Hotaru
Level 1.5: Cupcake
2 months ago

Impact of Intune's NFC restriction setting on IC card reading and Nearby Share

Hello,

I'm managing Android Enterprise devices via Intune and would like to confirm the behavior of a specific device restriction setting related to NFC.

■ Device: AQUOS wish4 (Android), enrolled as a fully managed device
■ Policy applied: Device configuration profile with "Beam data using NFC (work-profile level)" set to Block

■ Policy configuration path in Intune Admin Center:
Microsoft Intune Admin Center > Devices > Manage devices > Configuration

  • Platform: Android Enterprise
  • Profile type: Template > Device restrictions
  • Configuration settings > General
    - Beam data using NFC (work-profile level): Block

○ Background and expectation:
My understanding is that this setting is intended to block NFC-based data transfer (i.e., Android Beam) within the work profile.
However, I initially assumed it might also block general NFC usage, such as reading contactless transit cards or using mobile wallet services.

○ Test scenario and results:
After applying the policy to a fully managed AQUOS wish4 device, I observed the following:

  • The NFC toggle remains available and functional under:
    Settings > Connection settings > More connection settings > NFC
  • I installed an app that reads contactless transit cards used for public transportation (e.g., Suica or PASMO in Japan) and confirmed that it successfully retrieved the card balance via NFC

○ Interpretation:
Based on this behavior, I suspect that the policy only affects the deprecated Android Beam feature, which used NFC for peer-to-peer file sharing.
It does not block general NFC functionality such as card reading or mobile payments, nor does it impact newer sharing technologies like Nearby Share or Quick Share, which rely on Bluetooth and Wi-Fi Direct.

■ Questions:

  1. Is my understanding correct that "Beam data using NFC (work-profile level)" only restricts Android Beam functionality and does not affect general NFC usage?
  2. Is there a way to restrict Nearby Share / Quick Share on fully managed Android devices via Intune, or would that require a different configuration or approach?

Any insights, documentation references, or shared experiences would be greatly appreciated.

Thank you!

3 Replies

  • Moombas
    Level 4.1: Jelly Bean
    2 months ago

    First of all, be aware that the Wish 4 seems not to be AER (I only see Aquos Wish without a number), which can cause problems in management possibilities.

    I want to add here a description from the MS side related to this setting:

    "Beam data using NFC (work-profile level): Block prevents using the Near Field Communication (NFC) technology to beam data from apps. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow using NFC to share data between devices."

    So, apps can't share data via NFC Beam, which doesn't mean they can't read it or that it in general is turned off.

    I also see no option in our MDM to do so, only for (COPE (guess) and) fully managed devices if you have an OEM config app that has this option available for your devices (https://play.google.com/store/apps/details?id=jp.co.sharp.android.shoemconfig&hl=de).

  • Michel
    Level 3.0: Honeycomb
    2 months ago

    Hi,

    1. Yes, that is correct. It focusses on the deprecated Android Beam feature and is not really relevant for recent versions of Android.
    2. Not with Intune, but you might have success with other MDM platforms. Some OEMs like Samsung offer blocking NFC or sharing from a device via the OEMConfig option.

    Not sure if there is an AMAPI API for this, but I assume there is. Could not find it directly.

    Compliments for your testing and sharing the results, shows you really put in some effort to get to the bottom of this.

  • Emilie_B
    Google Community Manager
    2 months ago

    Hi Hotaru and welcome to the Customer Community!

    I just wanted to jump in and check if you could confirm the behaviour you were enquiring about - I think Michel and Moombas have shared some really valuable info (thanks to you both!).

    I have contacted our team to see if they could offer further guidance - please see below:

    To block Nearby Share, an indirect approach would be to restrict Bluetooth, as Nearby Share relies heavily on Bluetooth for device discovery and initial connections (this is something you'd need to test to validate).

    In the Intune console, if "Block Bluetooth" is set to True, it disables Bluetooth entirely on the device. Bluetooth configuration disables the user from making changes to the Bluetooth toggle. This is available for fully managed, dedicated, and corporate-owned work profile devices.

    IT admins can block users from sharing data from their device using NFC beam using policy (outgoingBeamDisabled). This subfeature is optional since NFC beam function is no longer supported in Android 10 and higher.

    Also, from the Intune documentation: https://learn.microsoft.com/en-us/intune/intune-service/configuration/device-restrictions-android-for-work?tabs=aecorporate

    Beam data using NFC (work-profile level): It only prevents using the Near Field Communication (NFC) technology to beam data from apps.

    Therefore, it does not block the general NFC functionality of the device, hence the behaviour is to read PASMO & SUICA from the personal profile.

    I hope this is helpful - please keep us updated on your progress (and don't hesitate to reach out if you need anything additional!).

    Thanks,

    Emilie
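
A small policy audit of the settings discussed in this thread, as an added example that is not part of any post above or of Intune or Google tooling: given an Android Management API policy document and a device API level, it reports which sharing channels remain usable. It assumes the policy is available as AMAPI Policy JSON; `outgoingBeamDisabled` is named in the thread, `bluetoothDisabled` and `bluetoothConfigDisabled` are other AMAPI Policy fields, and the function names and sample policies are constructed for illustration.

```python
# Added example. Field names are Android Management API Policy fields;
# the policies and API levels used with it are constructed samples.
ANDROID_10_API = 29  # NFC beam is no longer supported from Android 10


def sharing_channels(policy: dict, api_level: int) -> dict:
    """Return the state of each channel discussed in the thread:
    'blocked', 'open', or 'absent' (feature not present on this OS)."""
    state = {}

    # Android Beam exists only below Android 10; outgoingBeamDisabled blocks it.
    if api_level >= ANDROID_10_API:
        state["android_beam"] = "absent"
    elif policy.get("outgoingBeamDisabled", False):
        state["android_beam"] = "blocked"
    else:
        state["android_beam"] = "open"

    # Nearby Share / Quick Share: the indirect block suggested in the thread
    # is turning Bluetooth off. bluetoothConfigDisabled only locks the
    # settings UI, so on its own it is not counted as a block here.
    if policy.get("bluetoothDisabled", False):
        state["nearby_share"] = "blocked"  # indirect; validate on a device
    else:
        state["nearby_share"] = "open"

    # General NFC (card reading, wallets): none of these fields touch it.
    state["nfc_card_reading"] = "open"
    return state


def open_channels(policy: dict, api_level: int) -> list:
    """Channels a reviewer should still treat as usable on the device."""
    states = sharing_channels(policy, api_level)
    return sorted(name for name, s in states.items() if s == "open")


if __name__ == "__main__":
    beam_only = {"outgoingBeamDisabled": True}  # constructed sample policy
    print(open_channels(beam_only, api_level=34))
    print(open_channels({**beam_only, "bluetoothDisabled": True}, api_level=34))
```

On an Android 10 or later device the Beam setting changes nothing, so a Beam-only policy leaves both Nearby Share and NFC card reading open, which matches the test result reported in the original question.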