Forum Discussion

tomexum
Level 1.6: Donut
24 days ago

Fleet device settings

We have hundreds of frontline devices that are impacted by a change in MS-Authenticator behavior. We found that on individual devices we could change 

Accessibility > Advanced Settings > Time to Take Action > 10 seconds

and the issue was resolved.

All devices are Work Managed in WS1 UEM. Is there a way to use Custom Settings profile to set this on devices?

I also looked at possibly using a simple app to pull up the setting for the user. I have seen other apps do this type of operation. But I cannot find a way to get the information to populate for the intent. Using adb I was able to see what it called each screen in Settings but it was always generic and not specific.

com.android.settings.Subsettings, com.android.settings.spa.SpaActivity.

  • Moombas
    Level 4.1: Jelly Bean
    23 days ago

    Look out for an OEM config app for your devices (vendor specific) if they provide that relevant setting.

    I also recommend asking MS why this now needs to be set in order to work and/or if this is most likely "only" a bug.

  • tomexum
    Level 1.6: Donut
    23 days ago

    Thank you for the reply.

    Yes, I checked KNOX Service Plugin - no luck. I also reached out to KNOX directly and they do not. 

    I have worked in MDM [WS1] for many years and doubted this could be done. It frustrates me that Android creates a Work Managed mode, has this notion of a Custom Settings profile - yet still full remote settings are not possible. I figured it was worth posting to see if there may be some way to leverage Custom Settings that I just wasn't aware of.

    As far as MS goes, it's really just a behavior change - the functionality is still there. And with the settings set correctly the MS-Authenticator pop-up is accessible. Doubt that would be treated as a bug.

    • Moombas
      Level 4.1: Jelly Bean
      23 days ago

      I fully agree and think I have already mentioned it in the community several times.

      Default OEM settings should be 100% settable remotely on a fully managed device.

      Vendor-specific ones, of course, then via OEM config apps from them.

      But I fear that this will always stay a dream and not come true...

      • mattdermody
        Level 2.2: Froyo
        23 days ago

        I agree as well, but I have to say if you have Knox AND WS1 right now you are already way better off than if you were using a random manufacturer and a less feature-rich EMM like Intune. The Knox+WS1 combo will provide you with way more device-level configurability even if this one particular configuration option isn't available.

        Also, why be upset at the lack of configurability of this option versus the alternative of being upset at Microsoft for forcing a change to Authenticator and being upset at Google for force-updating the Authenticator app through Play without giving you better version control over the rollout? Imagine if you had been able to test the new version of that app and then prevent the rollout from occurring to your devices until you have the mediation in place. Google Play sadly does not provide us with those levels of version control. In situations like this I'm not frustrated by WS1 or Samsung for not providing me with a way to plug a recently sprung leak. I'm frustrated at Google and Microsoft for causing the leak in the first place.

  • tomexum
    Level 1.6: Donut
    23 days ago

    Thank you for the reply. I agree.

    I understand that it is Android protecting themselves from admins changing configs in unpredictable ways. Or creating complex problems that cannot be untangled. Still - makes it frustrating when you have one largely siloed setting that you want to change. In this case I just want any notification to stay on the screen long enough for a human being to respond to it. It's simple to do on any 1 device...but we have hundreds.
    What I do not get is how this can't be pulled up by an internal app for the user to change the setting manually. Still would require user action to set it - program could just make it so the user didn't have to "find" the setting. From what I can see there is no way to take the user to "Time to take action" directly.

  • tomexum
    Level 1.6: Donut
    23 days ago

    Yea, agreed. The real answer here is that there is a QA team internally for an internal app that we push. This App plus MS-Authenticator is required because the app accesses MS-EntraID and requires MFA [thus Authenticator]. That is really where this should have been caught. I am a contractor with this company, but I think that this is my only real path here. I appreciate any feedback you guys can give me if you disagree that this is about the best way to approach.
    1. Put all Prod devices to defer OS Updates for 30 days [System Update profile]
    2. All QA devices set to install Updates automatically.
    3. All Prod assign MS-Authenticator set to Postpone 90 Days
    4. All QA devices MS-Authenticator set to High Priority
    5. QA needs to test on an ongoing basis with devices on all active Android OS versions in Production [get that information from Intelligence reporting]

    It does nothing to alleviate the current pain [manually setting on devices]. I think this is the best way to prevent future occurrences in the field - but it'll require QA buy-in.

  • Alex_Muc
    Level 2.3: Gingerbread
    22 days ago

    Is there a way to use Custom Settings profile to set this on devices?

    The Custom Settings Profile in WS1 UEM has a rather specific purpose.

    WS1 UEM sends configurations (/profiles) as XML data to the CustomDPC (“Hub”). The Hub then applies the configuration to the device using the appropriate APIs.

    These XML data can be edited manually using the custom settings. This is usually used when new functions have been implemented in Hub but cannot yet be configured with the WS1 UEM interface.

    The custom settings can therefore only be used to set settings that are explicitly built into the Hub. Unfortunately, it is not possible to change individual system settings.

  • tomexum
    Level 1.6: Donut
    22 days ago

    Thank you for that reminder. I actually worked at VMware 10 years+ and knew this - but had totally forgotten that was Custom Settings' purpose.