Intune Android Enterprise - Enable Samsung System Apps

Copper Contributor

Hi All

We are currently looking at trialing intune as our MDM solution using the android Enterprise Platform. We are using  samsung devices that are fully corporate owned.

 

After successfully enrollment Android Enterprise limits the applications but also remove core system apps such as SMS , Camera etc

I need to Enable Samsung OEM applications that were disabled by Android Enterprise

 

I have experience with other MDMs  where remote scripts can be sent e.g 

enable_system_app com.sec.android.app.camera

enable_system_app com.samsung.android.messaging

 

Is there a scripting function within intune to send android scripts to enable apps and functions

I can see there is a samsung knox plugin available, but Ideally we do not want to purchase additional Samsung knox licenses or subscription to enable this functionality if possible .

 

Any advice would be gratefully received and appreciated

 

Thanks 

 

Jason

29 Replies

Hi there, @King_Of_Comms

 

Intune unfortunately does not have the ability today to enable system apps in the Device Owner scenarios. However, you are able to modify the QR code as you mention with the settings in your post, there just a few things to consider when doing this:

 

  1. This is outside of the Intune code path, so we have no control over it. I would recommend testing to see if you are ok with the behavior you can observe.
  2.  Once the apps are enabled, they cannot be disabled unless the device is reset.

Hi @Matthew Butcher,

 

i've tried to add the following code to my qr code but this has no effect. 

 

 "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true 

 

Are you able to help? 

Hi @markusrathke,

 

This option will perform the following:

 

  • It enables all system applications specific to that OEM and it is not knowable until the device is provisioned
  •  Once they are enabled, they cannot be disabled a la carte or in bulk until the device is factory reset

As this is outside of the Intune code base, unfortunately the only direction I can give you if you are experiencing issues would be to work with the OEM and or Google.

Ok, but thanks for your fast reply :)

Read the comments under this disccussion 

https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Microsoft-Intune-announces-Preview-2-...

It is discussed in the comments.

 

Or use Samsung Knox Mobile Enrollment where you have the option to leave the apps enabled when enrolling in to Intune.

Thanks for the links. I was aware of the "Preview situation" but don't know how long i have to wait for GA release.

I will try Samsung Knox in the meantime :)

@King_Of_CommsHi, I have managed to get this to work by editing the QR code to include a line

 

You need to add the Bold Text below.

 

"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true

Thanks for your Swift reply and advise, most appreciated , I will definitely give this a try as drawing blanks elsewhere, can you advise or recommend whats best to edit the qr code
not had much experiencing in doing that before but want to learn as im sure its relativity straight forward, just conscious 3rd party tools may be unsecure and inject other lines etc into the code
thanks Peter, have bumped the thread , im sure many others are on the same page regardign this functionality request. going to have a look @matthew Butchers Workaround in the interim
looks promising.

HI all

 

just wonder where to DL the qr code in the intune tune console . i can obviously see the qr token but  i can't see an option to save/dl.

also wondered what software you guys are using to edit your qr codes and how

Thanks

 

 

ok worked out how to dl , just need a few tips on editing the code and injecting the script

Do you add this line to to the advance rule box within dynamic membership rules ?
ive tried adding the code to my rule and intune errors
"Failed to save dynamic group. Dynamic membership rule validation error: Invalid characters found in the rule.Invalid characters found in the rule: :

heres the rule i attempted to use
(device.enrollmentProfileName -match "AFW CO - SU")
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true

anything immediately obvious in my syntax that would cause an error? I have attempedt with open/close brackets and removing the quotations but no joy so far

@King_Of_CommsI am not sure where this dynamic membership error is coming. But you need to use a converter/tool to convert the Intune console QR code to text mode. Then you append the following to your converted text:

 

"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED": true

 

After this you convert the new text back to QR code and distribute it internally for the enrollment purposes.

@Joni_Nieminen 

I added the line:
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED": true
to the end of the text and converted it back to a QR Code. When I try to scan the code to enrol a Samsung mobile I see the following message:
Cannot create work profile
The security policy prevents the creation of a managed device because a custom OS is or has been installed on this device.

Would anyone have any thoughts? We have blocked "Rooted devices" on our Android Device Policy.

 

@Jim Rorrisonsorry for the late response!

 

This problem sounds unrelated to the customized QR code; does the enrollment work properly with the default QR code?

@Joni_Nieminen Hi Joni, 

 

My fault, got the syntax wrong when adding the line to the QR Code. I have corrected and tested on a Samsung Galaxy a20. Seemed to work fine and left behind required apps such as Text Messaging and Camera. A couple of pre-installed Samsung apps (Netflix) also got through but not many.

 

Our normal enrolement QR Code works fine with other brands - tested on Nokia and Huawei.

 

Great solution, saves going down the Samsung Knox route.

I'm glad you got it solved!
Hi, How did you get this working? I cant seem to locate anywhere within Intune to amend the enrolment QR code? I require some system apps that have been removed at enrollment so looking to apply the "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true line to the QR code, but I have no idea how to do this - your help or anyones help would be greatly appreciated!