"Can't add work profile"


Device: Lenovo Tab M7

OS: Android 9

Issue:

- I (think) I've set up Intune correctly for "Multi-app Kiosk Corporate Owned Dedicated Devices"

- Just unboxed a new tablet

- Installed a QR reader app (there was no native QR reader)

- Scanned the QR code in MEM Enroll devices/Corporate-owned dedicated devices / custom_profile /token

- This then prompted me to download the Android Device Policy app

- Once that opened, it asked me to scan the QR code again

- After that, I receive the error:

"Can't add work profile

A work profile can't be added to this device. If you have questions, contact your admin"

 

What does this mean and how do I overcome it?


9 Replies
Hi,

How is the MDM scope defined and are there any enrollment restrictions configured?

@Rudy_Ooms 

Hi,
I'm unsure where the "MDM scope" is defined in MEM. I did not configure any enrollment restrictions. Appears the defaults are in there:


@Rudy_Ooms ,
I did configure some device restrictions...

Would any of these have a bearing on the issue?


And also no changes to the default policy? To be sure your device restrictions are not the issue, you could remove the device/user from the group to test it out?

The device: Android 9, isn't Android 9 Go? I am not sure all apps are working on that edition? Could you perhaps test it on another device?

RE: Change to "default policy":
- I'm unsure what the default policy is

- The only term "policy" I can find in MEM portal is "Compliance Policy" under /devices/Android

- This is not configured so I assume it's "default"(?)


- There is no device/user to remove as the device has never been set up (the subject of this post is stopping me)

RE: Android 9:
- What do you mean by "...isn't android 9 go?"
- I don't have another Android device to test on (procured 4 of these M7 tabs only)

@powerappsRocks 

 

Hi,
The Lenovo Tab M7 runs the Go version of Android 9 (if I believe Google ;) )

 

https://arstechnica.com/gadgets/2018/04/android-go-review-googles-scattershot-attempt-at-a-low-end-a...

 

A few other things in Android Go have been disabled for performance reasons—or at least, don't work on our ZTE Tempo Go. Most of these are flagship-centric features you would not expect to get on a low-end device.

 

- Split-screen support. Side-by-side apps are apparently too much for 1GB of memory.
- Daydream VR. Totally reasonable.
- The "Android for Work" work profile.
- Android Wear. No smartwatches allowed.
- Android Auto.
- No on-by-default storage encryption. You can manually enable it though.
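
Added example, not part of the thread: a pre-purchase check that reads a device's declared features and low-RAM flag, which is where a Go build's missing work profile support would show up. It assumes Android's `android.software.managed_users` and `android.software.device_admin` features are what the enrollment flow needs; the sample feature lists are constructed, not captured from a Tab M7.

```shell
#!/bin/sh
# Classify a device's Android Enterprise readiness from the output of
# `adb shell pm list features` and `adb shell getprop ro.config.low_ram`.

# Constructed sample: feature list as a low-RAM (Go) build might report it.
SAMPLE_GO='feature:android.hardware.camera
feature:android.hardware.wifi
feature:android.software.home_screen'

# Constructed sample: feature list from a full Android build.
SAMPLE_FULL='feature:android.hardware.camera
feature:android.software.device_admin
feature:android.software.managed_users
feature:android.hardware.wifi'

has_feature() {
    # $1 = feature list text, $2 = exact feature name.
    # adb output can carry CRs; strip them before the exact-line match.
    printf '%s\n' "$1" | tr -d '\r' | grep -qxF "feature:$2"
}

classify_device() {
    # $1 = feature list text, $2 = value of ro.config.low_ram (may be empty)
    features=$1
    low_ram=${2:-false}
    if has_feature "$features" android.software.managed_users &&
       has_feature "$features" android.software.device_admin; then
        verdict=supported
    else
        verdict=unsupported
    fi
    if [ "$low_ram" = "true" ]; then
        echo "$verdict low_ram"
    else
        echo "$verdict full"
    fi
}

# Against a connected device (USB debugging enabled):
#   classify_device "$(adb shell pm list features)" \
#       "$(adb shell getprop ro.config.low_ram | tr -d '\r')"
classify_device "$SAMPLE_GO" true
classify_device "$SAMPLE_FULL" ""
```

An `unsupported` verdict on one unit of a model is a reason to check the Android Enterprise device list before ordering more of them.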

Thank you for the continued discussion.

So does this mean that the Lenovo Tab M7 is not supported by Intune?

 

Or, do you have further ideas on how I can get this working?

 

Looks like the only Lenovo tabs that are supported are M10's (https://androidenterprisepartners.withgoogle.com/devices/#!?AER&search=lenovo). 

Hi, I guess so, but if you want to be sure you could try it out with another Android device (if you have one, of course).

Right on. I RMA'd the tab7's in favor of m10's. They'll be here tomorrow and I'll try them out using the same profile.

Thanks again for all the help. I'll report back on findings.