Intune Customer Success: Managing Android devices where Google Mobile Services are not available
Published Sep 02 2020 02:37 PM

Google Mobile Services (GMS) is a set of apps and APIs provided by Google that allow Android developers to provide functionality, such as Mobile Device Management (MDM), using Google’s services. In this post, we will walk you through solutions for managing Android devices with Microsoft Endpoint Manager - Intune in locations such as China, or scenarios where GMS are unavailable. If Android Enterprise and GMS are available, you can use them instead.

 

Management approaches

App Protection Policies (APP, also known as Mobile Application Management or MAM) are a great option for personal bring your own devices (BYOD). APP can be used without requiring device enrollment, which allows you to secure your organization’s data on personal devices without affecting end-user productivity. For example, you can deploy apps without requiring enrollment, then apply APP to require a PIN to open apps in a work context. To learn more about APP in Intune, see the App management overview and the App protection policies overview.

 

For corporate-owned devices where you may need stronger management controls on the device, Intune also offers support for MDM functionality. There are two MDM approaches for Android device management:

  • Where Android Enterprise and GMS are available, use them as part of your Intune MDM strategy.
  • In regions or countries where GMS is not available, use device administrator.

 

On both MDM and APP, the following areas deserve special attention when you plan for managing devices where there is no GMS:

  • How end users download the Company Portal app
  • Using Android device administrator for MDM
  • Other considerations

 

How end users download the Company Portal app

To use Intune’s MDM and/or APP functionality, Android devices need the Company Portal app installed. In many countries and regions, end users download the app from the Google Play Store. Where the Google Play Store is not available, end users can obtain the Company Portal app from one of the alternative app stores listed in Intune’s documentation, or from the device manufacturer’s app store.

 

Some app stores are preinstalled on devices from Chinese manufacturers (e.g. the Huawei or Xiaomi stores). Others are device-agnostic. It shouldn’t matter which app store your users leverage to get the Company Portal, as long as it’s one of the stores listed in Intune’s documentation.

 

Be aware that some app stores may behave differently from the Google Play Store in other ways. For example:

  • Some stores do not auto-update apps by default. End users should enable auto-update for the Company Portal app to receive updates and fixes.
  • Some stores default permalinks to specific versions of an app, which means that links may become out-of-date as new versions of the app are uploaded. When you create end-user documentation, link to the most recent Company Portal version. If you’d like to ensure end users are on a specific version (or newer) of the Company Portal, use Conditional Launch control for Company Portal.
  • Some stores allow end users to download the app and sideload it. ("Sideloading" is when you don't use an app store to install an app.) Sideloaded apps don’t typically receive automatic updates or fixes, so users who choose to do this must regularly update and patch the app manually.

 

Finally, as an IT administrator, if you want to download and deploy the Company Portal, the app package (.APK file) is available in the Microsoft Download Center. Again, keep in mind that you will need to regularly keep the app up to date if you choose this installation method.

 

Using Android device administrator for MDM

 

Enabling device administrator enrollment

When you set up Intune for device management on Android, device administrator enrollment is disabled by default for new enrollments. If you manage devices in locations where Android Enterprise and GMS are not available, use the steps below to enable device administrator enrollment.

 

To enable device administrator enrollment, follow the instructions in Set up device administrator enrollment. You can use enrollment restrictions to further customize how various types of Android devices enroll into management. For example, you can create a device type restriction that allows Android device administrator enrollment and assign it to a group that contains all users located in China. For other users in regions that support Android Enterprise, you can create another restriction that allows Android Enterprise work profile enrollment and blocks device administrator enrollment. You can read more on enrollment restrictions here.

 

Changes to device administrator

For full details about the settings, devices and user experiences that are changing, see Decreasing support for Android device administrator. The table below includes a summary for your reference. Devices manufactured by Samsung will not be impacted for most of these settings because extended support is provided through Intune’s integration with the Knox platform.

 

Affected devices: Devices running Android 10 and later
Affected settings:
  • Some password-related settings
  • Ability to block camera
  • Network access control for VPN*
  • Marking devices as corporate-owned with IMEI or serial number*
  • IMEI and serial number visibility*
  • User experience of receiving a wi-fi profile
  • Custom wi-fi profiles with pre-shared keys
Notes: *also affects Samsung Knox devices. For devices affected by password-related changes, use the Password complexity setting instead to configure password-related requirements. For more information see our What’s New announcement.

Affected devices: Devices running Android 11
Affected settings:
  • Ability to deploy trusted root certificates

 

Other limitations

In locations where Google Mobile Services are unavailable, the following features are also unavailable:

  • Google Play Protect
  • SafetyNet device attestation
  • Require threat scan on apps
  • Deploying Android store apps from the Google Play Store

 

Next, some Mobile Threat Defense (MTD) vendors may not be available in China. Please reach out to your MTD vendor for details.

 

Finally, in environments where GMS is available, Intune relies on push notifications to make tasks complete quickly. For example, if you remotely wipe a device, the notification generally reaches the device in seconds. Where there is no GMS, push notifications are not currently available, so Intune waits for the next device check-in (generally every 8 hours) to complete the task.

 

For more information about these limitations, see How to use Intune in environments without Google Mobile Services.

 

Next steps and more resources

Managing Android devices can be complex and managing Android devices without GMS adds to the complexity. We understand you may find some of these limitations frustrating. Where GMS is available and devices can be updated to Android Enterprise, update where possible. Know that we are continuing to work on improvements to your management experience.

 

In the meantime, we would appreciate hearing from you how you manage Android devices where GMS is not available. How do your management needs differ from managing devices in other regions? What features are most critical to your organization? Are there any apps that you would like to see added to our list of APP partners? Use UserVoice for any feature requests, or feel free to comment back on the post below. Follow @IntuneSuppTeam on Twitter for any announcements.

 

Blog post updates:

10/6/20: Updated the table to include support for custom wi-fi profiles with pre-shared keys.

4 Comments
Microsoft

For what it's worth, I'd like to share my frustrating experience of enrolling an Android device while I'm in China; I hope this can help others in a similar situation.

I'm using OnePlus 9, running ColorOS 11.2, based on Android 11. Google Play services is shipped in stock which means accessing GMS is possible, no need to flash GApps manually, as long as you can bypass internet blocking.

Personal VPN software can help you access Google services, download the Intune app from the Play Store, and create a work profile, but it will get stuck on 'Adding your device to Company Portal.', as this step seems to communicate not only with Microsoft servers but also with Google servers. I didn't realize this, as there is no open document stating this fact.

This step actually happens in the work version of Intune, so the VPN in the personal profile won't work, and there is no way to install it there either, because there is no access to the Play Store and no permission to install from storage.

 

I finally made it by flashing my router's firmware to OpenWrt and installing a VPN plugin so the connected devices can bypass internet blocking seamlessly.

 

So in summary two essential aspects:

1. 'Google Play services' app installed

2. A wireless network that can bypass blocking, to which the enrolled Android phone shall connect

 

Copper Contributor

@longl1890  Hi buddy, I encountered the same situation as you. I also solved it according to your solution, but there are new problems. Only when the VPN is disconnected will it prompt to check the status of SafetyNet.

 


 

Copper Contributor

Hi team,

Here is an update with another failure case; I hope it can help somebody, or somebody can help me solve it.

Now we know we need GMS and a VPN to install Company Portal, but on my phone model (Meizu 18 Pro) it breaks when granting the app networking permission.
On my phone all apps' permissions are disabled by default and we need to allow them when we use them, but now I don't have permission to connect it to the Internet, and it keeps prompting like the picture.

Then I can't do anything in the work Google Play or the work Company Portal.

Does anyone know how to solve this situation?


Copper Contributor
 
Many thanks. Openwrt+Openclash definitely works, but I was wondering if we also need to add this rule, "- DOMAIN-SUFFIX,xn--ngstr-lra8j.com,DIRECT" to it
 
According to Bing newly empowered by ChatGPT or whatever that's called, 
 
"- DOMAIN-SUFFIX,xn--ngstr-lra8j.com,DIRECT is a rule that tells your device to connect directly to the domain xn--ngstr-lra8j.com without using a proxy or VPN. This domain is owned by Google and is used by Google Play to download apps. Some users may encounter problems with Google Play downloads if they use a proxy or VPN that routes their traffic to a different region, such as Hong Kong. This is because Google Play may detect their location and direct them to a server in mainland China, which has a different API address (services.googleapis.cn) and points to Google’s Beijing server. However, if the server in mainland China is also proxied to another region, the download may fail or be very slow.

To solve this problem, some users suggest adding the rule - DOMAIN-SUFFIX,xn--ngstr-lra8j.com,DIRECT to their proxy or VPN configuration, so that the device can connect directly to the server in mainland China and download the apps faster. Alternatively, some users suggest changing the DNS settings or blocking the services.googleapis.cn address to force Google Play to use the normal API address (services.googleapis.com) and a server outside mainland China.

 

I hope this helps you understand what - DOMAIN-SUFFIX,xn--ngstr-lra8j.com,DIRECT means and why it may be useful for some Google Play users."

Version history: last updated Dec 19 2023 01:24 PM