Android 12 Day Zero Support with Microsoft Endpoint Manager

Published Aug 10 2021 08:00 AM 6,641 Views

Android 12 was announced at Google I/O 2021 in May of this year, promising significant overhauls of the Android platform from design to privacy. In this post, we’ll highlight some noteworthy changes that you should be aware of, and we’ll share some of what we’ve found from testing the latest beta builds of Android.

 

Our Microsoft Endpoint Manager app protection policy (APP) and mobile device management (MDM) teams have been hard at work making sure Microsoft Intune customers are supported on the new OS release. Most APP and MDM scenarios will continue to be fully compatible with Android 12. However, Google is making some significant changes in Android 12 that affect management capabilities available to Intune.

 

As we approach the official release of Android 12 later in the year (historically the major Android OS releases are often in late Q3/early Q4 of the calendar year), we will continue to update this blog post as we discover new items in our beta testing. We also encourage you to read through Google’s Android 12 change documentation to identify other changes that may be relevant to your organization. Keep us posted on what APP and MDM learnings you find from your beta testing too!

 

Removal of serial number, IMEI, and MEID on personally-owned work profile devices

Google is removing the ability for apps to access hardware identifiers on personally-owned work profile devices. The impacted hardware identifiers are serial number, IMEI, and MEID. For more information, see the Google developer documentation.


The removal affects the following workflows in the Endpoint Manager admin center for personally-owned Android Enterprise with work profile devices running Android 12:

  • Serial number, IMEI, MEID and will no longer be visible in the Endpoint Manager admin center.

  • Serial number and IMEI can no longer be used to identify devices as corporate.

  • Certificates will fail to deploy if you use serial number, IMEI, or MEID variables in the subject and SAN of the certificate profile and the value is not populated. This may impact downstream systems that rely on these values in the subject and SAN of certificates.

  • Network access control with certain NAC providers and third-party VPN providers may be affected. This may impact the ability of enrolled devices to connect to a corporate network. More information can be found here: Support Tip: Android 12 upgrade can affect NAC-enabled network access.

Removal of Wi-Fi MAC address on newly-enrolled device administrator and personally-owned work profile devices

Starting in October, Intune will not display a Wi-Fi MAC address for newly enrolled personally-owned work profile devices and devices managed with device administrator running Android 9 and above.

 

Cause of impact: In October, there will be a Company Portal app update that increases the Company Portal API targeting from level 29 to level 30, as required by Google. When apps target API level 30, Android prevents them from collecting the MAC address used by the device.

 

Reminder about upcoming changes to Android Enterprise fully managed, dedicated, and corporate-owned work profile devices

Google has documented they are deprecating the Safe boot and Debugging features configuration settings for Android Enterprise device restrictions at the end of October. This affects fully managed, dedicated, and corporate-owned work profile devices. To prepare for this change, we will be adding a new setting, Developer settings, in September's Intune service release (2109). If your organization currently uses one of the deprecated settings, consider making use of Developer settings once it becomes available. For more details, see the message center post MC275160, which you can find either in your tenant status blade in the Microsoft Endpoint Manager admin center, or in the Microsoft 365 admin center. For more on service changes, see - Staying up to date on Intune new features, service changes, and service health.

 

User experience changes

Android 12 includes many changes to how apps look and feel, such as changes to scrolling animations and app launch behavior. The Company Portal and Intune app will adopt these visual changes, giving your users a consistent look and feel on the platform. If you’ve got a helpdesk or support team, they may appreciate advanced notice of the UI app experience changes in Android 12.

 

Other ways to prepare for Android 12

  • Update apps: Encourage your users to update to the latest version of the Company Portal, Intune, Edge, and other APP-supported apps. The latest version will provide the best experience with devices running Android 12.

  • Check compatibility for other managed apps: As with previous major Android OS updates, check mobile app compatibility with your app providers to confirm your users' apps work with Android 12. You’ll see a “What’s New for the app” notice in the Google Play app store, in-app details, or updates on an application’s website. Some apps provide Day 0 support, while others update over time.

 

How can you reach us?

Keep us posted on your Android 12 experience through comments on this blog post, through Twitter (@IntuneSuppTeam), and request any new features on UserVoice. We will update this post with any additional information we learn as testing continues, and when Android 12 releases.

 

Post updates:

9/14/21: Updated with a note that Intune will not display Wi-Fi MAC address for newly enrolled personally-owned work profile devices and devices managed with device administrator running Android 9 and above.

%3CLINGO-SUB%20id%3D%22lingo-sub-2621665%22%20slang%3D%22en-US%22%3EAndroid%2012%20Day%20Zero%20Support%20with%20Microsoft%20Endpoint%20Manager%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2621665%22%20slang%3D%22en-US%22%3E%3CP%3EAndroid%2012%20was%20announced%20at%20Google%20I%2FO%202021%20in%20May%20of%20this%20year%2C%20promising%20significant%20overhauls%20of%20the%20Android%20platform%20from%20design%20to%20privacy.%20In%20this%20post%2C%20we%E2%80%99ll%20highlight%20some%20noteworthy%20changes%20that%20you%20should%20be%20aware%20of%2C%20and%20we%E2%80%99ll%20share%20some%20of%20what%20we%E2%80%99ve%20found%20from%20testing%20the%20latest%20beta%20builds%20of%20Android.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOur%20Microsoft%20Endpoint%20Manager%20app%20protection%20policy%20(APP)%20and%20mobile%20device%20management%20(MDM)%20teams%20have%20been%20hard%20at%20work%20making%20sure%20Microsoft%20Intune%20customers%20are%20supported%20on%20the%20new%20OS%20release.%20Most%20APP%20and%20MDM%20scenarios%20will%20continue%20to%20be%20fully%20compatible%20with%20Android%2012.%20However%2C%20Google%20is%20making%20some%20significant%20changes%20in%20Android%2012%20that%20affect%20management%20capabilities%20available%20to%20Intune.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAs%20we%20approach%20the%20official%20release%20of%20Android%2012%20later%20in%20the%20year%20(historically%20the%20major%20Android%20OS%20releases%20are%20often%20in%20late%20Q3%2Fearly%20Q4%20of%20the%20calendar%20year)%2C%20we%20will%20continue%20to%20update%20this%20blog%20post%20as%20we%20discover%20new%20items%20in%20our%20beta%20testing.%20We%20also%20encourage%20you%20to%20read%20through%20Google%E2%80%99s%20Android%2012%20change%20documentation%20to%20identify%20other%20changes%20that%20may%20be%20relevant%20to%20your%20organization.%20Keep%20us%20posted%20on%20what%20APP%20and%20MDM%20learnings%20you%20find%20from%20your%20beta%20testing%20too!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-2114081779%22%20id%3D%22toc-hId-2115033166%22%3ERemoval%20of%20serial%20number%2C%20IMEI%2C%20and%20MEID%20on%20personally-owned%20work%20profile%20devices%3C%2FH3%3E%0A%3CP%3EGoogle%20is%20removing%20the%20ability%20for%20apps%20to%20access%20hardware%20identifiers%26nbsp%3Bon%20personally-owned%20work%20profile%20devices.%20The%20impacted%20hardware%20identifiers%20are%20serial%20number%2C%20IMEI%2C%20and%20MEID.%20For%20more%20information%2C%20see%20the%20%3CA%20href%3D%22https%3A%2F%2Fdeveloper.android.com%2Fabout%2Fversions%2F12%2Fwork%23privacy-enhancements%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EGoogle%20developer%20documentation%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EThe%20removal%20affects%20the%20following%20workflows%20in%20the%20Endpoint%20Manager%20admin%20center%20for%20personally-owned%20Android%20Enterprise%20with%20work%20profile%20devices%20running%20Android%2012%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ESerial%20number%2C%20IMEI%2C%20MEID%20and%20will%20no%20longer%20be%20visible%20in%20the%20Endpoint%20Manager%20admin%20center.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%0A%3CLI%3ESerial%20number%20and%20IMEI%20can%20no%20longer%20be%20used%20to%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmem%2Fintune%2Fenrollment%2Fcorporate-identifiers-add%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Eidentify%20devices%20as%20corporate%3C%2FA%3E.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%0A%3CLI%3ECertificates%20will%20fail%20to%20deploy%20if%20you%20use%20serial%20number%2C%20IMEI%2C%20or%20MEID%20variables%20in%20the%20subject%20and%20SAN%20of%20the%20certificate%20profile%20and%20the%20value%20is%20not%20populated.%20This%20may%20impact%20downstream%20systems%20that%20rely%20on%20these%20values%20in%20the%20subject%20and%20SAN%20of%20certificates.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%0A%3CLI%3ENetwork%20access%20control%20with%20certain%20NAC%20providers%20and%20third-party%20VPN%20providers%20may%20be%20affected.%20This%20may%20impact%20the%20ability%20of%20enrolled%20devices%20to%20connect%20to%20a%20corporate%20network.%20More%20information%20can%20be%20found%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Fandroid-12-ae-byod-nac%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ESupport%20Tip%3A%20Android%2012%20upgrade%20can%20affect%20NAC-enabled%20network%20access%3C%2FA%3E.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CH3%20id%3D%22toc-hId-306627316%22%20id%3D%22toc-hId-307578703%22%3ERemoval%20of%20Wi-Fi%20MAC%20address%20on%20newly-enrolled%20device%20administrator%20and%20personally-owned%20work%20profile%20devices%3C%2FH3%3E%0A%3CP%3EStarting%20in%20October%2C%20Intune%20will%20not%20display%20a%20Wi-Fi%20MAC%20address%20for%20newly%20enrolled%20personally-owned%20work%20profile%20devices%20and%20devices%20managed%20with%20device%20administrator%20running%20Android%209%20and%20above.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ECause%20of%20impact%3A%3C%2FSTRONG%3E%20In%20October%2C%20there%20will%20be%20a%20Company%20Portal%20app%20update%20that%20increases%20the%20Company%20Portal%20API%20targeting%20from%20level%2029%20to%20level%2030%2C%20%3CA%20href%3D%22https%3A%2F%2Fdeveloper.android.com%2Fdistribute%2Fplay-policies%23APILevel30%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Eas%20required%20by%20Google%3C%2FA%3E.%20When%20apps%20target%20API%20level%2030%2C%20Android%20prevents%20them%20from%20collecting%20the%20MAC%20address%20used%20by%20the%20device.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--1500827147%22%20id%3D%22toc-hId--1499875760%22%3EReminder%20about%20upcoming%20changes%20to%20Android%20Enterprise%20fully%20managed%2C%20dedicated%2C%20and%20corporate-owned%20work%20profile%20devices%3C%2FH3%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdevelopers.google.com%2Fandroid%2Fmanagement%2Frelease-notes%23march-2021%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EGoogle%20has%20documented%3C%2FA%3E%20they%20are%20deprecating%20the%20%3CSTRONG%3ESafe%20boot%3C%2FSTRONG%3E%20and%20%3CSTRONG%3EDebugging%20features%3C%2FSTRONG%3E%20configuration%20settings%20for%20Android%20Enterprise%20device%20restrictions%20at%20the%20end%20of%20October.%20This%20affects%20fully%20managed%2C%20dedicated%2C%20and%20corporate-owned%20work%20profile%20devices.%20To%20prepare%20for%20this%20change%2C%20we%20will%20be%20adding%20a%20new%20setting%2C%20%3CSTRONG%3EDeveloper%20settings%3C%2FSTRONG%3E%2C%20in%20September's%20Intune%20service%20release%20(2109).%20If%20your%20organization%20currently%20uses%20one%20of%20the%20deprecated%20settings%2C%20consider%20making%20use%20of%20Developer%20settings%20once%20it%20becomes%20available.%20For%20more%20details%2C%20see%20the%20message%20center%20post%20MC275160%2C%20which%20you%20can%20find%20either%20in%20your%20tenant%20status%20blade%20in%20the%20Microsoft%20Endpoint%20Manager%20admin%20center%2C%20or%20in%20the%20Microsoft%20365%20admin%20center.%20For%20more%20on%20service%20changes%2C%20see%20-%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FMEMServiceChangeBlog%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EStaying%20up%20to%20date%20on%20Intune%20new%20features%2C%20service%20changes%2C%20and%20service%20health%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-986685686%22%20id%3D%22toc-hId-987637073%22%3EUser%20experience%20changes%3C%2FH3%3E%0A%3CP%3EAndroid%2012%20includes%20many%20changes%20to%20how%20apps%20look%20and%20feel%2C%20such%20as%20changes%20to%20scrolling%20animations%20and%20app%20launch%20behavior.%20The%20Company%20Portal%20and%20Intune%20app%20will%20adopt%20these%20visual%20changes%2C%20giving%20your%20users%20a%20consistent%20look%20and%20feel%20on%20the%20platform.%20If%20you%E2%80%99ve%20got%20a%20helpdesk%20or%20support%20team%2C%20they%20may%20appreciate%20advanced%20notice%20of%20the%20UI%20app%20experience%20changes%20in%20Android%2012.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--820768777%22%20id%3D%22toc-hId--819817390%22%3EOther%20ways%20to%20prepare%20for%20Android%2012%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FH3%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3EUpdate%20apps%3C%2FSTRONG%3E%3A%20Encourage%20your%20users%20to%20update%20to%20the%20latest%20version%20of%20the%20Company%20Portal%2C%20Intune%2C%20Edge%2C%20and%20other%20APP-supported%20apps.%20The%20latest%20version%20will%20provide%20the%20best%20experience%20with%20devices%20running%20Android%2012.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3ECheck%20compatibility%20for%20other%20managed%20apps%3C%2FSTRONG%3E%3A%20As%20with%20previous%20major%20Android%20OS%20updates%2C%20check%20mobile%20app%20compatibility%20with%20your%20app%20providers%20to%20confirm%20your%20users'%20apps%20work%20with%20Android%2012.%20You%E2%80%99ll%20see%20a%20%E2%80%9CWhat%E2%80%99s%20New%20for%20the%20app%E2%80%9D%20notice%20in%20the%20Google%20Play%20app%20store%2C%20in-app%20details%2C%20or%20updates%20on%20an%20application%E2%80%99s%20website.%20Some%20apps%20provide%20Day%200%20support%2C%20while%20others%20update%20over%20time.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-1666744056%22%20id%3D%22toc-hId-1667695443%22%3EHow%20can%20you%20reach%20us%3F%3C%2FH3%3E%0A%3CP%3E%3CSPAN%20class%3D%22TextRun%20SCXW92287006%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW92287006%20BCX8%22%3EKeep%20us%20posted%20on%20your%20Android%201%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW92287006%20BCX8%22%3E2%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW92287006%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eexperience%20through%20comments%20on%20this%20blog%20post%2C%20through%20Twitter%20(%3C%2FSPAN%3E%3C%2FSPAN%3E%3CA%20class%3D%22Hyperlink%20SCXW92287006%20BCX8%22%20href%3D%22https%3A%2F%2Faka.ms%2FIntuneSuppTeam%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20class%3D%22TextRun%20Underlined%20SCXW92287006%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW92287006%20BCX8%22%20data-ccp-charstyle%3D%22Hyperlink%22%3E%40IntuneSuppTeam%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20class%3D%22TextRun%20SCXW92287006%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW92287006%20BCX8%22%3E)%2C%20and%20request%20any%20new%20features%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW92287006%20BCX8%22%3Eon%E2%80%AF%3C%2FSPAN%3E%3C%2FSPAN%3E%3CA%20class%3D%22Hyperlink%20SCXW92287006%20BCX8%22%20href%3D%22http%3A%2F%2Faka.ms%2FIntuneUserVoice%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20class%3D%22TextRun%20Underlined%20SCXW92287006%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW92287006%20BCX8%22%20data-ccp-charstyle%3D%22Hyperlink%22%3EUserVoice%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20class%3D%22TextRun%20SCXW92287006%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW92287006%20BCX8%22%3E.%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW92287006%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3EWe%20will%20update%20this%20post%20with%20any%20additional%20information%20we%20learn%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW92287006%20BCX8%22%3Eas%20testing%20continues%2C%20and%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW92287006%20BCX8%22%3Ewhen%20Android%201%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW92287006%20BCX8%22%3E2%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW92287006%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Ereleases.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CSPAN%20class%3D%22EOP%20SCXW92287006%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3EPost%20updates%3A%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22EOP%20SCXW92287006%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E9%2F14%2F21%3A%20Updated%20with%20a%20note%20that%20Intune%20will%20not%20display%20Wi-Fi%20MAC%20address%20for%20newly%20enrolled%20personally-owned%20work%20profile%20devices%20and%20devices%20managed%20with%20device%20administrator%20running%20Android%209%20and%20above.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2621665%22%20slang%3D%22en-US%22%3E%3CP%3ERead%20this%20for%20more%20info%20on%20%23Android12%20and%20Microsoft%20Endpoint%20Manager%20-%20Intune%20support.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2621665%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAndroid%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EApp%20Protection%20Policies%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Endpoint%20Manager%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Version history
Last update:
‎Sep 14 2021 02:22 PM
Updated by: