SOLVED

force enrollment on android device

Steel Contributor

Hello,

 

i'm facing the following behavior and try to understand why this happens.

When a special user is signing in to Outlook for Android the following message appears:

 

"Help us to ensure the safety of your device.

To continue, you need to install the Intune Enterprise Portal App and register your device. This app helps you better protect organizational data."

 

I have no idea, why the device seems to be enforced to register in Intune. All the other devices in our company behave normal. (normal in my understanding 😉

Normal means: App Protection Policies are applied when using e.g. Outlook on an unregistered device.

 

Any idea is appreciated. 🙂

Patrick

13 Replies

@PatrickF11  On Android, the Intune Company Portal app is required to enforce app protection policies. End-users do not need to enroll their device, but the app is still required .

 

https://docs.microsoft.com/en-us/intune/end-user-mam-apps-android#access-apps

That is confusion reported to Microsoft log time ago.
On iOS user will be asked to install MS Authenticator ap which is ok.

But on Android they asked to use Company portal which is confusing. I already faced an issue with users who saw message to install Intune app an just aborted configuration because they didn't want to enroll phone. So on Android it is really essential to explain difference between Device Registration and Device Enrollment.

@eglockling Just to make it clear to me:

When i use an Android device and i did not have the Company Portal app installed, no app protection policy is applied? And: To apply the app protection policy the user is forced to install the intune company portal app. (no need to register within the app, right?)

So that means, once i have app protection policies set up for android devices, no user is able to use e.g. outlook, until he/she has the intune company portal app installed, because the Outlook app is covered by an app protection policy, right?

@Alexander Vanyurikhin You're right, that is really confusing..

What do you mean with "difference between Device Registration and Device Enrollment."

How can i register a android device without enrollment? Or do you mean: When the user only has the company portal app installed and not configured, this is registration. When the user has signed in to company portal app and went through the process, the device is enrolled.

@PatrickF11  That's correct.

best response confirmed by Steve Bucci (Microsoft)
Solution

@PatrickF11  You can sign-in to the Company Portal app on a device to register it, just don't complete the enrollment. There should be an option to "postpone" after signing-in. The Authenticator app is no longer required on iOS to enforce app protection policies, it is enforced by the mobile apps themselves.

@eglockling Thank you for your reply.

A quote from MS:

However, the user does not have to launch or sign into the Company Portal app before they can use apps that are managed by app protection policies.

So it seems not be necessary to sign in.

But what for should a user sign in, then?

 

Edit:

What i just tested: When a user has outlook already configured and i'm going to rollout the app protection policies the user isn't prompted to download the company portal app. And: The user isn't using the app protection policies and feels wonderfully free using outlook for android without any reglementations. 😕

@PatrickF11  Thanks for the follow-up. Good to know that the sign-in is not required.

"because the Outlook app is covered by an app protection policy, right?"
Just posting for the sake of clarity for others, not necessarily specific to your scenario, Patrick.
Outlook is covered by app protection policies if they assigned to that user group the end user is a member of. The Intune SDK is built-in to Outlook, but nothing is "activated" until a policy is applied.

@Steve Bucci Thank you for your reply. Thats why i said "...once i have app protection policies set up for android devices.."

 

Of course this is not the "fault" of intune. The admin should consider of the policies used, of course. 🙂

@PatrickF11 understood and you were totally correct.  I was just trying to expand on this for the next person to find the thread.  

Thanks for adding to the community knowledge. It is appreciated.

Hi @eglockling 

 

I am facing an issue where on my app, App Protection Policy is not working when i have Intune company portal app is installed and signed in. 


Where as if i have only installed Intune company portal app not signed in, policy gets applied. 
Could you please helps me to understand this scenario, Any idea is appreciated.

Thanks,
Swati



Hi,

Please take a look at my reply on the topic you just created
1 best response

Accepted Solutions
best response confirmed by Steve Bucci (Microsoft)
Solution

@PatrickF11  You can sign-in to the Company Portal app on a device to register it, just don't complete the enrollment. There should be an option to "postpone" after signing-in. The Authenticator app is no longer required on iOS to enforce app protection policies, it is enforced by the mobile apps themselves.

View solution in original post