Android Enterprise General Discussions

Basic set up: Managed Google Play + Intune Devices all set up as "Corporate-owned, fully managed user devices" Policies are set to allow all apps from store and to allow other accounts to be installed on devices. GSuite individual Google accounts with corporate email addresses signed in to all devices to allow for things like Photos backup.  Problem: When migrating a user to a new device, some apps cannot be installed. When a user is signed into Google Play with their Google Account, any app that is already linked to their Google Account from their previous device (for example: WhatsApp, Samsung Notes, Translate), cannot be installed with the error "Your administrator has not given you access to this item". If I sign the user out from their Google account, install the app and then sign them in again, it all works fine, but this should not be necessary. It seems like the problem is stemming from the Play Store not liking the fact that th

hi allWe already have purchased these handsets from a Phone reseller.NOT a google zero touch / enterprise partner.is there any way we can get them onto GZT?please help 

We're experiencing an intermittent issue with Managed App Configuration on Android Enterprise devices and are looking to understand whether others have seen similar behaviour.Environment:Android Enterprise Dedicated/Fully Managed devices Honeywell devices (CT32 and EDA series) MDM: Hexnode Application: UKG Pro Mobile App configuration deployed via Managed App Configuration through Android EnterpriseIssue:From time to time, and without any obvious trigger, the UKG application appears to lose its managed configuration (tenant URL and related settings). Users are then unable to access the application as expected.What we've observed:The device remains enrolled and managed. The policy is still present within Hexnode. Other device management functions continue to work normally. Re-syncing the policy from Hexnode immediately restores the configuration and resolves the issue.The behaviour appears random, and we have not yet been able to identify a clear pattern related to device model, Android

Hello,We are looking to implement the functionality to provision eSIM profiles on devices with Android 15+. However, we encountered a telecom provider that requires the EID of the devices before providing us with the eSIM activation code.In this initial stage, we are simply trying to obtain the EIDs of all devices so that we can send them to the telecom provider and receive the eSIM activation code in return. To obtain the EID, we are using the following approach: `euiccManager.createForCardId(slot).eid` However, we are encountering this issue as noted here:*Must have carrier privileges on subscription to read EID for cardId=0 [java.lang.SecurityException: Must have carrier privileges on subscription to read EID for cardId=0]* The same issue occurs with `euiccManager.eid`.According to the documentation mentioned above, Android 15 introduced the possibility of managing eSIM profiles without requiring carrier privileges. However, it seems that the same should also app

We report the version numbers of certain apps on managed devices. I've noticed an unusual update pattern with some apps for some time now.Although we use a payload for Managed Google Play to automatically update public apps, and the affected devices are actively in use, some apps are still running old versions. Updates for some apps simply aren't being performed. The adoption rate for current versions then continues to decline over time. The cause seems to be an Android feature. Unused apps are disabled after a certain amount of time. For example, on Samsung devices, the affected apps are listed under "Deep sleeping apps" in the device's battery settings. In the app settings and in the Play Store, the apps are shown as disabled. It seems that Deep Sleep is preventing updates in Managed Google Play. The affected apps must be launched or enabled manually. In general, I think it’s fine to save device resources by turning off unused apps. But in an enterprise environment, we do want to mai

I know that some new Google Play Console accounts are able to publish apps without completing the testing requirement. However, I don't know exactly how they are doing it. I would like to understand the process and the conditions under which a new Play Console account can publish an app directly to production without going through the testing phase. in individual account

Hi all,I'm running a self-hosted Fleet MDM instance for personal/homelab use and I'm trying to enroll my own Android phone using a work profile. I've hit the "your organization has reached its usage limits" error during enrollment, despite having zero devices enrolled.Setup details:- Created a brand new Managed Google Play Accounts Enterprise via the "Sign up for Android only" path- Enterprise was created successfully- Enrollment token generated successfully- 0 devices currently enrolled- Enrollment proceeds normally — gets all the way through the work profile setup and hangs on "Updating phone" — then fails with "Your device can't be set up because your organization has exceeded its usage limits"  My use case is purely personal — I'm a hobbyist running Fleet MDM at home to manage my own devices, not building a commercial EMM product.   Is there any way to get this quota lifted for a single personal device? Is the AE Compliance team the right contact, and if so, how do I reach them?Tha

I am using Android Management API to build my own device management system. I am not an Android partner, but I integrated Android Management API into my platform.I successfully enrolled a device, and on the device side it shows as enrolled correctly. Also, in the enrollment history/logs, I can see that the device enrollment was successful.However, the problem is that the device does not appear in the active devices list/system dashboard after enrollment.So currently: The device shows as enrolled on the physical device Enrollment history/logs show successful enrollment But the device is missing from the active/managed devices list Could you please help me understand why this happens and how to resolve it?

Hi @Lizzie,We have Microsoft Intune connected to Managed Google Play since 24/06/2020 using a Gmail account. We have 468 Android devices enrolled and cannot disconnect.When we try to use the Upgrade option in Intune to migrate to a corporate domain account (*hidden), Google returns the error: "Someone at xxx.com.br has already signed up."We cannot identify who originally registered the domain on Android Enterprise side. We need Google support to either:Release/migrate the domain binding so we can reconnect properly through IntuneMicrosoft support confirmed this must be resolved on Google's side. Can you help escalate this? *Email domain hidden in line with Community Guidelines

I am very concerned about the Enhanced GPP features coming soon that are currently being piloted in other regions. https://security.googleblog.com/2023/10/enhanced-google-play-protect-real-time.html This is not a welcome feature whatsoever for the fully managed space where we have business apps written internally that are being installed on business devices, owned by that business. In no way do we want Google sitting in between deciding whether a very legitimate app written internally for an organization should be installed on devices that are purchased and owned by the same organization on fully managed devices. I would like a way to disable GPP completely, or at a minimum whitelist applications from scanning as we don't want Google interfering in the business operations.  GPP is a helpful consumer protection features but fully managed devices should have the ability to be opted in or out of the program. Otherwise GPP can incorrectly flag a mission critical app and

Hi everyone I am struggling to create an AE policy for COPE devices (in our case Samsung) to allow developers to sideload apps into the work profile for testing and debugging purposes. We are using Intune and the only policy (beside enable Development mode) which should affect this behavior is enabled: Is there anyone else who tried this already? In our scenario the app is installed via adb install into the personal and work profile. After a few seconds DPC is removing the app from the work profile… 03-17 09:56:09.195 1010307 4220 32308 I clouddpc: [PackageChangeHandlerImpl.kt:handlePackageInstalled:349] CloudDPC didn't request play to install the package com.company.staff.android.debug, and it wasn't sideloaded by CloudDPC.03-17 09:56:09.195 1010307 4220 32308 I clouddpc: [PackageChangeHandlerImpl.kt:resetReapplySchedule:457] About to schedule policy re-apply for : [blockApplicationsEnabled, playStoreMode, crossProfilePolicies, applications]03-17 09:56:09.196 10316 6724 6724 I BudsCon

As far as we have been able to determine Microsoft is not providing APK files of its applications to customers. We have a need to manage MS Edge on some devices located in China and therefore cannot use the Google Play Store or associated MDM tooling. We want to distribute the APK instead as a side-loaded app. Is there a APK provide (APK Mirror or other) that is considered ‘trustworthy’ and/or are people aware of a way to get a trusted APK of MS Edge for distribution via a MDM? 

We’re currently using a mix of Android 13 and 14 devices (specifically Zebra mobile computers). With some recent update, across all applications users see popups to perform autofill on form inputs. We’re currently using SOTI’s Mobicontrol EMM along with SOTI’s Surf browser. So this isn’t limited to Chrome.This also occurs on the Search Apps input field.Is there any way to completely disable this? It’s causing significant impact.

Looking for input from other AMAPI customers / EMM operators.We run a small managed Android fleet using Android Management API +Android Device Policy. The workflow is dedicated-device, kiosk-modeas default state, with periodic supervisor-driven transitions in andout of kiosk for short operational windows.Our pain point is latency on routine kiosk transitions. When we PATCH adevice's policyName from a non_kiosk variant to a kiosk variant, timefrom API call to device-side behaviour change varies enormously:  - Best case:  ~30 seconds (Cloud DPC awake)  - Typical:    3 to 8 minutes  - Worst seen: >4 hours (Cloud DPC asleep on idle devices, especially                on certain Vivo Funtouch builds)Verified via device.lastStatusReportTime. Cloud DPC on idle devicessimply doesn't check in often. Our own WebSocket channel delivers in<300 ms RTT, so the latency is in the Cloud DPC poll cadence, not inour code or network.What we've already done:  - Play Integrity attestation  - Stable app

Hi Community,we're running shared Android devices (1,000+) with Microsoft Managed Home Screen (MHS) enrolled via Intune in Dedicated Device mode.The Problem: Users couldn't open PDFs from within apps – the "Open with…" picker dialog never appeared, so files simply didn't open.Microsoft's suggested fix: Add the system app with package ID android to the allowed apps list in MHS and include it in the Device Restrictions policy. After deploying this app, the "Open with…" dialog started appearing correctly and PDF opening works as expected.Before we roll this out to 1,000+ devices, we have two questions:1. What exactly does enabling the android system app unlock? The package android is essentially the Android framework / core OS package. We're not sure what capabilities or UI surfaces get exposed by whitelisting it in MHS beyond the intent picker. Does it give users access to any system settings, dialogs, or functionality they shouldn't have on a kiosk/dedicated device?2. Is there a safer o

Looking for input from other AMAPI customers / EMM operators.We run a small managed Android fleet using Android Management API +Android Device Policy. The workflow is dedicated-device, kiosk-modeas default state, with periodic supervisor-driven transitions in andout of kiosk for short operational windows.Our pain point is latency on routine kiosk transitions. When we PATCH adevice's policyName from a non_kiosk variant to a kiosk variant, timefrom API call to device-side behaviour change varies enormously:  - Best case:  ~30 seconds (Cloud DPC awake)  - Typical:    3 to 8 minutes  - Worst seen: >4 hours (Cloud DPC asleep on idle devices, especially                on certain Vivo Funtouch builds)Verified via device.lastStatusReportTime. Cloud DPC on idle devicessimply doesn't check in often. Our own WebSocket channel delivers in<300 ms RTT, so the latency is in the Cloud DPC poll cadence, not inour code or network.What we've already done:  - Play Integrity attestation  - Stable app

I recently updated Android Studio to the latest version, and since the update I am unable to install any plugins from the Marketplace or from disk. Every attempt results in an error saying the plugin cannot be installed or downloaded.Here is what I have already checked: My internet connection is working normally Firewall settings are fully open for Android Studio Proxy settings are configured correctly and match Android’s recommended configuration I also tested the same process on my MacBook, and I get the exact same error I tried restarting Android Studio, invalidating caches, and reinstalling plugins manually — nothing works The issue started only after updating Android Studio   It seems like Android Studio is unable to reach the plugin repository even though the network is fine.Question: What could be causing Android Studio (on both Windows and macOS) to fail when installing plugins after an update, and what steps can I take to fix this?

dear community,some days ago i've Retired a Android COPE (Corporate owned work profile enabled) Device from Intune. In Addition, the Device record where also removed from Samsung Knox Mobile Enrollment Service.I've found out, that on the device itself under Device admins the App "Enrollment Service" is in place and cannot be deactivated.Samsung Support told me already, that "Enrollment Service" is not coming from them, this comes from MDM System.Microsoft Support (what a surprise) had absolutely no idea what im talking about.Now, i want to try my luck here in Android Enterprise community.Did someone else had this Situation, especially with Intune?Google Statement about Retire (RELINQUISH_OWNERSHIP)https://developers.google.com/android/management/deprovision-device#relinquish_ownership_commandIn my point of view, the Device should be fully personal after that action.But when a Device Admin App is still in place which cannot be deactivated, this is then weird.For example: If user, who ca

We are observing an issue with Android Management API Lost Mode state synchronization.Issue Summary: When Lost Mode is exited manually by the user on the device (by entering the correct device password/PIN), the device successfully exits Lost Mode locally. However, the Android Management API device resource continues to report the device state as LOST.Environment:Android Management API Android Device Policy Lost Mode initiated using START_LOST_MODE command Device owner / fully managed deviceSteps to Reproduce:Issue START_LOST_MODE command using Android Management API. Device successfully enters Lost Mode. Verify device resource state changes to: "state": "LOST" On the device, manually unlock Lost Mode using the correct device password/PIN. Device exits Lost Mode successfully on the device UI. Fetch device resource again using: enterprises.devices.getObserved Behavior:Device UI exits Lost Mode successfully. However, API response still returns: "appliedState": "LOST" Issuing STOP_LOST_MO

Android Enterprise managed Play application deployment issue observed recently:In multiple deployments, managed applications are correctly approved, assigned, and synced to devices, but installation intermittently fails on select devices with errors related to missing or invalid install IDs (“No install ID found”).Behavior observed: Same application installs successfully on some devices within the same policy/group Affected devices remain stuck in pending/not installed state Policies, compliance, and Play configuration appear correct Issue appears intermittent and difficult to reproduce consistently Troubleshooting already performed: Clearing Google Play Store and Google Play Services data Republishing applications Re-adding apps from Managed Google Play Refreshing/re-syncing devices Reprovisioning affected devices Android bug reports have now been collected from impacted devices for deeper analysis.Interesting edge case because the deployment request successfully reaches

I created a custom dpc and was testing it . In order to validate the frp i did a factory reset on my device from the boot menu . I got a lock at the top asking for the device owner's mail id . It entered it.But it kept on saying " please sign in with on of the owner's account for this device"I mean how can it be wrong it is hard coded in my dpc code. I am really annoyed would really appreciate some help . P.S. -> The phone was mint stock didnt had any mail id set, before installing the dpc.

I am currently developing an EMM using the official AMAPI. For the requirement of "eSIM silently (without user interaction) downloaded to the device and successfully activated", it is required to directly call the interface to download EISM without using an activation code. However, the activation code field in the AddEsimParams field of the AMAPI interface is a mandatory item. How can I implement this feature