Support Tip: Intune announces support for Android Enterprise fully managed devices
Published Sep 26 2019 12:56 PM

Have you read the details on Intune’s support for Android Enterprise fully managed devices? If not, get up to speed by reviewing the post "Microsoft Intune support for Android Enterprise fully managed devices is now generally available" here: https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Microsoft-Intune-support-for-And...

First off, we are grateful for this community. You tried out the Android Enterprise fully managed previews, you gave us feedback, and you helped each other out through three distinct releases. We received over 300 comments on the preview blog posts, and in those comments and occasional subsequent support cases, you helped us deliver this generally available release. You provided over 58 pieces of actionable feature feedback based on your experience with preview. Thank you!

 

Second, there are still a few known limitations in managing Android Enterprise fully managed devices:

 

  • Deployment
    • When provisioning via Knox Mobile Enrollment (KME), the username and password cannot be passed to the fully managed device from the portal. This is a result of a restriction on how KME interacts with the platform, so credentials will need to be entered manually.
  • Multi-factor authentication
    • During enrollment of a fully managed device, the user will not have access to the Microsoft Authenticator app or the ability to receive a call or text message on the device being enrolled. As such, the user will need to be able to complete multi-factor authentication via a different method.
  • Policies
    • Intune will not be able to support the setting “Block user account changes” on Fully Managed devices as this currently causes device registration to fail. The setting will continue to be supported on Android Enterprise Dedicated devices.
    • Support for PKCS certificates is not available today.

As we make changes that impact these limitations, we will be updating this post. Finally, we have seen both social mentions and a few cases regarding SCEP. There’s one SCEP fix we expect shortly. There is additional complexity in some of the cases, so we appreciate your patience while we parse through logs and determine the right path forward for a few of the SCEP scenarios.

 

Blog post updates:

  • 10/3/19: We have received reports from a few customers that Device Owner compliance policies are not evaluated, and the Work Profile is used instead. Engineering is investigating, and we will update this post as soon as we have more insight.
  • 3/10/20: For the issue reported on 10/3/19, where Device Owner compliance policies are in a not evaluated state and the Work Profile is used instead, engineering has identified a fix and is working on rolling it out with the 2003 service release. We'll update this article when the fix is live!
  • 4/16/20: A fix has been rolled out with the 2003 service release to address the Device Owner compliance policies issue referenced in past blog updates. If you continue to experience an issue with this, please let us know!
11 Comments
Silver Contributor

The title is confusing. Just name it "Limitations of current Android Enterprise fully managed implementation". Now it sounds like the previous post you link to, but it is not about the release, but about problems.

Brass Contributor

Will the "Block user account changes" be possible in the near future?

Copper Contributor

Despite all of this we still have massively inconsistent experiences with devices not showing as compliant after enrolment. One day a user will enrol and be compliant, the next day another user will enrol and show as non-compliant.

Hi @SunithM Do you still see that behavior with compliancy?

Brass Contributor

SCEP is still hit and miss.

Recently began experiencing issues with required apps uninstalling shortly after enrollment. Then they may come back later.

Not there yet me thinks for general rollout

 

Copper Contributor

Hi,

We also have an issue with a Wi-Fi (EapTls) profile using a SCEP certificate; we hope this will be solved soon in the coming SCEP fix.

@Intune_Support_Team almost 2 months later and still no solution for the compliance issue?

Copper Contributor

Any update on when MFA will be sorted? 

@Peter Klapwijk, checking with the PM - A fix has been identified, and the team is working on rolling this out with this month's service release (2003). An update to the post has been made, and we'll post another update when it's live!

 

@poynter2, the team is aware of this request and though we don't have an exact ETA to share at this time, stay tuned to our In development and What's new for new feature updates.

Copper Contributor

Is there already an update on the below? @Intune_Support_Team


Multi factor authentication

  • During enrollment of a fully managed device, the user will not have access to the Microsoft Authenticator app or the ability to receive a call or text message on the device being enrolled. As such, the user will need to have the ability to complete the multi factor authentication via a different method.

Hi @Wilco86, the team is continuing to look into this feature, but does not have any more details to share at this time. Stay tuned to our In development and What's new docs for announcements on new features. Thanks!

Version history
Last update: Dec 19 2023 01:30 PM