Issues with Android Enterprise enrollment in Intune (Corporate Identifiers; enrollment tokens)


I'm writing this post to draw attention to some issues I've come across with Intune recently.
1.) The first issue is that the Corporate Identifiers (IMEIs/serial numbers) are not documented accurately (Identify corporate-owned devices with IMEI or serial number: https://docs.microsoft.com/en-us/mem/intune/enrollment/corporate-identifiers-add#identify-corporate-owned-devices-with-imei-or-serial-number).  It should be nice and clear in the docs articles, and unfortunately it's just not, and instead is misleading.  IMEI DOES work to make Android Enterprise - Work profile devices be marked automatically upon enrollment as "Ownership = Corporate".
2.) Unfortunately, IMEI / SN cannot be used for the same purpose when enrolling devices as Fully Managed.  This is a bit of a problem, because of the next issue...
3.) The enrollment token for Android Enterprise Fully Managed is non-revocable / non-expiring.  Meanwhile the other two corporate-aimed enrollment types - Dedicated / COPE - have their enrollment profile tokens both auto-expiring and revocable.  The docs articles explain when you'd want to revoke the tokens:

Revoke tokens

You can immediately expire the token/QR code. From this point on, the token/QR code is no longer usable. You might use this option if you:

  • accidentally share the token/QR code with an unauthorized party
  • complete all enrollments and no longer need the token/QR code

But strangely, the Fully Managed enrollment type is left in the dark with no protection either from Corporate Identifiers, or revocable/expiring tokens.  Might as well point out here too that Intune's Enrollment Restrictions do not help with Fully Managed either.  So essentially anyone can BYOD to Android Enterprise Fully Managed, as long as they're allowed to enroll any number of devices and haven't exceeded their maximum allowed number of devices.
I do get that BYOD devices enrolled as Fully Managed would be a fairly low threat, but it is still unclear why this gap has been left open.
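Since Intune marks every Fully Managed enrollment as corporate-owned without consulting the uploaded identifiers, the ownership field alone cannot surface the gap described in this post. The helper below, added here as an example and not Intune's own code, takes an export of enrolled devices and the corporate IMEI/serial list and flags Fully Managed Android devices whose hardware identifiers were never uploaded. The record field names and the enrollment-type strings are assumed to mirror the Microsoft Graph managedDevice resource (operatingSystem, deviceEnrollmentType, managedDeviceOwnerType, imei, serialNumber, userPrincipalName); all device records and identifiers are constructed for the example.

```python
"""Flag Android Enterprise Fully Managed enrollments whose IMEI or serial
number is absent from the corporate-identifier list.

Added example; not Intune's own code. Field names and enrollment-type values
are assumed to follow the Graph managedDevice resource. Every record and
identifier below is constructed.
"""
from collections import Counter
from typing import Dict, Iterable, List

# Assumed Graph deviceEnrollmentType values for the two Android Enterprise
# corporate modes that matter here.
FULLY_MANAGED = "androidEnterpriseFullyManaged"
DEDICATED = "androidEnterpriseDedicatedDevice"

# Constructed corporate identifiers, as an admin would upload them in Intune.
CORPORATE_IMEIS = {"490154203237518", "356938035643809"}
CORPORATE_SERIALS = {"R58M12ABCDE"}

# Constructed export of enrolled devices, shaped like managedDevice records.
# Note that every Fully Managed device reports "company" ownership regardless
# of whether its identifier was ever uploaded.
SAMPLE_DEVICES: List[Dict[str, str]] = [
    {"deviceName": "pixel-alice", "operatingSystem": "Android",
     "deviceEnrollmentType": FULLY_MANAGED, "managedDeviceOwnerType": "company",
     "imei": "490154203237518", "serialNumber": "",
     "userPrincipalName": "alice@corp.example"},
    {"deviceName": "galaxy-bob", "operatingSystem": "Android",
     "deviceEnrollmentType": FULLY_MANAGED, "managedDeviceOwnerType": "company",
     "imei": "", "serialNumber": "r58m12abcde",   # case differs from upload
     "userPrincipalName": "bob@corp.example"},
    {"deviceName": "oneplus-carol", "operatingSystem": "Android",
     "deviceEnrollmentType": FULLY_MANAGED, "managedDeviceOwnerType": "company",
     "imei": "869123045678901", "serialNumber": "OP7T9ZZZ",
     "userPrincipalName": "carol@corp.example"},
    {"deviceName": "kiosk-01", "operatingSystem": "Android",
     "deviceEnrollmentType": DEDICATED, "managedDeviceOwnerType": "company",
     "imei": "", "serialNumber": "KIOSK0001",
     "userPrincipalName": ""},
    {"deviceName": "ipad-erin", "operatingSystem": "iOS",
     "deviceEnrollmentType": "userEnrollment", "managedDeviceOwnerType": "personal",
     "imei": "", "serialNumber": "DMPX1234",
     "userPrincipalName": "erin@corp.example"},
]


def _norm(value) -> str:
    """Normalise an identifier: uploads and device reports differ in case and
    whitespace, and a missing field may arrive as None."""
    return "".join(str(value or "").split()).upper()


def is_listed_corporate(device: Dict[str, str],
                        imeis: Iterable[str], serials: Iterable[str]) -> bool:
    """True if the device's IMEI or serial number is on the corporate list.
    Empty identifiers never match, so a blank field cannot pass the check."""
    listed_imeis = {_norm(i) for i in imeis}
    listed_serials = {_norm(s) for s in serials}
    imei = _norm(device.get("imei"))
    serial = _norm(device.get("serialNumber"))
    return (imei != "" and imei in listed_imeis) or \
           (serial != "" and serial in listed_serials)


def find_unlisted_fully_managed(devices: Iterable[Dict[str, str]],
                                imeis: Iterable[str] = CORPORATE_IMEIS,
                                serials: Iterable[str] = CORPORATE_SERIALS) -> List[str]:
    """Device names of Android Fully Managed enrollments with no uploaded
    identifier: the candidates for a personal device enrolled as Fully Managed."""
    hits = []
    for device in devices:
        if device.get("operatingSystem") != "Android":
            continue
        if device.get("deviceEnrollmentType") != FULLY_MANAGED:
            continue
        if not is_listed_corporate(device, imeis, serials):
            hits.append(device["deviceName"])
    return hits


def unlisted_by_user(devices: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count unlisted Fully Managed devices per enrolling user, the obvious
    pivot for triage since the token itself cannot be revoked."""
    devices = list(devices)
    flagged = set(find_unlisted_fully_managed(devices))
    return dict(Counter(d["userPrincipalName"] for d in devices
                        if d["deviceName"] in flagged))


if __name__ == "__main__":
    for name in find_unlisted_fully_managed(SAMPLE_DEVICES):
        print("unlisted Fully Managed device:", name)
    print(unlisted_by_user(SAMPLE_DEVICES))
```

Run it against a real export by replacing SAMPLE_DEVICES with the managedDevice records from your tenant and the two sets with the identifiers you actually uploaded; the normalisation step matters because serial numbers are frequently uploaded in a different case than the device reports.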