SOLVED

Can't add Google accounts to Android work profiles when managed by Intune

Hello all,

Wondering if others have run into this issue and have been able to find a workaround.

An organization I'm working with is using Google Enterprise for mail services instead of Office 365 / Exchange Online, but they want to leverage Microsoft Intune to manage BYOD Android devices.

What we're finding is that, once the device is enrolled in Intune, the ability to add Google accounts to the work profile is blocked.

In the OS's account settings for the work profile the ability to add Google accounts is grayed out. For apps installed via the managed Play Store, such as Gmail, attempting to add a Google account results in a message that the "action is not allowed" and "this action is disabled".

The result of this is Android users are unable to access their enterprise mail or other Google Enterprise services from their Android work profiles.

Other accounts, such as Hotmail or Yahoo, can be added without issue. All applicable configuration profiles and compliance settings have been removed from the device+user, and so far we haven't been able to identify any policies or settings that would only be restricting the addition of Google accounts.

My initial thought is maybe Intune inherently blocks the ability to add additional Google accounts because all enrolled Android devices share a common managed Google Play account, but I might be missing something.

Is this a known issue / limitation with Intune and Android work profiles?

Appreciate the assist.

40 Replies
We're in a similar situation and would like to understand your solution or workaround. What specific permissions or settings did you have to override?

As per Microsoft, they are saying a Google account cannot be added in the work profile and there is no workaround as of now.

@PaulM2115 hope all is well. Could you provide some insight as to how you were able to get this to work using App configuration policy?

In the device configuration profile: Users and Accounts settings, Personal Google Accounts settings.

The Dedicated home screen is also in there, allowing you to push out a locked home screen.
PaulM2115, that option only seems to appear for "Fully managed, dedicated, and corporate-owned work profile devices" not BYOD devices. And even then there are only options to Block.

@CBERNIER 

This works and gets us past the next hurdle but it doesn't work with Google accounts that are federated with Azure AD.  

@DavidFerguson1965 do you have additional details about what doesn't work, screenshots, and logs you can upload to support?

Courtenay,

Thanks for the link.

When I go through and try to follow the instructions, I eventually end up in the Device Restriction part, and nearly every option says 'Samsung Knox Only'.

Before I waste any meaningful life-force on this, has anything changed?

Short of it is, I just want to have a work profile on a Google Pixel Android phone, shoot Google Chrome down the pipe and then allow users to log in to Chrome with their Google Accounts so it syncs and pulls through all their bookmarks, passwords etc. Right now, I'm getting the 'Blocked By Your IT Admin' when I tap on the greyed-out 'Google' underneath 'Add an account' (you're using an app outside of your work profile).

For what it's worth, the reason for this is because no one wants Edge and everyone wants Chrome. They've used their work email addresses to create Google accounts (no gmail but just a Google account attached to the work email address) so they can sync passwords and bookmarks etc.

Thanks for any further info you might be able to provide.
Hi, is this for Corporate Owned Personally Enabled? If so, Google accounts are not supported at this time. If you're receiving this on a Personal device with a Work Profile, please create a support request.

@CBERNIER

Thanks Courtenay.

For the record of this thread:

Phone is a private, personally owned Google Pixel 7 Pro, latest Android OS. It is effectively a BYOD device.

Within M365, there is a managed Google Play Store setup etc with a bunch of authorised apps.

I get the Company Portal/Intune app and log in to it, then follow all the (many many) prompts.

Lo and behold, I now have a 'Work' tab in my app drawer with all the Google Play apps that the company allow.

One of these is for Google Chrome browser.

I would like the ability to log in to the Google Chrome browser with the Google account I set up using my work email address (so a Google account without a Gmail address) so I can pull through all my bookmarks, settings and passwords into Google Chrome.

I get why this Google sign-in isn't readily available as Microsoft obviously want people to use Edge. With Android Edge, it pulls through all your Edge synced bookmarks, passwords and MS data.

If a support request will get me to where I want to be, I shall indeed do that and report back here when I'm successful. Or not. 

Thanks again.

Success!

I had to create a policy for Microsoft Intune and apply it as per the instructions. The mistake that I made was selecting the wrong non-intuitively named option when I was creating the policy. I needed:

Platform: Android Enterprise

Profile type: (Personally-Owned Work Profile)
Device Restrictions

This was where I then selected:

Add and remove accounts
Allow all accounts types


All's well that ends well. Thank you for your time.

That's great news, happy it worked out.
Hi,
I'm unable to see the "allow all account" types option. Where can we actually find this option?
Thank you in advance!
The setting is found under device configuration > Android Enterprise
Profile type = Personally-Owned Work Profile
Device restrictions > Work profile settings > Add and remove accounts > Allow all accounts types

@CBERNIER 

Thank you so much. I found the setting.
But there is one option, add Domain allow-list. What can we put there to add specifically for the Google Meet application? Screenshot attached.

If just Allow all accounts is mentioned, then users will log in to their Gmail and all other accounts personally, which might cause some issues with respect to security.

Thank you,

allow domain-list.png