Archive: Announcing new updates to the Android Enterprise fully managed devices preview
Published Jul 02 2019 12:28 PM

Updated 12/19/19 - We have received over 300 comments on the Android preview blog posts, and in those comments and occasional subsequent support cases, you helped us deliver Android Enterprise Fully Managed as generally available. You provided over 58 pieces of actionable feature feedback based on your experience with preview.

More information about the GA release can be found in our blog here: Microsoft Intune support for Android Enterprise fully managed devices is now generally available.

As this feature is now GA, new comments on this post will be turned off. As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page or our Twitter @IntuneSuppTeam. Your continued feedback helps make the product better. We are grateful for this community, thank you!

As we work towards delivering full support for the Android Enterprise fully managed device scenario, we are updating the capabilities currently available in preview. We will support Intune app protection policies on Android Enterprise fully managed devices. This will start to roll out now, and we anticipate it will be available for everyone by the end of the second week in July.


Before we get to what’s new, a quick shout out - thank you for continuing to use this preview and providing extensive dialog. We will keep working to address feedback you have raised in the comments section on prior Android Enterprise fully managed blog posts (preview 1 and preview 2), Twitter, and through other feedback channels.

 

Support for app protection policies on fully managed devices

We are happy to announce that we now have support for Intune app protection policies on fully managed devices. In scenarios where organizations want an additional layer of app compliance controls beyond full device controls, the automatically deployed Company Portal app will serve as the agent for the app protection policies. All the app protection policies will be supported at parity with the rest of your device scenarios.

 

Updates to the Microsoft Intune app

We’ve added new features to the Microsoft Intune app (preview) for Android. Users on fully managed Android devices can now:

  • View and manage the devices they've enrolled through the Intune Company Portal or Microsoft Intune app
  • Contact their organization for support
  • Send their feedback to Microsoft
  • View terms and conditions, if set by their organization

 
Update availability
These features are rolling out now and we expect they’ll be fully available by the first week of July. We will update this post as soon as the roll out is complete so that you can be sure that you have the full set of updates to test out the features.
 
In development features
The following workflows are still in development:
  • Remote access policies with certificate support (i.e. Wi-Fi, VPN, Email)
  • Certificate management
  • Support for managing or enabling system apps
  • Support for Mobile Threat Defense
     

Customer Support for This Preview
We outlined above that not all features are yet available for use with the Intune Android fully managed scenario. The preview features are fully supported through our usual Intune support channels and are clearly labeled with “(preview)” in the Intune console.

 

Known Issues

As discussed in the comments, we do have a known issue with this release. If you blocked “Account Changes” in the user and accounts blade, then you won’t be able to enroll new devices with this update. We are working on addressing this issue to allow the device to register but prevent any subsequent unapproved account changes.


 

How Can You Reach Us?
As you use Preview 2 and test out the Android fully managed preview scenarios, we would appreciate your feedback on the IT admin's enrollment profile configuration and the end user's device enrollment experience. Keep us posted on your Android experience through comments on this blog post, through Twitter (@IntuneSuppTeam), and request any new features on UserVoice.

 
Documentation


Blog post updates:

  • 12/19/19 with an update that this preview feature is now GA!
40 Comments
Brass Contributor

As it stands, the Intune app is still unusable for us due to the (device configuration) restrictions on adding/editing user accounts - yet other Microsoft apps are able to work fine. Is a fix still being worked on?

Brass Contributor

@AndyH16

I am also still seeing strange behaviour with the Intune App ... when the user logs into the app I am presented with the below image instead of the page to register the phone ... is this something you have seen? ... currently awaiting a response on my case logged with Microsoft ... cheers ...

Intune.jpg

Brass Contributor

I get that page but it loads, so the grey placeholders have the expected text. But when we try to continue you get a message stating that your organization has blocked access - which we have, with the device configuration - only, apps like Outlook allow you to add email and 365 accounts without issue.

I see no issues when the user logs on to the Intune app. I'm able to use the app to register the device. What I did notice, when we move on to get the device compliant the app shows we need to enable encryption. When we click Resolve, nothing happens, you are not redirected to set your startup PIN to start encryption.
When I click Resolve under, for example, the message that the PIN is too short, I'm redirected to the correct settings tab.
Another issue I still see, the app configuration policy is applied, but still shows pending in the Intune portal.

Copper Contributor

Will "work profile" on a fully managed device be considered as another feature of fully managed device scenario or will this be a new scenario by itself to be supported in the future?

Brass Contributor

@Peter Klapwijk 

Thanks for the reply ..

I also have the same issue with clicking "Resolve" and nothing happening, then you have to manually navigate to the correct place in the settings and set the PIN ... 

In terms of configuration policy showing as pending, I have seen something similar where the Configuration Policy update will not apply until any "Device Compliance" policies are removed ... once they are removed the Configuration Policy should apply, and then you can re-apply the Compliance Policy ...

@Peter Meuser 

Hey Peter, the only update I have had in terms of "Work Profile" was around Compliance Policies ... as it stands Work Profiles do not work in terms of Device Compliance, only Device Owner Compliance policies ... but I'm told that feature parity will be achieved between the 2 for GA ...  

Copper Contributor

Hi Rob, with "work profile on a fully managed device" I am referring to the so far missing support for "Company-owned devices for knowledge workers" (or "COPE" as called more traditionally). Please see this definition by Google: https://developers.google.com/android/work/overview

 

Brass Contributor

hey guys ... I'm posting in the hope that someone has a Samsung Note 9 and can test / confirm something for me ... 

The Note 9 devices we have are showing some very strange behaviour ... they are configured for "secure startup" so the user has to enter a PIN when they first turn on the device ... simple enough ...

However where I am struggling is that "rebooting the device from the Intune console puts the device into a state of constantly rebooting and having to enter my PIN" ... rebooting the phone manually works as expected ...

The only way I've found to resolve this is to leave it for a random amount of time (18 hours is my best score) and then on that lucky attempt the phone will stay turned on again ...

Hoping someone has a Note 9 running Android 9 that they can try this with ...

Cheers 

 

Brass Contributor

@robbamber I have, albeit very briefly, experienced this with our devices (Moto G6, Android 9). I've issued reboots only for it to instantly reboot the device the moment it starts up - and checks the Device Policy, I assume. Though, after a couple of reboots they seem to behave.

Copper Contributor

I'm using Samsung KME to automatically enroll fully managed devices.

 

Some things I notice, after doing a factory reset to get into the Knox Enrollment state:

- When the device has an active 4G connection, no option offered to setup a WiFi connection instead.

- The Intune app gets installed, but not configured. The user has to start the app and complete some steps manually in order to get it managed by Intune.

 

Are these limitations of the current state of the Preview?

@Niels van Dijk also noticed this with the Intune app. SSO would be nice instead of logging on manually for a second time.

Brass Contributor

@Peter Klapwijk @Niels van Dijk @AndyH16 @Peter Meuser 

Afternoon all ... don't know if anyone is using the same setup as myself ... I have a device which is VPN'd back to my infrastructure ... what I am seeing is my VPN disconnecting when refreshing the device policy "twice" ... steps are;

Phone turned on,

Connected to VPN,

Go into the Play Store and open "Android Device Policy" app,

Hit the refresh button in the top left twice,

VPN is automatically disconnected.

Don't know if anyone else has experienced this, or has any suggestions on a way forward? ...

Thanks.

Brass Contributor

Morning all.. looking at the what's new Week of Jul 1, 2019, it mentions

"When onboarding fully managed Android Enterprise devices, you can enable Azure Active Directory (AAD) registration before Intune onboarding is completed."

I can't find any documentation on this, does anyone know what exactly this means?

@AndrewH5 Have no idea! Just send Intune support a question about it on Twitter :) curious what it is!

Brass Contributor

@AndrewH5 @Peter Klapwijk 

I'm “assuming” it means once you do the initial enrolment there won’t be a requirement to sign into the Intune app afterwards ... but yes can’t find any confirmation ...

cheers

Brass Contributor

@AndrewH5 @Peter Klapwijk 

Just enrolled another device and the behaviour has changed, you now get prompted to register the device as part of the enrolment instead of afterwards.

Capture.JPG

Brass Contributor

Thanks @robbamber I've just done an enrol now and I'm getting the same. 

I had sent the Intune team a question on twitter and was getting sent to other documents at first, a PM then commented saying they'll take a look and get back to me on the Friday, but haven't heard anything yet.

Have to say this is a better workflow though.

 

With the change to Scope tags coming, how are people handling their Android Enterprise Scope tags? 

With iOS you can create a dynamic group based on enrolment profile and then feed that to your scope tag.

But I haven't found anything "useful" for Android Enterprise, can't use the profile name as they would all have the same name.

Our scenario is, we have a number of offices and they mostly all use the same make and model of Android Device.

We want the "Admin" of each office to be able to reset Device passcodes if needed, but they shouldn't be able to see another office's Android devices.

So far I've not got close to working this one out using a Dynamic Device group, if we could include users (which we can't) in the dynamic query this would be really easy...

Brass Contributor

Hmm, I was hoping that workflow change would mean it would do away with the issues enrolling the Intune app when you have user account restrictions in place - it seems this isn't the case! So annoyingly our phones are getting to this step and not able to proceed any further.

 

I've had to temporarily turn off the user account restrictions - though my test Moto G6 is still being reluctant to enrol! Might just have to give it a bit more time.

Brass Contributor

@AndrewH5 @AndyH16 

This is certainly a better flow I think ...

in terms of the account restrictions stopping the register @AndyH16 I am still working around it by having a "secondary" policy apply after the device is registered, however this is still a manual move unfortunately … so kind of a step in the right direction ...

Do either of you guys have ADFS in environments? I am being prompted by the enrolment / registration process that the Chrome / Edge browser requires a certificate … can either install a certificate (which isn't available at the point of enrolment), or can press cancel and use domain credentials which is fine … but again not ideal ...

Cheers.

Brass Contributor

@robbamber We have an ADFS environment, I got prompted last week regarding the browser needing a certificate (it was just one day) but it's no longer prompting us. I had put it down to a Firewall change on site rather than something else, didn't really put much thought into it.

Brass Contributor

@AndrewH5 

Cheers for the feedback will have to investigate further as I'm getting it every single time unfortunately.

Hi @Niels van Dijk, regarding using KME to set up Samsung KNOX devices, this is a current known issue and our engineering team is continuing to work on this. A current overview for Preview 2 for Android Enterprise fully managed devices and known issues is over at: https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Microsoft-Intune-announces-Preview-2-.... If there are any new issues that you are experiencing, please let us know!

@Intune_Support_Team would be nice if you could provide some information on this: "When onboarding fully managed Android Enterprise devices, you can enable Azure Active Directory (AAD) registration before Intune onboarding is completed."

@robbamber I have tested this 'new' enrollment/ registration a few times now. One time I got a SSO experience and didn't need to provide my password during registration. Most of the times I needed to provide my password. So I assume at GA it will be the SSO experience....

Copper Contributor

@AndrewH5 I had exactly the same issue and tried to resolve it with support.

 

intune.JPG

 

If you have blocked adding/changing accounts you won't be able to enroll devices anymore after this last update.

 

Because now you need to login to the Intune app before/during registration and it doesn't work in conjunction with the above settings.

Copper Contributor

Hi @Joni_Nieminen, thanks a lot for your feedback - that helped us to quickly identify our rollout-issue today!

@Intune_Support_Team: Are you aware of this situation? 

Copper Contributor

This suggestion came from @Intune_Support_Team which they had seen from another support request related to the issue. So yes, they should be aware of this!

We've wanted to update you all with a couple of updates to this blog:

  1. We've updated our What's New page for the week of July 1st with clarification to the AAD and APP on Android Enterprise Devices. More information can be found here: https://docs.microsoft.com/intune/whats-new#aad-and-app-on-android-enterprise-devices-
  2. We do have a known issue with this release. If you blocked “Account Changes” in the user and accounts blade, then you won’t be able to enroll new devices with this update. We are working on addressing this issue to allow the device to register but prevent any subsequent unapproved account changes.  

Lastly, we greatly appreciate your feedback! Keep us posted on your Android experience through comments on this blog post, through Twitter (@IntuneSuppTeam), and request any new features on UserVoice.

Iron Contributor

Does anyone know if Deployment Rings in the Google Play Store are supported in Intune? For instance, I have a LOB app in my private store that I manage Internal Beta deployments for, does the Fully Managed Solution work for this since we don't really connect to Google Play with our actual IDs and it uses the @android-for-work.gserviceaccount.com domain. The Beta rings are managed via user ID (email Address) in the Google Play store. Any insight is appreciated.

Brass Contributor

Hi all,
Will Device Categories/Device Group Mapping (as detailed here https://docs.microsoft.com/en-us/intune/device-group-mapping ) become a supported feature for the AE Fully Managed devices?

Brass Contributor

When Samsung KME and fully managed, if I set leave system apps in the KME MDM profile, it never enrolls, just says finishing updating

 

Is this a KME issue or Intune?

 

@Adrian Bishop Used this setup in two tenants (KME and fully managed), no problem seen with that. 
Wrote an article about how I set this up https://www.inthecloud247.com/setup-samsung-knox-mobile-enrollment-to-enroll-android-devices-in-micr...

Brass Contributor

@Adrian Bishop I’m having a very similar issue, it’s a strange one in that only one model type of a Samsung tablet is being affected. It sticks at the device updating, black bar at the top of the screen and Google Chrome looks like it’s prevented from showing to allow the user to sign in and complete the Enrollment. I can also confirm that "Disabling the system apps" in the KME Profile does allow the device to be enrolled. "Leaving the system apps" in the KME prevents the device from being enrolled.

Copper Contributor

@AndrewH5 It looks that we experience the same problems with our Samsung A5 devices. We are using a KME Profile with the system apps enabled. 

The strange thing is that it was working fine until two weeks ago. So something must have changed in Knox or in Intune. Our Samsung A8 devices still enroll without any problems. Any ideas are welcome, because we have to migrate all our Samsung devices from Knox to Intune before the end of November this year.

 

@Adrian Bishop What type of Android device are you using? We are using a KME Profile with the systems enabled and Android fully managed in Intune.

Brass Contributor

@rschpbwr 

I've done some further testing on our Samsung Tablets.

When it's running Android 8.1.0 and Knox 3.2, KME and QR Code (when system apps are enabled) Fail. If you disabled the system apps they enrol.

I updated the device to Android 9.0 and Knox 3.3, KME and the QR Code with system apps enabled now enrolled fine. I did get a certificate error from Google Chrome at the user login portion, but other than that it worked.

I have also had the chance to test a Samsung A3 and A5 (2018 models), both running Android 8 or 8.1, same issues with KME and QR code there.

I updated my Ticket I have raised with Microsoft to include this. Certainly does point to an issue with Intune rather than Samsung.

Hopefully it doesn't take too long to fix this..

Brass Contributor

@rschpbwr These were also with Samsung A5, so there does seem to be an issue on the KME side

 

Brass Contributor

I have a ticket open with Microsoft and Samsung regarding the enrolment of Samsung devices with certain versions of Android.

Microsoft have confirmed that there is an issue. "Google has identified the issue between the version of Chrome and Google CloudDPC. Google is looking to release a fix for this by the end of the week."

I hope this helps others here that have been seeing the same issues.

 

Thanks

Andrew

Copper Contributor

We tested our Samsung A5 devices again. Problem seems to be fixed. The Samsung internet browser is used during the enrollment to Intune.

Our Samsung A8 devices got some troubles now. But overall we are able to enroll our devices again.

Ready to leave Knox for the end of this year!

Copper Contributor

Hi! I have an issue when arriving at step "Register your device", I get a "Something went wrong" error.

I don't have any compliance or configuration policy assigned.

The device appears on Intune portal, as Compliant, and I can lock / restart the device.

@Intune_Support_Team, don't know where to get help for this Preview feature.

Copper Contributor

Hello @Intune_Support_Team 

After some Android-Fully-Managed Devices Enrollment, I notice that just after a "perfect" (easy for user, quick & without-error) enrolment way, My user is stuck to the Android home screen with only 4 apps : Intune, Authenticator, Intune Comp Portal, Android Device Policy.

I even saw "removed Apps by Administrator" in notification bar...

All compliance & configuration Profile are OK on Intune admin portal but none of my apps are deployed.

For a Samsung tablet, I had to wait till 2 days before applications start to download and install... My test user thought I had changed something but I did nothing...


This morning, after 2 hours trying to sync policy locally on the device, I finally see the Application coming to the device... I just did

- 15min before, I had assigned a new AAD group (used for optional apps) to the user to check if this can provoke an electroshock to the synced policy on the device
- 2 min before, I went to Android Account parameters, disabled Auto sync and reactivated it...


I still don't know what is the cause and the workaround but I think you have to work on that because it is the last big inconvenience before I can send Android Fully Managed to Production Users, the rest is almost perfect.

 

Brass Contributor

@Julien LEFEBVRE  I'm not sure if this sounds like an issue I've experienced. If a user is a member of a magic number of AAD groups all the apps are wiped and not available in the Play Store - I think this number is 9 AAD groups. If I add/remove them from one more group all the apps return (reinstalled or made available).

 

I even sent Intune Support a video of this occurring and they pretty much shrugged and said the system is in preview...

 

Not sure if this is your issue, but thought I'd mention it.

Version history
Last update:
‎Dec 19 2019 10:17 AM