Blog Post

Intune Customer Success
5 MIN READ

Archive: Microsoft Intune announces Preview 2 for Android Enterprise fully managed devices

Intune_Support_Team's avatar
Intune_Support_Team
Icon for Microsoft rankMicrosoft
Apr 18, 2019

By Priya Ravichandran | Intune Sr. PM

 

Updated 12/19/19 - We have received over 300 comments on the Android preview blog posts, and in those comments and occasional subsequent support cases, you helped us deliver Android Enterprise Fully Managed as generally available. You provided over 58 pieces of actionable feature feedback based on your experience with preview.

More information about the GA release can be found in our blog here: Microsoft Intune support for Android Enterprise fully managed devices is now generally available.

As this feature is now GA, new comments on this post will be turned off. As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page or our Twitter @IntuneSuppTeam. Your continued feedback helps make the product better, we are grateful for this community, thank you!

 

Preview 2 for Android Enterprise fully managed devices is here! Today we’re providing an update to our preview capabilities which were announced in January 2019 for the Android fully managed device solution. For context, Google used to refer to the fully managed device scenario as Corporate Owned Business Only (COBO), and it is one of the “Device Owner” (DO) management scenarios in the Android Enterprise solution set.

 

Before we share the latest updates, we wanted to thank you for all the usage and feedback during our initial preview. We’ve incorporated feedback from Preview 1. It’s been great to work with you and we look forward to hearing more.

 

What’s New in Preview 2

For this update, we focused on compliance and end user experiences. Here are the key new capabilities added into Preview 2:

  • Updated onboarding flow for key required policies
  • Added Device Owner compliance policies
  • Built conditional access workflows
  • Added device group targeting
  • Released a new end user app called ‘Microsoft Intune’ into the Play store as the app to be used on fully managed devices
  • Enabled support for access to the full Play store
  • Introduced Knox Mobile Enrollment (continue reading this post for a few limitations in preview for this feature)

 

These capabilities will add on to what we released in January:

  • Device enrollment using NFC, token entry, QR code and Zero Touch
  • Device configuration for user groups
  • App distribution and configuration for user groups
 
While we’re almost there, you’ll notice there are a few workflows not yet supported in this preview. These scenarios will be supported upon general availability, including:
  • App protection policies
  • Remote access policies with certificate support (i.e. Wi-Fi, VPN, Email)
  • Certificate management
  • Support for managing or enabling system apps
 
Updated Onboarding Scenarios
During onboarding, Intune will now enforce key policies to ensure the device is compliant before allowing the user to access the device. This includes enforcing password policies and installing some key apps to ensure the user is compliant with organizational requirements before they can continue to use the device to access corporate resources.
 
Figure 1: User is required to set a PIN per policy before proceeding
 
For more information on what to expect during onboarding, refer to onboarding fully managed devices.
 
Introducing the New Microsoft Intune App
As we mentioned earlier in this post, we are introducing a new end user app for Android fully managed devices. This new modern and light-weight app, simply called ‘Microsoft Intune’, will now enable the experiences end users know and love in the Company Portal app for fully managed devices, including managing compliance for their device. This new app is only for the fully managed scenario; in all other Android management scenarios, Company Portal continues to be the end user app.
 
Figure 2: New Microsoft Intune app
 
For use of the Microsoft Intune app, you need to set it as required (or available) for end users to get it onto their device and sign in. This component is rolling out and should be available to all by Wednesday, April 24th. If you have not gotten the update yet, you will see a blocking screen when you launch the Intune app. We are also working towards enabling automatic deployment of the Microsoft Intune app to all fully managed devices.
 
You can find the Microsoft Intune app listing in Google Play here.
 
Support for Compliance Policies and Conditional Access
Intune will now support the ability to create compliance policies on fully managed devices. The smaller set of compliance settings on a fully managed device reflect the smaller list of compliance settings available for fully managed devices. There is a greater degree of control and ability to lock down the device configuration since the scenario is intended for corporate owned devices.
 
Figure 3: Create Policies
In addition to compliance, this update provides conditional access support for fully managed devices. Users can now register their device in Azure Active Directory via the Microsoft Intune app and then view and resolve compliance issues in order to access corporate resources.

Enabling Access to the Consumer Play Store
Intune will now allow you to enable access to the full consumer store on the fully managed device. Many organizations recognize the need to allow end users to personalize the device assigned to them – including access to their favorite consumer apps.
 
Figure 4: Device Configuration setting to allow access to all apps in the Google play store

 

Users will have the ability to add their personal accounts to the device, if permitted by configuration. This way your end users can customize their device to support personal use as well as corporate use.

Figure 5: Personalized fully managed device with a user’s corporate and personal account

 

 

Known Issues
We’re still working on a few items. 
  • When using KME to set up Samsung Knox devices:
    • The username and password cannot be passed to the fully managed device from the KME portal. This will need to be manually entered.
    • The enrollment status of the device will not get updated in the KME portal.
  • In the Microsoft Intune app:
    • When trying to complete Azure Active Directory registration, you may see an error displayed. If this continues to occur, try again after some time.
    • When launching the app, you may see a screen that says, “Hang tight, we’re working to load your organization’s info.” You can check back in after some time to see if it has been resolved.
    • You may see that your “Device settings status” is “Noncompliant” with no way to resolve. In the Azure Portal, you will see that the device is not compliant with the “Has a compliance policy assigned” policy, even though a compliance policy is set. Factory resetting your device and enrolling again may resolve it.
 
Customer Support for This Preview
We outlined above that not all features are yet available for use with the Intune Android fully managed scenario. The preview features are fully supported through our usual Intune support channels and are clearly labeled with “(preview)” in the Intune console.
 
How Can You Reach Us?
As you use Preview 2 and test out the Android fully managed preview scenarios, we would appreciate your feedback on IT admin's enrollment profile configuration and end-user's device enrollment experiences. Keep us posted on your Android experience through comments on this blog post, through Twitter (#IntuneSuppTeam), and request any new features on UserVoice.

Documentation
 
Blog post updates: 
  • 4/19/19 with updated screen shots
  • 4/22/19 extended the app availability date, added in a few known issues
  • 12/19/19 with an update that this preview feature is now GA!
Updated Dec 19, 2019
Version 5.0
  • Priya_Ravichandran's avatar
    Priya_Ravichandran
    Icon for Microsoft rankMicrosoft
    Apr 25, 2019

    Hi,

     

    Thanks for all the feedback and validation on the Fully Managed Preview 2 release. We are actively reviewing your feedback and will provide updates to outstanding issues as they are available. Some initial updates:
    1. The Microsoft Authenticator app will be installed as a required app, along with the Microsoft Intune app, onto all fully managed devices during onboarding. Having these apps automatically installed  will provide conditional access support, and Microsoft Intune app users can see and resolve compliance issues.

    2. Regarding Intune App Protection Policies (APP) on Fully Managed devices, the new Microsoft Intune app does not have the APP logic built into it and we are working through our APP support on the Fully Managed devices. This is why this scenario is called out as a known gap in the preview 2.

     

    Thanks again for the tremendous response to the Preview. Please keep your feedback coming.

     

    Regards,

    Priya 

  • Priya_Ravichandran's avatar
    Priya_Ravichandran
    Icon for Microsoft rankMicrosoft
    May 01, 2019
    Hi,
     
    The change to the Android Device Policy App icon not showing is a result of a change made by Google on the platform. In addition to the play store approach called out by AndrewH5  above, the other way to access this is via Settings > Google > Device Policy.
     
    Note this does not prevent the Device Policy app from functioning on the device to apply policy sent out by Intune.
     
    Regards,
    Priya 
  • AndyH16's avatar
    AndyH16
    Brass Contributor
    Jun 27, 2019

    It's hardly surprising though, given the issues we're all still experiencing. I'm sure they want to get it in a much smoother state before release.

  • Intune_Support_Team's avatar
    Intune_Support_Team
    Icon for Microsoft rankMicrosoft
    Sep 09, 2019

    Hi PKlapwijk, thanks for the tag!

    There has been several reports on an issue using dynamic device groups with the deviceOSType value for "AndroidEnterprise" devices.

    Engineering is currently investigating, and will update this thread as soon as an update becomes available.

  • AndyH16's avatar
    AndyH16
    Brass Contributor
    Apr 24, 2019

    Actually, it turns out it was the User Account options being 'Blocked'. (I had forgot to exclude my user account from the policy). Creating a copy of the existing policy I took out the user settings and sure enough I now have a green tick. But we want to make use of the user account blocking to stop users from adding personal accounts. Not sure how we get around this one...

  • RiksV11340's avatar
    RiksV11340
    Copper Contributor
    May 15, 2019

    Device Configurations and compliance policies stopped working a while back, App Configuration policies do work but reporting says they are "Pending" forever. Also the onboarding window only shows apps installing but then jumps straight to the "desktop", before it asked to set the PIN code like it should.

  • Priya_Ravichandran's avatar
    Priya_Ravichandran
    Icon for Microsoft rankMicrosoft
    Jun 06, 2019

    Hi,

     

    Google has informed us that they are working through an issue around application installs via Google Play - which will also include the installation of apps during the onboarding flow. 

     

    We will provide updates as available.

     

    Regards,

    Priya 

  • tparris's avatar
    tparris
    Copper Contributor
    Jun 20, 2019
    Hello, This thread has been excellent, majority of my issues are sorted from reading through this so thank you all! Does anybody know why devices show up with the wrong serial number in Intune and why a Sync can't be started? My other main issue is App Protection Policies but hopefully MS will sort this soon. PKlapwijk - The way I have Knox setup (KME) is the end-user will be directed to an Intune webpage to enroll the device as them, from what I've worked out this is the only way. Hopefully MoZZa can confirm if there is another way of doing this? Thanks! :)