Intune ending support for custom profiles for personally owned work profile devices in April 2025
Years ago, before Microsoft Intune provided the many Android settings available today, Microsoft Intune introduced custom configuration profiles for Android Enterprise personally owned work profile devices. Custom profiles allow admins to configure settings that weren’t built into the Microsoft Intune admin center, leveraging Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings used by device manufacturers. Today, admins can configure all of the settings available in custom policies for personally owned work profile devices through other policy types in the Microsoft Intune admin center. The one exception is configuration of Basic Wi-Fi profiles with a pre-shared key, which will be supported in Wi-Fi configuration profiles in the first quarter of calendar year 2025. Because custom profiles are harder to configure, troubleshoot, and monitor, and offer no additional benefits now that equivalent settings are available in the Microsoft Intune admin center, we’re ending support for custom profiles for Android Enterprise personally owned work profile devices on April 1, 2025. Note: This change only applies to custom profiles for Android Enterprise personally owned work profile devices and doesn’t impact custom profiles for Android device administrator devices. How does this affect you or your users? After Intune ends support for custom profiles for personally owned work profile devices in April 2025: Admins won’t be able to create new custom profiles for personally owned work profile devices. However, admins can still view and edit previously created custom profiles. Android Enterprise personally-owned work profile devices that currently have a custom profile assigned will not experience any immediate change of functionality. Because these profiles are no longer supported, the functionality set by these profiles may change in the future. Intune technical support will no longer support custom profiles for personally owned work profile devices. How to prepare for this change To prepare for this change, follow these steps to check if you have custom profiles for personally owned work profile devices and learn how to set up alternate policy types: Navigate to the Microsoft Intune admin center. Identify the custom policies in use in your tenant: Select Devices > Android > Configuration. Filter the Platform column by Android Enterprise to get a list of Android Enterprise policies. Sort the Policy type column and look for all the policies with policy type listed as Custom. (If none are found, then no action is needed.) Create policies with equivalent settings. See tables below for settings mapping. Assign the new policies to the same groups that had been assigned the custom profiles. Unassign all groups from the custom profiles. Test and confirm device behavior is unchanged, that the new profile settings fully replace functionality from the old custom profiles. Delete the custom profiles. Replacements for custom settings Below is a mapping from custom settings to the alternate settings that you should use instead. Work profile settings Custom setting Equivalent setting ./Device/Vendor/MSFT/Container/DisableRedactedNotifications Create a device restrictions policy > Work profile settings > General Settings > set Work profile notifications while device is locked to Block ./Device/Vendor/MSFT/WorkProfile/CustomGmsWorkProfileDomainAllowList Create a device restrictions policy > Work profile settings > General Settings > Add and remove accounts, set to Allow all accounts types and configure Google domain allow-list ./Device/Vendor/MSFT/WorkProfile/WorkProfileAllowWidgets Create a device restrictions policy > Work profile settings > General Settings > Allow widgets from work profile apps ./Microsoft/MSFT/WorkProfile/DisallowCrossProfileCopyPaste Create a device restrictions policy > Work profile settings > General Settings > Copy and paste between work and personal profiles ./Vendor/MSFT/Policy/Config/DeviceLock/MaxInactivityTimeDeviceLock Create a device restrictions policy > Password > Maximum minutes of inactivity until work profile locks ./Vendor/MSFT/WorkProfile/DisallowModifyAccounts Create a device restrictions policy > Work profile settings > General Settings > set Add and remove accounts to Block all account types. ./Vendor/MSFT/WorkProfile/Applications/<package>/PermissionActions Create an app configuration policy for Managed devices > Permissions > Add ./Device/Vendor/MSFT/WorkProfile/WorkProfileEnableSystemApplications Follow the steps to Manage system apps Wi-Fi settings Custom setting Equivalent setting ./Vendor/MSFT/WiFi/Profile/<SSID>/Settings Create a Wi-Fi policy with your chosen Wi-Fi configurations for personally owned work profile devices. Here you will also be able to configure Wi-Fi with a preshared key when it becomes available. ./Vender/MSFT/WiFi/<SSID>/Settings ./Vendor/MSFT/DefenderATP/Vpn Create an app configuration policy for managed devices and set Targeted app to Microsoft Defender: Antivirus and then configure VPN VPN settings Custom setting Equivalent setting ./Vendor/MSFT/VPN/Profile/<vpn name>/PackageList Create VPN profiles with your chosen VPN configuration for personally owned work profile devices ./Vendor/MSFT/VPN/Profile/<vpn name>/Mode ./Vendor/MSFT/DefenderATP/AntiPhishing Create an app configuration policy for managed devices and set Targeted app to Microsoft Defender: Antivirus and then configure Anti-Phishing. ./Vendor/MSFT/DefenderATP/DefenderExcludeAppInReport Create an app configuration policy for managed devices and set Targeted app to Microsoft Defender: Antivirus and then configure Hide app details in report and Hide app details in report for personal profile. ./Vendor/MSFT/DefenderATP/DefenderTVMPrivacyMode Create an app configuration policy for managed devices and set Targeted app to Microsoft Defender: Antivirus and then configure Enable TVM Privacy and Enable TVM Privacy for personal profile ./Vendor/MSFT/DefenderATP/Vpn Create an app configuration policy for managed devices and set Targeted app to Microsoft Defender: Antivirus and then configure VPN Stay tuned to this blog for updates! If you have any questions or feedback on this change, leave a comment on this post or reach out on X @IntuneSuppteam.How to Setup Microsoft Launcher on Android Enterprise Fully Managed Devices with Intune
Read this post for end-to-end steps on how to use the Microsoft Launcher, Android Enterprise Fully Managed Devices, and Intune! Watch the video included at the end of the post so you can see the experience your end user will have.
Android Enterprise (fully managed) App installation stuck at pending
Hi everyone I have an Android Device enrolled with the Android (fully managed) profile. There are several Apps that get deployed to this device. However, the installation stuck at "pending" as seen in my screenshot. After I click on the pending App, the Play Store opens. Then I click on cancel and then install. After that the App gets installed. My Managed Google Play Store Apps in Intune are all Required and targeted to "All users". The Apps get automatically installed on my personally-owned work profile Phones without any issues. When I look under Device install status from the deploying App, I see the device with Status "Failed" and Status Details "The application failed to install, possibly because of insufficient storage or an unreliable network connection. The installation will be retried automatically. (0xC7D24FBA)" Does anyone face the same issue or know how to solve it? Thanks for your help ❤️
Android Enterprise BYOD Wifi Profile - disable auto-connect not working
Hi all, Been dealing with this issue for Android devices. We're implementing EAP-TLS for an enterprise wifi. Devices are connected to the network. But one thing that brought attention to us is how the android devices keeps on re-enabling the auto connect setting on a device level. That means, devices will auto join the network even without user's consent. We tried using the built-in template inintunebut the option there forConnect automaticallyis not given. We pulled the diagnostics logs from company portal app and we can see that the wifi profile is actually set to<connectionMode>manual</connectionMode>. We also tried creating a custom wifi profile, uploaded the xml with<connectionMode>manual</connectionMode>but the device keeps re-enabling the auto connect setting. Is there any other setting that I missed with respect to autoconnect issue? If you guys could lead me to proper direction on how to resolve this, I'd really appreciate it.
