Recent discussions
We have all our devices on Samsung Knox; I would like to try using Android Zero-Touch enrollment as well. Is that possible?
We got all our new company Samsung phones added into Samsung Knox. None of the distributors we work with are Android Zero Touch partners; we've asked them to join and they probably won't any time soon. I read that there's been some effort to unify Samsung Knox and Android Zero Touch, although in many cases it still seems like EMMs have better support for Android Zero Touch whereas Samsung would prefer you use their in-house EMM. We would like to try using the Android Zero Touch enrollment as well. Unlike Samsung, it seems like I can't even register my own customer account. So my questions: is there any possible way to get just a Zero Touch customer account set up, with no devices added, when none of the resellers I actually bought a device from are Android partners? Also, is there some way I could get some of our Knox enrolled devices to use Zero Touch?
Android COPE Devices randomly wiping
Hello, Recently our COPE profile in ZT is not functioning. The device will go through the enrollment, it gets registered correctly in our tenant (Entra/Intune) and we can get to the home screen just fine. However, after some time the device will receive the following notification: “Your organization has set up this device to be managed by your organization. If this is an error, contact your device’s provider. All data on the device will be deleted. Your device will automatically reset in 2 hour.” The config in ZT and the one in Intune match (token is correct and the DPC extras are fine). This profile was working up until 2 weeks ago. We’re stumped. We recreated a different COPE profiles with the required DPC extras as per Microsoft’s documentation, tried removing compliance policies and device configurations to make it a plain profile. No luck, still receives the reset notification. Phones tested: Samsung A15, Samsung A16 all running the latest Android 16OS with the latest security patch. Any help would be appreciated, thank you!
"Your administrator has not given you access to this item" - Intune issues with Google accounts and previously used apps
Basic set up: Managed Google Play + Intune Devices all set up as "Corporate-owned, fully managed user devices" Policies are set to allow all apps from store and to allow other accounts to be installed on devices. GSuite individual Google accounts with corporate email addresses signed in to all devices to allow for things like Photos backup. Problem: When migrating a user to a new device, some apps cannot be installed. When a user is signed into Google Play with their Google Account, any app that is already linked to their Google Account from their previous device (for example: WhatsApp, Samsung Notes, Translate), cannot be installed with the error "Your administrator has not given you access to this item". If I sign the user out from their Google account, install the app and then sign them in again, it all works fine, but this should not be necessary. It seems like the problem is stemming from the Play Store not liking the fact that the corporate Play Store profile is trying to install apps that the Google account has already signed in to previously. Any thoughts on fixes? Thanks.
Possible to deploy API commands via Provisioning Profiles in MDM?
Hello, We use WorkspaceONE UEM as our MDM. We sometimes use provisioning profiles to deploy commands to devices run-intents, but I'm not an expert on this subject by any means. I am curious if it is possible to use our MDM to deploy an API command to disable Factory Reset Protection. The command information is here: https://developer.android.com/reference/android/app/admin/FactoryResetProtectionPolicy I realize what a specific question this is. If I can provide more information, please let me know. Thanks in advance!2FA sign in error at Android Zero Touch portal
I am the IT admin/owner of our Android Zero Touch instance, and I am trying to log into the portal to view and interact with devices associated with our organization. Our zero touch instance is linked with our Intune tenant, and is working correctly. I keep getting the error that my sign in was rejected because it doesn't meet my organization's 2 step verification policy and to contact my IT admin for more information. I am that IT admin, and I can't login. My login information is correct, I have our account ID, and I'm just trying to get in touch with someone to help with the login. I can't even login to support portal to get help, so I had to use my personal Google account to post this.Compliance project for Android?
Hi all, For Apple (iOS/MacOS ) we use the macos security compliance project tooling (https://github.com/usnistgov/macos_security#readme) for mapping compliance guidelines. A short summary: The macOS Security Compliance Project (mSCP) is an open‑source framework that provides automated, customizable security guidance and baselines for macOS, producing documentation, audit checklists, configuration profiles, and remediation scripts. It supports major security standards, including NIST SP 800‑53, NIST SP 800‑171, DISA STIG, CNSSI 1253, CIS Benchmarks, CIS Critical Security Controls v8, CMMC 2.0 Levels 1–2, and the Netherlands BIO baseline. I haven't found such a project for Android, as anyone aware of such a project that maps security guidelines to available API's for Android Enterprise? Michel
Issue with Android Enterprise provisioning: afw#identifier invalid and Play Protect blocking app during QR enrollment
We are an organization using a third-party MDM / Device Policy Controller (DPC) solution to manage our Android Enterprise devices. The DPC application is published on Google Play and has been working for managed provisioning. Recently, we started facing issues during Android Enterprise enrollment, and we are seeking guidance on the correct and supported setup. Issues observed 1. afw#identifier enrollment When attempting enrollment using afw#<identifier>, the setup fails with errors such as invalid token, wrong setup, or unable to continue enrollment. This previously worked and now fails consistently, even though the DPC remains published on Google Play. 2. QR code–based provisioning When using QR code provisioning, the device completes initial setup but then Google Play Protect shows “App blocked by Play Protect” for the DPC. The DPC app is Play-approved and not sideloaded by end users. We have already submitted a Play Protect appeal through the official appeal form. 3. Distribution method For QR provisioning, the DPC APK is currently hosted on our own HTTPS server, and the QR includes: Device Admin component SHA-256 signature checksum Secure download location Despite this, Play Protect flags the app after provisioning. Clarifications we are seeking Are there recent changes or requirements for afw#identifier enrollment that could cause invalid token or setup errors? Does Play Protect apply additional checks during QR-based provisioning, even for Play-approved DPC apps? Is using a self-hosted APK download location still supported for Device Owner provisioning, or is Managed Google Play / Zero-Touch enrollment now required? Is there a supported way to allowlist or whitelist a legitimate enterprise DPC app so it is not blocked during provisioning? Are there recommended best practices for third-party MDM providers or enterprise customers to avoid Play Protect blocks during enrollment? We are not attempting to bypass Play Protect or supported security mechanisms. We want to ensure our Android Enterprise setup follows current Google-recommended practices and understand the correct approach going forward. Any guidance or clarification from the community or product experts would be appreciated.
