Archive: Microsoft Intune announces Preview 2 for Android Enterprise fully managed devices
Published Apr 18 2019 04:39 PM

By Priya Ravichandran | Intune Sr. PM

 

Updated 12/19/19 - We have received over 300 comments on the Android preview blog posts, and in those comments and occasional subsequent support cases, you helped us deliver Android Enterprise Fully Managed as generally available. You provided over 58 pieces of actionable feature feedback based on your experience with preview.

More information about the GA release can be found in our blog here: Microsoft Intune support for Android Enterprise fully managed devices is now generally available.

As this feature is now GA, new comments on this post will be turned off. As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page or on Twitter @IntuneSuppTeam. Your continued feedback helps make the product better; we are grateful for this community. Thank you!

 

Preview 2 for Android Enterprise fully managed devices is here! Today we’re providing an update to our preview capabilities which were announced in January 2019 for the Android fully managed device solution. For context, Google used to refer to the fully managed device scenario as Corporate Owned Business Only (COBO), and it is one of the “Device Owner” (DO) management scenarios in the Android Enterprise solution set.

 

Before we share the latest updates, we wanted to thank you for all the usage and feedback during our initial preview. We’ve incorporated feedback from Preview 1. It’s been great to work with you and we look forward to hearing more.

 

What’s New in Preview 2

For this update, we focused on compliance and end user experiences. Here are the key new capabilities added into Preview 2:

  • Updated onboarding flow for key required policies
  • Added Device Owner compliance policies
  • Built conditional access workflows
  • Added device group targeting
  • Released a new end user app called ‘Microsoft Intune’ into the Play store as the app to be used on fully managed devices
  • Enabled support for access to the full Play store
  • Introduced Knox Mobile Enrollment (continue reading this post for a few limitations in preview for this feature)

 

These capabilities will add on to what we released in January:

  • Device enrollment using NFC, token entry, QR code and Zero Touch
  • Device configuration for user groups
  • App distribution and configuration for user groups
 
While we’re almost there, you’ll notice there are a few workflows not yet supported in this preview. These scenarios will be supported upon general availability, including:
  • App protection policies
  • Remote access policies with certificate support (i.e. Wi-Fi, VPN, Email)
  • Certificate management
  • Support for managing or enabling system apps
 
Updated Onboarding Scenarios
During onboarding, Intune will now enforce key policies to ensure the device is compliant before allowing the user to access the device. This includes enforcing password policies and installing some key apps to ensure the user is compliant with organizational requirements before they can continue to use the device to access corporate resources.
 
Figure 1: User is required to set a PIN per policy before proceeding
 
For more information on what to expect during onboarding, refer to onboarding fully managed devices.
 
Introducing the New Microsoft Intune App
As we mentioned earlier in this post, we are introducing a new end user app for Android fully managed devices. This new modern and light-weight app, simply called ‘Microsoft Intune’, will now enable the experiences end users know and love in the Company Portal app for fully managed devices, including managing compliance for their device. This new app is only for the fully managed scenario; in all other Android management scenarios, Company Portal continues to be the end user app.
 
Figure 2: New Microsoft Intune app
 
To use the Microsoft Intune app, assign it as required (or available) so that end users can get it onto their device and sign in. This component is rolling out and should be available to all by Wednesday, April 24th. If you have not received the update yet, you will see a blocking screen when you launch the Intune app. We are also working towards enabling automatic deployment of the Microsoft Intune app to all fully managed devices.
 
You can find the Microsoft Intune app listing in Google Play here.
 
Support for Compliance Policies and Conditional Access
Intune now supports creating compliance policies for fully managed devices. The set of compliance settings on a fully managed device is smaller, reflecting the shorter list of compliance settings available for this scenario. Since the scenario is intended for corporate owned devices, there is a greater degree of control and ability to lock down the device configuration.
 
Figure 3: Create Policies

In addition to compliance, this update provides conditional access support for fully managed devices. Users can now register their device in Azure Active Directory via the Microsoft Intune app and then view and resolve compliance issues in order to access corporate resources.

Enabling Access to the Consumer Play Store
Intune will now allow you to enable access to the full consumer store on the fully managed device. Many organizations recognize the need to allow end users to personalize the device assigned to them – including access to their favorite consumer apps.
 
Figure 4: Device Configuration setting to allow access to all apps in the Google Play store

 

Users will have the ability to add their personal accounts to the device, if permitted by configuration. This way your end users can customize their device to support personal use as well as corporate use.

Figure 5: Personalized fully managed device with a user’s corporate and personal account

 

 

Known Issues
We’re still working on a few items. 
  • When using KME to set up Samsung Knox devices:
    • The username and password cannot be passed to the fully managed device from the KME portal. This will need to be manually entered.
    • The enrollment status of the device will not get updated in the KME portal.
  • In the Microsoft Intune app:
    • When trying to complete Azure Active Directory registration, you may see an error displayed. If this continues to occur, try again after some time.
    • When launching the app, you may see a screen that says, “Hang tight, we’re working to load your organization’s info.” You can check back in after some time to see if it has been resolved.
    • You may see that your “Device settings status” is “Noncompliant” with no way to resolve. In the Azure Portal, you will see that the device is not compliant with the “Has a compliance policy assigned” policy, even though a compliance policy is set. Factory resetting your device and enrolling again may resolve it.
 
Customer Support for This Preview
We outlined above that not all features are yet available for use with the Intune Android fully managed scenario. The preview features are fully supported through our usual Intune support channels and are clearly labeled with “(preview)” in the Intune console.
 
How Can You Reach Us?
As you use Preview 2 and test out the Android fully managed preview scenarios, we would appreciate your feedback on IT admins' enrollment profile configuration and end users' device enrollment experiences. Keep us posted on your Android experience through comments on this blog post, through Twitter (#IntuneSuppTeam), and request any new features on UserVoice.

Documentation
 
Blog post updates: 
  • 4/19/19 with updated screen shots
  • 4/22/19 extended the app availability date, added in a few known issues
  • 12/19/19 with an update that this preview feature is now GA!
318 Comments
Copper Contributor

Device Configurations and compliance policies stopped working a while back, App Configuration policies do work but reporting says they are "Pending" forever. Also the onboarding window only shows apps installing but then jumps straight to the "desktop", before it asked to set the PIN code like it should.

Iron Contributor

After testing for a day or so, I have been able to apply Compliance Policies (Built-in no longer moans about no policy applied to the device)

App configs are working and device configs too. No longer able to override 'Device will be wiped after x failed login attempts', May have to go back to OMA-URI custom configs again. Something I was hoping to avoid.... Oh well...

Brass Contributor

Hello, 

 

Is anyone else experiencing that all apps installed by the user are removed automatically once the “Android Device Policy" app runs a sync? 

I am investigating this with support but the issue still exists. 

Iron Contributor

Hi @WietseD 

 

This will happen if you are using an account that already has apps assigned (via a group) but they are not assigned by the group that is associated with your new Corporate-Owned Fully Managed Devices. If you assign the apps required to your new group (I chose Required for mandatory apps) and available for all the remaining ones in the Corp Play Store. You should then be able to check the Android Device Policy app to see how many apps are installed and how many are available.
Hope this helps.

Brass Contributor

hi @MoZZa 

 

The way we like to use it:

We enroll the device with our corp play account and assign only a few mandatory apps(like outlook etc). Then the user is free to add his personal play account to install his own apps. This works but the installed apps from his personal account are deleted after a while. 


Is the above situation supported and achievable with your previous answer?

 

Thanks! 

Iron Contributor

Hi @WietseD ,

 

To enable the user to install his own apps, you will have to enable "Allow Access to all Apps in Google Play Store" option. This is in your Device Configuration Profile for the devices. Setup a profile Device Owner, Android Enterprise. The user should then be able to access and install all apps.

The method I use:

Enrol device using QR Code method in Intune.

This should pull down the Microsoft Authenticator, Microsoft Intune and Android Device Policy apps.

login as the user (after the usual policy agreement screens), mandatory apps are pulled down and access to the Corp Play Store is granted.

Currently, I do not grant access to the public play store on the devices in my environment.

Copper Contributor

@MoZZa  You said that you're compliance policies are working, what devices are you using and do you have your compliance policies deployed to a user group? I have a compliance policy for device owner devices set and assigned to a user group. All of the devices state that they are not compliant after registering the device through the Intune app. Intune states that the devices are not evaluating the compliance policy.

Iron Contributor

@RiksV11340 

I have tested this on Samsung Note 9, Samsung J5, J6 and Tab A (SM-580).
The policy has to be configured as Device Owner and Android Enterprise. Otherwise the built-in policy will state that there are no policies applied and therefore report as non-compliant. After that, the devices showed up as compliant. The Compliance policy subset is fairly small because the device is built via the config policy.

Deleted
Not applicable

We are enrolling Android Enterprise (Work Profile) at the moment for our users. I just found that you can't deploy apps for Work Profile users via a device deployment. It all goes by user deployment.

 

For Full Managed devices you can enroll it via device enrollment. But when a user has a smartphone and a full managed device tablet as toolbox, they can also install the apps we enroll for Work Profile purposes. This is not what we want.

Copper Contributor

@MoZZa Yeah, that's how I have it set up exactly and it won't work. I tried recreating the compliance policy, but to no avail.

 

@Deleted This topic is about Fully managed devices...

But we are using Device groups to assign for example Outlook and it works fine for AE Workprofile. Installation works fine in the Workprofile including an App configuration profile.

Iron Contributor

@Deleted 

The fully managed devices I deployed are allowed to install any of the approved apps in the Corporate Play Store. The organisation has no issues with that. Plus they can only see apps which are available for all enrolled devices. Ring-fenced apps (special licensed apps etc.) are only available to designated groups. When further lock-downs are required, I have deployed Full Kiosk Mode devices. Some single app and some multi app models.

Iron Contributor

Hi @RiksV11340 

Very odd. One thing I have discovered, is that the devices are behaving similar to how the Full Kiosk Builds behaved a few months ago.

Either they would drop the App and Device config settings after 24 hours. You would then have to make a change to the policies/profiles to push them back out again. Basically the devices weren't really checking in. Some of the Fully Managed ones are suffering from an issue where, when you change the Trust Agent settings (in my case switching off any Biometrics and then re-enabling it), the settings remain disabled. Will see if I can trigger it somehow. So far no joy.

 

Brass Contributor

Hello, 

 

We are currently having the problem that policies do not get applied. I tried recreating policies, re-registering, wiping etc. but still policies are at state "pending". Did anyone find a workaround for this?

 

Thank you

Deleted
Not applicable

@WietseD

 

You could have this problem when you also apply compliance policies. Remove the assignment and the configuration policies will apply. But the pending status won't go away.

 

Check the Device Policy app on your device to see if the configuration policies are applied.

Iron Contributor

@Deleted @WietseD 

 

I have applied a policy to 250+ Kiosk devices and a similar number of fully managed devices. They are all Samsung kit. The same policy is being pushed out to both platforms. When you interrogate the device you will now see that both policies (if the criteria are met) will show as successful. However, when you view the devices blade, they will show as Not Evaluated for the Kiosk devices. This discrepancy could be down to different values being evaluated to produce the results. Similar to the Kiosk and fully managed devices not reflecting the serial number of the hardware but having an Intune generated one, while they are able to list the other hardware details: IMEI, Make, Model, MAC Address etc.

Brass Contributor

@Deleted @MoZZa 

 

Thanks, after removing the compliance policy the normal policies were deployed immediately.

 

Iron Contributor

@WietseD @Deleted 

Hi Guys, just had a similar experience to what @WietseD was hit with. Compliance policy causing Device Configs to be switched off.

After a few runs I can say that if you have a compliance policy in place BEFORE you build the device, even the start screen requesting that you enter a pin etc. is overridden. If you then remove the custom policy, the built-in policy will still remain, flagging the device as compliant. Kiosk devices retain all device configs even with the compliance policy applied. I will do some more testing today...

Brass Contributor

Hello All, 

 

My colleague just informed me about something else I didn't notice before. When registering a device all system apps are gone/removed/hidden? Apps like clock, photo gallery, camera, notes and many more are not present anymore. I think system apps should be there. I don't have policies to hide these apps applied.

 

Does anyone know why this is happening?

 

Iron Contributor

@WietseD 

You can get around this by using 2 methods.

1. Use 3rd party apps for calculator, cam and gallery etc. (mainly for Kiosk)

2. Edit the QR and add a line that sets the system apps to enabled. They are disabled by default. The only issue with this method is that building the devices has to be done from the edited QR Code. If you're using Knox or similar, you can enable them there.
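The QR code edit described in the comment above, as an added example that is not part of this thread or of Intune's own tooling: a small Python helper that takes the Android Enterprise provisioning payload (the JSON a device owner QR code encodes), checks that the DPC fields the enrollment needs are present and sane, and sets the framework's `android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED` extra so system apps stay enabled. The sample payload is constructed; its checksum and enrollment token are placeholders, and the Android Device Policy component name and token key are assumed from Google's public documentation rather than taken from this page.

```python
import json
import re

# Provisioning extras defined by the Android framework (DevicePolicyManager).
COMPONENT = "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM"
DOWNLOAD = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
ADMIN_EXTRAS = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
# Without this extra, device owner provisioning disables non-required system apps.
LEAVE_SYSTEM_APPS = "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED"

REQUIRED = (COMPONENT, CHECKSUM, DOWNLOAD)

# Constructed sample payload in the shape a fully managed QR code carries.
# Checksum and token are placeholders; the component name and token key are
# assumed from Google's Android Device Policy documentation.
SAMPLE_PAYLOAD = {
    COMPONENT: "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
    CHECKSUM: "PLACEHOLDER_URLSAFE_BASE64_CHECKSUM",
    DOWNLOAD: "https://example.invalid/dpc.apk",
    ADMIN_EXTRAS: {
        "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "PLACEHOLDER_TOKEN",
    },
}
SAMPLE_QR_TEXT = json.dumps(SAMPLE_PAYLOAD)


def validate_payload(payload: dict) -> list:
    """Return a list of problems with a provisioning payload; empty means usable."""
    problems = []
    for key in REQUIRED:
        if key not in payload:
            problems.append(f"missing {key}")
    if "/" not in payload.get(COMPONENT, ""):
        problems.append("component name must be package/receiver")
    if not payload.get(DOWNLOAD, "").startswith("https://"):
        # The DPC APK is fetched before any policy exists on the device, so the
        # download location must be HTTPS; the checksum is the only other guard.
        problems.append("download location must use https")
    if CHECKSUM in payload and not re.fullmatch(r"[A-Za-z0-9_-]+=*", payload[CHECKSUM]):
        problems.append("checksum is not url-safe base64")
    return problems


def enable_system_apps(payload_json: str) -> str:
    """Return the payload with LEAVE_ALL_SYSTEM_APPS_ENABLED set to true.

    Raises ValueError instead of emitting a payload that would fail provisioning.
    """
    payload = json.loads(payload_json)
    problems = validate_payload(payload)
    if problems:
        raise ValueError("; ".join(problems))
    payload[LEAVE_SYSTEM_APPS] = True
    return json.dumps(payload, indent=2)


def system_apps_enabled(payload_json: str) -> bool:
    """True if the payload asks provisioning to leave system apps enabled."""
    return bool(json.loads(payload_json).get(LEAVE_SYSTEM_APPS, False))


if __name__ == "__main__":
    # Print the edited payload; encode this text into the QR image you hand out.
    print(enable_system_apps(SAMPLE_QR_TEXT))
```

Keeping every system app enabled widens what a user can launch on a corporate-owned device, so pair this with a device configuration profile that restricts the apps you do not want in use.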

 

Brass Contributor

@MoZZa thanks again for your quick answer. I just found the instructions, we will give it a try.

Iron Contributor

@WietseD 

Hope it works for you :)

Copper Contributor

@WietseD @MoZZa  - Can you please share the editing QR code instructions? I am in the same boat with system apps :s

 

Thanks!

Iron Contributor

See my comments on the Preview 1 blog post, that should help walk you through it.

 

https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Microsoft-Intune-announces-preview-of...

Copper Contributor

Great! Found it and giving it a try!

 

Brass Contributor

Hi all, 

 

I was testing further and found a different way to register a device. 

 

If we download the "Android Device Policy" app and scan our QR code from there, the device gets fully managed with a work profile.

I cannot exactly find this combination in the documentation except at the following page:

https://support.google.com/work/android/answer/6191949?hl=en&ref_topic=6151012

"Can I have a work profile on a fully managed device?"

 

This combination seems ideal for us because we can deploy work apps separately from the personal account and still have full control.

Is this combination supported by Intune?

 

Thanks for your answer.

 

Wietse

 

 

Iron Contributor

@WietseD 

This config is not supported from what MS have said to me in the past.
If you create a Full Managed Corporate Owned build, you do not need to download any software.

Tap the white space repeatedly on a new/factory reset device.

This will start the build process off.

When requested, connect to Wi-Fi.

The QR Code you created contains the URL to download the QR Code Reader (8.0 or earlier. 9.0 devices QR Code built-in). It also contains the URL to download the Android Device Policy app.
Then whatever settings you configured in your device config; will be deployed.

If you use Knox Enrolment, you add the QR Code token string (amongst other strings) to the profile.

This means when you connect it to Wi-Fi and accept the usual T&Cs, it will build the device, no need to even scan the QR Code!

This method works for Kiosk and Fully Managed setups.
I did a similar setup to what you mentioned, but MS said it was not supported (I was only messing around to be fair).

At the time they only supported BYOD and COSU setups

 

Oh, I forgot to say that in the end I "skirted" around the support side of things by using Knox Configure to deploy the Company Portal app so that Intune could manage the "Work Profile". Knox Configure then managed the local device, putting in restrictions where necessary.

This meant it was really a Work Profile / BYOD setup but with native apps etc. managed by Knox.

Brass Contributor

@MoZZa thanks again for your quick answer

Copper Contributor

I am seeing a weird issue with app protection policies. I have a few policies targeting unmanaged devices; however, these policies are getting applied to fully managed devices. I am aware app protection policies are not supported in this preview but I would have assumed that unmanaged device policies would not affect the fully managed devices... I am stuck now in that I will have to disable email access for unmanaged devices, which is a big NO, or halt testing... Unless anyone else knows a workaround or fix?

 

Also I have enabled factory reset protection emails in device config but this doesn't appear to be working - anyone else tried this?

 

 

 

Brass Contributor

Hello @Roisinc, I've noticed the same behaviour that you have explained with regards to application protection policies that are set for unmanaged devices also applying to fully managed devices. I don't have a workaround for this other than informing our test users that they will also have to set a pin to access their Outlook App. Hopefully it doesn't take too long for this to be resolved.

Copper Contributor

Device Configuration Profiles on Fully Managed Devices with Compliance Policies remain in a pending state: I am currently testing Fully Managed Android with Intune and noted some of this thread having some of the same challenges I have recently experienced. My setup includes Intune, Conditional Access and App protection policies (all of which will cause issues later on). Our test devices are a Pixel 3a and an Honor A8. The Pixel is enrolled using an NFC card and the Honor A8 using the QR Code. At the start of Preview 2 both of these devices enrolled successfully.

 

We have a compliance policy assigned to all Android devices (and this correctly configures the enrollment workflow for PIN requirements etc.). We also have two device policies assigned to a dynamic devices group (all devices categorised as AndroidEnterprise using device.deviceOSType -contains "AndroidEnterprise") and this also worked perfectly at the initial release of Preview 2. Then we noticed that the device configuration policies had stopped updating on existing devices and refused to deploy to newly enrolled devices, with the assignments pane stating "pending" forever more. After a support call with MS Support, it was noted in this thread by @WietseD that removing the compliance policy then allowed the configuration policy to apply. I can confirm this is also the case in our environment; however, this has some side effects. We have the setting enabled that "any device without a compliance policy is non-compliant", which means that our Conditional Access policies then kick in to prevent access to the applications (as non-compliant devices are blocked access).

 

More testing: If you make changes to the configuration policy and then remove the compliance policy, those config changes are not updated on the devices until you make a change to the configuration policy whilst the compliance profile is removed; otherwise the devices never seem to update. Make a change to the config profile whilst the compliance policy is off and all the config changes then replicate down to the devices within seconds. If you remove the compliance policy, the device configuration profile will apply to the devices; if you then re-apply the compliance policy, the device configuration profile will persist but not update until the compliance policy is once again removed.

 

The Company Portal App: Another interesting side effect. We do not deploy the old Company Portal to the fully managed devices by default, and the new Intune app is pushed automatically, which we then use to register the device into Azure AD. However, because we have App protection policies and Conditional Access policies applied across the Organisation, applications on Fully Managed devices cannot run. To fix this, deploy the old Company Portal App to the devices (no need to sign in, just install it) and the applications protected by protection policies and CA can now sign in and run properly. If you then remove the Company Portal, the applications will promptly remove any corporate accounts.

 

 

Brass Contributor

Hi, has anyone experienced an issue during enrollment where, after entering corporate credentials, they get a pop-up saying No Certificates Found and that Chrome needs one? You click on install and there is nothing to install. If you leave it long enough or click cancel, you get the sign in page stating:

 

You cant get there from here

You must use MS Edge to access this resource

Get the app here

 

But I cannot proceed.

Any ideas? This is a Samsung SM-A520F

We have had it working with Work Profiles.

Thanks

Brass Contributor

@neilcarden Hello, we have tested a lot of things with Samsung A50 devices but did not run into this problem.

Greetings

Iron Contributor

@neilcarden Hi, sounds like conditional access issues.

The certificate thing appears to be quite common. If you cancel, it continues on to work.

Copper Contributor

I noticed that the Compliance policy setting "Require the device to be at or under the Device Threat Level" is missing for Fully Managed devices. We have a requirement that all our managed devices run an up-to-date AV client, in the case of Android that comes down to the Lookout MTD.

It is not mentioned as a gap in the blog above, but apparently I cannot set this compliance setting, so is MTD integration for Fully Managed Android devices not there yet?

Brass Contributor

@MoZZa - you were right! Thanks for that.

Brass Contributor

Hi guys... I am seeing issues with Samsung Note 9 devices missing the Camera and Gallery apps after enrolling with Fully Managed Android Intune. Has anyone else seen this behaviour?

 

I had the issue a few months ago with Preview 1, but this seemed to be resolved, but has re-appeared.

 

I have just enrolled a couple more Note 9 devices with Version 8 of Android and they DO have the Camera and Gallery available, but Version 9 of Android, or devices already enrolled do not... currently upgraded from Android 8 to 9 to see if the apps are still present.

 

Cheers.

Iron Contributor

Hi @robbamber,

I have seen this too, on J5's and J6's. Also, if you have Fully Managed Kiosk Devices that update to Android 9, you will no longer be able to power off or restart the device without exiting Kiosk mode first. Bit of a pain to be fair. If you enrol the devices using Knox Enrolment, you can set the profile to enable or disable the system apps. But that means you have all or none! It would be nice to be able to enable the ones you want the users to have access to, i.e. Camera, Gallery, Calendar, Calculator etc. I have been able to edit a QR Code to enable the System Apps on both Corporate-Owned and Fully Managed Kiosk. But does anyone know if there is a way to customise the Device Configuration Profile to include the System Apps you want? Can it be done by white-listing the ones you want users to have access to?

Brass Contributor

Has anyone else had problems when enrolling devices with the Installing required apps section hanging for a very long period of time? I had a number of Samsung Tablets this afternoon with this problem. It wasn’t limited to the WiFi network I was on; as a test I tried the same enrolment on another Tablet just using its 4G SIM connection and neither tablet downloaded the required apps after 30 minutes. I just reset the devices and gave up at this point. Haven’t had this problem with the apps before, but it just had to be when I was demoing to a department today...

Iron Contributor

Hi @AndrewH5 ,

From about 14:00 (UK time), I enrolled 67 Samsung J6's, 2 Note 9's and a couple of Tab A's (580's & 585's) and 1 Zebra device. I didn't have any issues. The only slow down came when some of the devices started pulling down Android 9.0. Apart from that, no issues. 585's built on 4G, All the rest on Wi-Fi.

What enrollment type/method are you using?

Brass Contributor

Hi @MoZZa @AndrewH5

I am having issues with the fully managed devices so unfortunately can’t comment @MoZZa on the whitelisting, as this isn’t available to fully managed devices that I’m aware of, only kiosk devices...

I have experienced massive delays enrolling devices “intermittently” over the last few weeks; sometimes it works within a minute or 2 and other times it’s 3 hours and I gave up and wiped the device again.

In terms of camera and gallery apps, when enrolling a Note 9 with Android 8 it seems to work fine, and continues to with an OS upgrade to Android 9.

@AndrewH5 Enrolling a device which is Android 9 to begin with, I no longer have the camera or gallery apps.

Cheers guys, look forward to seeing if you experience the same behaviours.

Brass Contributor

Hi all, 

 

I'd like to know if anyone is already using fully managed in production. I know it is still in preview but we are almost at the point of rolling out a large number of mobile devices. We do not have a lot of requirements, only to be able to push policies, remote install apps, wipe etc. Any recommendations on this?

 

Thank you!

Iron Contributor

Hi @WietseD

 

Yep, we rolled out ~250 Samsung J6's via Knox once Preview 1 came about... working ok with Outlook managed by MAM.

 

Cheers,

 

Steve

Brass Contributor

@Steve Prentice thank you for your quick answer.

Copper Contributor

Hi @WietseD, we have the usual "production users" on fully managed devices, aka the IT department. Due to some of the recent Compliance Policy issues experienced, we have had to delay preview roll out to some early adopters, as our requirement for these users requires that their devices are secured in a particular manner. Eagerly awaiting this going GA.

Iron Contributor

Hi @WietseD ,

 

I am readying 1000 devices to be rolled out shortly. From the early adopters, the only way to guarantee a compliant state is to push out the DCP and then apply the Compliance Policy. Any updates made to the DCP will require you to un-assign the Compliance Policy BEFORE you make the changes. Word on the street is that this should be sorted very soon, apparently before GA.

Brass Contributor

Thanks all, we really appreciate this information!

Copper Contributor

New Intune App - Register Your Device: Action Not Allowed

 

We have just attempted to deploy a new device and an unwelcome issue has returned (I figured out how to get around it last time, but now cannot work out what we did). The phone enrols, and once you juggle the compliance policy issue and get everything installed, we then opened up the new Intune App to register the device into Azure AD, which we have performed successfully loads of times in the past. Now the app displays an error message "Action not allowed" and this message is coming from the Android Device Policy App. When you clear this the Intune App displays a message stating that "something went wrong" but supplies no more information. Anyone else overcome this issue?

Brass Contributor

@ictouk I think that was to do with turning off the Disable Add/Change/Delete User Accounts in the Device Config.

Copper Contributor

@AndyH16  Thanks for the prompt reply, and you are correct (strange - thought that we have always had those set to block).  That is frustrating though as I want to have my devices registered (being corporate owned and fully managed, this registration should be part of the automated workflow), I do not want to rely upon the users doing this, nor do I want the user to add their own credentials e.g. google, or remove them for that matter. Thanks again. 

Version history: last update Dec 19 2019 10:16 AM