android
620 Topics

Work Profile Contacts in Android Auto BYOD
Hey there, is it possible to List the Contacts from the Android Work-Profile in Android Auto? People in our Organization are not able to search for Work-Profile-Contacts via Android Auto. When Contacts from the Work-Profile are calling, the Name is showing up correctly and is also correctly displayed in the caller history, but when using the Phone app on the car's display it's not possible to find the contacts.

What have we tried so far:
- Installed Android Auto App on Work-Profile
- Enabled "Connected Apps"
- Contact Sync via Outlook App
- Contact Sync via Gmail / Google Contacts
- Installed Google Phone App on both profiles and set it to the Default call Application
- Installed Samsung Phone App on both profiles and set it to the Default call Application
- Enabled the Work Profile Switch in the Android Auto setting (seems only useful for notifications)
- Tried different Phone and Car Vendors

One more Information: When Using the Call or Contact App on Personal-Profile and searching for Work Contacts, they are showing up as expected. I believe maybe it's not supported by Google? Is anybody facing the same issue or are there some Workaround I have not thought about?

6 Views, 0 likes, 0 Comments

365 App Sign in & Edit Issues
Hello, I am attempting to edit a Word document saved on OneDrive. I have the 365 app. The document opens and states I cannot edit unless I sign in. When clicking to sign in, it then states it cannot put my personal email (which is what the subscription is under) I need to put a work or school email and if it doesn't work then to contact said work or school. However, my subscription is my personal email and I am logged into the app with my personal email. I'm confused and need support please!

Exact wording opening document: "This account does not allow editing on your device. For an account with full access, contact your organizational out your subscription plan"

**For reference: I have frequently used my android phone for editing documents

Exact wording when signing in: "We couldn't find a work or school account with that email address"

367 Views, 0 likes, 2 Comments

Intune Android Fully Managed - Play Store Error
Hi all, I've just noticed that our Android Fully Managed handsets are getting an error when opening the Play Store, which says Update Google Play Store - Google Play Store won't run unless you update. We have never seen this before and have been running this profile for 18 months now. I've tried clearing the Store cache, uninstalling Play Store updates, to no avail. I even wiped my device, but it's still the same. Any help would be much appreciated. Thanks.

38 Views, 0 likes, 0 Comments

From the frontlines: Revolutionizing healthcare workers experience
I'm Catarina Rodrigues and recently, I've had the opportunity to have several conversations with healthcare customers on how Intune can effectively manage devices in frontline critical environments. In this “From the frontlines” blog, I want to share with you some of my learnings.

Technology has revolutionized the healthcare sector, where hospitals are replacing paper with digital systems to ensure patient information is securely stored and easily accessible. Doctors can now check patient files and statuses on the go as they move around the hospital. Nurses can check their patients’ exams digitally and first responders in ambulances get access to essential information that helps save lives.

As shared in From the frontlines: Frontline worker management with Microsoft Intune, Intune allows healthcare organizations to secure mobile devices and manage data access, while ensuring a great user experience. Intune supports multiple platforms, making it the ideal solution for unified endpoint management. It allows for the configuration of devices to meet specific needs, whether for individual users, shared devices, or dedicated use.

Let's look at an example of how Intune can enhance healthcare operations and patient care:

The Nurses station in the Hospital’s ICU

Nurses in the Intensive Care Unit (ICU) manage some of the most complex patient cases within the hospital and are typically responsible for multiple patient beds on the same floor. They typically have a short time window to act, need access to patient records and must easily communicate with other departments in the hospital. To modernize workflows and improve patient care, IT admins of a hospital are looking at ways to implement the use of Android tablets in the nurses’ station of the ICU.
With this device, they are hoping to provide the nurses access to essential information, such as a live feed of patient rooms, vital signs and recent exam results, allowing them to monitor significant changes in their patient’s health.

To build such a reliable and safe solution, IT admins need to consider the following requirements:
- These Android devices are shared by different people throughout the day, as nurses work in shifts.
- Users must sign in using their credentials to ensure they are verified and authorized hospital staff.
- New versions of essential applications need to be tested before moving to production.
- System and application updates need to happen during a specified maintenance window.
- This device is used to communicate with other hospital services via message or voice.
- This device can only connect to approved networks.

Considering these requirements, we can set up these devices as Android Enterprise Dedicated with Microsoft Entra Shared Device Mode (Fig. 1) to enable nurses to use them even as shifts change.

Fig. 1 – Setting up a Corporate-Owned Android Enterprise Dedicated with Microsoft Entra shared mode enrolment profile.

Nurses must sign in and authenticate to access this information, thereby protecting their patients' personal information. With Managed Home Screen, nurses will see a login screen that they can use to authenticate once (Fig. 2). From that point onward, during their shift, they’re signed in to all applications seamlessly and can trigger access using a PIN.

IT admins work with the developers of essential applications to enable phased deployments of new application versions using testing tracks in assignments. IT admins can use application configuration policies to manage settings of essential applications. System and application updates can be scheduled to occur during a maintenance window to avoid disruption in the critical ICU department.
Lastly, by utilizing Intune configuration profiles, IT admins can set up Microsoft Teams to function as a walkie-talkie, enabling the voice feature. For security measures, Wi-Fi connectivity is limited to the hospital's network. These profiles can also be used to set up a custom wallpaper with hospital branding or even a widget to display weather conditions.

This is just an example of how Intune can assist healthcare organizations in managing their FLW devices. Other examples include doctors being able to check patient files and calendars on their managed corporate iPhones, or hospitals having an admission system at the entrance that allows patients to check-in easily upon arrival for their consultation.

This blog is part of a series: “From the frontlines:”. We’ll publish additional blogs on other healthcare scenarios and industries, such as retail and airlines, in the upcoming months. Check out From the frontlines: Frontline worker management with Microsoft Intune to see all other “From the frontlines:” blogs! Stay tuned!
Please refer to the documentation here for more guidance:
- For information on how to set up shared Android devices refer to: Enroll Android Enterprise dedicated, fully managed, or corporate-owned work profile devices in Intune
- For more information on Managed Home Screen and how it can improve the user experience refer to: Configure the Microsoft Managed Home Screen app
- If you’d like to learn more about how Microsoft Entra Shared Device Mode can help your users easily sign in and sign out leveraging single sign-on review: Shared Device Mode overview - Microsoft identity platform
- To learn about how to set up maintenance windows and define application update conditions refer to: Corporate-owned Android Enterprise device restriction settings in Microsoft Intune

Let us know if you have any questions by leaving a comment on this post or reaching out on X @IntuneSuppTeam.

1.5K Views, 3 likes, 5 Comments

Blocking and removing apps on Intune managed devices (Windows, iOS/iPadOS, Android and macOS)
By: Michael Dineen - Sr. Product Manager | Microsoft Intune

This blog was written to provide guidance to Microsoft Intune admins that need to block or remove apps on their managed endpoints. This includes blocking the DeepSeek – AI Assistant app in accordance with government and company guidelines across the world (e.g. the Australian Government’s Department of Home Affairs Protective Policy Framework (PSPF) Direction 001-2025, Italy, South Korea). Guidance provided in this blog uses the DeepSeek – AI Assistant and associated website as an example, but you can use the provided guidance for other apps and websites as well.

The information provided in this guidance is supplemental to previously provided guidance which is more exhaustive in the steps administrators need to take to identify, report on, and block prohibited apps across their managed and unmanaged mobile devices: Support tip: Removing and preventing the use of applications on iOS/iPadOS and Android devices.

iOS/iPadOS devices

For ease of reference, the below information is required to block the DeepSeek – AI Assistant app:
- App name: DeepSeek – AI Assistant
- Bundle ID: com.deepseek.chat
- Link to Apple app store page: DeepSeek – AI Assistant
- Publisher: 杭州深度求索人工智能基础技术研究有限公司

Corporate devices (Supervised)

Hide and prevent the launch of the DeepSeek – AI Assistant app

The most effective way to block an app on supervised iOS/iPadOS devices is to block the app from being shown or being launchable.
- Create a new device configuration profile and select Settings Catalog for the profile type. (Devices > iOS/iPadOS > Configuration profiles).
- On the Configuration settings tab, select Add settings and search for Blocked App Bundle IDs.
- Select the Restrictions category and then select the checkbox next to the Blocked App Bundle IDs setting.
- Enter the Bundle ID: com.deepseek.chat
- Assign the policy to either a device or user group.
Note: The ability to hide and prevent the launch of specific apps is only available on supervised iOS/iPadOS devices. Unsupervised devices, including personal devices, can’t use this option.

Uninstall the DeepSeek – AI Assistant app

If a user has already installed the app via the Apple App Store, even though they will be unable to launch it when the previously described policy is configured, it’ll persist on the device. Use the steps below to automatically uninstall the app on devices that have it installed. This policy will also uninstall the app if it somehow gets installed at any point in the future, while the policy remains assigned.
- Navigate to Apps > iOS/iPadOS apps.
- Select + Add and choose iOS store app from the list.
- Search for DeepSeek – AI Assistant and Select.
- Accept the default settings, then Next.
- Modify the Scope tags as required.
- On the Assignments tab, under the Uninstall section, select + Add group or select + Add all users or + Add all devices, depending on your organization’s needs.
- Click the Create button on the Review + create tab to complete the setup.
- Monitor the status of the uninstall by navigating to Apps > iOS/iPadOS, selecting the app, and then selecting Device install status or User install status. The status will change to Not installed.

Personal Devices – Bring your own device (BYOD)

Admins have fewer options to manage settings and apps on personal devices. Apple provides no facility on unsupervised (including personal) iOS/iPadOS devices to hide or block access to specified apps. Instead, admins have the following options:
1. Use an Intune compliance policy to prevent access to corporate data via Microsoft Entra Conditional Access (simplest and quickest to implement).
2. Use a report to identify personal devices with specific apps installed.
3. Take over the app with the user’s consent.
4. Uninstall the app.

This guide will focus on option 1.
For further guidance on the other options refer to: Support tip: Removing and preventing the use of applications on iOS/iPadOS and Android devices.

Identify personal devices that have DeepSeek – AI Assistant installed and prevent access to corporate resources

You can use compliance policies in Intune to mark a device as either “compliant” or “not compliant” based on several properties, such as whether a specific app is installed. Combined with Conditional Access, you can now prevent the user from accessing protected company resources when using a non-compliant device.
- Create an iOS/iPadOS compliance policy, by navigating to Devices > iOS/iPadOS > Compliance policies > Create policy.
- On the Compliance settings tab, under System Security > Restricted apps, enter the name and app Bundle ID and select Next.
  Name: DeepSeek – AI Assistant
  Bundle ID: com.deepseek.chat
- Under Actions for noncompliance, leave the default action Mark device noncompliant configured to Immediately and then select Next.
- Assign any Scope tags as required and select Next.
- Assign the policy to a user or device group and select Next.
- Review the policy and select Create.

Devices that have the DeepSeek – AI Assistant app installed are shown in the Monitor section of the compliance policy. Navigate to the compliance policy and select Device status, under Monitor > View report. Devices that have the restricted app installed are shown in the report and marked as “Not compliant”.

When combined with the Require device to be marked as compliant grant control, Conditional Access blocks access to protected corporate resources on devices that have the specified app installed.

Android devices

Android Enterprise corporate owned, fully managed devices

Admins can optionally choose to allow only designated apps to be installed on corporate owned fully managed devices by configuring Allow access to all apps in Google Play store in a device restrictions policy.
If this setting has been configured as Block or Not configured (the default), no additional configuration is required as users are only able to install apps allowed by the administrator.

Uninstall DeepSeek

To uninstall the app, and prevent it from being installed via the Google Play Store perform the following steps:
- Add a Managed Google Play app in the Microsoft Intune admin center by navigating to Apps > Android > Add, then select Managed Google Play app from the drop-down menu.
- Search for DeepSeek – AI Assistant in the Search bar, select the app in the results and click Select and then Sync.
- Navigate to Apps > Android and select DeepSeek – AI Assistant > Properties > Edit next to Assignments.
- Under the Uninstall section, add a user or device group and select Review + save and then Save.

After the next sync, Google Play will uninstall the app, and the user will receive a notification on their managed device that the app was “deleted by your admin”:

The Google Play Store will no longer display the app. If the user attempts to install or access the app directly via a link, the example error below is displayed on the user’s managed device:

Android Enterprise personally owned devices with work profile

For Android Enterprise personally owned devices with a work profile, use the same settings as described in the Android Enterprise corporate owned, fully managed devices section to uninstall and prevent the installation of restricted apps in the work profile.

Note: Apps installed outside of the work profile can’t be managed by design.

Windows devices

You can block users from accessing the DeepSeek website on Windows devices that are enrolled into Microsoft Defender for Endpoint. Blocking users’ access to the website will also prevent them from adding DeepSeek as a progressive web app (PWA). This guidance assumes that devices are already enrolled into Microsoft Defender for Endpoint.
Using Microsoft Defender for Endpoint to block access to websites in Microsoft Edge

First, Custom Network Indicators needs to be enabled.

Note: After configuring this setting, it may take up to 48 hours after a policy is created for a URL or IP Address to be blocked on a device.
- Access the Microsoft Defender admin center and navigate to Settings > Endpoints > Advanced features and enable Custom Network Indicators by selecting the corresponding radio button.
- Select Save preferences.

Next, create a Custom Network Indicator.
- Navigate to Settings > Endpoints > Indicators and select URLs/Domains and click Add Item.
- Enter the following, and then click Next:
  URL/Domain: https://deepseek.com
  Title: DeepSeek
  Description: Block network access to DeepSeek
  Expires on (UTC): Never
- You can optionally generate an alert when a website is blocked by network protection by configuring the following and click Next:
  Generate alert: Ticked
  Severity: Informational
  Category: Unwanted software
  Note: Change the above settings according to your organization’s requirements.
- Select Block execution as the Action and click Next, review the Organizational scope and click Next.
- Review the summary and click Submit.

Note: After configuring the Custom Network Indicator, it can take up to 48 hours for the URL to be blocked on a device.

Once the Custom Network Indicator becomes active, the user will experience the following when attempting to access the DeepSeek website via Microsoft Edge:

Using Defender for Endpoint to block websites in other browsers

After configuring the above steps to block access to DeepSeek in Microsoft Edge, admins can leverage Network Protection to block access to DeepSeek in other browsers.
- Create a new Settings Catalog policy by navigating to Devices > Windows > Configuration > + Create > New Policy and selecting the following then click Create:
  Platform: Windows 10 and later
  Profile type: Settings Catalog
- Enter a name and description and click Next.
- Click + Add settings and in the search field, type Network Protection and click Search.
- Select the Defender category and select the checkbox next to Enable Network Protection.
- Close the settings picker and change the drop-down selection to Enabled (block mode) and click Next.
- Assign Scope Tags as required and click Next.
- Assign the policy to a user or device group and click Next.
- Review the policy and click Create.

When users attempt to access the website in other browsers, they will experience an error that the content is blocked by their admin.

macOS

macOS devices that are onboarded to Defender for Endpoint and have Network Protection enabled are also unable to access the DeepSeek website in any browser as the same Custom Network Indicator works across both Windows and macOS. Ensure that you have configured the Custom Network Indicator as described earlier in the guidance.

Enable Network Protection

Enable Network Protection on macOS devices by performing the following in the Microsoft Intune admin center:
- Create a new configuration profile by navigating to Devices > macOS > Configuration > + Create > New Policy > Settings Catalog and select Create.
- Enter an appropriate name and description and select Next.
- Click + Add settings and in the search bar, enter Network Protection and select Search.
- Select the Microsoft Defender Network protection category and select the checkbox next to Enforcement Level and close the Settings Picker window.
- In the dropdown menu next to Enforcement Level, select Block and select Next.
- Add Scope Tags as required and select Next.
- Assign the policy to a user or devices group and select Next.
- Review the policy and select Create.

The user when attempting to access the website will experience the following: http://www.deepseek.com showing error: This site can't be reached

Conclusion

This blog serves as a quick guide for admins needing to block and remove specific applications on their Intune managed endpoints in regulated organizations.
Additional guidance for other mobile device enrollment methods can be found here: Support tip: Removing and preventing the use of applications on iOS/iPadOS and Android devices.

Additional resources

For further control and management of user access to unapproved DeepSeek services, consider utilizing the following resources. This article provides insights into monitoring and gaining visibility into DeepSeek usage within your organization using Microsoft Defender XDR. Additionally, our Microsoft Purview guide offers valuable information on managing AI services and ensuring compliance with organizational policies. These resources can help enhance your security posture and ensure that only approved applications are accessible to users.

Let us know if you have any questions by leaving a comment on this post or reaching out on X @IntuneSuppTeam.

19K Views, 4 likes, 4 Comments

SMS Texting and syncing through Office 365
Before I switched from Comcast Business Exchange Account, I was able to set something in my Android phone to sync SMS messages to my Exchange account. Now that I use Office 365 Email for Business, I can't figure out how to set my Android 7 phone (Samsung S8) to continue syncing my SMS messages to my Office 365 Business email account. The usual methods of going to "setting" on the phone don't work. How do I link the two together again?

14K Views, 1 like, 3 Comments

New policy implementation and web enrollment for Android personally owned work profile
We’re happy to announce two improvements for the management of Android personally owned work profile devices with Microsoft Intune, which will be released later this year.
- A new implementation for how Intune delivers policies to devices
- Web based enrollment

These updates modernize how Microsoft Intune manages devices and improve the enrollment flow. Action may be required by you as we move to the new implementation. Keep reading to understand what’s changing, actions, and timelines you need to know.

What’s changing

New implementation

We’re finalizing our work on moving the Android personally owned work profile implementation to the latest and greatest available – Google’s Android Management API (AM API). It has been almost a decade since Intune released support for Android personally owned work profile management. At that time, we accomplished this by building a custom device policy controller (DPC), in the form of the Intune Company Portal app. A lot has changed since then. Google released AM API and its companion app, Android Device Policy, which enforces AM API policy on devices. This is now Google’s recommended implementation, which we used to deliver the three corporate Android Enterprise management methods: corporate owned work profile, fully managed, and dedicated. Google no longer recommends use of custom DPCs and they’re deprecating associated functionality.

The benefits of moving personally owned work profile management to AM API include:
- Faster release of new features across all four Android Enterprise management options.
- Consistent behaviors across all four Android Enterprise management options.
- The Microsoft Intune app will replace the Company Portal app as the user app (to manage devices, contact their IT department, collect logs, and more), providing an updated user experience and aligning it with the corporate Android Enterprise management options.
- Enables Intune to support the latest Android platform management capabilities, which are unavailable with custom DPC implementations.

Web based enrollment

The move to AM API also enables us to build a web-based enrollment flow for personally owned work profile devices, similar to web based device enrollment for iOS. The benefits of this include:
1. Users don’t need to manually install an app to start Intune enrollment since they can start enrollment from a webpage instead.
2. Users can access enrollment from any of the four different entry points which all launch the same webpage:
   - Productivity apps (when the user is required to enroll before accessing corporate resources)
   - The Company Portal app
   - The Microsoft Intune app (new!)
   - A URL (new!)
   This gives you more options for how to guide your users to get set up.
3. Android enrollment is more consistent with the iOS web-based enrollment flow.

How to configure and monitor

Web based enrollment

We will release a new setting that will allow you to switch your tenant to the new web-based enrollment for all personally owned work profile enrollments going forward. We recommend that you configure this in a test tenant first, try out and document the user flow, and prepare your helpdesks accordingly before opting in on your main tenant. Once you opt in, there isn’t an option to opt out. In 2026, we’ll automatically configure all personally owned work profile enrollments across all tenants to be web enrollments.

New implementation

Devices enrolled before web-based enrollment releases aren't immediately impacted by the new implementation. We’ll release a new setting that allows you to migrate device groups to the new implementation. As a best practice, we encourage admins to evaluate migrating a smaller device set before migrating all devices. Before moving devices to the new implementation, you may want to email users or configure custom notifications to inform them of what to expect.
In 2026, we’ll automatically migrate all remaining devices using the custom DPC implementation over to the new AM API implementation.

Monitoring

There’ll be a new report that will show how many personally owned work profile devices are on the new implementation, how many still need to move, how many are targeted and pending moving (since it may roll out over hours or days), and how many attempted to move but hit an error. Using this new report, you can see which devices are in each state.

How this will affect your users

Web based enrollment

After you opt in to web based enrollment or after it is changed to the default for all in 2026, all devices (on all Android OS versions) will enroll with the web based flow. Their devices will be managed with AM API. After enrollment, Intune will install a few apps automatically to ensure streamlined management.
- Microsoft Intune: User-facing app to manage devices, contact the IT department, collect diagnostic logs, and more.
- Company Portal: For mobile app management (MAM).
- Android Device Policy: To enforce AM API policies. This app is installed in a “hidden” state, so users don’t see it in their app list and can’t launch it.
- Microsoft Authenticator: To provide single sign on for users’ work account.

New implementation

When a device is moved to the new implementation (either through admin configuration or the later automatic move), devices won’t unenroll and users won’t lose access to corporate resources. Moving enrolled devices to the new implementation will be supported on any device running supported Android OS versions for user-based management methods at that time. The changes on the device will be:
- The Microsoft Intune app will install, and it will be the app for users to interact with instead of the Company Portal. Users will not see a notification about this app installing.
- The Android Device Policy app will install to enforce policies.
Users will not see a notification about this app installing and it will be in a “hidden” state on their device.
- If a device connected to corporate Wi-Fi with username and password authentication, when they move to AM API, they will lose access to corporate Wi-Fi until they sign in to the corporate Wi-Fi again. To avoid any potential disruption, we encourage you to move to certificate Wi-Fi authentication instead (as mentioned below).

Timeline

We'll update these timelines to provide more specific timeframes in the coming months.
- First half of 2025: Use this time to revise any relevant policy configurations, update your internal documentation, and prepare your helpdesk teams, as advised below.
- Second half of 2025: You’ll be able to opt in for all enrollments of personally owned work profile devices to be web-based enrollments on AM API. You’ll be able to set a configuration policy to migrate groups of previously enrolled devices over to the new implementation.
- First half of 2026: All enrollments will be web enrollments for devices running all Android OS versions. All devices still on the custom DPC implementation and running supported Android OS versions for user-based management methods at that time will be automatically moved over to AM API.

How to prepare

We recommend you make these changes to prepare for the upcoming release and provide the most streamlined experience for users.
- Replace custom policies: Intune is ending support for custom configuration policies for personally owned work profile devices with Intune's April (2504) service release. Custom policies are not supported in the new implementation. Replace all custom policies with equivalent policies using this setting mapping.
- Certificate authentication for Wi-Fi: If you’re using username and password authentication for Wi-Fi policies, we strongly encourage you to move to certificate authentication instead.
Devices that are connected to corporate Wi-Fi with username and password authentication will lose access to corporate Wi-Fi when they are moved to AM API until the user signs into the corporate Wi-Fi network again. Devices using certificate authentication for Wi-Fi won’t lose access, and it’s also a more secure authentication method.
- Evaluate biometric configuration: Devices on the new implementation won’t apply policies that prevent users from using face, fingerprint, iris, or trust agent to unlock their device. However, policies that prevent this at the work profile level are still supported. If you have this configured at the device level, consider blocking face, fingerprint, iris, and trust agents at the work profile level to protect work resources in an equivalent way.
- Review enrollment restrictions: In enrollment restrictions (also referred to as device platform restrictions) the “Android Enterprise (work profile)” restriction for personally owned work profile devices has a setting to Allow or Block “Personally owned” devices. This configuration will not apply to devices on AM API and the setting will be removed from the Intune admin center in the first half of 2026 when devices are moved to AM API. As communicated in the Intune Android 12 blog, this setting does not work reliably on devices running Android 12 and later. Conceptually, personally owned work profile management is meant for personal devices, so blocking personal devices from enrolling and only allowing corporate devices isn’t recommended. If you currently have the “Personally owned” setting set to Block for personal work profile devices, you should plan an alternate way for blocking these devices. Options include using a corporate management method instead (such as corporate owned work profile) or configuring the personal work profile enrollment restriction to block enrollments for all users except for users in a specified group.
- Update Android OS: Intune currently supports Android 10 and later on personally owned work profile devices and plans to maintain support for the four most recent Android versions going forward. We recommend you guide users to update to their device’s latest supported Android version for the best experience.
- Helpdesk preparation: Inform your helpdesk teams of these coming changes so they know what to expect. For devices on the new implementation, diagnostic logs are collected using the Microsoft Intune app (instead of the Company Portal). We’ll publish more information about the new enrollment flow before it’s released so you can prepare. Plan to update any user instructions you have once we release the web-based enrollment flow and devices are managed with the new implementation.
- iOS web based enrollment: We recommend you consider setting up web based device enrollment for iOS now or when we release Android web based enrollment for a more consistent and improved user experience.

Changes to be aware of

A few defaults will change as part of the move to the new implementation.
- Required app installation behavior: In the custom DPC implementation, users can uninstall required apps, but they are reinstalled automatically within a few hours. In the new implementation, users won’t be able to uninstall required apps from their device, which is the same experience as on corporate Android Enterprise devices.
- Caller ID and contact search: In the custom DPC implementation, the settings to “Display work contact caller-id in personal profile” and “Search work contacts from personal profile” are two independent settings. In AM API, they are controlled with a single setting. If you have blocked either, Intune automatically blocks both for devices on the new implementation. Intune will update the policy user interface to have a single setting once all devices are on the new implementation.
Screen timeout: In the custom DPC implementation, you can configure screen timeouts either for the full device or for the work profile under “Maximum minutes of inactivity until work profile locks.” In AM API, you can only configure this at the work profile level. Intune will set this to the lesser of the two when devices move to the new implementation. We will remove the device level setting from policies when all devices are on AM API.
Work profile password: AM API doesn’t support password requirements at the work profile level for devices on Android 11 and earlier. Because of this, any devices on Android 11 and earlier that have configuration or compliance policies that set a password requirement at the work profile level that web enroll or move to AM API will have their work profile level password requirement applied at the device level to ensure corporate data is protected. If the device also has a device level password requirement, Intune will compare it with the work profile level password requirement and apply whichever is the most restrictive requirement at the device level. For the smoothest user experience, consider guiding users to update their devices to Android 12 or later or revise your policies for devices on Android 11 and earlier to set device level password requirements rather than work profile level password requirements.
TeamViewer support: For devices on the new implementation, support for using TeamViewer to remotely administer devices will be added in the first half of 2026 when all devices are moved to the new implementation. If you opt in to web enrollment or move devices to the new implementation before that time, you will not be able to use TeamViewer on those devices until the first half of 2026. TeamViewer will continue working for devices on the custom DPC implementation.
Stay tuned to this blog for updates! If you have any questions or feedback on this change, leave a comment on this post or reach out on X @IntuneSuppTeam.
Post updates
02/19/25: Updated the Timeline and How this will affect your users + New Implementations sections.
04/08/25: Updated these sections: How to configure and monitor, How this will affect your users, Timeline, How to prepare, and Changes to be aware of.
04/09/25: Updated the Changes to be aware of section to include details about TeamViewer supportability.
From the frontlines: Frontline worker management with Microsoft Intune
So, here we are. You’ve been asked to start managing frontline devices for your organization with Intune. You may be a pro with Intune management - with experience managing Windows devices, personal mobile devices, or corporate-owned productivity user based mobile devices. Maybe you just completed your migration efforts from another product to Intune for some portion of your device estate. Or this may be your first interaction with Intune. Regardless of where you’re starting from, managing frontline worker devices in Intune is simple, and you can even leverage existing Intune policies you already configured. So, get out that rugged bar code scanner, Android tablet, kiosk device, shared iPad, wearable device, or any other frontline worker device and let’s get started! My name is Dan Andersen, Principal PM Manager at Microsoft. My team partners directly with engineering to assist in product development and our worldwide team has assisted over 1,800 enterprises successfully onboard their device scenarios into Intune. In this post I’m introducing a blog series focused on frontline worker (FLW) device management. Why focus on FLW? This space represents a multitude of devices and use-cases that have enabled frontline workers, and we’ve worked with others like you to craft great FLW solutions. We will use this series to share these solutions and options with you and hopefully make your FLW journey with Intune seamless and exciting. Before getting into the series, if you’re looking for some background on FLW usage examples, check out the Microsoft Intune Blog: Microsoft Intune empowers frontline workers in retail and beyond. Throughout this year we’ll deliver monthly blogs delving into FLW use-cases and how to manage these devices. We’ll dive into key scenarios and explain how to approach them and at times, specifically how to configure them. 
Instead of rewriting product documentation, we’ll include links to more details when applicable, and keep the posts focused on enabling success. Each blog post will be published here in the Microsoft Intune Customer Success blog and include “From the Frontlines:” in the title for easy searching. For quick reference, we’ll keep this table updated as we publish the series, so stay tuned here or follow us @IntuneSuppTeam on X for more in the coming months!
Blog Topics | Publish date
From the frontlines: Revolutionizing healthcare worker experience | February 28, 2025
From the frontlines: Accelerating retail worker shared device experience (Part one) | March 25, 2025
From the frontlines: Accelerating retail worker shared device experience (Part two) | April 23, 2025
From the frontlines: Accelerating retail worker shared device experience (Part two)
By: Vignesh Mitsume – Sr Product Manager | Microsoft Intune
Welcome to part two of "Accelerating retail worker shared device experience." In Part one, we explored how Intune empowers frontline workers by enabling shared device usage among associates in a 24/7 retail business environment, with enhanced productivity and security. Now, we'll dive into how Intune optimizes the management of devices running multiple apps that are utilized by both associates and customers.
I'm Vignesh Mitsume, and in my previous roles, I’ve had the privilege of working with leading companies in the beverage and other retail industries. In these roles, I collaborated closely with sales and marketing teams, addressing their system, infrastructure, and reporting requirements as they interacted with supermarkets and convenience stores. In this blog, I'll be sharing some of my experiences with customer scenarios.
Technology's evolution in retail: The rise of shared devices
The retail industry has undergone a significant digital transformation, with technology playing a pivotal role in streamlining operations and enhancing customer experiences. Historically, retail operations were fragmented, with separate systems for employees and customers. Today, modern kiosks, tablets, and smart screens are bridging this gap, enabling self-service ordering, inventory tracking, and real-time assistance—all from a single device. Whether it's self-checkout stations in grocery stores, smart fitting rooms in fashion retail, or digital vending machines in the beverage industry, shared devices have become the backbone of efficient retail operations. Many of these devices operate on either the Android or iOS platform.
Today, we'll explore how Contoso Eateries and Contoso Pastries, which are competitors in integrating technology into their business practices, are using Intune to efficiently manage their dedicated devices by enabling multi-app kiosk modes for both platforms.
This strategy aids their frontline workers in effectively managing business operations.
Scenario 1 – Contoso Eateries
Contoso Eateries is a chain of eateries that aims to deploy Android tablets in their stores. Each store will have one tablet used as a point of sales (POS) device for billing customers, managing inventory, and placing restock orders from the central distribution warehouse by the store manager. The IT admin team wants to manage these devices centrally and restrict access to any other apps.
To achieve this, the IT admin team first creates a Microsoft Entra security group for grouping and targeting the devices and leveraging enrollment time grouping (new for Android in our April 2025 release). Once the assignment group is ready, they create Android Enterprise dedicated devices with the default token type, corporate-owned dedicated device (Fig. 1), which enrolls the device without any user affinity.
Note: Microsoft Entra security dynamic device groups can be created based on the enrollment profile name; however, static groups that use enrollment time grouping will expedite app and policy provisioning during device enrollment.
Fig. 1 – Setting up an Android Enterprise corporate-owned dedicated device.
Next, they add the POS and organization specific inventory management applications from the Managed Google Play Store, along with the Microsoft Managed Home Screen application. These apps are assigned to the groups created earlier specifically for the devices enrolled using the Android Enterprise dedicated device enrollment profile (Fig. 1).
After the applications are added and assigned, they restrict the device functionality to allow only the use of POS and organization specific inventory management applications. This is done by creating a device restriction configuration profile to set up the device into multi-app kiosk mode (Fig. 2), which ensures users can only access the applications placed in the Microsoft Managed Home Screen.
This configuration profile is then assigned to the Microsoft Entra device group previously created.
Fig. 2 – Configuration profile to restrict device as dedicated multi-app kiosk devices.
In addition to the mandatory configuration, Contoso Eateries wants to customize their Managed Home Screen experience. Therefore, they also create an app configuration policy for their Managed Home Screen.
Result: The device is restricted to POS and organization specific inventory management applications within the managed home screen (Fig. 3). Contoso Eateries will keep the POS application open for customer self-checkout, while using the organization specific inventory management application to replenish stocks during non-business hours.
Fig. 3 – Personalized user experience on an Android device.
Scenario 2 – Contoso Pastries
Contoso Pastries aims to provide a similar experience for their frontline workers and customers as Contoso Eateries, but with iPads instead of Android tablets. The Contoso Pastries IT admin team wants to manage these devices centrally and restrict access to any other apps. Contoso Pastries gets all their iPads from an Apple Authorized Reseller, ensuring that all devices are added to their Apple Business Manager (ABM) account by the reseller, with supervised mode enabled by default.
Note: If ABM is not available, then Apple Configurator can also be used to enable supervised mode to achieve the requirements.
To comply with Contoso Pastries’ requirements, the HQ IT team creates an enrollment profile to enroll the devices without user affinity. Then, they create a device filter (Fig. 4) to filter for devices enrolled using this profile.
Fig. 4 – Device filter for specified enrollment profile.
Next, they add their line-of-business POS app and organization specific inventory management applications to Intune and assign to all devices using the above created device filters (Fig. 5).
This avoids the processing delay of dynamic device groups and reduces management overhead associated with creating and maintaining multiple security groups.
Fig. 5 – Assigning to all devices along with device filters.
For iOS/iPadOS devices, they’ll configure the entire device to function like a managed home screen by removing unwanted apps and retaining only the required ones. As a first step, they allow only the Contoso POS and organization specific inventory management applications by configuring a device restriction profile (Fig. 6).
Fig. 6 – Device restriction profile.
To further customize the home screen appearance and dock configuration, the admin creates a device features configuration profile and adds the necessary apps accordingly (Fig. 7).
Fig. 7 – Device features configuration profile in the Microsoft Intune admin center.
Result: Once the device is dispatched to the stores and the store manager turns it on, the device is enrolled into Intune with all the specified configurations applied. The device is then restricted to POS and organization-specific inventory management applications (Fig. 8). This setup ensures that the POS application remains open for customer self-checkout, while the organization-specific inventory management application is used for stock replenishment during non-business hours.
Fig. 8 – Personalized user experience on an iPad.
With Intune, frontline worker scenarios in the retail industry can be managed effectively, ensuring that both associates and customers benefit from streamlined operations and enhanced user experiences. As demonstrated by Contoso Eateries and Contoso Pastries, Intune's capabilities in managing dedicated devices, whether on Android or iOS/iPadOS platforms, provide a robust solution for modern retail environments.
By leveraging features such as multi-app kiosk modes and customized home screen configurations, businesses can maintain control over their devices while empowering their frontline workers to perform their tasks efficiently. By adopting Intune, organizations can ensure that their frontline workers are equipped with the right tools to handle business operations seamlessly, ultimately driving productivity and customer satisfaction.
Please refer to the following documentation for more guidance:
For information on how to set up Android dedicated devices refer to: Enroll Android Enterprise dedicated devices in Intune
To find more information on Managed Home Screen and how it can improve the user experience refer to: Configure the Microsoft Managed Home Screen app
If you’d like to learn more about enrolling iOS/iPadOS using Apple Business Manager refer to: Set up automated device enrollment (ADE) for iOS/iPadOS
To learn about filters refer to: Using Filters in Intune
Stay tuned for more interesting content in this blog series; we’re keeping the initial blog updated with each posting for your reference: From the frontlines: Frontline worker management with Microsoft Intune.
If you have any questions or want to share how you’re using frontline devices in Intune, leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune. You can also connect with us on LinkedIn: aka.ms/IntuneLinked
Some extensions don't work on Android Edge Canary when returning to the app
I am using Edge Canary and have installed several extensions through the developer options, but some of the extensions are not working when I resume from the background. The extensions that don't work seem to be automatically disabled internally, so I can disable them from the extension options and then re-enable them to use them again. (However, in the latest Canary build, if this problem occurs, the app crashes when I try to open the extension options.) This issue occurs with uBlock Origin, Stylus, etc., and probably occurs with the Manifest V2 extension. This issue occurs on multiple devices and occurs even after reinstalling, so it is not device-dependent.