Archive: Microsoft Intune announces Preview 2 for Android Enterprise fully managed devices
Published Apr 18 2019 04:39 PM 55.5K Views

By Priya Ravichandran | Intune Sr. PM

 

Updated 12/19/19 - We have received over 300 comments on the Android preview blog posts, and in those comments and occasional subsequent support cases, you helped us deliver Android Enterprise Fully Managed as generally available. You provided over 58 pieces of actionable feature feedback based on your experience with preview.

More information about the GA release can be found in our blog here: Microsoft Intune support for Android Enterprise fully managed devices is now generally available.

As this feature is now GA, new comments on this post will be turned off. As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page or our Twitter @IntuneSuppTeam. Your continued feedback helps make the product better. We are grateful for this community. Thank you!

 

Preview 2 for Android Enterprise fully managed devices is here! Today we’re providing an update to our preview capabilities which were announced in January 2019 for the Android fully managed device solution. For context, Google used to refer to the fully managed device scenario as Corporate Owned Business Only (COBO), and it is one of the “Device Owner” (DO) management scenarios in the Android Enterprise solution set.

 

Before we share the latest updates, we wanted to thank you for all the usage and feedback during our initial preview. We’ve incorporated feedback from Preview 1. It’s been great to work with you and we look forward to hearing more.

 

What’s New in Preview 2

For this update, we focused on compliance and end user experiences. Here are the key new capabilities added into Preview 2:

  • Updated onboarding flow for key required policies
  • Added Device Owner compliance policies
  • Built conditional access workflows
  • Added device group targeting
  • Released a new end user app called ‘Microsoft Intune’ into the Play store as the app to be used on fully managed devices
  • Enabled support for access to the full Play store
  • Introduced Knox Mobile Enrollment (continue reading this post for a few limitations in preview for this feature)

 

These capabilities will add on to what we released in January:

  • Device enrollment using NFC, token entry, QR code and Zero Touch
  • Device configuration for user groups
  • App distribution and configuration for user groups
 
While we’re almost there, you’ll notice there are a few workflows not yet supported in this preview. These scenarios will be supported upon general availability, including:
  • App protection policies
  • Remote access policies with certificate support (i.e. Wi-Fi, VPN, Email)
  • Certificate management
  • Support for managing or enabling system apps
 
Updated Onboarding Scenarios
During onboarding, Intune will now enforce key policies to ensure the device is compliant before allowing the user to access the device. This includes enforcing password policies and installing some key apps to ensure the user is compliant with organizational requirements before they can continue to use the device to access corporate resources.
 
Figure 1: User is required to set a PIN per policy before proceeding
 
For more information on what to expect during onboarding, refer to onboarding fully managed devices.
 
Introducing the New Microsoft Intune App
As we mentioned earlier in this post, we are introducing a new end user app for Android fully managed devices. This new modern and light-weight app, simply called ‘Microsoft Intune’, will now enable the experiences end users know and love in the Company Portal app for fully managed devices, including managing compliance for their device. This new app is only for the fully managed scenario; in all other Android management scenarios, Company Portal continues to be the end user app.
 
Figure 2: New Microsoft Intune app
 
For use of the Microsoft Intune app, you need to set it as required (or available) for end users to get it onto their device and sign in. This component is rolling out and should be available to all by Wednesday, April 24th. If you have not gotten the update yet, you will see a blocking screen when you launch the Intune app. We are also working towards enabling automatic deployment of the Microsoft Intune app to all fully managed devices.
 
You can find the Microsoft Intune app listing in Google Play here.
 
Support for Compliance Policies and Conditional Access
Intune will now support the ability to create compliance policies on fully managed devices. A smaller list of compliance settings is available for fully managed devices. There is a greater degree of control and ability to lock down the device configuration since the scenario is intended for corporate-owned devices.
 
Figure 3: Create Policies
In addition to compliance, this update provides conditional access support for fully managed devices. Users can now register their device in Azure Active Directory via the Microsoft Intune app and then view and resolve compliance issues in order to access corporate resources.

Enabling Access to the Consumer Play Store
Intune will now allow you to enable access to the full consumer store on the fully managed device. Many organizations recognize the need to allow end users to personalize the device assigned to them – including access to their favorite consumer apps.
 
Figure 4: Device Configuration setting to allow access to all apps in the Google Play store

 

Users will have the ability to add their personal accounts to the device, if permitted by configuration. This way your end users can customize their device to support personal use as well as corporate use.

Figure 5: Personalized fully managed device with a user’s corporate and personal account

 

 

Known Issues
We’re still working on a few items. 
  • When using KME to set up Samsung Knox devices:
    • The username and password cannot be passed to the fully managed device from the KME portal. This will need to be manually entered.
    • The enrollment status of the device will not get updated in the KME portal.
  • In the Microsoft Intune app:
    • When trying to complete Azure Active Directory registration, you may see an error displayed. If this continues to occur, try again after some time.
    • When launching the app, you may see a screen that says, “Hang tight, we’re working to load your organization’s info.” You can check back in after some time to see if it has been resolved.
    • You may see that your “Device settings status” is “Noncompliant” with no way to resolve. In the Azure Portal, you will see that the device is not compliant with the “Has a compliance policy assigned” policy, even though a compliance policy is set. Factory resetting your device and enrolling again may resolve it.
 
Customer Support for This Preview
We outlined above that not all features are yet available for use with the Intune Android fully managed scenario. The preview features are fully supported through our usual Intune support channels and are clearly labeled with “(preview)” in the Intune console.
 
How Can You Reach Us?
As you use Preview 2 and test out the Android fully managed preview scenarios, we would appreciate your feedback on IT admin's enrollment profile configuration and end-user's device enrollment experiences. Keep us posted on your Android experience through comments on this blog post, through Twitter (#IntuneSuppTeam), and request any new features on UserVoice.

Documentation
 
Blog post updates: 
  • 4/19/19 with updated screen shots
  • 4/22/19 extended the app availability date, added in a few known issues
  • 12/19/19 with an update that this preview feature is now GA!
318 Comments
Brass Contributor

Yes, I want to keep this option set too, to prevent users from adding non-work accounts. Though, I have found that one user was able to add a personal account via the OneDrive app and then, because the block was configured, I couldn't remove the account from the phone! Had to temporarily switch the options off to get rid of it!

Iron Contributor

@AndyH16 ,

The blocking of users being able to add accounts, has only worked well for me on Kiosk devices. I dare say that if KME is used and you also enter the user accounts in there, would that override the users adding accounts as it is put in place by the System Account. I have not tried this on Fully Managed devices yet. Will try later.

Brass Contributor

Hey guys, apologies for the delay in replying, currently on annual leave…

@WietseD I would personally wait until GA, as I believe a number of things are currently being addressed, rumours have it that this will be end of June.

@ictouk I agree I have seen issues with Compliance so will not be planning on making this a production device until further functionality issues are resolved. In particular I can see a mismatch in the Work Profile and Device Owner profiles which I am told the gap will be bridged by the time GA is announced. I also see an issue where the fingerprint, or "low security biometric" is not enforced with the Compliance policy, but something like Encryption in the same policy set is, so something not quite right there either.

@ictouk I notice @AndyH16 has already replied, but I agree the issue with device registration is down to the Add/Change/Delete User accounts config, in particular I narrowed it down to the "change" setting. What I have done for the test users is to enrol the device with no restrictions, then once registered move the device to a group which has all the policies targeted at it. Not ideal in the longer term, but allows the testing to continue.

@MoZZa I am using the functionality for Add/Change/Delete accounts in Fully Managed and appears to work ok, apart from the last comment around device registration.

@WietseD @ictouk @MoZZa don’t know if you guys have seen this, but my latest issue appears to be when I remove a device configuration setting, for example "prevent screen capture", the setting doesn’t appear to revert on the phone which is causing me an issue.

Cheers guys,

Rob

Brass Contributor

Hi @robbamber where are you hearing rumours that GA will be end of June?

The Microsoft road map was updated to say that GA would be later this year in Q4 now?

I'm hoping GA is sooner rather than later, want to move away from another MDM solution..

 

Brass Contributor
Copper Contributor

We are having similar issues with fully managed devices. Policies are stuck in a pending state when applied to the user. Compliance policies are also never evaluated... Additionally, Intune doesn't show that a compliance policy is applied and therefore deems the device non compliant due to the default policy. We are using the new Intune app with no success on either of these. I have opened a ticket in hopes to gain some progress. 

Brass Contributor

@J_Koz are you using a VPN or anything or are you talking direct to Intune?

Iron Contributor

Hi @J_Koz ,
Are you using existing Compliance Policies (i.e A4W)? If yes, then create a new 'Device Owner' for AE. These are cut down versions of regular policies as a lot of the compliance requirements are handled by the Device Config. What you will then see is that the Built-In policy applies to the device and you should get 3 green success ticks. Also, your new Device Owner policy will be applied now and you should be good to go. Remember that if you need to make device config changes, un-assign the compliance policy, make the device config changes and then re-add the compliance policy. This will not be required when on GA, if not before. Crossing my fingers for July :)

Brass Contributor

Hi @MoZZa … I wasn't aware you had to unassign the config policy, make changes and then re-apply it … I currently have some test devices applying a configuration that is no longer set, however I didn't remove the assignment and re-apply it … have you experienced this?

Cheers.

Iron Contributor

Hi @robbamber,

Sorry, I should have said you will need to un-assign the Compliance policy, make changes to the Device Config Policy. Once it has gone out to all of your devices, re-enable the Compliance Policy. This is not an issue with a handful of devices, but with 1k +; it can be time consuming :)
MS have said that this "bug" will be resolved when it hits GA.

 

Brass Contributor

@MoZZa thanks for the reply … I'll give that a go when I return to the office next week … bit of a poor show that the Compliance policies are having that impact on the Device Config policies … hopefully it gets sorted by GA, if not before would be even better.

Iron Contributor

@robbamber , 
Hope it helps. Just had a load of Note9's passed over to me and they want all the system apps enabled. Luckily I don't have to edit the QR code anymore LOL

Brass Contributor

@MoZZa are they being enrolled as Android 8? I was still experiencing missing default apps last week with Note 9 devices which were Android 9, but the Android 8 ones I enrolled were fine ...

Iron Contributor

@robbamber  the Note9's are 9.0 the J5's 8.01 and the J6's a mixture, as they are getting the 9.0 upgrade at the moment.
I don't know what has happened to the system as I am trying to build 8.0.1 and 9.0 devices, but neither has been able to pull down MS Authenticator and MS Intune. Don't know why this has just started happening here

Brass Contributor

@MoZZa that sounds like the problems I've been having. We are mostly using Samsung Active tab2, J6's and A5's currently. All the devices have been affected at some point over the last two weeks with this issue. I haven't found out why or a fix yet.

Iron Contributor

@AndrewH5 

I have a J5, Note9 and a J6 on a completely different Knox Enrollment portal and Azure tenant and all 3 are failing in various ways. 
J5 & Note9 (built via QR Code) still "installing" 2 required apps; after an hour.
The J6 (KME+Intune build), stalls trying to enroll the device.
These are the first time I had these issues. Such a pain. Does that mean MS are "doing stuff" readying themselves for GA go-live???

Brass Contributor

Hi all, 

 

Maybe I missed something, but after enrolling android devices the google backup service is stopped. We need this to allow users to migrate settings from their current devices and also create backups. I don't see any policies applied for this.

 

How can we enable this? Thank you.

Hi,

 

Google has informed us that they are working through an issue around application installs via Google Play - which will also include the installation of apps during the onboarding flow. 

 

We will provide updates as available.

 

Regards,

Priya 

Copper Contributor

@MoZZa thank you for the info. I ended up finding these workarounds myself after trial and error. I truly appreciate you taking the time to respond. After removing the compliance policy the restriction and app policies pushed without issue.

 

I also had the issues with apps never downloading during enrollment. I found that remotely restarting the device sometimes helped.


 

Brass Contributor

@Priya_Ravichandran is this also about Google backup services?

 

Thank you

Brass Contributor

@MoZZa curious to know how your enrolment went with the Android v9.0 devices? Did the core apps stay present after enrolment or are they missing? … from my limited testing before annual leave I found enrolling devices with v8.x was fine, as it was after an upgrade to v9.0 afterwards, but enrolment as v9.0 to begin with meant they were missing ...

Thanks.

Rob

Iron Contributor

@robbamber 
I have had a mixed bag of results. After running a few test builds, 2 in 10 will enrol and install the required apps, but then uninstall all the required apps apart from MS Authenticator, MS Intune and Android Device Policy. I thought it may be linked to not logging in to MS Intune soon enough after the build is complete but this proved not to be the case after leaving v8.0 and v9.0 over night and the apps remained. Any device that has presented this issue, I have wiped and has worked fine on the next run. I also tested to see if it was due to the devices not having a Compliance Policy applied. Again, this proved not to be the case. HOWEVER, the odd thing I noticed was devices that completed OK have a compliance state of 'Not Evaluated'. Whereas the "app removing" devices had a state of 'Not Compliant'. I can only surmise that there could be a bug in the enrolment process, where the device does not fit into any build mode and therefore attempts to rollback, don't just very odd. It is becoming less and less frequent but I was able to get 2 out of 10 builds to do this.

Brass Contributor

@MoZZa I have just tried your suggestions around removing the Compliance Policies before changing the Device Configuration Policy and then Re-Applying the Compliance, which appears to have resolved the issue of persistent device configuration settings ... so big thanks for that!! ... hopefully MS will get that little "bug" sorted ASAP ...

 

On the flip side, just trying to re-enrol a device and I'm back in the age old position of the Authenticator and Intune apps stuck downloading at the beginning of the process ... going to give it a few more minutes before starting over ...

Iron Contributor

@robbamber - The issue of the MS apps taking an age to download, disappeared over the weekend. I left a device for over 2 hours and eventually it completed the 2 apps. Although according to the process, these apps are downloaded before your required apps come down, in my case 18 apps. However as soon as the 2 apps were ticked; all of the other apps had downloaded in the background anyway. Leads me to believe there may be a Google or MS bug. This has happened on 2 different Intune tenants and 2 different Knox consoles.

Copper Contributor

I'm having the app download issue also, getting crazy variances when enrolling Android 6 and 7 devices.

Some devices take 2 minutes to install the Microsoft Apps, but others can take two hours+. Android 8 devices seem to be unaffected.

Brass Contributor

Hi All, 

 

Did anyone else notice Google Backup services do not work anymore on AE devices?

 

Hi all, 

 

Maybe I missed something, but after enrolling android devices the google backup service is stopped. We need this to allow users to migrate settings from their current devices and also create backups. I don't see any policies applied for this.

 

How can we enable this? Thank you.

 

I hope someone knows how to fix this.

Brass Contributor

@WietseD … apologies in advance if you have considered the below I am not using Google Backup but ... just thinking out loud about the Google Backup, are you able to add other accounts to the device, such as a Google E-Mail account? … I know I had an issue with the "Account Changes" setting in a Device Configuration Policy being set to Block, don't know if this may be impacting your scenario … cheers

UPDATE - Looking at the below link it appears the functionality may be missing from Fully Managed at present. The ability to allow Google Backup appears to only be present for Android, not Enterprise.

https://docs.microsoft.com/en-us/intune/device-restrictions-android

Brass Contributor

@robbamber Thanks for your response, I can understand policies not being available but the service seems to be disabled completely.

 

That is strange because it is allowed to let a user use his personal gmail account to download apps apart from the business store. Users want to be able to create backups on their devices. I hope a solution will come shortly or we have to skip fully managed for now. 

 

update: seems default to be disabled on managed devices. I hope MS will create a policy for this.

https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setBackupServiceEnable...)

Brass Contributor

@WietseD I have just checked on a couple of my Fully Managed devices, and can also confirm that under "Backup and restore" the "Google account - Backup service not available" is greyed out.

@MoZZa @WietseD also having fun enrolling a device this morning ... 55 minutes and counting for the Authenticator and Intune apps to download ... 

Copper Contributor

@robbamber 

 

Mind sharing what devices and what os version? We have like over 20 devices that are clocking plus 3 hours now. Android 8/9 devices are going through in under 2 minutes.

Brass Contributor

@RiksV11340 They are Note 9 devices, running Android 9. I started enrolling one at 10.51 this morning and it is still attempting the Intune and Authenticator Apps!

Iron Contributor

@robbamber 

I had the issue again today. Note9 (9.0) and J6 (9.0). However I restarted both devices, twice and boom!!! within seconds they kicked in and built, no further issues.

Brass Contributor

@MoZZa it finished enrolling by itself some 4/5 hours after I first began, hoping MS were preparing some new features for us being patch Tuesday ;)

 

On a different note ... I am planning to use Fully Managed Intune with apps deployed to a corporate play store which is linked in Intune to a corporate google account ... simple enough ...

 

However I have noticed today that on a device, when you go to the Play Store and view the Account, the account populated (from my understanding) looks to be a service account created upon enrolment for what would be the old style Android For Work Intune configuration ... so it is expecting this to be managed with an old type Google Admin account ... 

 

I was expecting this to reflect the users corporate account not a random service account that I don’t have the ability to manage OR change to another account as the randomly generated one requires authorisation ...

 

Currently chasing MS for an explanation to see if it is me that is missing something, or a preview bug that is under development ...

 

Keen to get your opinion.

Thanks

 

 

Iron Contributor

@robbamber  - I was hoping the same thing, could they be throttling the connections using this type of enrolment; similar to what they did when organisations using their FastTrack; benefited from favourable speeds.

 

When you build a fully managed device, you are prompted to login twice and need to login once again thereafter.

NOTE*** I am using KME, and not scanning the QR code to enable being able to ship the devices directly to the user.

The first one is your Microsoft Online login screen. (Login with your test user account, or in my case this is where the users who will have the devices shipped directly to them will enter their email address/UPN and password.)

The second one which will have the email/UPN entered earlier already present in the UserName text box, enter password.
(logging into your organisation)

Then it should show the branding of the organisation and start to setup the device etc.

All the apps assigned to the user's group will be deployed.

Then login to the Intune App to fully register/enrol/owner the device, do the usual to continue.

When you check accounts, you will now see 2 accounts. The randomly generated managed account with a red briefcase and the device owner account blue photo icon.

My description is a bit scrappy but hopefully you'll get the flow.

I am also building Kiosk devices this way, 

 

 

Brass Contributor

Hi All, 

 

Enrolling devices by QR still gives us problems. At first apps were not deployed during enrollment, this seems to be resolved by MS/Google and seems to work consistently now. The problem of policies not being deployed is still there for us:

https://paste.pics/28f50400b010c8a6215687dd3c5d6940

 

I waited an entire night, still hanging at the above screen. I tried with and without Compliance policies. Sometimes it passes this step and sometimes it hangs forever. Anyone found a workaround or should this be resolved by MS?

ps. we use dynamic groups for assigning policies,

 

Your help is very appreciated. 

 

Wietse

Brass Contributor

@WietseD 

I enrolled a device with QR yesterday and I am still experiencing delays with the enrolment.

 

I believe this is probably down to either ongoing work with the CDN in the background in preparation for GA, or the required apps are installing ahead of the Microsoft Intune and Authenticator apps (which I don’t believe they should do) causing a delay, but have not had that confirmed by Microsoft.

 

My device yesterday took a couple hours and I rebooted it from the Intune console a couple of times in that period. 

 

Cheers, Rob.

Brass Contributor

@robbamber 

Thank you Rob, a reboot from the console indeed gets me past the policy deployment screen.

 

Greetings!

Brass Contributor

@WietseD 

Not to peddle my own blog ... but I’ve been writing some of my experiences at RobBBIT.co.uk (redirects to Wordpress blog) if it’s of interest to you.

Cheers

Iron Contributor

@robbamber @WietseD 
I enrolled a few devices yesterday and zero delays. Everything came down very fast. One thing I observed with EVERY device was that the MS Authenticator came down instantly, I mean, as soon as I set the PIN and it returned to the "Set Up Your Work Phone" screen; the app was ticked. A few seconds later the MS Intune app was ticked. I even rebuilt the devices a few times. This was for Fully Managed and Dedicated devices; QR code and KME methods. Hope it wasn't just a good Monday :)

Brass Contributor

@MoZZa 

Hi, yes you are having better days than us :) We found another issue while enrolling devices. While logging in into the Intune-app, the app does not show content anymore. Just some placeholder text or something.

 

https://paste.pics/64b7e15fcd02f198cd2785dd0bbf095e


We cannot continue and wiping/reboot etc. does not help, very strange this is. Maybe this is because MS is preparing things in the background.

 

Greetings!

Brass Contributor

@WietseD 

Hello, we are experiencing the same as you with regards to the Intune App. I've tried wiping/deleting the device and enrolling again, however it seems that the Intune app stays at the same page, "Lets set up your device...."

Tried tapping postpone, but that then sits at the postpone page with a loading circle forever it seems.

 

When enrolling a device, we've also found that it is much quicker once again, the required apps are installing very fast and the "other" non Microsoft apps that I have set as required are then installing once on the main Android home screen. I like this flow, it's a good user experience.

 

Iron Contributor

@AndrewH5 @WietseD 
There are some crazy inconsistencies at the moment. I am about to test build some SM-T580, T585 Samsung tablets. I will report back shortly.

Brass Contributor

@MoZZa @WietseD @AndrewH5 

Morning guys, I have experienced the “Intune App no text” issue a number of times, in the end waiting seemed to resolve it, but pretty unhelpful when you want to get a user registered ...

hopefully enrolment is better today for me as I have to build a device ... 

do you guys assign apps as required for all enrolled devices, so they appear under the Microsoft Apps on the enrolment screen, or are you assigning them to a user group afterwards so the enrolment of the Microsoft Required Apps is quicker? ...

 

Also an FYI in case you didn’t know, I’ve had it confirmed if you want to deploy your own APK files you must register for a Google Play Developer account with the same account you connected within Intune ... the functionality present in Intune to upload APKs was unfortunately for a legacy Android management method and will be removed in the near future ... it caught me out I assumed because it allowed me to upload and assign an APK it was meant to work ...

 

Also (2), I’m told that under enrolment restrictions the “Android” and “Android for work” will be getting renamed and “Android fully managed” will be making an appearance ...

 

Cheers

Iron Contributor

Hi @robbamber 
That is very odd, personally I haven't experienced the "No Text" issue. I add the additional apps as 'Required' and assign the Dept's user group. That way you can have departmental specific builds, and as I am using KME, the devices are sent straight to the users ( well they will be once the project goes LIVE).

If I need to create Weblinks for any of the teams; I create an .APK and then use my Google Developer Account to publish it to the Corporate Play Store.

It's a bit of overkill but some departments have Kiosk-dedicated and Fully-Managed devices. Kiosk devices publish the Intune Weblinks as app icons and to replicate the same user experience on the Fully-Managed; this is the only way I have discovered that works.

 

Previously, Android Kiosk and Android Fully Managed were tagged the same. Now we have:

 

Android(Dedicated) - Kiosk

Android(Fully Managed) - Corporate-Owned Fully Managed

Android(Work Profile) - Android For Work

Android - Only one device shows up as android amongst the thousands we have.

Makes reporting and scripting reports and filtering the csv output easier.

Brass Contributor

@MoZZa @AndrewH5 

Guys, good news today, enrolled 2 devices and they flew past the Require Authenticator and Intune apps, unreliably quicker than yesterday!

Still getting just a bunch of lines the same as @WietseD image further up the blog for the Intune app POST enrolment however.

 

Also I have seen strange behaviour when initiating a reboot from the Intune console, whereby sometimes the phone gets stuck in a loop of reboots and requires hard resetting and re-enrolling ... don't know if anyone has experienced this?

 

Cheers.

Hi guys,

When I purchase Samsung Knox (free without license), will that be a 'zero touch' deployment like with Apple DEP? Or (at this moment) it only registers the devices at the Samsung Knox portal and after starting the device the end-user will then be redirected to Intune to logon? Or do I need to purchase a license to get everything fully automated?
Thnx!

Copper Contributor
Hello, This thread has been excellent, majority of my issues are sorted from reading through this so thank you all! Does anybody know why devices show up with the wrong serial number in Intune and why a Sync can't be started? My other main issue is App Protection Policies but hopefully MS will sort this soon. @Peter Klapwijk - The way I have Knox setup (KME) is the end-user will be directed to an Intune webpage to enroll the device as them, from what I've worked out this is the only way. Hopefully @MoZZa can confirm if there is another way of doing this? Thanks! :)
Iron Contributor

Hi @tparris 

Great to see that sharing info and experiences in this forum is paying dividends in resolving issues.

The serial number issue is something I have brought up with MS. They create an Intune serial number on Kiosk and Full Managed devices. However they still interrogate the hardware for other details. They said there is one reason, some devices have 2 or 3 serial numbers. Build serial numbers, stock serial numbers and the regular serial numbers. And therefore they could be reporting back the wrong one!!!! Doesn't make sense because all other types of enrolment appear to be able to extract the correct serial number. I think this may change in the future, when Kiosk and Fully managed become more prevalent than they are already.

The enrolment side of things for KME Fully Managed devices is the only way I know. Works very well. There is a way to pre-load the user names within KME but I have not tried this as yet or should I say got it to work :)

Brass Contributor

Goodmorning All, 

 

I was just testing password policies on fully managed devices. I want to enforce a password, so I selected "password required, no restrictions". I was hoping users get a notification to update their password settings. However nothing happens, I only see the password policy failing. I remember in DeviceAdmin mode this does work and users receive a notification. Am I doing it wrong in AE?

 

Thank you! 

 

 

Copper Contributor

Hey @WietseD at the start of preview 2 I raised a support call with MS on an unrelated issue and discussed the password configuration. It was noted that the only password enforcement was performed at deployment and came from the compliance policy settings. It appears that the password enforcement settings in the configuration policies does not do anything currently. It does seem to fail and succeed based on whether the current password meets the criteria, so seems to be acting more like a compliance check (rather than config enforcement).

At this will be fixed to make feature parity with AE for Work and iOS etc. 

Version history
Last update: Dec 19 2019 10:16 AM