Intune Management Capabilities for Samsung Devices
Dear Team, Greetings, I would like to better understand the management capabilities available for Samsung Android devices, with Intune . Specifically, I am looking for clarity on whether these devices can be fully managed through Intune instead of relying on the Samsung Knox management tool, including support for application deployment, patch distribution, firmware updates, and other administrative functions. Any slides reference would be good for my internal discussion ?.[Day 2] Mission Intune : When Migration Becomes a Mission (Almost) Impossible
Good Morning Everyone 🕵️ Deep within the digital infrastructure, a high-stakes mission is being prepped. Five mobility experts have been deployed to solve a massive puzzle: migrating tens of thousands of smartphones to Microsoft Intune. The Goal: Ensure a fluid, secure, and uninterrupted transition for thousands of users. The Battlefront: A complex landscape filled with legacy policies, mixed configurations, and strict deadlines. It’s a race against the clock where one wrong move could start a domino effect. From scripts to security protocols—nothing is left to chance. Failure is not an option. Following Broadcom’s acquisition of VMware in 2023, the Workspace ONE product is now owned by Omnissa. Broadcom’s commercial strategy, which has influenced its spin-off companies, had become highly aggressive toward all customers. Consequently, we have decided to migrate the management of our Android and iOS tertiary fleet to Microsoft Intune.. While we are familiar with Intune, several limitations should be noted: Reporting: Intune offers basic reporting through Microsoft Endpoint Manager and Power BI integration, but lacks the advanced, customizable dashboards available in Workspace ONE. Deployment Performance: Application and configuration deployments can be slow, with status updates often delayed due to Intune’s reliance on periodic device check-ins rather than real-time communication. iOS Management: Intune provides full functionality only for devices enrolled via Apple Business Manager (ABM). Non-ABM devices have restricted supervision capabilities, limiting advanced configuration and app deployment. Error Handling: Intune does not display granular error codes in its console. Troubleshooting often requires log collection from the device or use of Microsoft Support tools, increasing diagnostic complexity. Conditional Access & Compliance: Intune integrates tightly with Azure AD for conditional access policies, which is a strength, but requires additional configuration and licensing for advanced scenarios. App Protection Policies: Strong for Microsoft 365 apps, but less flexible for third-party apps compared to Workspace ONE. Migration Strategy Overview The project aims to migrate the entire mobile fleet—a few tens of thousands Android and some iOs devices—between September 2023 and December 2024. Cybersecurity requirements mandate a shift from COBO (with personal Google accounts allowed) to COPE, reinforcing corporate control and reducing exposure to security risks. Key Challenges Technical Constraints: Devices incompatible with Android 13 require hardware replacement. For most employees, migration involves full device reset and Intune re-enrollment—a complex, time-consuming process. Security Limitations: Backup tools cannot be authorized, increasing the risk of data loss and user errors. A recurring issue is failure to remove Microsoft Authenticator configurations, creating significant support overhead. Performance Impact: The Samsung Galaxy A32, previously adequate under COBO, performs poorly under COPE, affecting user experience. Status and Strategic Decision By June 2024, progress is far below target. To mitigate operational disruption and support overload, the strategy shifts: forced migrations are discontinued. Migration now occurs only during: Hardware replacement (obsolescence, failure, or breakage) Voluntary device reset This approach prioritizes stability and resource optimization while maintaining compliance with security standards. We’ve been with Intune for almost two years, we make do with it and we are hardly surprised anymore when something doesn’t work. If you have any questions, don't hesitate to reach out via the comments below Kris
Android COPE Devices randomly wiping
Hello, Recently our COPE profile in ZT is not functioning. The device will go through the enrollment, it gets registered correctly in our tenant (Entra/Intune) and we can get to the home screen just fine. However, after some time the device will receive the following notification: “Your organization has set up this device to be managed by your organization. If this is an error, contact your device’s provider. All data on the device will be deleted. Your device will automatically reset in 2 hour.” The config in ZT and the one in Intune match (token is correct and the DPC extras are fine). This profile was working up until 2 weeks ago. We’re stumped. We recreated a different COPE profiles with the required DPC extras as per Microsoft’s documentation, tried removing compliance policies and device configurations to make it a plain profile. No luck, still receives the reset notification. Phones tested: Samsung A15, Samsung A16 all running the latest Android 16OS with the latest security patch. Any help would be appreciated, thank you!
We have all our devices on Samsung Knox; I would like to try using Android Zero-Touch enrollment as well. Is that possible?
We got all our new company Samsung phones added into Samsung Knox. None of the distributors we work with are Android Zero Touch partners; we've asked them to join and they probably won't any time soon. I read that there's been some effort to unify Samsung Knox and Android Zero Touch, although in many cases it still seems like EMMs have better support for Android Zero Touch whereas Samsung would prefer you use their in-house EMM. We would like to try using the Android Zero Touch enrollment as well. Unlike Samsung, it seems like I can't even register my own customer account. So my questions: is there any possible way to get just a Zero Touch customer account set up, with no devices added, when none of the resellers I actually bought a device from are Android partners? Also, is there some way I could get some of our Knox enrolled devices to use Zero Touch?
Possible to deploy API commands via Provisioning Profiles in MDM?
Hello, We use WorkspaceONE UEM as our MDM. We sometimes use provisioning profiles to deploy commands to devices run-intents, but I'm not an expert on this subject by any means. I am curious if it is possible to use our MDM to deploy an API command to disable Factory Reset Protection. The command information is here: https://developer.android.com/reference/android/app/admin/FactoryResetProtectionPolicy I realize what a specific question this is. If I can provide more information, please let me know. Thanks in advance!
"Your administrator has not given you access to this item" - Intune issues with Google accounts and previously used apps
Basic set up: Managed Google Play + Intune Devices all set up as "Corporate-owned, fully managed user devices" Policies are set to allow all apps from store and to allow other accounts to be installed on devices. GSuite individual Google accounts with corporate email addresses signed in to all devices to allow for things like Photos backup. Problem: When migrating a user to a new device, some apps cannot be installed. When a user is signed into Google Play with their Google Account, any app that is already linked to their Google Account from their previous device (for example: WhatsApp, Samsung Notes, Translate), cannot be installed with the error "Your administrator has not given you access to this item". If I sign the user out from their Google account, install the app and then sign them in again, it all works fine, but this should not be necessary. It seems like the problem is stemming from the Play Store not liking the fact that the corporate Play Store profile is trying to install apps that the Google account has already signed in to previously. Any thoughts on fixes? Thanks.Compliance project for Android?
Hi all, For Apple (iOS/MacOS ) we use the macos security compliance project tooling (https://github.com/usnistgov/macos_security#readme) for mapping compliance guidelines. A short summary: The macOS Security Compliance Project (mSCP) is an open‑source framework that provides automated, customizable security guidance and baselines for macOS, producing documentation, audit checklists, configuration profiles, and remediation scripts. It supports major security standards, including NIST SP 800‑53, NIST SP 800‑171, DISA STIG, CNSSI 1253, CIS Benchmarks, CIS Critical Security Controls v8, CMMC 2.0 Levels 1–2, and the Netherlands BIO baseline. I haven't found such a project for Android, as anyone aware of such a project that maps security guidelines to available API's for Android Enterprise? Michel
Organization Has Reached Its Usage Limits" Error with 0 Devices - Troubleshooting Guide
I'm developing a custom MDM solution using Google Android Management API. Successfully created enterprise enterprises/LC02x32bm6 with work email domain, but getting: "Can't set up device. Your organization has reached its usage limits." Key Details: Enterprise created successfully via API Enrollment token generated successfully 0 devices currently enrolled Cloud Console shows 0% API quota usage Billing account linked to project GET /api/enterprise/callback → Returns enterpriseName POST /api/enterprise/enrollment-token → Returns enrollment token Device enrollment → ❌ "Usage limits" error Has anyone encountered this "usage limits" error with 0 devices? Android Management API usage is 0%. Any insights appreciated! Happy to share code snippets or API responses if helpful.
Issue with Android Enterprise provisioning: afw#identifier invalid and Play Protect blocking app during QR enrollment
We are an organization using a third-party MDM / Device Policy Controller (DPC) solution to manage our Android Enterprise devices. The DPC application is published on Google Play and has been working for managed provisioning. Recently, we started facing issues during Android Enterprise enrollment, and we are seeking guidance on the correct and supported setup. Issues observed 1. afw#identifier enrollment When attempting enrollment using afw#<identifier>, the setup fails with errors such as invalid token, wrong setup, or unable to continue enrollment. This previously worked and now fails consistently, even though the DPC remains published on Google Play. 2. QR code–based provisioning When using QR code provisioning, the device completes initial setup but then Google Play Protect shows “App blocked by Play Protect” for the DPC. The DPC app is Play-approved and not sideloaded by end users. We have already submitted a Play Protect appeal through the official appeal form. 3. Distribution method For QR provisioning, the DPC APK is currently hosted on our own HTTPS server, and the QR includes: Device Admin component SHA-256 signature checksum Secure download location Despite this, Play Protect flags the app after provisioning. Clarifications we are seeking Are there recent changes or requirements for afw#identifier enrollment that could cause invalid token or setup errors? Does Play Protect apply additional checks during QR-based provisioning, even for Play-approved DPC apps? Is using a self-hosted APK download location still supported for Device Owner provisioning, or is Managed Google Play / Zero-Touch enrollment now required? Is there a supported way to allowlist or whitelist a legitimate enterprise DPC app so it is not blocked during provisioning? Are there recommended best practices for third-party MDM providers or enterprise customers to avoid Play Protect blocks during enrollment? We are not attempting to bypass Play Protect or supported security mechanisms. We want to ensure our Android Enterprise setup follows current Google-recommended practices and understand the correct approach going forward. Any guidance or clarification from the community or product experts would be appreciated.
