Forum Discussion
Fleet device settings
We have hundreds of frontline devices that are impacted by a change in MS-Authenticator behavior. We found that on individual devices we could change
Accessibility > Advanced Settings > Time to Take Action > 10 seconds
and the issue was resolved.
All devices are Work Managed in WS1 UEM. Is there a way to use Custom Settings profile to set this on devices?
I also looked at possibly using a simple app to pull up the setting for the user. I have seen other apps do this type of operation. But I cannot find a way to get the information to populate for the intent. Using adb I was able to see what it called each screen in Settings but it was always generic and not specific.
com.android.settings.Subsettings, com.android.settings.spa.SpaActivity.
Lookout for an OEM config app for your devices (vendor specific) if they provide that relevant setting.
I also recommend to ask MS why this is now necessary to be set in order to work and/or if this is most likely "only" a bug.
Thank you for the reply.
Yes, I checked KNOX Service Plugin - no luck. I also reached out to KNOX directly and they do not.
I have worked in MDM [WS1] for many years and doubted this could be done. It frustrates me that Android creates a Work Managed mode, has this notion of a Custom Settings profile - yet still full remote settings are not possible. I figured it was worth posting to see if there may be some way to leverage Custom Settings that I just wasn't aware of.
As far as MS. It's really just a behavior change - the functionality is still there. And with the settings set correctly the MS-Authenticator pop-up is accessible. Doubt that would be treated as a bug.
I fully agree and think i mentioned it in the community also already several times.
Default oem settings should be by 100% being able to be set remotely on a fully managed device.
Vendor specific ones ofc then on oem config apps from them.
But i fear that this dream will always stay and not come true...
I agree as well but I have to say if you have Knox AND WS1 right now you are already way better off than if you were using a random manufacturer and a less feature rich EMM like Intune. The Knox+WS1 combo will provide you with way more device level configurability even if this one particular configuration option isn't available.
Also, why be upset at the lack of configurability of this option versus the alternative of being upset at Microsoft for forcing a change to Authenticator and being upset at Google for force updating the Authenticator app through Play without giving you better version control over the roll out. Imagine if you had been able to test the new version of that app and then prevent the roll out from occurring to your devices until you have the mediation in place. Google Play sadly does not provide us with those levels of version control. In situations like this I'm not frustrated by WS1 or Samsung for not providing me with a way to plug a recently sprung leak. I'm frustrated at Google and Microsoft for causing the leak in the first place.
Thank you for the reply. I agree.
I understand that it is Android protecting themselves from admins changing configs in unpredictable ways. Or creating complex problems that cannot be untangled. Still - makes it frustrating when you have one largely siloed setting that you want to change. In this case I just want any notification to stay on the screen long enough for a human being to respond to it. Its simple to do on any 1 device...but we have hundreds.
What I do not get is how this can't be pulled up by an internal app for the user to change the setting manually. Still would require user action to set it - program could just make it so the user didn't have to "find" the setting. From what I can see there is no way to take the user to "Time to take action" directly.Yea, agreed. The real answer here is that there is a QA team internally for an internal app that we push. This App plus MS-Authenticator is required because the app accesses MS-EntraID and requires MFA [thus Authenticator]. That is really where this should have been caught. I am a contractor with this company, but I think that this is my only real path here. I appreciate any feedback you guys can give me if you disagree that this is about the best way to approach.
1. Put all Prod devices to defer OS Updates for 30 days [System Update profile]
2. All QA devices set to install Updates automatically.
3. All Prod assign MS-Authenticator set to Postpone 90 Days4. All QA devices MS-Authenticator set to High Priority
5. QA needs to test on-going basis with devices on all active Android OS versions in Production [get that information from Intelligence reporting]
It does nothing to alleviate the current pain [manually setting on devices]. I think this is the best way to prevent future occurrences in the field - but it'll require QA buy-in.
Is there a way to use Custom Settings profile to set this on devices?
The Custom Settings Profile in WS1 UEM has a rather specific purpose.
WS1 UEM sends configurations (/profiles) as XML data to the CustomDPC (“Hub”). The Hub then applies the configuration to the device using the appropriate APIs.
These XML data can be edited manually using the custom settings. This is usually used when new functions have been implemented in Hub but cannot yet be configured with the WS1 UEM interface.
The custom settings can therefore only be used to set settings that are explicitly built into the Hub. Unfortunately, it is not possible to change individual system settings.
Thank you for that reminder. I actually worked at VMware 10 years+ and knew this - but had totally forgotten that was custom settings purpose.
