unable to enroll the Samsung S25 ultra into Intune as BYOD.
Hi Team, We are unable to enroll the Samsung S25 Ultra devices in Intune as BYOD. We are getting the "Can't add work profile " error during the enrollment process. So far we received couple of requests for same issue and the affected users count is increasing day by day. We have reached to Microsoft team as well, they suggested to check with Samsung team.
Common identifier between AMAPI & Require for setup app for validation
We are enrolling devices using AMAPI by generating a QR code with an assigned policy either for work profile or fully managed enrollment. During enrollment, the device prompts for a require for setup app, which, after configuration, returns RESULT_OK, marking the setup as complete and finalizing the device enrollment. Before returning RESULT_OK, To identify the enrolling device, the backend gets the device ID and enterprise ID from the Pub/Sub provisioning notification. The device ID (which matches the GSF ID) is then sent by the require for setup app to the backend for validation. This identifier is also used to enforce enrollment limits based on the enterprise license count. The Issue: Up to Android 14, retrieving the GSF ID was possible. However, in Android 15, it now returns null. Question: Is there an alternative identifier that can be used to identify the enrolling device—one that the backend can retrieve and that the setup app can also access during enrollment? Below is the information we receive from Pub/Sub when a device is enrolled: { "name": [*Hidden for privacy reasons] "managementMode": "PROFILE_OWNER", "state": "PROVISIONING", "enrollmentTime": "2025-04-04T06:17:02.751Z", "lastPolicySyncTime": "2025-04-04T06:17:02.817Z", "softwareInfo": { "androidVersion": "15", "androidDevicePolicyVersionCode": 10323580, "androidDevicePolicyVersionName": "128.32.3 (10323580)", "androidBuildNumber": "AP3A.240905.015.A2", "deviceKernelVersion": "5.15.149-android13-8-00010-gc2e0ba41ba85-ab12040008", "bootloaderVersion": "unknown", "androidBuildTime": "2025-03-11T13:26:50Z", "securityPatchLevel": "2025-03-01", "primaryLanguageCode": "en-IN", "deviceBuildSignature": "c9009d01ebf9f5d0302bc71b2fe9aa9a47a432bba17308a3111b75d7b2143456", "systemUpdateInfo": { "updateStatus": "UP_TO_DATE" } }, "hardwareInfo": { "brand": "Redmi", "hardware": "mt6835", "deviceBasebandVersion": "MOLY.NR17.R1.TC8.PR2.SP.V1.P51,MOLY.NR17.R1.TC8.PR2.SP.V1.P51", "manufacturer": "Xiaomi", "serialNumber": [*Hidden for privacy reasons] "model": "23124RN87I", "enterpriseSpecificId": [*Hidden for privacy reasons] }, "policyName": [*Hidden for privacy reasons] "memoryInfo": { "totalRam": "5865836544", "totalInternalStorage": "806965248" }, "userName": [*Hidden for privacy reasons] "enrollmentTokenName": [*Hidden for privacy reasons] "securityPosture": { }, "ownership": "PERSONALLY_OWNED" } *Updated by Community admin - removed due to privacy reasons 4 April
Managed Google Play private app not available on Corporate-owned devices with work profile
Hi community, I'm encountering a strange issue and could use some guidance. A Google developer account released an app to Managed Google Play (so it's automatically private and not available on the public store) and entered our organization ID in the appropriate field. We can find the app on the iframe in our MDM (Microsoft Intune in this case), select it, and assign it to groups. Everything looks good: BYOD deployments (Personally-owned devices with work profiles) can install the app from the Managed Google Play store. However, COPE devices (Corporate-owned devices with work profiles) cannot search for it, and it's also not visible in the app collections we've created. Could there be a setting in the Google developer account's store listing that prevents availability for COPE devices? I've exhausted all options in Intune, including multiple store syncs, with no success. Intune is telling me, that the App is available to install on the specific COPE devices, but it does simply no appear. The only thing left to check is the Google developer account that released the app for us. Has anyone else experienced this issue? Any hints or suggestions would be greatly appreciated. Thanks! Walter[Community tips] What guidance do you provide with new devices?
Hello everyone, I recently helped a family member set up their new phone (after their old one had a long and fruitful life 😃). It struck me how important it is to help, when needed, to guide someone through using a new device and highlight key features that they may be used to using (and any new ones). This made me think, this is a key area for work devices too and so I thought it might be interesting to hear how we do this across the community. For example, do you provide documentation with step-by-step instructions, guidance on device usage and key information, or assistance when switching device types or operating systems? It would be great to hear any tips you have for supporting colleagues with new devices, plus anything that would make your life easier when creating useful resources. Thanks so much, Lizzie
Enhancing Android Enterprise OS Update Management
Hi, The way the Android API implements OS update management on Android Enterprise devices is not particularly useful for devices with user affinity. Are there any upcoming API changes for EMM solutions like Microsoft Intune? From my experience with the current API: AUTOMATIC – The OS update is installed as soon as it becomes available via OTA, which is not practical for real-time scenarios. WINDOWED – Similar to AUTOMATIC but with the limitation that OS updates can only be installed within a defined maintenance window. This means that if a user needs to update their device due to a software bug fixed in the latest OS version, they may not be able to do so immediately if the maintenance window is set outside working hours. Source: https://support.google.com/work/android/answer/13791272?hl=en#zippy=%2Cmanaging-system-updates-using-system-update-policies Suggested Improvements: Provide an option to control OS updates on BYOD (Work Profile only). I understand that when enrolling a device through Work Profile, only the work container can be managed via EMM. Google may need to reconsider this approach. It would be beneficial to have an approach similar to Apple’s, where EMM admins can manage OS updates (e.g., push specific updates, set deadlines, etc.) through DDM (Declarative Device Management - Source: https://support.apple.com/en-gb/guide/deployment/depc30268577/web ), even on BYOD devices (Device Enrollment) — without requiring supervision like DO (Device Owner mode). I’m aware that Samsung Knox E-FOTA exists, but it is limited to Samsung devices. Expanding this capability to all Android devices (like Google Pixel devices) would greatly improve update management in enterprise environments. BR, Marco
Problem Joining Work Profile From Android Device
I created an enrollment token for an enterprise for work profile, and I ensured that setAllowPersonalUsage("PERSONAL_USAGE_ALLOWED"); was set for the token. How ever when I try to join from my android 11(tecno) and android 14(google pixel 7) device with work profile via the ADP app, I get : Can't add work Profile A work profile can't be added to this Pixel. If you have questions, contact your IT admin. However from my emulator device running Android 15, I could join the enterprise using work profile.
Non-work app in the Work profile
I have a work profile and I have company apps installed from intune. I also have 'personal' apps in the Work profile. These were added by me using the Work profile version of the Google Play store. As a result, I have work and non-work apps co-existing in the Work profile. My question is if my Employer can see those non-work apps and the app data which are in the Work profile?
