Feb 07 2019 10:04 PM - edited Feb 07 2019 10:05 PM
So we're setting up app-based conditional access so that iOS and Android are forced to use the Outlook Mobile app instead of the built-in ones, and then applying app protection policies to force a PIN etc. We are not enrolling devices.
One customer wanted more information regarding the broker app requirement. We understand this is required so that Intune can securely communicate with the device and push down policies, and we assume this is so that the apps themselves only talk to the broker app rather than each app talking directly to Intune.
But why are the broker apps different on iOS (Authenticator) and Android (Company Portal)? Most of their users already run the Authenticator, so for iOS that is great, but the Android users have to install the Company Portal, which causes an extra step for the user, and they also have privacy concerns about this. Why is that, and are we likely to see this change in the future, only needing the Authenticator app on Android? Then we can save the Company Portal discussion for the future when we start doing complete enrollment for some devices.
Hope someone knows something about this.
Feb 08 2019 06:26 AM
Solution
Hi Jonas,
yes I can explain why, but I can't explain if it will change in future. Here is the reason for this:
Android has a way to share data between apps, which the Intune product uses on the Android platform. Which data is actually shared I don't know, but there are various opportunities for which you can use this, for example to deliver new SDK versions to other apps on the Android platform. The Company Portal is maintained by the Intune product group, whereas the Authenticator app is maintained by the Azure AD product group.
The sharing is officially documented here: https://docs.microsoft.com/en-us/intune/end-user-mam-apps-android
The Company Portal app is a way for Intune to share data in a secure location. Therefore, the Company Portal app is a requirement for all apps that are associated with app protection policies, even if the device is not enrolled in Intune.
For iOS this is not possible because Apple does not allow such a scenario due to its app model and containerization. So, for iOS there is absolutely no reason to force usage of the Company Portal, but the Authenticator as a broker makes total sense.
So why doesn't Android switch to Authenticator as well? I think that's because of the different teams: Intune does not own the Authenticator, and maybe the publishing of new versions is then not as fast as they would like it to be (that's the way big companies and product ownership work).
You can use Microsoft Intune UserVoice to make a Design Change Request or support a maybe already existing one here:
https://microsoftintune.uservoice.com/forums/291681-ideas
best,
Oliver
Apr 14 2021 12:50 PM
Found this when researching the Required App for Conditional Access. It looks like Android can either use Authenticator or the company portal.
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-acces...
Apr 15 2021 03:25 AM
@Coopem16 That would be amazing that you'd only need Authenticator for Android going forward. Will see if I get the opportunity to test this in a future rollout.
Apr 15 2021 05:04 AM - edited Apr 15 2021 05:41 AM
Hi, I also read the same information, but this information is about an approved app, not about requiring app protection.
Take a look at this Microsoft doc, it tells us to use the company portal app
Android app protection policy settings - Microsoft Intune | Microsoft Docs
Of course, to be sure... I tested it... I downloaded OneDrive and when I logged in with my username and password it told me to install the Company Portal first.
I did the same test but with the Authenticator preinstalled. This time it did not ask me to install the Company Portal immediately when I logged in... but after a few seconds, the same prompt... So make sure that when you are requiring app protection, the Company Portal is installed.
If you want to know some more about app protection
Call4Cloud requiring Approved Apps or an App Protection Policy
Jul 12 2021 07:55 AM
@Rudy_Ooms_MVP After testing this it seems that the Company Portal is also required on Android for use of Outlook when hitting a CA policy with 'approved client app' requirement. Authenticator was not sufficient unfortunately.
Aug 10 2022 06:47 AM - edited Sep 01 2022 03:44 AM
It's been another year since this, and it seems like many articles at docs.microsoft.com have been changed so that Company Portal is no longer required for App Protection policies. Anyone tried it yet? Back in March 2022, when we tried it the last time, Company Portal was still required.
Here's a list of updates:
This article was changed on 5th April 2022:
https://docs.microsoft.com/en-us/mem/intune/protect/app-based-conditional-access-intune
Before it said:
The user gets redirected to the app store to install a broker app when trying to authenticate for the first time. The broker app can be either the Microsoft Authenticator for iOS, or the Microsoft Company portal for Android devices.
Now it says:
The user gets redirected to the app store to install a broker app when trying to authenticate for the first time. The broker app can be the Microsoft Authenticator for iOS, or either the Microsoft Authenticator or Microsoft Company portal for Android devices.
---
This article was changed on 7th Jul 2022:
https://docs.microsoft.com/en-us/intune/end-user-mam-apps-android
Before it said (but not anymore):
The Intune Company Portal is required on the device to receive App Protection Policies for Android devices.
---
This was changed on 7th July 2022:
https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-android
Before it said:
The Intune Company Portal is required on the device to receive App Protection Policies for Android devices.
Now it says:
Either the Intune Company Portal or the Microsoft Authenticator is required on the device to receive App Protection Policies for Android devices.
Aug 10 2022 06:58 AM
@Oliver Kieselbach Especially you maybe have tested it since you had great insights into it in 2019?
Aug 18 2022 08:12 AM
Although this article states that Authenticator can suffice as broker app on Android: Android app protection policy settings - Microsoft Intune | Microsoft Docs
In our testing this is not true: if we have APP deployed to Android then it still prompts the user to install the Intune Company Portal app (which we don't want, since that's kind of the point of MAM instead of MDM).
I'm hoping Microsoft teams can coordinate and clarify when we can get off the requirement for Company Portal to deploy APP on Android?
Aug 18 2022 08:34 AM
@NT-DW thanks for letting us know.
As a matter of fact, we're doing multiple implementations of this now at customers and see the same issue - Intune Company Portal is still required on Android devices to apply App Protection Policies. It's requested by Outlook once the policy is applied to the user.
I'll post feedback on the docs.microsoft.com pages and also see if I can log a support ticket.
Sep 01 2022 03:32 AM
Many hours later we still confirm that Intune Company Portal is still required on Android. Also had a support ticket with Microsoft [Case #:32525687] and they came to the same conclusion. So I will go ahead and post feedback on docs.microsoft.com.
Feb 28 2023 04:10 AM - edited Feb 28 2023 04:12 AM
@NT-DW Actually, after submitting the above, I think the article is correct. I have found the cause of the confusion:
In my testing, it seems that the 'Require approved client app' setting by itself can work on an Android device with Microsoft Authenticator installed.
However the 'Require app protection policy' setting, and applying app protection policies in Intune, do require the Company Portal app on Android.
This is slightly confusing since often the 'Require approved client app' setting (which can use Microsoft Authenticator or Company Portal on Android) is set up along with app protection policies (which can only use Company Portal on Android). But the current text in the article is actually correct, once you realise that a 'broker app' is not the same as 'app protection functionality'.
Perhaps the 'Require app protection policy' section should be worded more clearly:
'The broker app can be Microsoft Authenticator for iOS. On Android the broker app must additionally support app protection functionality, so the only supported broker app for this policy is Microsoft Company Portal for Android devices.'
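Added example for the distinction the post above draws (not code from any poster, and not Microsoft's own sample): the two grant controls discussed in this thread map to two different `builtInControls` values in the Microsoft Graph Conditional Access API, `approvedApplication` ('Require approved client app') and `compliantApplication` ('Require app protection policy'). The script below creates one report-only policy for each with the Microsoft Graph PowerShell SDK, scoped to iOS and Android and to Office 365 (the built-in `Office365` app group). The policy names, the pilot group ID and the choice of report-only state are assumptions for illustration; which broker app Android then demands for each policy is exactly what the thread is testing, so the comments only record that the two controls are different, not which broker satisfies them.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph.Identity.SignIns
# module and a tenant admin with the Policy.ReadWrite.ConditionalAccess scope.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Assumed: object ID of the group piloting Outlook Mobile with MAM-only devices.
$pilotGroupId = "00000000-0000-0000-0000-000000000000"

function New-MobileBrokerPolicy {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        # approvedApplication  = 'Require approved client app' in the portal
        # compliantApplication = 'Require app protection policy' in the portal
        [Parameter(Mandatory)]
        [ValidateSet("approvedApplication", "compliantApplication")]
        [string] $GrantControl
    )

    $body = @{
        displayName = $DisplayName
        # Report-only first: sign-in logs show who would be blocked and which
        # broker app the client reported, before anyone is actually prompted.
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            users          = @{ includeGroups = @($pilotGroupId) }
            applications   = @{ includeApplications = @("Office365") }
            platforms      = @{ includePlatforms = @("iOS", "android") }
            clientAppTypes = @("mobileAppsAndDesktopClients", "browser")
        }
        grantControls = @{
            operator        = "OR"
            builtInControls = @($GrantControl)
        }
    }

    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 'Require approved client app': the client must be a broker-registered MS app.
New-MobileBrokerPolicy -DisplayName "CA-Mobile-ApprovedClientApp (report-only)" `
                       -GrantControl "approvedApplication"

# 'Require app protection policy': the client must also report an applied APP,
# which is the case where the posts above saw Android ask for Company Portal.
New-MobileBrokerPolicy -DisplayName "CA-Mobile-RequireAPP (report-only)" `
                       -GrantControl "compliantApplication"
```

Run the two policies side by side in report-only mode and compare the Conditional Access result and the device/client details in the sign-in logs for a test Android user who has only Authenticator installed; that gives a per-tenant answer to the question in this thread without blocking anyone. Switch `state` to `enabled` only after that check.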
Aug 14 2024 09:17 AM
@Oliver Kieselbach since the UserVoice link is broken, please consider voting for my issue in the MS Feedback Portal: App Protection Policies should use Authenticator for Android · Community (microsoft.com)