Dec 12 2019 11:44 AM
Wondering if others have run into this issue and have been able to find a workaround.
An organization I'm working with is using Google Enterprise for mail services instead of Office 365 / Exchange Online, but they want to leverage Microsoft Intune to manage BYOD Android devices.
What we're finding is that, once the device is enrolled in Intune, the ability to add Google accounts to the work profile is blocked.
In the OS' account settings for the work profile the ability to add Google accounts is grayed out. For apps installed via the managed Play Store, such as Gmail, attempting to add a Google account results in a message that the "action is not allowed" and "this action is disabled".
The result of this is Android users are unable to access their enterprise mail or other Google Enterprise services from their Android work profiles.
Other accounts, such as Hotmail or Yahoo, can be added without issue. All applicable configuration profiles and compliance settings have been removed from the device+user, and so far we haven't been able to identify any policies or settings that would only be restricting the addition of Google accounts.
My initial thought is maybe Intune inherently blocks the ability to add additional Google accounts because all enrolled Android devices share a common managed Google Play account, but I might be missing something.
Is this a known issue / limitation with Intune and Android work profiles?
Appreciate the assist.
Dec 13 2019 01:30 AM
I've just run into exactly the same problem. We don't fully use Google like you do, but we do have a G-Suite set up so everyone can have a company Google account with authentication from Azure so you get all the benefits of signing into Chrome, SSO on sites that don't support Azure, etc.
Anyway, the closest setting I can find is "Add and remove accounts" in Device Configuration Profiles/Work Profile settings but that only has the option of Block and Not Configured.
If users can't sign into Chrome on Android it makes it all pretty useless.
Dec 17 2019 07:43 AM
I raised a ticket with Microsoft and spoke to an Intune Tech Lead. They're saying it's by design as Google accounts are personal and not for adding to work profiles.
Expressed a lot of disbelief and they'll get back to me...
Dec 17 2019 08:45 AM - Solution
Hi @NotMacGyver I wanted to confirm that this is By-Design. Intune blocks the user from manually adding Google accounts to the Work Profile, and unfortunately there is no workaround.
Dec 17 2019 09:15 AM
@Matthew Butcher This makes Intune completely useless to anyone using G-Suite.
Dec 17 2019 09:36 AM - edited Dec 17 2019 09:38 AM
@Matthew Butcher Let's try another approach.
If there's no way of a user MANUALLY adding a G-Suite account, is there any way for the administrator to associate an Azure AD user with the Google account so it's there in the work profile by default?
We already sync Azure AD to G-Suite and use AAD for authentication for Google so this whole setup is supported (at least in one direction) so not allowing that sync'd Google account to be used from a Work Profile is a little odd to say the least.
Dec 17 2019 09:42 AM
Hi @OffColour1972, unfortunately we do not have a way to do this today.
Dec 17 2019 09:47 AM
Nov 02 2020 10:57 AM
There was a Google DevOps talk last week where someone had the same question.
The answer was that there will be a new feature that will give us the possibility to assign an OU to an identity provider.
If we combine that with Android 11 company-owned devices that have work profiles on them, a login in G Suite apps will work.
I hope this will happen.