Archive: Microsoft Intune announces Preview 2 for Android Enterprise fully managed devices
Published Apr 18 2019 04:39 PM

By Priya Ravichandran | Intune Sr. PM

 

Updated 12/19/19 - We have received over 300 comments on the Android preview blog posts, and in those comments and occasional subsequent support cases, you helped us deliver Android Enterprise Fully Managed as generally available. You provided over 58 pieces of actionable feature feedback based on your experience with preview.

More information about the GA release can be found in our blog here: Microsoft Intune support for Android Enterprise fully managed devices is now generally available.

As this feature is now GA, new comments on this post will be turned off. As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page or our Twitter @IntuneSuppTeam. Your continued feedback helps make the product better, we are grateful for this community, thank you!

 

Preview 2 for Android Enterprise fully managed devices is here! Today we’re providing an update to our preview capabilities which were announced in January 2019 for the Android fully managed device solution. For context, Google used to refer to the fully managed device scenario as Corporate Owned Business Only (COBO), and it is one of the “Device Owner” (DO) management scenarios in the Android Enterprise solution set.

 

Before we share the latest updates, we wanted to thank you for all the usage and feedback during our initial preview. We’ve incorporated feedback from Preview 1. It’s been great to work with you and we look forward to hearing more.

 

What’s New in Preview 2

For this update, we focused on compliance and end user experiences. Here are the key new capabilities added into Preview 2:

  • Updated onboarding flow for key required policies
  • Added Device Owner compliance policies
  • Built conditional access workflows
  • Added device group targeting
  • Released a new end user app called ‘Microsoft Intune’ into the Play store as the app to be used on fully managed devices
  • Enabled support for access to the full Play store
  • Introduced Knox Mobile Enrollment (KME) support (continue reading this post for a few limitations of this feature in preview)

 

These capabilities will add on to what we released in January:

  • Device enrollment using NFC, token entry, QR code and Zero Touch
  • Device configuration for user groups
  • App distribution and configuration for user groups
 
While we’re almost there, you’ll notice there are a few workflows not yet supported in this preview. These scenarios will be supported upon general availability, including:
  • App protection policies
  • Remote access policies with certificate support (e.g. Wi-Fi, VPN, Email)
  • Certificate management
  • Support for managing or enabling system apps
 
Updated Onboarding Scenarios
During onboarding, Intune now enforces key policies before the user can use the device: the user must satisfy the password policy, and a set of required apps is installed, so that the device meets organizational requirements before it is used to access corporate resources.
 
Figure 1: User is required to set a PIN per policy before proceeding
 
For more information on what to expect during onboarding, refer to onboarding fully managed devices.
 
Introducing the New Microsoft Intune App
As we mentioned earlier in this post, we are introducing a new end user app for Android fully managed devices. This new modern and light-weight app, simply called ‘Microsoft Intune’, will now enable the experiences end users know and love in the Company Portal app for fully managed devices, including managing compliance for their device. This new app is only for the fully managed scenario; in all other Android management scenarios, Company Portal continues to be the end user app.
 
Figure 2: New Microsoft Intune app
 
To use the Microsoft Intune app, assign it as required (or available) so that end users get it onto their device and can sign in. This component is rolling out and should be available to all by Wednesday, April 24th; if you have not received the update yet, you will see a blocking screen when you launch the Intune app. We are also working towards automatic deployment of the Microsoft Intune app to all fully managed devices.
 
You can find the Microsoft Intune app listing in Google Play here.
 
Support for Compliance Policies and Conditional Access
Intune will now support the ability to create compliance policies on fully managed devices. The set of compliance settings for fully managed devices is smaller than for other Android scenarios: because the scenario is intended for corporate owned devices, there is a greater degree of control and the ability to lock down the device configuration directly, so fewer conditions need to be checked through compliance.
 
Figure 3: Create Policies
In addition to compliance, this update provides conditional access support for fully managed devices. Users can now register their device in Azure Active Directory via the Microsoft Intune app and then view and resolve compliance issues in order to access corporate resources.

Enabling Access to the Consumer Play Store
Intune will now allow you to enable access to the full consumer store on the fully managed device. Many organizations recognize the need to allow end users to personalize the device assigned to them – including access to their favorite consumer apps.
 
Figure 4: Device Configuration setting to allow access to all apps in the Google Play store

 

Users will have the ability to add their personal accounts to the device, if permitted by configuration. This way your end users can customize their device to support personal use as well as corporate use.

Figure 5: Personalized fully managed device with a user’s corporate and personal account

 

 

Known Issues
We’re still working on a few items. 
  • When using KME to set up Samsung Knox devices:
    • The username and password cannot be passed to the fully managed device from the KME portal. These will need to be entered manually on the device.
    • The enrollment status of the device will not get updated in the KME portal.
  • In the Microsoft Intune app:
    • When trying to complete Azure Active Directory registration, you may see an error displayed. If this continues to occur, try again after some time.
    • When launching the app, you may see a screen that says, “Hang tight, we’re working to load your organization’s info.” You can check back in after some time to see if it has been resolved.
    • You may see that your “Device settings status” is “Noncompliant” with no way to resolve. In the Azure Portal, you will see that the device is not compliant with the “Has a compliance policy assigned” policy, even though a compliance policy is set. Factory resetting your device and enrolling again may resolve it.
 
Customer Support for This Preview
We outlined above that not all features are yet available for use with the Intune Android fully managed scenario. The preview features are fully supported through our usual Intune support channels and are clearly labeled with “(preview)” in the Intune console.
 
How Can You Reach Us?
As you use Preview 2 and test out the Android fully managed preview scenarios, we would appreciate your feedback on IT admins' enrollment profile configuration and end users' device enrollment experiences. Keep us posted on your Android experience through comments on this blog post, through Twitter (#IntuneSuppTeam), and request any new features on UserVoice.

Blog post updates: 
  • 4/19/19 with updated screen shots
  • 4/22/19 extended the app availability date, added in a few known issues
  • 12/19/19 with an update that this preview feature is now GA!
318 Comments

@tparris I have now set this up in my lab. The device is registered in KME and the device is during enrollment redirected to the QR code scanner to scan the Corporate owned, Fully managed QR code. Is that correct?

Copper Contributor

Some feedback from the recent testing I have performed. The deployment process has been hit and miss when performing the deployment process using the same device. On occasions it would never finish the installation of the Authenticator and Intune apps; on other occasions it will be instant (feels like it's nearly impossibly quick to install the 2 apps - however they appear to have installed...). On other occasions it appears that all applications have installed prior to the two core apps installing. We use dynamic groups to allocate some apps; we also have apps required on all Android devices (thus testing deployment times between static and dynamic groups). Then we come onto the Compliance policy issue: the allocation and removal of this policy does not seem to be consistent either. We removed the policy in order for configuration policies to apply, enrolled a device during this time and the Password enforcement workflow at enrolment still applied (which comes from the compliance policy). We have also seen applications stating that they are installed successfully when there is no sign of them on the device. All of the above recent points raised in this forum I too have experienced, but then cannot replicate reliably.

 

That all said, when it does work, it's a beautiful experience, and that paired with the long awaited Microsoft Launcher for Enterprise will make our end user experience truly great. We want to get to the point where all deployments are OOBE and performed by the end user; this is the final link to that panacea. If you would like to see our experience, check out our video: How to Deploy Android Fully Managed Devices in Microsoft Intune on YouTube. Although some sections have been sped up, this was a real deployment process using Fully Managed Android.

 

The only other feature requests to MS I want are the ability to have an application configuration policy (like Outlook) for the Microsoft Launcher allowing us to control the look, feel, feeds and accounts used. This will allow us to provide a consistent look and feel across different devices e.g. Samsung and Pixels etc. I would also like the Intune app configuration to be part of the enrolment process (there does not seem to be a reason to auto deploy it without then configuring it - the device is already user aware (based on the enrolment) - use that information to then register the device into Azure AD via the Intune app automatically).

Copper Contributor
@MoZZa Thanks for the response. A little annoying, but nothing that's preventing the process from working, which is a plus. I see the pre-load of usernames in KME but, like yourself, it is something I haven't tried yet; I do remember reading that any usernames or passwords set in KME do not go through to the phone... yet! @WietseD I've changed my compliance policy this morning to enforce a 6-digit passcode rather than a 4-digit one; the device has synced since the change but no message has appeared on the phone. @Peter Klapwijk Hmm, no, that doesn't sound quite right. Having the device enrolled in KME should mean there is no need to scan a QR code. Once the MDM profile is configured in KME this should point the device to the correct token to enrol in Intune. In KME, can you see your device's profile set to the one you created for Intune?
Iron Contributor

Hi @Peter Klapwijk 

Once you link your KME to Intune, you no longer need to scan the QRCode.
Two reasons this could be happening

1. There is a typo in the MDM JSON text.

2. The QR Code, and therefore the token text, has been refreshed.

 

Hope this helps. I have experienced both possible causes.

Hi @MoZZa thanks for the reply with printscreen!
I think it has something to do with the JSON. I used my token in that, which I see on the Corporate Owned, fully managed tab, located above the QR code. Is that correct?

Iron Contributor

Hi @Peter Klapwijk,

 

If you have copied the token string from the COFM tab, then it should work.

Here is one of my profiles, obviously the X's would be your token string

e.g.

{"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN":"xxxxxxxxxxxxxxx"}

 

I use this method to build both Kiosk and COFM devices. When it works (the past 3 days have been super fast to build devices), it is awesome.
I have had 2 project demos and luckily they worked a treat.

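The two causes MoZZa lists above (a typo in the KME MDM JSON, or a token that has since been refreshed) are the kind of thing worth checking before a device is sent round the enrolment loop again. The following Python helper is an added example, not code from the post, Microsoft or Samsung: it builds the KME custom JSON for a given Intune enrollment token and checks a pasted payload for the mistakes that can be detected offline. The key name is the one shown in the profile above; the assumption that a valid token never contains whitespace, and the check for typographic quotes introduced by copy and paste, are mine rather than anything the thread states. Whether the token is still current can only be confirmed against the Intune console.

```python
"""Build and sanity-check the custom JSON that a Knox Mobile Enrollment (KME)
MDM profile passes to Android Device Policy for an Intune fully managed
enrollment.

Added example; not code from the blog post, Microsoft or Samsung.
Assumptions are marked in comments.
"""
import json

# Key name for the enrollment token extra, as used in the KME profile
# quoted in the thread above.
TOKEN_KEY = "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN"

# Typographic quotes that web consoles and word processors tend to insert
# when a snippet is copied around; JSON only accepts the ASCII double quote.
SMART_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}


def build_kme_payload(token: str) -> str:
    """Return the KME custom JSON for a given Intune enrollment token."""
    token = token.strip()
    if not token:
        raise ValueError("enrollment token is empty")
    # json.dumps guarantees ASCII quotes and correct escaping, so the
    # result cannot contain the typo class checked for below.
    return json.dumps({TOKEN_KEY: token}, separators=(",", ":"))


def check_kme_payload(text: str) -> list[str]:
    """Return a list of problems found in a KME custom JSON string.

    An empty list means the payload looks usable. Only the offline-detectable
    causes are covered: a stale (refreshed) token cannot be recognised here.
    """
    problems: list[str] = []

    if any(q in text for q in SMART_QUOTES):
        problems.append('contains typographic quotes; use plain ASCII " quotes')
        # Normalise so the remaining checks can still run on the payload.
        for bad, good in SMART_QUOTES.items():
            text = text.replace(bad, good)

    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        problems.append(f"not valid JSON: {exc.msg} at position {exc.pos}")
        return problems

    if not isinstance(data, dict):
        problems.append("top level must be a JSON object")
        return problems

    if TOKEN_KEY not in data:
        # Point at a key that looks like a misspelling of the expected one.
        near = [k for k in data if "ENROLLMENT_TOKEN" in k.upper()]
        hint = f"; found {near[0]!r} instead" if near else ""
        problems.append(f"missing key {TOKEN_KEY!r}{hint}")
        return problems

    token = data[TOKEN_KEY]
    if not isinstance(token, str) or not token.strip():
        problems.append("enrollment token must be a non-empty string")
    elif any(c.isspace() for c in token):
        # Assumption: a real token never contains whitespace, so a space is
        # almost always a copy/paste slip.
        problems.append("enrollment token contains whitespace")

    return problems


if __name__ == "__main__":
    # Constructed sample input; not a real token.
    good = build_kme_payload("xxxxxxxxxxxxxxx")
    print(good, check_kme_payload(good))
    bad = '{“com.google.android.apps.work.clouddpc.EXTRA_ENROLMENT_TOKEN”:“xxx”}'
    print(check_kme_payload(bad))
```

Paste the exact string from the KME profile into check_kme_payload; if it reports nothing and the device still drops to the QR scanner, the remaining suspect is the token itself, which is re-read from the Corporate Owned, fully managed tab in the Intune console.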
Brass Contributor

Here's an odd one, not sure if anyone else has experienced it.

 

We have a number of Security groups created in Azure for use with assigning users and devices to certain apps and policies within Intune. This works great until, it seems, you hit a certain number of groups the user/device is a member of. At which point it removes all the deployed apps from the Play Store and also uninstalls them from the device! Except for the default apps (Authenticator, Intune and Device Policy).

Removing the user/device from just one of the groups they are a member of and the apps all reappear in the Play Store (and any required ones install automatically).

 

But it seems to be different for different users. I know some users I've added into pretty much every group going (there's always one that needs every app!) and it's had no effect.

Brass Contributor

@MoZZa @tparris @ictouk 

hey guys ... just around the password enforcement ... the behaviour I’m experiencing is that by setting this the Intune console reflects non-compliance but doesn’t notify the user to update their settings ... after a call with Microsoft yesterday I’m told they will look into this as the experience should be a user notification ... hope this helps a little with awareness anyhow ...

@AndyH16 if I follow your explanation I am experiencing a similar issue ... I assign apps to groups of users which works great; when I assign apps to groups of devices I am seeing all but a few apps on the phone uninstall themselves, once I remove the device from the device group I see all the apps reinstall after a period of time (usually 20 mins or so) ... I’ve had a case open with Microsoft around this and they tell me that “whilst you can deploy apps to groups of devices now, this isn’t supported and may behave unexpectedly, with the only supported and known working configuration being to deploy to groups of users” ...

 

On a separate note ... Thanks all for taking the time to share experiences, I have found it useful and of late this blog has really taken off ...

 

Cheers 

 

Brass Contributor

@robbamber It sounds like a similar issue, though we have a mix of user and device group assignments for the apps. In fact it has just happened to me on my test device - I added the device to a 'Device Test Group' to test out a new app and all my apps disappeared (user and device assigned ones). I removed my user account from one group (at random, which means I lose access to that app) and all the apps have reappeared, including the new app which is assigned to the device group, apart from the one app that was assigned by the user group.

 

I think I've reported it before and didn't get anywhere.

thnx @MoZZa probably missed a space or something. After adding the JSON again, now the device skips the QR scan part and shows me a logon screen.


The only user action which is left (besides authentication) is clicking Please click here to continue on a play.google.com page.

Iron Contributor

@Peter Klapwijk - Excellent! Makes for a pleasant user experience. In saying that, I did have someone ask if I could make it quicker.

I said, "Apart from pre-assigning devices to users, assigning their username and password too, so that they only have to click and not actually type their own names, then NO LOL."

Brass Contributor

@MoZZa @AndyH16 @Peter Klapwijk 

Chaps, I don't know if you have tried to deploy any custom apps from your own Managed Play Store, but I am seeing behaviour where the app settings are being removed when the phone is restarted; the app stays on the phone, it's just the default settings are removed ... offers of advice would be welcome.

Cheers.

Iron Contributor

@robbamber 
Are these custom LOB apps that you have created/developed or just apps approved from the Corporate Play Store?

Just checking a build with Chrome and other app config policies applied to see if they stay applied.

Brass Contributor

@MoZZa  It’s a LOB app that’s been developed ... Basically when it installs you have to apply the defaults when you first open the app, however what I am seeing is that I have to apply them again and again when I reboot the device ... 

cheers

Iron Contributor

@robbamber 
Have you created an App Config policy for the app? That may help, but with a custom app it depends on how it has been put together.

Brass Contributor

@MoZZa 

Thanks for the reply, have tried an App Config policy but it only had the default settings for things like "Camera (read)" etc ... the developer is not involved and should be able to replicate so will see where it goes from here ... interestingly this isn't the case with a phone that isn't enrolled in Intune ...

Iron Contributor

@robbamber 

That is interesting that a non-enrolled device does not need the settings changed.

There must be a way of using the App Config for Managed Apps if the app is SDK-enabled and configured using the key-value pairs. The developer should be able to provide these details or you may be able to extract them from the app's manifest file.

Brass Contributor

Hi All, 

 

Seems that Fully Managed preview is going GA somewhere in Q4 and not July:

https://www.microsoft.com/nl-nl/microsoft-365/roadmap?rtc=3&filters=Microsoft%20Intune%2CAndroid

 

The page was edited 2 days ago. Pretty sure it was July before.

 

Greetings 

Iron Contributor

It was July Arrrgghhhhhhh :(

There are a few issues with the Android 9.0 updates which are causing a few issues with Kiosk device builds and the Fully-Managed builds.
I have a few tickets open with MS on Kiosk build issues. I spent the majority of yesterday talking to specialist engineers from Europe and North Carolina trying to sort some of the issues out. One of the issues is that Android 9.0 has either moved, removed or replaced the way quite a number of dialogue UIs work. Where some were retired in 8.1.0 etc., Intune was still able to auto-configure a setting as enabled or granted. Now with 9.0, some of these are behaving as if the legacy settings have finally been removed. This does not affect all MDMs. For example, in the old world of Android Admin you could Disable/Enable the Power Dialogue UI so that devices could be set so that the power button would not allow the "Power-Off / Restart" dialogue to appear.

Intune, in Android Enterprise, no longer has this setting/key-pair listed as an option. The result is that Intune Kiosk and some of the newer Zebra MX devices cannot be switched off or restarted whilst in Kiosk mode. They can still be restarted via the console. Hopefully these issues are sorted and it will go GA asap!! Fingers Crossed!!!!!

Brass Contributor

Hi @WietseD 

I'm seeing the same too, I hope it's a mistake.

I've actually commented further back in the comments with this time line, but was corrected as the page had updated since the last time I had checked it, so hoping it gets updated back to July very soon!

 

 

Iron Contributor

@AndrewH5 I hope they correct it to early July. I have project managers grunting at the starting line waiting for it to go GA. All the devices I have rolled out are still classed as a pilot, with some proposing Go-Live dates set for August!!!!!!!!!!!!!
Come on MSFT, help us out :)

Brass Contributor

It's hardly surprising though, given the issues we're all still experiencing. I'm sure they want to get it in a much smoother state before release.

Iron Contributor

@AndyH16 Definitely. To be fair it is awesome when it works.
The issues at the moment are more to do with issues connecting to Samsung's KME servers. I usually get 3 to 10 failures before it suddenly finds it and the Android Device Policy screen pops up. I've logged calls with Samsung and even the automated reply took 2 days LOL

Brass Contributor

I've had very little/no problems with KME deploying my Android Enterprise devices. When the ability to pass through a user's username is added as well, that will be great though.

What I'm mostly waiting on now is App Configuration to really go live, I have a number of apps like Citrix SSO that I can push configs to, but currently in AE I can't.

 

Brass Contributor

Goodmorning All, 

 

I was checking the same page again, MS changed it again yesterday. It is now rescheduled to Q3 CY2019.

https://www.microsoft.com/nl-nl/microsoft-365/roadmap?rtc=3&filters=Microsoft%20Intune%2CAndroid

 

Have a nice weekend!

Iron Contributor

@WietseD 
That is good news. However the one that surprised me was the Managed Home Screen app.


 

I have been using this on single & multi-app kiosk devices for quite a while. I'm wondering if it is going to get an early makeover.

As far as I am concerned it has been one of the successes of the Kiosk build. Consistent and configurable icon layouts no matter what device the build is pushed to.

It deploys weblinks without the need for widgets etc., locks down access to settings etc., AND works with KME just like a Fully-Managed build (actually quicker!!).
Fingers crossed they keep moving in the same direction.

Brass Contributor

@MoZZa @WietseD @AndrewH5 

Hey guys ... have any of you had issues with App Config Policies applying? ... I have created a config for Outlook for things like "turn off focus", use "modern auth" etc ... however the settings aren't applying to my device at all ... console reports "pending" and has been for a couple hours now ... tried removing the Compliance Policy first as that was the issue with updating device configuration settings ... 

Cheers ... 

Brass Contributor

@robbamber hi, we don't use app policies yet, but based on some previous posts it looks like there are still problems with it. 

 

Best regards.

Copper Contributor

I might be too late to the plate, and I have stopped trying full managed functionality as I suffered the compliance policy issue, plus the never ending installation of the default apps. I thought I would take a fresh look at this, and was grateful that I did, it would seem that the majority of issues being suffered have been resolved. 

 

I have recently enrolled a couple of devices from OOBE into fully managed with everything applied (configuration and compliance policies) and noted that the enrollment was fast and reliable. We are using dynamic groups to assign the apps and some policies, all of which are quickly assigned and deployed to the devices. Also performed some more testing on updating the configuration policies whilst a compliance policy is applied and all settings were updated quickly. We have seen some of the new functionality apply (as mentioned by @Peter Klapwijk) and these devices are nearing feature parity to where we need it to be.

 

Feature Request: Make the Intune App setup as part of the enrolment process (similar to the process Apple DEP devices now go through).

Feature Request: As Authenticator App is a default app deployed, make this setup part of the compliance policy / enrolment process (however also make it something that can be excluded for businesses who use MFA alternatives).

Feature Request: Ability to set the launcher to Microsoft Launcher so that the experience can be standardised across different devices / vendor devices. 

Feature Request: More configuration settings that can customise the end user experience similar to supervised devices in iOS e.g. wallpaper, page layouts etc even if this is tied to Microsoft Launcher for Enterprise. 

Iron Contributor

HI @ictouk 

We are getting closer to full GA. MSFT are stepping up introducing the new features. This week I will be building 736 J6's (64 already being piloted). The business want them ready to roll out late 3rd early 4th quarter. Hopefully, MS can keep the momentum.

 

On another note, How many of you are deploying Zebra MX devices? 

Brass Contributor

@ictouk @MoZZa 

Hello, 

 

Good to hear you have some success. We tried to enrol 10 fully managed devices last week, it was no success at all. The success was 50-50. We needed to re-enroll some devices 2-3 times because they got stuck during enrollment. Then we had 4 or 5 users/devices where policies are pending. The policies never get enrolled even after days.

 

We decided it is still too early to enroll phones with end users waiting next to you at the desk.

 

The few phones enrolled successfully are now our pilot devices and we hope Microsoft is reading this and gets these issues sorted out soon. I know the product is not in GA.

 

Greetings, 

 

Wietse

 

p.s. we don't have Zebra devices

Iron Contributor

@WietseD 

Hi,

We had issues here a couple of weeks ago. But it seemed to be stalling at the Knox stage. I contacted Samsung and they resolved the issue. I think we were hitting an MDM server that was having issues. They are now in the process of moving some of the larger government organisations to dedicated servers. Whether that was said to make us feel "special" or will actually be done, remains to be seen. 

 

I'm surprised you are still having issues with DevCon policies and Compliance policies. Ours have started to apply changes without disabling the compliance policy. This fits in with this article.

 

Brass Contributor

@MoZZa @WietseD @ictouk

Afternoon all ... don't know if anyone is using the same setup as myself ... I have a device which is VPN'd back to my infrastructure ... what I am seeing is my VPN disconnecting when refreshing the device policy "twice" ... steps are;
Phone turned on,
Connected to VPN,
Go into the Play Store and open "Android Device Policy" app,
Hit the refresh button in the top left twice,
VPN is automatically disconnected.
Don't know if anyone else has experienced this, or has any suggestions on a way forward? ...
Thanks

Iron Contributor

Hi @robbamber 

 

I haven't come across that issue, but I will be setting up a per-app VPN sometime next week. If you haven't resolved the issue by then, I'll feedback what my findings are.

Microsoft

Do we know when the Certificate Profiles support will be added as I have a few customers stuck because of this.

Iron Contributor

Hi @Anil Abraham ,
I posed this question to MS as I had an application that needed a certificate to determine which backend servers Tablets should connect to (KIOSK BUILD). Unfortunately, there wasn't an ETA on this. I managed to find a solution. Instead of the 3rd party's application looking for a certificate, it checked for the presence of an application being installed. This application is basically an empty .apk, and only published from my Google Dev site to the corporate Play Store. When the app checks for this app, it treats it as a certificate type authorisation. I then reused this method to point devices/app to DEV, TEST and PROD environments. This worked on Fully Managed, A4W and Kiosk builds.

Copper Contributor

Any update on fully managed android enterprise devices google backup service being enabled? This is a showstopper for us (and I'm sure many others) as users cannot backup or restore their data when enrolling into Intune.

 

Also been reported at user voice here: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/37876654-enable-google-backup-...

 


Iron Contributor

Hi @Nathan23055 

When did this start? Luckily for my deployments (Kiosk) I disabled this. But, I am about to start deploying the first batch for another government sector of the Corporate-Owned Fully Managed and they are about to allow the Backup option.
Have you enabled it explicitly?

Brass Contributor

With Samsung KME and fully managed, if I set leave system apps in the KME MDM profile, it never enrolls, it just says finishing updating.

 

Is this a KME issue or Intune?

Iron Contributor

Hi @Adrian Bishop 

 

I have never seen this issue. Most of my builds don't have the system apps installed apart from one department. Never had an issue installing them though.
Sounds more like a KME issue BUT, to be fair, KME's involvement in the build is to host all of your Intune requests and therefore the finger could be with Intune. What are the results if you do not install the system apps?

Copper Contributor

@MoZZa How do you enable backup services when it is not an available profile setting for Android enterprise devices in Intune? 

Copper Contributor

 @Adrian Bishop 

Hi , 

It's a very strange issue, same result with system apps ("just says finishing updating") since last week. It was working well for 3 months on our Xcover4.

Today not anymore .

Iron Contributor

Hi @Adrian Bishop 

I have done a bit of testing. I only have Samsung devices, J5 (Android v8) , J6 (Android v9) and T580 (Android v8).
All built with KME to Kiosk and Fully-Managed and all with System apps enabled and disabled. No issues. I should have some Note 9's next week; I'll try on those.

Brass Contributor

Hi @MoZZa 

This is with a A5, i will try testing with an A30 later today

I have also logged a job with samsung, in case its an issue with KME

Copper Contributor

Hi 

Can anyone confirm what Office 365 licence is required to work with android fully managed devices?

We have got 100+ users with Office 365 E3 and Enterprise Mobility + Security E3 all working fine.

But have just started to use Office 365 E1 and Enterprise Mobility + Security E3 and having issues with devices compliance and device configuration policies. 

Thanks

Anyone seen this behavior:
We have one compliance policy for AE Work profile and one for Device Owner (DO). We assigned the compliance policy for Work profile to All users and now we see on DO devices that the one compliance setting from the Work profile policy is triggered on those devices (Device Threat Level).
The DO compliance policy is also still applied.

@jbwestward EMS E3 should be enough, which contains Intune.

Copper Contributor
Thanks @Peter Klapwijk I'll log a call with support.
Version history
Last update:
‎Dec 19 2019 10:16 AM