Intune ending support for custom profiles for personally owned work profile devices in April 2025
Years ago, before Microsoft Intune provided the many Android settings available today, Microsoft Intune introduced custom configuration profiles for Android Enterprise personally owned work profile devices. Custom profiles allow admins to configure settings that weren’t built into the Microsoft Intune admin center, leveraging Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings used by device manufacturers. Today, admins can configure all of the settings available in custom policies for personally owned work profile devices through other policy types in the Microsoft Intune admin center. The one exception is configuration of Basic Wi-Fi profiles with a pre-shared key, which will be supported in Wi-Fi configuration profiles in the first quarter of calendar year 2025. Because custom profiles are harder to configure, troubleshoot, and monitor, and offer no additional benefits now that equivalent settings are available in the Microsoft Intune admin center, we’re ending support for custom profiles for Android Enterprise personally owned work profile devices on April 1, 2025. Note: This change only applies to custom profiles for Android Enterprise personally owned work profile devices and doesn’t impact custom profiles for Android device administrator devices. How does this affect you or your users? After Intune ends support for custom profiles for personally owned work profile devices in April 2025: Admins won’t be able to create new custom profiles for personally owned work profile devices. However, admins can still view and edit previously created custom profiles. Android Enterprise personally-owned work profile devices that currently have a custom profile assigned will not experience any immediate change of functionality. Because these profiles are no longer supported, the functionality set by these profiles may change in the future. Intune technical support will no longer support custom profiles for personally owned work profile devices. How to prepare for this change To prepare for this change, follow these steps to check if you have custom profiles for personally owned work profile devices and learn how to set up alternate policy types: Navigate to the Microsoft Intune admin center. Identify the custom policies in use in your tenant: Select Devices > Android > Configuration. Filter the Platform column by Android Enterprise to get a list of Android Enterprise policies. Sort the Policy type column and look for all the policies with policy type listed as Custom. (If none are found, then no action is needed.) Create policies with equivalent settings. See tables below for settings mapping. Assign the new policies to the same groups that had been assigned the custom profiles. Unassign all groups from the custom profiles. Test and confirm device behavior is unchanged, that the new profile settings fully replace functionality from the old custom profiles. Delete the custom profiles. Replacements for custom settings Below is a mapping from custom settings to the alternate settings that you should use instead. Work profile settings Custom setting Equivalent setting ./Device/Vendor/MSFT/Container/DisableRedactedNotifications Create a device restrictions policy > Work profile settings > General Settings > set Work profile notifications while device is locked to Block ./Device/Vendor/MSFT/WorkProfile/CustomGmsWorkProfileDomainAllowList Create a device restrictions policy > Work profile settings > General Settings > Add and remove accounts, set to Allow all accounts types and configure Google domain allow-list ./Device/Vendor/MSFT/WorkProfile/WorkProfileAllowWidgets Create a device restrictions policy > Work profile settings > General Settings > Allow widgets from work profile apps ./Microsoft/MSFT/WorkProfile/DisallowCrossProfileCopyPaste Create a device restrictions policy > Work profile settings > General Settings > Copy and paste between work and personal profiles ./Vendor/MSFT/Policy/Config/DeviceLock/MaxInactivityTimeDeviceLock Create a device restrictions policy > Password > Maximum minutes of inactivity until work profile locks ./Vendor/MSFT/WorkProfile/DisallowModifyAccounts Create a device restrictions policy > Work profile settings > General Settings > set Add and remove accounts to Block all account types. ./Vendor/MSFT/WorkProfile/Applications/<package>/PermissionActions Create an app configuration policy for Managed devices > Permissions > Add ./Device/Vendor/MSFT/WorkProfile/WorkProfileEnableSystemApplications Follow the steps to Manage system apps Wi-Fi settings Custom setting Equivalent setting ./Vendor/MSFT/WiFi/Profile/<SSID>/Settings Create a Wi-Fi policy with your chosen Wi-Fi configurations for personally owned work profile devices. Here you will also be able to configure Wi-Fi with a preshared key when it becomes available. ./Vender/MSFT/WiFi/<SSID>/Settings ./Vendor/MSFT/DefenderATP/Vpn Create an app configuration policy for managed devices and set Targeted app to Microsoft Defender: Antivirus and then configure VPN VPN settings Custom setting Equivalent setting ./Vendor/MSFT/VPN/Profile/<vpn name>/PackageList Create VPN profiles with your chosen VPN configuration for personally owned work profile devices ./Vendor/MSFT/VPN/Profile/<vpn name>/Mode ./Vendor/MSFT/DefenderATP/AntiPhishing Create an app configuration policy for managed devices and set Targeted app to Microsoft Defender: Antivirus and then configure Anti-Phishing. ./Vendor/MSFT/DefenderATP/DefenderExcludeAppInReport Create an app configuration policy for managed devices and set Targeted app to Microsoft Defender: Antivirus and then configure Hide app details in report and Hide app details in report for personal profile. ./Vendor/MSFT/DefenderATP/DefenderTVMPrivacyMode Create an app configuration policy for managed devices and set Targeted app to Microsoft Defender: Antivirus and then configure Enable TVM Privacy and Enable TVM Privacy for personal profile ./Vendor/MSFT/DefenderATP/Vpn Create an app configuration policy for managed devices and set Targeted app to Microsoft Defender: Antivirus and then configure VPN Stay tuned to this blog for updates! If you have any questions or feedback on this change, leave a comment on this post or reach out on X @IntuneSuppteam.How to Setup Microsoft Launcher on Android Enterprise Fully Managed Devices with Intune
Read this post for end-to-end steps on how to use the Microsoft Launcher, Android Enterprise Fully Managed Devices, and Intune! Watch the video included at the end of the post so you can see the experience your end user will have.
Support Tip: Intune announces support for Android Enterprise fully managed devices
Have you read the details on Intune’s support for Android enterprise fully managed device? If not, get up to speed by reviewing the Microsoft Intune support for Android Enterprise fully managed devices is now generally available post here: https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Microsoft-Intune-support-for-Android-Enterprise-fully-managed/ba-p/862232.
