Archive: Microsoft Intune announces Preview 2 for Android Enterprise fully managed devices
Published Apr 18 2019 04:39 PM

By Priya Ravichandran | Intune Sr. PM

 

Updated 12/19/19 - We have received over 300 comments on the Android preview blog posts, and in those comments and occasional subsequent support cases, you helped us deliver Android Enterprise Fully Managed as generally available. You provided over 58 pieces of actionable feature feedback based on your experience with preview.

More information about the GA release can be found in our blog here: Microsoft Intune support for Android Enterprise fully managed devices is now generally available.

As this feature is now GA, new comments on this post will be turned off. As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page or our Twitter @IntuneSuppTeam. Your continued feedback helps make the product better. We are grateful for this community, thank you!

 

Preview 2 for Android Enterprise fully managed devices is here! Today we’re providing an update to our preview capabilities which were announced in January 2019 for the Android fully managed device solution. For context, Google used to refer to the fully managed device scenario as Corporate Owned Business Only (COBO), and it is one of the “Device Owner” (DO) management scenarios in the Android Enterprise solution set.

 

Before we share the latest updates, we wanted to thank you for all the usage and feedback during our initial preview. We’ve incorporated feedback from Preview 1. It’s been great to work with you and we look forward to hearing more.

 

What’s New in Preview 2

For this update, we focused on compliance and end user experiences. Here are the key new capabilities added into Preview 2:

  • Updated onboarding flow for key required policies
  • Added Device Owner compliance policies
  • Built conditional access workflows
  • Added device group targeting
  • Released a new end user app called ‘Microsoft Intune’ into the Play store as the app to be used on fully managed devices
  • Enabled support for access to the full Play store
  • Introduced Knox Mobile Enrollment (continue reading this post for a few limitations in preview for this feature)

 

These capabilities will add on to what we released in January:

  • Device enrollment using NFC, token entry, QR code and Zero Touch
  • Device configuration for user groups
  • App distribution and configuration for user groups
 
While we’re almost there, you’ll notice there are a few workflows not yet supported in this preview. These scenarios will be supported upon general availability, including:
  • App protection policies
  • Remote access policies with certificate support (i.e. Wi-Fi, VPN, Email)
  • Certificate management
  • Support for managing or enabling system apps
 
Updated Onboarding Scenarios
During onboarding, Intune will now enforce key policies to ensure the device is compliant before allowing the user to access the device. This includes enforcing password policies and installing some key apps to ensure the user is compliant with organizational requirements before they can continue to use the device to access corporate resources.
 
Figure 1: User is required to set a PIN per policy before proceeding
 
For more information on what to expect during onboarding, refer to onboarding fully managed devices.
 
Introducing the New Microsoft Intune App
As we mentioned earlier in this post, we are introducing a new end user app for Android fully managed devices. This new modern and lightweight app, simply called ‘Microsoft Intune’, brings the experiences end users know and love in the Company Portal app to fully managed devices, including managing compliance for their device. This new app is only for the fully managed scenario; in all other Android management scenarios, Company Portal continues to be the end user app.
 
Figure 2: New Microsoft Intune app
 
For use of the Microsoft Intune app, you need to set it as required (or available) for end users to get it onto their device and sign in. This component is rolling out and should be available to all by Wednesday, April 24th. If you have not gotten the update yet, you will see a blocking screen when you launch the Intune app. We are also working towards enabling automatic deployment of the Microsoft Intune app to all fully managed devices.
 
You can find the Microsoft Intune app listing in Google Play here.
 
Support for Compliance Policies and Conditional Access
Intune will now support the ability to create compliance policies on fully managed devices. The smaller set of compliance settings on a fully managed device reflects the smaller list of compliance settings available for fully managed devices. There is a greater degree of control and ability to lock down the device configuration since the scenario is intended for corporate-owned devices.
 
Figure 3: Create Policies
In addition to compliance, this update provides conditional access support for fully managed devices. Users can now register their device in Azure Active Directory via the Microsoft Intune app and then view and resolve compliance issues in order to access corporate resources.

Enabling Access to the Consumer Play Store
Intune will now allow you to enable access to the full consumer store on the fully managed device. Many organizations recognize the need to allow end users to personalize the device assigned to them – including access to their favorite consumer apps.
 
Figure 4: Device Configuration setting to allow access to all apps in the Google Play store

 

Users will have the ability to add their personal accounts to the device, if permitted by configuration. This way your end users can customize their device to support personal use as well as corporate use.

Figure 5: Personalized fully managed device with a user’s corporate and personal account

 

 

Known Issues
We’re still working on a few items. 
  • When using KME to set up Samsung Knox devices:
    • The username and password cannot be passed to the fully managed device from the KME portal. This will need to be manually entered.
    • The enrollment status of the device will not get updated in the KME portal.
  • In the Microsoft Intune app:
    • When trying to complete Azure Active Directory registration, you may see an error displayed. If this continues to occur, try again after some time.
    • When launching the app, you may see a screen that says, “Hang tight, we’re working to load your organization’s info.” You can check back in after some time to see if it has been resolved.
    • You may see that your “Device settings status” is “Noncompliant” with no way to resolve. In the Azure Portal, you will see that the device is not compliant with the “Has a compliance policy assigned” policy, even though a compliance policy is set. Factory resetting your device and enrolling again may resolve it.
 
Customer Support for This Preview
We outlined above that not all features are yet available for use with the Intune Android fully managed scenario. The preview features are fully supported through our usual Intune support channels and are clearly labeled with “(preview)” in the Intune console.
 
How Can You Reach Us?
As you use Preview 2 and test out the Android fully managed preview scenarios, we would appreciate your feedback on the IT admin enrollment profile configuration and end-user device enrollment experiences. Keep us posted on your Android experience through comments on this blog post, through Twitter (#IntuneSuppTeam), and request any new features on UserVoice.

Documentation
 
Blog post updates: 
  • 4/19/19 with updated screen shots
  • 4/22/19 extended the app availability date, added in a few known issues
  • 12/19/19 with an update that this preview feature is now GA!
318 Comments
Iron Contributor

Hi @WietseD 
That's interesting. My fully-managed ones were taking about 35 minutes plus to complete, but the dedicated ones were taking about an hour to even start pulling down the policies and apps. Came in this morning and they were all completed OK.

Brass Contributor

Hello @MoZZa 

 

It looks to me like there is something going on. I waited for an hour and the device goes past the error.

I will continue my quest with Microsoft, thanks for helping. I will give an update once I have it.

 

Greetings and have a nice weekend.

Iron Contributor

Check out IT197460 in the Intune Health Dashboard... might be related (especially to the Something Went Wrong message).

Cheers,

S

Brass Contributor

@Steve Prentice 

 

Thank you for letting me know this, I will check this one for further updates.

 

Greetings!

Iron Contributor

Enrolling anything into Intune the past couple days has been met with challenges for us. I started receiving errors at signin on new laptops that I had never seen before. No error code, just a bunch of garbled %word%word%word 

 

Also once machines did enroll they would just miss apps - always a Win32 app, which for key things like VMware Horizon client not having an MSI package this is an annoyance.

Hi @DBR14, as enrollment appears to not be working as expected, please open a support case via the Intune Admin console's Help and Support or any of the methods here, as this will help the team capture all the information needed to resolve the issue. Also, please private message us with your support case number for us to follow up on.

Thank you!

Copper Contributor

Hi,

 

Since this morning, I have many people who get applications uninstalled without any actions... Anyone get the same issue?

All my devices are in Fully managed user mode.

 

Regards

 

Aymen.

Hi @Aymen_HMAID, there was a service incident over the weekend that had impacted Fully Managed Devices which has since been resolved. Could you attempt to retry to confirm that it's been resolved?
If you still experience an issue with Fully Managed Devices, please open a support case via the Intune Admin console's Help and Support or any of the methods here, as this will help the team capture all the information needed to resolve the issue. Also, please private message us with your support case number for us to follow up on.

Thank you!

Brass Contributor

@Aymen_HMAID 

 

We have experienced this over the last few months

 

Periodically apps get uninstalled. I have an open ticket with MS regarding the issue.

Brass Contributor

@Aymen_HMAID Fortunately we did not experience this.

 

Device enrollment started to work again (Fully Managed).

 

Best regards. 

Copper Contributor

I am still getting the issue where apps are being uninstalled, the device setup completes as expected, but then once it is complete all the apps apart from Authenticator, Device Policy, InTune and Company Portal disappear from managed play store and only those 4, the system apps, OneDrive and Word remain on the device.

 

We were hoping to launch this month, what's happened?


Jon

Copper Contributor

We are not having any issues, and we are enrolling devices to Intune in production.

 

Have you got your apps assigned to user groups rather than device groups?

Copper Contributor

Yes we have but the user is in the group, we also have apps assigned to device groups with the same error. However during enrolment all apps are listed. Oddly OneDrive and Word remain but they have the exact same deployment settings as apps that have been removed.

Iron Contributor

Hi @JonMRoberts1984 ,
The only time I had this issue was when signing into the Intune app was not part of the build process. I also deploy apps by user group only on Fully-Managed devices.

 

Copper Contributor

Also whilst the device has policies applied to it, they all show as pending in Azure AD

Copper Contributor

@MoZZa The weird thing is we haven't touched any of our policies or AD groups linked to them since our last successful build, I have checked the audit logs. We have 10 users trialling the devices and they are still working fine, it appears to be any devices that have been built since the weekend.

Copper Contributor

This has just started working on my test device and all apps that were removed by admin are showing again. I will rebuild and see if it happens again.

Brass Contributor

@JonMRoberts1984

You're not alone mate, I have an open ticket with MS for the very same reason.

 

We have seen it happen weeks after enrollment: the user will install an app, and moments later it's removed by device admin.

 

Version history
Last update: Dec 19 2019 10:16 AM