Devices
338 Topics

Fido2 key and their issues using them on Android
First, does Android support using Fido2 keys on Android? Yes, it does support both using Bluetooth, NFC and USB authentication. For reference: https://developers.google.com/identity/fido/android/native-apps

But does it mean that it is straightforward to use it in an enterprise environment without hiccups? No, the support lacks many features that both Windows and iOS have supported for a long time.

If I buy a modern Fido2 with OTP support, will it work straight out of the box for using the USB? No, you need to disable the OTP support first. Here is how you can do that from YubiKey Manager, this works for YubiKey. Other vendors might have something similar. But for Fido2 keys without OTP support, it should work out of the box for USB-C, like Google Titan. Why this happens, don't know.

Can we use NFC for Entra ID authentication like we can on Windows and iOS? No. Android does not currently support CTAP2 for NFC, only for USB-C input. CTAP1 (FIDO U2F) supports certificate-based authentication, but CTAP supports user verification with PIN and biometrics. Entra ID requires UV (user verification) before accepting login. As far as I know, there is also support for Bluetooth. But I don't have any Fido2 keys that support Bluetooth yet.

So why does this matter? With Android you can have shared devices with secure login for multiple users with a single log in for all supported apps, auto log off and many other possibilities. https://learn.microsoft.com/en-us/entra/identity-platform/msal-shared-devices

Other sources/discussions:
https://www.reddit.com/r/yubikey/comments/1oncuh2/whats_the_point_of_nfc_on_android/
https://www.reddit.com/r/yubikey/comments/13tlzoc/fido2_inconsistent_across_windowsandroid/
https://fidoalliance.org/specifications/

28 Views | 0 likes | 0 Comments

GBoard - Suggestion Strip
Hi,

We want to use GBoard on kiosk devices but we aren't able to remove the suggestion strip using managed configurations. All other settings can be configured fine though. The show suggestion strip configuration is set to disabled. But with versions 15.x and 16.x of GBoard it's still visible on the devices. And when checking the setting locally on the device it's still enabled (disabling manually works fine). Back in version 14.x this configuration worked fine.

Anyone else who has experienced the same thing? We've tested this on devices from Samsung, Bluebird, ELO, and Zebra. Android version doesn't seem to have any impact, just the GBoard version.

// Magnus

251 Views | 0 likes | 15 Comments

Do certifications matter when researching new devices?
Hey everyone,

Episode 3 of The Secure Element went live last month! Bigdogburr (our go-to security expert) sat down with Brian Wood from Google’s Device Security and Privacy team to unpack how devices get approved for use in the US federal government. Spoiler: it’s not simple! From government-approved labs running tests, to annual re-certifications, to the role of NIAP (National Information Assurance Partnership) — there’s a lot going on behind the scenes to make sure devices are truly secure and trustworthy.

When you’re looking at new devices, do you pay attention to security certifications or accreditations? If so, what certifications are you most interested in your region? Or do you focus on something else entirely? Let me know your thoughts below — I’d love to hear how you approach this!

Chat soon,
Emilie

12 Views | 2 likes | 0 Comments

Android 15 - Cannot set default password app
We use Microsoft Intune to manage devices. For the devices which have upgraded to Android 15, the end users can no longer select Microsoft Authenticator as their default application for auto filling passwords. I cannot find any settings in Intune to allow it. All devices are fully managed corporate owned devices. The devices are all Google Pixel 8 or 8a devices. Is this a bug in 15 or am I missing something?

9.3K Views | 15 likes | 49 Comments

Samsung Devices: Can't call from a personal app
Hi everyone,

We received some reports from our users in the last couple of months that suddenly the phone app on COPE devices (Samsung A-series) starts to show "Can't call from a personal app" - Your organisation only allows you to make calls from work apps.

Workaround: Reboot the device. For most of the reports this workaround has to take place once and the message is gone forever. A very small number of devices start to show this message again after a couple of weeks. Rebooting resolves the issue again.

Any idea of how to prevent this? Even emergency calls are not possible if this error is appearing! Has anyone else seen this behavior? Raised a case with Samsung today.

Thanks!
Daniel

1.5K Views | 1 like | 12 Comments

WPCO Enrollment into Google Workspace using Zero Touch
Hi there!

I am implementing Zero Touch enrollment for our newly purchased Android devices. It is working well and our testing devices end up in "Fully Managed" state after enrollment. I have been wondering if the enrollment could be adjusted so the device ends up in "Work profile on corporate-owned" (WPCO) state instead. I have done a little research and the Android spec should allow a device to end up in WPCO state after it is enrolled via Zero Touch.

Is this end result achievable with the following combination?

Device: Samsung with Android 14
Enrollment: Zero Touch during device setup
EMM: Google Workspace

Google Workspace AFAIK does not have any switch for this in the UI. Could the management mode be configured during Zero Touch by using DPC extras set in the Zero Touch portal? Developer-oriented documentation suggests this is governed by EXTRA_PROVISIONING_MODE.

I have tried the following Custom Configurations in the Google Zero Touch portal so far (all targeting com.google.android.apps.work.clouddpc):

    {
      "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
        "com.google.android.apps.work.clouddpc.EXTRA_FORCED_DOMAINS": "[\"mycompany.com\"]",
        "PROVISIONING_MODE": "MANAGED_PROFILE"
      }
    }

and

    {
      "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
        "com.google.android.apps.work.clouddpc.EXTRA_FORCED_DOMAINS": "[\"company.com\"]"
      },
      "android.app.extra.PROVISIONING_MODE": "2"
    }

and

    {
      "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
      "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": "<SIG-CHECK>",
      "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://play.google.com/managed/downloadManagingApp?identifier=setup",
      "android.app.extra.PROVISIONING_ROLE_HOLDER_SIGNATURE_CHECKSUM": "<SIG-CHECK>",
      "android.app.extra.PROVISIONING_ROLE_HOLDER_PACKAGE_DOWNLOAD_LOCATION": "https://play.google.com/managed/downloadManagingApp?identifier=setup",
      "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
        "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "<TOKEN>",
        "com.google.android.apps.work.clouddpc.EXTRA_FORCED_DOMAINS": "[\"company.com\"]",
        "PROVISIONING_MODE": "MANAGED_PROFILE"
      }
    }

In all three cases the device goes through Zero Touch enrollment. Device Policy is installed. User is required to log in with a Google Account with company.com account. The device ended up in "Fully Managed" state in all three cases...

463 Views | 0 likes | 1 Comment

My application was rejected
Hello, good afternoon everyone.

I'm writing to this forum to ask for help. A few weeks ago, I applied for the EMM and Enterprise Android Partner program. My application was rejected without any explanation in the emails. I'd like to know the requirements to join the program.

We are a development company based in Guatemala and the United States (and soon in Mexico and Colombia), as we currently have a client requesting an MDM system for their Android device retail store. This is our first time applying to this program so we can offer our services to this client and any future clients who might be interested.

If you could send me the program requirements so I can apply correctly, I would be very grateful. Have a good afternoon. Greetings from Guatemala.

14 Views | 0 likes | 1 Comment

zero-touch; Owner credentials lost
Hi,

We have a few Zebra devices registered for zero-touch and plan to use zero-touch for all regular mobile devices. The registration and all existing accounts linked to it were created by team members that are unfortunately no longer with us. I do have access to one account with administrator permissions but the account with the "owner" permission was not handed over and credentials are basically lost. Which steps are necessary to recover ownership?

29 Views | 0 likes | 3 Comments

Intermittent QR Code Provisioning Failures with Identical Source Code
I am experiencing inconsistent behavior with QR code provisioning for Android Enterprise and am seeking guidance from the community.

The Issue:
QR code provisioning works intermittently, but the failure pattern is inconsistent. A provisioning QR code generated from a specific APK build will work reliably. However, subsequent builds of the exact same source code from the same Android Studio project will sometimes fail. The device displays a generic "Contact your IT admin" error.

What I've Verified:
- The APK is properly signed and the checksum in the QR code is correct.
- The server delivers the APK with the correct application/vnd.android.package-archive MIME type.
- The DeviceAdminReceiver is correctly declared in the manifest and the associated XML resource exists.
- The package name and component name in the QR code are 100% accurate.
- Comparing a "working" APK and a "failing" APK in APK Analyzer shows no differences in the core components (package name, receivers, resources).

Question:
Has anyone else encountered this? Are there known issues with Android's provisioning service being sensitive to certain aspects of the APK build output that are not related to the core functionality or signature? Any insight into how to achieve consistent, reproducible builds for provisioning would be greatly appreciated.

38 Views | 0 likes | 1 Comment

Custom DPC app being blocked by google play services
Hi,

We have a custom MDM app which was built to enroll Android devices with Device Owner. We have a backend which serves the configuration required to install/block apps and settings. We are not using Android official management APIs. A few days ago we received a Google Play Protect update on some of our devices and now whenever we try to enroll the devices using QR code enrollment it gets blocked by Google Play Protect. Please help us understand what is required to bypass this so that we can continue to use our custom MDM app.

Thanks!

76 Views | 0 likes | 4 Comments