Forum Discussion

navs1699
Copper Contributor
Mar 11, 2024

Android Fully managed enrollment

Hi, I am trying to enrol Android devices as Enterprise corporate-owned fully managed. I have successfully managed this using the Samsung A10, A32 and A33 devices, but some users in the field using these same devices are having issues. They can go through the steps below on their device:

  1. Reset phone to factory default.
  2. Tap 5 or more times on the white area of the welcome / getting started screen.
  3. It will ask you to scan a QR code - scan the correct one.
  4. Connect to the Wi-Fi network - make sure it's a good Wi-Fi signal and there is no captive portal or login screen.
  5. Agree that it's a managed device / belongs to your organization.
  6. Set up your phone - choose continue.
  7. Agree that the device isn't private.
  8. Phone checks for updates and carries on with setup.
  9. Welcome to Chrome: choose "use without account".
  10. Asks you to log in to your work M365 account - with MFA.
  11. At this point it says logged in successfully but then takes them to a screen which says "Can't set up device" and gives them three options:
     a. Sign in - you just end up in a loop between steps 10 & 11 above.
     b. Help & feedback - which doesn't help.
     c. Factory reset - which again just loops between steps 1 - 11.


I've checked that the devices are on the latest Android and One UI they support and can't find any differences. Anything else I can look at, any useful logs in Intune which might give me a clue as to what's going wrong?

  • Hi,

    I would start checking two parts:

    - Is there a Conditional Access policy that checks for Intune enrollment? You can search the Entra sign-in logs to see if, and which, policy is applied to the devices: https://learn.microsoft.com/en-us/entra/identity/monitoring-health/how-to-view-applied-conditional-access-policies#view-conditional-access-policies-in-microsoft-entra-sign-in-logs

    - Are they hitting the right platform restriction policy that allows Android Enterprise? You can find this under Devices > Android > Android Enrollment > Enrollment Restrictions.
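The first check above (which Conditional Access policy hit the sign-in, and with what result) is easy to do in the portal for one user, but when several field users are affected it is faster to export the sign-in log as JSON and triage it. The script below is an added example, not code from the thread or from Microsoft; it works over a constructed sample in the shape of the Microsoft Graph `signIn` resource (what `GET /auditLogs/signIns` returns). All user names, policy names, app names, IDs and timestamps in the sample are invented. It keeps only Android sign-ins for the affected user and lists each applied policy whose result was `failure`, together with the grant control it enforced, the error code and the MFA method the log recorded, which is exactly the evidence needed to confirm or rule out a CA policy as the post-authentication blocker.

```python
"""Triage exported Entra sign-in log entries for an Android enrollment that
fails after a successful login.  Added example, not part of the original
thread.  SAMPLE_SIGNINS is a CONSTRUCTED sample shaped like the Graph
`signIn` resource; every name and value in it is invented."""
import json
from collections import Counter

SAMPLE_SIGNINS = json.dumps({"value": [
    {   # office user: same app, CA policy satisfied -> works (constructed)
        "createdDateTime": "2024-03-11T09:02:11Z",
        "userPrincipalName": "office.user@contoso.example",
        "appDisplayName": "Microsoft Intune Company Portal",
        "deviceDetail": {"operatingSystem": "Android", "isCompliant": True},
        "status": {"errorCode": 0, "failureReason": "Other."},
        "conditionalAccessStatus": "success",
        "mfaDetail": {"authMethod": "Mobile app notification"},
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require MFA", "result": "success",
             "enforcedGrantControls": ["Mfa"]},
        ],
    },
    {   # field user: MFA step succeeds, no policy applied yet (constructed)
        "createdDateTime": "2024-03-11T09:10:02Z",
        "userPrincipalName": "field.user@contoso.example",
        "appDisplayName": "Microsoft Intune Company Portal",
        "deviceDetail": {"operatingSystem": "Android", "isCompliant": False},
        "status": {"errorCode": 0, "failureReason": "Other."},
        "conditionalAccessStatus": "notApplied",
        "mfaDetail": {"authMethod": "Mobile app voice"},
        "appliedConditionalAccessPolicies": [],
    },
    {   # field user: blocked after auth by a device-state policy (constructed)
        "createdDateTime": "2024-03-11T09:10:45Z",
        "userPrincipalName": "field.user@contoso.example",
        "appDisplayName": "Microsoft Intune Company Portal",
        "deviceDetail": {"operatingSystem": "Android", "isCompliant": False},
        "status": {"errorCode": 53000,
                   "failureReason": "Device is not in required device state."},
        "conditionalAccessStatus": "failure",
        "mfaDetail": {"authMethod": "Mobile app voice"},
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require MFA", "result": "success",
             "enforcedGrantControls": ["Mfa"]},
            {"displayName": "Require compliant device", "result": "failure",
             "enforcedGrantControls": ["RequireCompliantDevice"]},
        ],
    },
    {   # field user on a Windows laptop: must be ignored (constructed)
        "createdDateTime": "2024-03-11T09:30:00Z",
        "userPrincipalName": "field.user@contoso.example",
        "appDisplayName": "Office 365",
        "deviceDetail": {"operatingSystem": "Windows 10", "isCompliant": False},
        "status": {"errorCode": 53000,
                   "failureReason": "Device is not in required device state."},
        "conditionalAccessStatus": "failure",
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require compliant device", "result": "failure",
             "enforcedGrantControls": ["RequireCompliantDevice"]},
        ],
    },
]})


def load_signins(text):
    """Accept either the Graph envelope {"value": [...]} or a bare list."""
    data = json.loads(text)
    return data.get("value", []) if isinstance(data, dict) else data


def is_android(entry):
    os_name = (entry.get("deviceDetail") or {}).get("operatingSystem") or ""
    return os_name.lower().startswith("android")


def blocking_policies(signins, upn):
    """One record per (Android sign-in of `upn`, applied CA policy) whose
    result was 'failure'.  Empty list means CA did not block that user."""
    hits = []
    for entry in signins:
        if (entry.get("userPrincipalName") or "").lower() != upn.lower():
            continue
        if not is_android(entry):
            continue
        status = entry.get("status") or {}
        for policy in entry.get("appliedConditionalAccessPolicies") or []:
            if policy.get("result") != "failure":
                continue
            hits.append({
                "time": entry.get("createdDateTime"),
                "app": entry.get("appDisplayName"),
                "policy": policy.get("displayName"),
                "grant_controls": list(policy.get("enforcedGrantControls") or []),
                "error_code": status.get("errorCode"),
                "failure_reason": status.get("failureReason"),
                "mfa_method": (entry.get("mfaDetail") or {}).get("authMethod"),
            })
    return hits


def policy_summary(signins, upn):
    """Count how often each policy blocked the user's Android sign-ins."""
    return Counter(hit["policy"] for hit in blocking_policies(signins, upn))


if __name__ == "__main__":
    entries = load_signins(SAMPLE_SIGNINS)
    for hit in blocking_policies(entries, "field.user@contoso.example"):
        print(json.dumps(hit, indent=2))
    print(policy_summary(entries, "field.user@contoso.example"))
```

Run it against a real export by replacing `SAMPLE_SIGNINS` with the file contents (for example `open("signins.json").read()`); a non-empty result names the policy and grant control to look at, while an empty result for a user who still loops at step 11 points away from Conditional Access and towards the enrollment side.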
      navs1699
      Copper Contributor
      Hi

      I don't believe any Conditional Access policy exists yet, but I'll need to reach out to someone who can confirm that. There are no Android enrolment restrictions - just the default all-user one for Android, as well as the others.

      Another note: I checked under Devices > Monitor > Enrolment failures and I can't see anything relating to the user or their device in there either.
        SebastiaanSmits
        Steel Contributor
        I would definitely make sure no CA policy is getting in the way. It is happening after authentication (successful means the username and password are accepted, but there are more conditions that are blocking), so CA is suspect.

        But you never encountered this problem yourself, this is only for users that are in the field?
    navs1699
    Copper Contributor
    Hi, just picking this up again. Our M365 accounts have MFA set up; the ones that are affected by the issue have MFA call-back rather than a code via the Authenticator app. I was wondering, when enrolling an Android device as company-owned fully managed, should the user be able to perform the MFA call-back on the device they are enrolling, or should they perform the MFA on another device?
