mentioned regarding Mobile Threat Defense integration though.

@Joni_Nieminen KME with fully managed devices did work fine for me during preview and still does work fine.

 

@Raymond Huis in 't Veld The Threat Defense Level (TDL) issue is also happening in our tenant. During preview the work profile TDL policy was already checked on DO devices.

Copper Contributor

Is it possible to enable back up services for fully managed devices? It is still greyed out.

Steel Contributor

@Nathan23055  The backup/restore option is greyed-out even when enrolling with other MDM using fully managed (device owner).

@Raymond Huis in 't Veld I brought it to the attention of the product team; they are looking into the issue, was the response.

Hi all,

 

We have received reports from a few customers around Device Owner Compliance Policies not evaluated, and the Work Profile is used instead. Engineering is investigating, and will update the Support Tip: Intune announces support for Android Enterprise fully managed devices blog as soon as we have more insight. Will also update you all here as well!

 

Thanks!

Brass Contributor

Cheers @Peter Klapwijk !

Just to make sure we're all on the same page here: The issue looks slightly different though as how the @Intune_Support_Team describes it.
The only compliance setting that is not evaluated from the DO compliance policy is MTD (e.g. Lookout) related. The status from Lookout does not affect the DO compliance at all.

However, once I activate the Lookout agent on the DO device, I see the Work Profile compliance policy being evaluated (for the DO device), but solely for the MTD related compliance setting 'Require the device to be at or under the Device Threat Level'.

Hope that makes sense ;)

Brass Contributor

I agree about the backup and restore functionality. Would be great to have this option. @Intune_Support_Team any plans on making this available?

 

What I did see is that you can use the Smart Switch app on Samsung devices to transfer data, apps and settings from the old phone to the new fully managed device. Don't know about the other brands.

Copper Contributor

Hi

 

I have been asking this question all over and no one seems to know the answer.

 

Why would our existing devices which are registered with android legacy admin require a factory reset before we can migrate them to enterprise fully managed?

 

Brass Contributor

@dan_birrell This is not an Intune specific requirement:

https://developers.google.com/android/work/device-admin-deprecation#migration_guidance_for_customers

Quote: "We recommend that company-owned devices be set up as fully managed devices. Migrating a device from device admin to managed device requires a factory reset. Since this is more disruptive to users, we suggest a phased adoption, where new devices are enrolled as fully managed devices but existing devices are left on device admin."

Version history
Last update:
‎Sep 19 2019 01:53 PM