As explained in Android 12 Day Zero Support with Microsoft Endpoint Manager, Google’s Android 12 includes a number of changes that affect device management capabilities. One of these changes removes the ability of third-party applications, including Microsoft Intune, to access hardware identifiers on Android Enterprise personally-owned work profile devices. The impacted hardware identifiers are IMEI, MEID, and serial number.
Some VPN providers use the IMEI for device identification and Intune compliance queries as part of their network access control (NAC) solutions. Some NAC solutions also expose the IMEI, MEID, or serial number in their products and allow access rules to be created based on these IDs. In these scenarios, personally-owned work profile devices may not be able to connect to NAC-enabled networks after upgrading to Android 12. Instead, the devices are blocked from the network and users are prompted to check enrollment and compliance status, even when the device is enrolled and compliant.
Affected providers: Currently, these Intune-supported VPN and NAC providers are known to use the IMEI in their NAC solutions:
Citrix (VPN client is Citrix SSO, NAC product is Citrix Gateway)
F5 (F5 Access, F5 BIG-IP APM)
Ivanti, formerly Pulse Secure (Pulse Secure, PPS/PCS)
This NAC product supports integration with Intune and uses the IMEI to identify devices:
These NAC products also expose the IMEI, MEID, and serial number information currently returned by Intune:
Aruba ClearPass
Cisco ISE
Forescout CounterACT
If you experience NAC impact not listed here on Android 12 devices, please work with your NAC provider for guidance.
Resolution: Steps and functionality will vary based on your VPN and NAC provider. See below for provider-specific actions you might need to take:
We will update this post and Android 12 Day Zero Support with Microsoft Endpoint Manager with additional information we learn as testing continues, and when Android 12 releases. If you have questions or comments for the Intune team, reply to this post or reach out to @IntuneSuppTeam on Twitter.