Support for a Single VPN Instance Shared Across All Users on a Corporate-Owned Device
Hello everyone, I am exploring how to reduce resource usage on corporate-owned Android devices that are configured with multiple users or profiles. Currently, Android's VPN framework is per-user: Each user (or work profile) maintains its own VPN state. An Always-On VPN can only be configured within the context of the current user or profile. This means that if a device has several users, each user needs to run a separate VPN instance. This design results in unnecessary duplication: Multiple VPN processes or tunnels are active on the same device. System resources (CPU, battery, memory) are consumed redundantly. The VPN app itself must be installed and configured multiple times. My request/idea: Enable a single VPN instance at the device level (not just per-user), so that one VPN tunnel can secure network traffic across all users and profiles. This would: Greatly reduce resource waste. Simplify deployment and management for IT admins. Prevent the need for each user or profile to maintain its own VPN connection. Questions for the community and Google team: Is there any existing mechanism (documented or OEM-specific) that allows a VPN to operate at the device scope rather than user scope? Are there any roadmap plans to support device-level VPN in Android Enterprise? If not currently supported, could this be considered as a feature request for future Android versions? This would be particularly valuable for dedicated devices and shared device scenarios where multiple users must access corporate resources, but IT only wants to maintain one VPN tunnel. Looking forward to your insights and to hear whether others face the same challenge. Thank you.
New devices only receive "Enterprise Default Profile" instead of default profile
Hey there, this is my first post here as I could not find a ticket system for Zero Touch. Since a couple of weeks all new devices only getting the "Enterprise Default Profile" automatically assigned which I deleted during zero touch tenant setup in "Configurations". The default profile I created does not get automatically applied anymore. Unfortunately I can change the default assignment profile to whatever I want but newly added devices still are getting the "Enterprise Default Profile". Changing the device profile after the initial upload (including wrong DPC info) to the created target profile works in bulk. Once changed manually the devices apply the correct DPC. Multiple zero touch instances are affected. How to fix the default assignment profile for newly added devices? Any suggestions?Disable random mac address during EMM enrollment
My company is trying to provision tablets via headwind MDM. We have no problem on some of our networks, but the location they are being provisioned at at-scale have a strict no-random-mac address rule on their network. Thus far I have been unable to figure out how to create a QR code that will disable random mac address on the SSID of the network the device connects to when enrolling in our MDM. Is there a field I am missing? Surely there must be a way to overcome this.Seeing spike in HARDWARE_BACKED_EVALUATION_FAILED for Android 16 devices.
We are seeing a spike in HARDWARE_BACKED_EVALUATION_FAILED in https://developers.google.com/android/management/reference/rest/v1/enterprises.devices#securityrisk field in AMA Device response. We are seeing this mostly in the Android 16 customers and for some users it went away without any change on their side. So it does not seem anything wrong with the devices and seems random. Anyone else facing this with AMA or play integrity?
Zebra HC50, HC20, TC21 - Zero-Touch enrollment isn't available. Check your internet connection and try again
We experiencing issues where we currently are unable to proceed with the enrolment of our Zebra devices to our EMM (WSOne). When we boot the Zebra Handset we get an error Can't finish setup. Zero-touch enrollment isn't avaialble. Check your internet connection and try again. We've tried from different network but getting same error. Their was another post about the same issue affecting Samsung S series devices which apparently samsung has fixed. Not sure how we get that fixed for the Zebra handsets
problematic re-enrollment following smartphone reset under Android 15
Hey Everyone, Since a couple of weeks, we are encountering a problem with the re-enrollment of devices that have moved to Android 15. our employees arrive on the next screen : I reproduced the incident under the following conditions : Step 1 , the device is enrolled on Omnissa WSP1 in COBO with personnal Google Account Step 2 , for some reasons, the device is erased (example : 10 errors code) Step 3 , the profil in KME or Zero Touch is Microsoft Intune & no more Omnissa Step 4 , It seems that the KME or ZERO Touch verification did not happen at the right time. Step 5 , our employees have to proove the use of the device like a personal device ! We didn't encounter this problem for devices in Android 13 or 14. The devices i used : Motorola g54 5G Android 15 V1TDS35H.83-20-5-5 security patch : 1 july 2025 Samsung A35 - SM-A356B Android 15 AP3A.240905.015.A2.A356BXXS5BYF3 security patch : 1 july 2025 We have several thousand devices left to migrate to Microsoft Intune, this new enrollment behavior is unacceptable for 100% company devices. Our fleet is fully managed in KME or Zero Touch. Can you investigate this incident? Chris
Control Wi-Fi Calling settings
Hi there, hope you're well. Just wondering is it possible to control the Wi-Fi Calling settings within Android via MDM? The closest thing I've seen is to use Knox Asset Intelligence to check Wi-Fi Calling setting status on Samsung devices: https://docs.samsungknox.com/admin/knox-asset-intelligence/dashboard/network-insights/wifi-calling-setting-status/ Thank you for your help & input in advance!
Google Keyboard configuration Intune
Hi, I would like to know how to configure the Google Keyboard using Microsoft Intune. Specifically, I need to set up the keyboard with dual language support (Italian and German) on my Android devices managed through Intune. Could anyone help me achieve this goal?
Intune - Android Enrollment Default Profile
Hi, We’ve noticed that our Android devices are no longer enrolling automatically, which is resulting in the default profile being applied from the auto-created policy in the Google Zero-Touch customer portal. I’ve reviewed the portal settings, and the correct profile is still assigned by default. This process previously worked as expected. Many thanks, Joe.
