Known Issue: Some management settings become permanent on Android 14
Published Dec 18 2023 04:53 PM

Updated 4/15/24 - We have received the following updates from Google:

  • For personally-owned work profile devices:
    • The issue where Prevent app installations from unknown sources in the personal profile becomes permanent will be mitigated in the March security patch.
    • Clearing the Threat scan on apps setting will still require a factory reset of the device.

 

Google recently identified two issues in Android 14 that make some management policies permanent on non-Samsung devices. When a device is upgraded from Android 13 to Android 14, certain settings are made permanent on the device. Additionally, when devices that have been upgraded to Android 14 are rebooted, other settings are made permanent on the device.

 

For example, let’s say you are managing a device with a personally-owned work profile running Android 13, with the settings Block camera and Block apps from unknown sources enabled in the management profile. When that device updates to Android 14, the camera will become permanently blocked, even if you later disable the Block camera setting in Intune. After the update to Android 14, when the device reboots, apps from unknown sources will also become permanently blocked, even if you later disable Block apps from unknown sources in Intune.

 

Due to the severity of the issue, we do not recommend updating non-Samsung devices to Android 14 at this time. On Android Enterprise devices, you can use Intune device restrictions policies to postpone system updates. For more details, see Managing system updates on Microsoft Intune managed Android Enterprise corporate devices.


Unfortunately, this is a bug at the operating system level, meaning the only way to fix it is for the device OEM to release an OS update containing patches to Android itself. Intune and other device management providers do not have control over when these patches will be available.

Issue 1: A device that has been upgraded to Android 14 is rebooted

When devices that have been upgraded to Android 14 are rebooted, certain settings are made permanent on the device. Devices that shipped with Android 14 will not be affected.


This issue currently affects devices enrolled with personally-owned work profiles.

 

Settings affected

 

Personally-owned work profile

  • Threat scan on apps
  • Block apps from unknown sources

Fully managed, Dedicated and Corporate-owned work profile

Google recently released a fix for this issue on fully managed, dedicated, and corporate-owned fully managed devices. Prior to this, the following settings could also have become permanent on devices after rebooting:

Fully managed and Dedicated:

  • Add new users
  • Allow users to enable app installation from unknown sources in the personal profile
  • Bluetooth configuration
  • Camera
  • Date and Time changes
  • Developer settings
  • External media
  • Factory reset
  • Microphone adjustment
  • System error warnings
  • Tethering and access to hotspots
  • Threat scan on apps
  • USB file transfer
  • USB storage
  • Volume changes
  • Wi-Fi access point configuration

Corporate-owned work profile:

  • Date and Time changes
  • Developer settings
  • Tethering and access to hotspots
  • Threat scan on apps
  • Wi-Fi access point configuration

 

Issue 2: A device is upgraded from Android 13 to Android 14

When a device is upgraded from Android 13 to Android 14, certain settings are made permanent on the device.

 

The following enrollment types are affected by this issue:

  • Fully managed
  • Dedicated
  • Corporate-owned work profile
  • Personally-owned work profile

 

Settings affected

 

Fully managed and Dedicated

  • Allow users to enable app installation from unknown sources in the personal profile
  • Beam data using NFC
  • Bluetooth configuration
  • User removal
  • Wi-Fi access point configuration


Corporate-owned work profile

  • Allow users to enable app installation from unknown sources in the personal profile
  • Beam data using NFC
  • Bluetooth configuration
  • Camera
  • Copy and paste between work and personal profiles
  • Developer settings
  • Roaming data services
  • Tethering and access to hotspots
  • USB file transfer
  • User removal
  • Users can configure credentials
  • Wi-Fi access point configuration

Personally-owned work profile

  • Camera (set to ‘Block’)
  • VPN (set to ‘Enabled’)
  • Copy and paste between work and personal profile
  • Prevent app installations from unknown sources in the personal profile
  • Add or remove accounts (set to ‘Block all account types’)
  • One lock for device and work profile

Next steps

Currently, the only ways to clear settings that have become permanent are:

  • (Personally-owned work profile) Remove the work profile from the device.
    • Note: If configured, the settings Threat scan on apps and Block apps from unknown sources cannot be cleared by removing the work profile.
  • (All enrollment types) Factory reset the device.
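
A triage of a device inventory against the personally-owned work profile lists and the clearing options above, as an added example that is not part of the original post or of Intune tooling. The inventory columns and device names are constructed, and each setting name stands for that setting configured to the value the post lists.

```python
import csv, io

PROFILE = "Personally-owned work profile"
# Lists copied from this page for personally-owned work profile devices.
ON_UPGRADE = {"Camera", "VPN", "Copy and paste between work and personal profile",
              "Prevent app installations from unknown sources in the personal profile",
              "Add or remove accounts", "One lock for device and work profile"}  # Issue 2
ON_REBOOT = {"Threat scan on apps", "Block apps from unknown sources"}  # Issue 1

# Constructed inventory; the column names are assumptions, not an Intune export format.
SAMPLE = """device,manufacturer,os_major,shipped_major,enrollment,settings
pixel-01,Google,13,13,Personally-owned work profile,Camera;Threat scan on apps
pixel-02,Google,14,13,Personally-owned work profile,Block apps from unknown sources
galaxy-01,Samsung,13,13,Personally-owned work profile,Camera
moto-01,Motorola,14,14,Personally-owned work profile,Camera;VPN
"""

def assess(row):
    """Return None if the page's conditions do not apply, else a finding dict."""
    if row["manufacturer"].strip().lower() == "samsung":
        return None  # the page scopes both issues to non-Samsung devices
    if row["enrollment"] != PROFILE:
        return None  # this example covers one enrollment type only
    os_major, shipped = int(row["os_major"]), int(row["shipped_major"])
    if os_major not in (13, 14) or (os_major == 14 and shipped >= 14):
        return None  # shipped with Android 14: never went through the upgrade
    configured = {s.strip() for s in row["settings"].split(";") if s.strip()}
    upgrade, reboot = configured & ON_UPGRADE, configured & ON_REBOOT
    if not (upgrade or reboot):
        return None
    return {
        "device": row["device"],
        "state": "at risk if upgraded" if os_major == 13 else "may already be permanent",
        "settings": sorted(upgrade | reboot),
        # Per the page, removing the work profile does not clear the Issue 1 settings.
        "clear_by": "factory reset" if reboot else "remove work profile or factory reset",
    }

def triage(text=SAMPLE):
    """Assess every inventory row and keep only the devices with a finding."""
    return [f for f in map(assess, csv.DictReader(io.StringIO(text))) if f]

if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

The check does not look at the device's security patch level, so it does not reflect OEM fixes that a device may already have received.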

 

Google is currently sharing patches with other device OEMs for these issues, which OEMs will integrate into their OS update images going forward. Device OEMs will determine if, and how, their devices will receive these fixes. When released, these OEM patches will prevent these issues in the future, but if a device has already upgraded to Android 14 and experienced the issue, any settings that have been made permanent will remain on the device.

 

We’ll continue to provide updates on this post as they’re available. If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam.

 

Post updates:

12/19/23: Updated post to clarify the affected settings under Issues 1 & 2.

04/15/24: Updated post with latest update from Google.

Last update: Apr 15 2024 12:55 PM