Day Zero support for Android 13 with Microsoft Intune
Published Aug 17 2022 03:30 PM

Historically, Google releases a new Android version every year in late Q3/early Q4, and mandates that by mid-Q4, apps uploaded to the Play Store “target,” or are optimized to run on, the previous year’s API version. Android 13 has officially been released by Google. Our Microsoft Endpoint Manager app protection policies (APP) and mobile device management (MDM) teams have been working hard to make sure Microsoft Intune customers are supported on the new OS release. In this post, we’ll share some of what we’ve found from testing the latest Android beta builds and highlight other noteworthy changes that you should be aware of.

 

Most APP and MDM scenarios will continue to be fully compatible with Android 13. However, Google has made some significant changes in this release that affect management capabilities available to Intune, particularly for management via device administrator mode. Google has been decreasing management support for device administrator since the release of Android 10 in 2019. As a result, customers should not use device administrator for devices that can be managed by Android Enterprise and/or app protection policies. For more resources on moving from device administrator to Android Enterprise, see the additional information in Decreasing support for Android device administrator.

 

We’ll update this blog post with new items we discover during our continued testing. We also encourage you to read through Google’s Android 13 change documentation, Behavior Changes for Apps Targeting Android 13, and Behavior Changes for Apps Targeting Android 12 to identify other changes that may be relevant to your organization. Keep us posted on what APP and MDM learnings you find from your testing too!

 

Versioning vs targeting

When we say “Day Zero support” on Android, we are typically referring to two things: OS version and API targeting.

 

  • OS version is the version of Android that a device is running. New versions of Android are released every year or so, first on Google Pixel devices and later by various OEMs as they build out support. This year, the OS version is Android 13.
    • Date of release: Android 13 was officially released August 15th.

  • API targeting is set within Intune client apps. Google mandates that apps must target the two most recent versions to be approved in the Play Store. This year, we’re targeting Android 12 (API 31).
    • Date of client app support of API 31 targeting:
      • Company Portal: mid-November
      • Microsoft Intune: November 1
      • Managed Home Screen: November 1

 

Throughout this doc, you may see changes attributed to either Android 13 readiness or API 31 targeting readiness. It is important to note their differing release dates.

 

Changes for MDM scenarios

Starting with the release of Android 13, there will be a new runtime permission for sending notifications from an app. Users enrolling an Android 13 device into management will need to allow the permission for Intune client apps to enable the best user experience with notifications.

 

What to expect:

On device administrator and personally-owned work profile scenarios, we recommend guiding your users to allow the permission, so they receive important notifications on device compliance.

 

On corporate-owned devices with a work profile and on fully managed devices, the Microsoft Intune app will display the permission prompt. If the user swipes away the prompt, the notifications permission state will not change. For example, if it's not allowed by default, as will be the case on Android 13 devices, the permission will remain disabled. Note that the prompt will only display for profiles that are enrolling into management on Android 13 devices. Devices already enrolled that are upgrading to Android 13 will continue to follow the current notification permissions on the device.

 

Changes to device administrator

On API 31, apps that the user hasn’t interacted with for eight or more days may be placed in the “restricted” bucket. This allows the OS to prioritize saving battery life over performing important background tasks on the device. If your users don’t open the Company Portal app very frequently, the Company Portal may not be able to run correctly.

 

What to expect:

For new Android 13 enrollments to device administrator, we recommend guiding your users to disable battery optimization for the Company Portal to ensure Company Portal will run on the device. Company Portal will notify the user that they need to disable battery optimization for the app. This notification cannot be dismissed. Tapping on the notification will guide them through the process:

  1. Sign into the Company Portal app with your work or school account.
  2. Tap “Settings”.
  3. Next to “Battery Optimization,” flip the switch to “turn off”.

See: Turn off battery optimization in Company Portal app to learn more.

Note: Depending on the OEM, there may be additional battery optimization settings that users should disable. We recommend checking with the OEM for specific settings.

If you have developed an OEMConfig app or other management app for your organization, we recommend checking with the developers to ensure that the app can continue to run as normal.

 

Changes to personally-owned work profile

When Company Portal targets API 31 (November 1), Google is deprecating the ability to set a required password type and minimum password length for device configuration and compliance profiles. According to Google, overly complex passwords are difficult for users to remember. Brute force attempts to remember the password cause security and performance issues. You can read Google’s full statement on the deprecation in their DevicePolicyManager document.

 

What to expect:

Starting in mid-November, admins will be able to configure the following password complexity requirements in their device configuration and device compliance policies:

 

  • None: No password required.
  • Low: Pattern or PIN with repeating (4444) or ordered (1234, 4321, 2468) sequences.
  • Medium: PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences, length at least 4. Or alphabetic, length at least 4. Or alphanumeric, length at least 4.
  • High: PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences, length at least 8. Or alphabetic, length at least 6. Or alphanumeric, length at least 6.

 

We recommend that admins with current required password type and minimum password length configurations update to using the password complexity setting once it’s released for devices running Android 12 or higher. Stay tuned to What’s new for the release of this feature.

 

If you continue to use the required password type and minimum password length settings without configuring the password complexity setting, new devices running Android 12 or higher will default to password complexity High.
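The complexity bands and the High default described above, as an added example (not Microsoft's or Google's code, and not how Android evaluates credentials internally): a Python sketch that classifies a candidate credential using this post's definitions and works out which level applies to a device. The four-digit run length, the "contains a run anywhere" reading, and the `Policy` fields are assumptions made for illustration; the sample credentials are constructed.

```python
"""Added example: model the post's password-complexity bands (not Intune or Android code)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional

RUN_LENGTH = 4  # assumption: taken from the post's 4-digit examples (4444, 1234, 4321, 2468)


class Complexity(IntEnum):
    NONE = 0    # no password required
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def has_repeating_or_ordered_run(pin: str, run: int = RUN_LENGTH) -> bool:
    """True if `pin` contains `run` digits in a row with a constant step.

    Step 0 is a repeat (4444); steps such as +1, -1, +2 are ordered (1234, 4321, 2468).
    """
    streak, prev_step = 1, None
    for a, b in zip(pin, pin[1:]):
        step = int(b) - int(a)
        streak = streak + 1 if step == prev_step else 2
        prev_step = step
        if streak >= run:
            return True
    return False


def classify(credential: str, is_pattern: bool = False) -> Complexity:
    """Highest band, as defined in this post, that the credential satisfies."""
    if is_pattern:
        return Complexity.LOW
    if not credential:
        return Complexity.NONE
    if credential.isascii() and credential.isdigit():   # numeric PIN
        if has_repeating_or_ordered_run(credential):
            return Complexity.LOW
        high_len = 8
    else:                                               # alphabetic or alphanumeric
        high_len = 6
    if len(credential) >= high_len:
        return Complexity.HIGH
    if len(credential) >= 4:
        return Complexity.MEDIUM
    return Complexity.LOW


@dataclass
class Policy:
    """Hypothetical, simplified view of one policy's password settings."""
    password_complexity: Optional[Complexity] = None  # None means "not configured"
    legacy_type_or_length_set: bool = False           # required type / minimum length in use


def effective_complexity(policy: Policy, android_major: int,
                         newly_enrolled: bool) -> Optional[Complexity]:
    """Complexity level in force, or None when only the legacy settings apply."""
    if android_major < 12:
        return None                        # the setting is for Android 12 or higher
    if policy.password_complexity is not None:
        return policy.password_complexity
    if policy.legacy_type_or_length_set and newly_enrolled:
        return Complexity.HIGH             # the default the post describes
    return None


def failing(credentials: List[str], required: Complexity) -> List[str]:
    """Credentials that would have to change to meet `required`."""
    return [c for c in credentials if classify(c) < required]


if __name__ == "__main__":
    samples = ["4444", "2468", "7291", "729184", "72918463", "abcd", "abc123"]  # constructed
    for s in samples:
        print(f"{s!r:12} -> {classify(s).name}")
    legacy_only = Policy(legacy_type_or_length_set=True)
    level = effective_complexity(legacy_only, android_major=13, newly_enrolled=True)
    print("legacy-only policy, new Android 13 device:", level.name)
    print("would fail that level:", failing(samples, level))
```

Running it over the PIN lengths your legacy policy currently allows shows which users would be asked to change credentials if a new Android 12+ enrollment falls through to High.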

Changes for APP scenarios

Similar to MDM scenarios, Android 13 devices will have notifications disabled by default. Users with APP-protected apps will need to allow a new runtime permission to enable notifications.

 

What to expect:

APP-protected apps will prompt the user to “allow” or “not allow” the post notifications runtime permission. If the user selects “not allow,” the app will not be able to send notifications. If you have developed an OEMConfig app or other management app for your organization, we recommend checking with the developers to ensure that the app can continue to run as normal. 

 

Other ways to prepare for Android 13

  • Update apps: Encourage your users to update to the latest version of the Company Portal, Intune, Edge, and other APP-supported apps. The latest version will provide the best experience with devices running Android 13.

  • Check compatibility for other managed apps: As with previous major Android OS updates, check mobile app compatibility with your app providers to confirm your users' apps work with Android 13. You’ll see a “What’s New for the app” notice in the Google Play app store, in-app details, or updates on an application’s website. Some apps provide Day Zero support, while others update over time.

 

How can you reach us?

Keep us posted on your Android 13 experience through comments on this blog post, through Twitter @IntuneSuppTeam, and request any new features on our Intune Feedback Portal. We will update this post with any additional information we learn as testing continues, and when Android 13 releases.

 

Post updates:

12/22/22: Added a note to the disable battery optimization section.

12/12/22: Updated with steps to disable battery optimization.

10/12/22: The timeline for API 31 support and new password complexity feature has been updated.

39 Comments
Brass Contributor

Hello @Intune_Support_Team,

 

How do we need to reflect this password complexity low, medium, high on Intune policies? Do you need to adjust the current Intune policies manually based on the description of low, medium, high? Compared to some other MDM solutions they created a password policy where you only can select the 'low, medium, high' in a dropdown, but this isn't the case in Intune, right?

 

Thank you!

Brass Contributor

@Intune_Support_Team 

will it be possible to automatically grant the Notifications runtime permission for BYOD Work profile applications? As per other EMM providers' documentations it seems that it is possible to grant this permission automatically.

Brass Contributor

Historically, Microsoft have said you only support the last 4 versions of Android on your various apps and platforms. Currently that means you support version 9 to version 12. At what point in time does that minimum version increment to 10? Is it from now?

Hi all,


@Tim_bl, great question! To reflect the new settings once released, the password complexity setting will need to be updated to either None, Low, Medium or High. If the current settings remain without change, new devices running Android 12 or higher will default to password complexity High.

@hgjoe The new settings will require the user to select 'Allow' or 'Not allow', though we are checking your request with the team, and we'll loop back once info is available to share.

 

@Ryan Spooner Thanks for the info! Currently we are providing support to Android 8.0 and later (Operating systems and browsers supported by Microsoft Intune). Should the support to versions change in the future, here is a doc that provides info regarding supported versions and staying up to date: Staying up to date on Intune new features, service changes, and service health.

 

Thanks!

Hi @hgjoe Looping back, thank you for the feedback, and we've relayed the info onto the relevant team to enquire. At this moment, there's nothing on the immediate roadmap, but we'd love to get your feedback here: Microsoft Intune · Community, and other users can comment and vote!

Brass Contributor

@Intune_Support_Team 

Thanks for the update.

It seems that WS1 can do it, so Intune why not?

https://kb.vmware.com/s/article/88379

 

Sorry for saying this but this is far away from Zero day supporting Android 13...

Brass Contributor

Hello @Intune_Support_Team,

 

Thank you for replying. What I actually tried to find out is where do we see this 'None, Low, Medium or High' setting? It is not in the device restriction configuration profile, nor in the compliance policy for Android personally owned, right? I only noticed this within APP Within 'in development' and 'what's new'

https://docs.microsoft.com/en-us/mem/intune/fundamentals/whats-new#password-complexity-for-android-d...
But this is not for work profile devices?

 

Thank you for clarifying.

Copper Contributor

@Intune_Support_Team I have updated my Pixel 6 Pro with Android 13 when it became available. This is a personally owned-company managed phone. It is now giving an error we previously ran into with our Samsung devices, where the Google Play Store in the work profile would crash. The only known workaround at the moment is to disable the eSim for the duration of my need to use the store. Any thoughts around this would be appreciated!

Brass Contributor

Hi team, thanks for the update

 

Regarding the password policy change, I can see the 'old' version of these password policies in my Compliance Policy for Android.

 

Is the date for the switchover to the new version of these settings on the Intune console scheduled to be November 1st?

 

I'd like to make this cutover without my policies defaulting to 'High' - I'd prefer medium.

 

How would I achieve a smooth cutover to the new version of these settings without impacting users and forcing them to change their PINs?

 

Thanks!

@hgjoe - We're always looking at new capabilities and areas to invest in. No timelines to share currently but stay tuned to our In development and What’s new docs for new features coming to Intune. We’ll also keep this post updated as soon as we have more info to share. Thanks for the feedback!

Brass Contributor

@Intune_Support_Team ,

 

I noticed the settings you are referring to (low, medium high) aren't even available in Intune yet:
https://docs.microsoft.com/en-us/mem/intune/fundamentals/in-development#new-password-complexity-requ...

Can you specify when they become available in Intune? Till then you cannot transition....

 

Thank you. 

Copper Contributor

Hi @Intune_Support_Team ,

 

the documentation said this;

 

"

If you currently use the Required password type and Minimum password length settings in your device configuration and compliance policies on Android 12+, then we recommend using the new Password complexity setting instead.

If you continue to use the Required password type and Minimum password length settings, and don't configure the Password complexity setting, then new devices running Android 12+ will default to the High password complexity.

There is no impact for existing devices with the Required password type and Minimum password length settings configured.

"

Basically if I don't react to this change it will be set to High for new devices and keep everything untouched for already enrolled devices. If I do make a change though, this will affect all devices immediately right?

 

Thanks

Brass Contributor

Right now, there is "Required Password Type" setting in both "Work Profile Settings" and also in "Password (for the whole device)". Will the change occur in both places in "Work Profile Settings" and "Password" (for the whole device) sections or just one of these? If one of these, which one, for Work Profile only or for whole device?

Brass Contributor

Hi, there is a typo on the text. 

What to Expect:

Before After November 1, admins will be able to configure...

 

Looking forward to testing these new settings and help to improve compliance with Android devices. 

 

Regards, 

Copper Contributor

I don't think that this is a typo. @carlosbh 

 

On 1st November they will release an app update to Google Play for Company Portal. Which is then targeting API Level 31.

 

However, on admin side there will be a new configuration setting BEFORE 1st November we will then have to take care of as described.

Otherwise it will default to complexity = high

 

@Intune_Support_Team We have these settings in place. Do we only have to set the new key/value pair once available and leave the old settings as being configured or should we remove/blank them? e.g. set "Min Password length" to empty field and set "Req password type" to "Device default".

 

Thanks!

Brass Contributor

M365 admin center -> Health -> Message center -> "Plan for Change: Updates to password configurations for Android Enterprise personally-owned work profile devices - MC420038 · Published Aug 26, 2022" says:

 

"To accommodate this, a new option to configure password complexity will be available in Intune’s October (2210) service release for Android 12 or higher."

 

https://admin.microsoft.com/#/MessageCenter/:/messages/MC420038

Brass Contributor

@T_Kuisma Thanks for confirming - you are the real MVP. Happy Friday to you

Brass Contributor

Do I understand the timeline correctly, that the Company Portal will be updated before we get the policy actually available?

 

"When Company Portal targets API 31 (November 1), Google is deprecating the ability to set a required password type and minimum password length for device configuration and compliance profiles."

 and

"Starting in mid-November, admins will be able to configure the following password complexity requirements in their device configuration and device compliance policies"

 

Does that mean, that between 1st of Nov and mid-Nov all new Android 12+ devices will default to HIGH, and the policy is not yet available in Intune?

Copper Contributor

@T_Kuisma: That's indeed true, the policy is still not available and all the new devices that you will get from now on with OS13 will get the new password "policy" of Google and will set as default HIGH when you get them in Intune.

Brass Contributor

@Intune_Support_Team 

Password complexity setting is available now for Android 12+ devices.

There is not one place where the definition of Low complexity level is accurate, it is not in sync with the official Google documentation. Please fix this in the corresponding MS documentations (Day Zero Blog post, What's new in Intune, Android BYOD configuration profile and compliance policy settings lists).

https://developer.android.com/reference/android/app/admin/DevicePolicyManager#PASSWORD_COMPLEXITY_LO...

 

On the other hand, it is not clear if we need to create a new compliance and restriction policy for Android 12+ devices, or it is enough to edit the existing policies and set the desired complexity level.

The configuration profile and compliance policy settings pages recommend to create a NEW policy for Android 12+ devices, but do we really need to do this?

MC467614 post recommends updating the policies where pw type and length configurations are in place to also set the desired pw complexity level.

 

Lastly, What's new in Intune documentation does not mention that the configured pw complexity level will apply to devices when new CP version is released in December.

If we update our existing policies to also set the pw complexity level (which is not stricter than the current pw type and length), should we face any user side effects for already enrolled Android 12+ devices when the new CP version is released?

 

Thanks

Brass Contributor

Right now, there is "Required Password Type" setting in both "Work Profile Settings" and also in "Password (for the whole device)". Will the change occur in both places in "Work Profile Settings" and "Password" (for the whole device) sections or just one of these? If one of these, which one, for Work Profile only or for whole device? Can someone from Microsoft please confirm this? This information is not provided at all.

Brass Contributor

For more info on what to expect see this docu page that is modified accordingly to this whole Android BYOD passcode thing: https://learn.microsoft.com/en-us/mem/intune/configuration/device-restrictions-android-enterprise-pe...

 


 

Brass Contributor

So with this change, we can no longer have personal Android users to have pattern password for their whole device and PIN for Work Profile only in Android 12+ devices? How do we target a new policy for Android 12+ devices without affecting the Android 12+ ones that have already enrolled??

Hi @chetanmdm, if you change an existing policy with the Required password type and Minimum password length settings that are already configured, then Android Enterprise 12+ devices will automatically use the Password complexity setting with the High complexity, which will block Patterns.

For Android Enterprise 12+ devices, it's recommended to create a new policy and configure the Password complexity setting to take advantage of the available options. When configured to None, Intune doesn't change or update this setting, and by default, the OS may not require a password/allow pattern/PIN. More info can be found here to configure the settings to your preference: https://learn.microsoft.com/mem/intune/configuration/device-restrictions-android-enterprise-personal... Hope this helps!

Brass Contributor

Hello @Intune_Support_Team, assuming I will create a new policy with "Low" password complexity requirement for Android 12+ devices, how do I target that only for newly enrolling Android 12+ devices without impacting my already enrolled Android 12+ devices? If I make the distribution group based on Android OS version (12+), won't it impact my existing Android 12+ devices which I do not want to disturb?

Copper Contributor

 

Hello @Intune_Support_Team 

Regarding the password complexity on Android 12+ devices, is it possible to set a minimum passcode to 6 digits?

I can only see 4 (Medium) and 8 (high).

Thanks

 

Brass Contributor

@Intune_Support_Team Could you please confirm if the password complexity is set to low/medium/high in new policy, it would force the user to have the PIN/Password for the whole device too and it's not just for Work Profile in newly enrolling Android 12+ devices? Meaning any newly enrolling Android 12+ user who had pattern password for the device must change it to PIN/Password for whole device too when the setting is low/medium/high?

Hi @chetanmdm to ensure current devices are not impacted by a new policy, it would be best to create a new device group and include the new Android devices, then assign the user to the group. When implementing the complexity on personally owned devices with a work profile, there are two passwords affected by this Password complexity setting:

  • The device password that unlocks the device
  • The work profile password that allows users to access the work profile

 

@Nick_Knight When setting Password complexity to 'Medium', the length, alphabetic length, or alphanumeric length must be at least 4 characters, and you should be able to set a password consisting of 6 characters.

When set to 'High', the length must be at least 8 characters, unless you are leveraging either alphabetic or alphanumeric password whereby the length must be at least 6 characters.

If you are setting a PIN consisting of numbers, please ensure that the PIN does not consist of repeating, ordered or sequences as these are blocked.

 

Hope this helps!

Copper Contributor

I'm using Endpoint Manager. Enrolled 18 Android tablets last year. They are registered as Corporate Owned Dedicated Devices. Currently running Android 11 & 12. All was fine until recently.

 

We're a health care organization. Each tablet is at the front desk of one of our clinics. They have one app on them: athenaCapture. This app needs to be updated but because the tablets are Corporate managed, users are not able to update the app. In Endpoint, some of them are updated to the latest version of the app and some are not.

 

This is when I discovered that even though Endpoint shows them as "there" none of these tablets are reporting in. For example, I had one tablet in front of me and ran a remote restart - nothing happened. Then it said 'restart complete."

 

Now ALL tablets are showing Out of Compliance and when I do a "locate device" on the one in front of me, it fails.

 

How do I use Endpoint to manage these devices? What am I missing (besides the hair I've pulled out)??

 

Copper Contributor

Has anyone run into an issue with new work profile enrollments failing when running android 13?

Copper Contributor

Thanks for the info Neo.  Yes it is a Samsung device.  A couple of days ago we tried what those links suggested and it worked. I tested with a pixel and did not have those issues, so this issue might fall more under Samsung.

Hi @TeckieGeo, we are aware of an issue affecting Samsung S22 running Android 13, and it is currently under investigation. We'll keep this thread posted as soon as we have more information to share. Thanks!

Copper Contributor

One of the last comments in this Samsung forum has an updated workaround.  Installing the "Android Device Policy" app worked perfectly, no need to delete accounts.

 

S22 wont add work Profile - Page 2 - Samsung Community - 2459952

Hi @TeckieGeo, thanks for the feedback! Confirming that we've been working with our Samsung and Google friends who have issued a fix. More information can be found under our post here: (Resolved) Known Issue: Devices Upgrading to Android 13 cannot enroll into management. Should you have any further issues, please let us know. Thanks!

Brass Contributor

Hi @Intune_Support_Team

So the recommendation would be to create a new device configuration profile and compliance policy separated for Android12+ devices only? Or update the settings of existing ones? I am sorry but this is not clear for a standard scenario where devices running Android 10/11 also exist. 

Secondly, is there a final date that we can retain to plan this change accordingly?  

Regards,  

Copper Contributor

I'd like to report issues with apps not loading under a Company Portal provisioned work profile in Android 13 on Xiaomi devices. This issue has been reported by multiple users on different Xiaomi devices on Android 13 (Xiaomi 12 series & Mix Fold 2; flagship devices less than 1 year old).
I've thus raised a feedback/BUG issue in the feedback forum for your consideration:
https://feedbackportal.microsoft.com/feedback/idea/e9ea9bb4-cb96-ed11-a81b-6045bdaf6a9e 

Copper Contributor

@Intune_Support_Team 

 

Would you be able to provide some clarification on the information around the new password complexity options for BYOD Android 12+ detailed here: https://learn.microsoft.com/en-us/mem/intune/protect/compliance-policy-create-android-for-work#andro.... Specifically when the high password complexity will automatically apply to devices if the password complexity is not set in the policy. The documentation says newly enrolled BYOD Android 12+ devices will default to a complexity of high if the password complexity is not set on the policy used to manage these devices. The documentation also states that for any devices that are already enrolled/managed with a policy that uses the 'Required password type' and 'Minimum password length' those devices will continue to use these settings and will not be affected by the new password complexity options. However, this section of the documentation goes on to say that: "If you change an existing policy with the Required password type setting that's already configured, then Android Enterprise 12+ devices will automatically use the Password complexity setting with the High complexity." 

 

Is this "change" referring to a change in the policy settings only or does this also include changes to the assignment of the policy? Meaning, can I adjust the scope of an existing policy using the Required password type setting without devices in that policy automatically using the High password complexity?

 

The use case is I must use the high password complexity in order to meet my organization set minimum requirements, but I don't want to subject all currently managed devices with the required password type setting to a more complex password policy  immediately. My goal is to test the device behavior of a BYOD Android 12+ device that is currently managed with the required password type setting when it's scoped to a new policy with the password complexity of high. I will do this by assigning a second policy with the password complexity set, and excluding the same device from the existing policy that I use to manage all BYOD Android devices and does not have a password complexity set. Will this exclusion made to the assignment of the existing policy cause all of my Android 12+ devices to automatically use the high password complexity? 

Last update: Dec 19 2023 01:18 PM