EMM
151 Topics

Fido2 key and their issues using them on Android
First, does Android support using Fido2 keys on Android? Yes, it does support using Bluetooth, NFC and USB authentication. For reference: https://developers.google.com/identity/fido/android/native-apps

But does it mean that it is straightforward to use it in an enterprise environment without hiccups? No, the support lacks many features that both Windows and iOS have supported for a long time.

If I buy a modern Fido2 with OTP support, will it work straight out of the box for using the USB? No, you need to disable the OTP support first. Here is how you can do that from YubiKey Manager; this works for YubiKey. Other vendors might have something similar. But for Fido2 keys without OTP support, it should work out of the box for USB-C, like Google Titan. Why this happens, I don't know.

Can we use NFC for Entra ID authentication like we can on Windows and iOS? No. Android does not currently support CTAP2 for NFC, only for USB-C input. CTAP1 (FIDO U2F) supports certificate-based authentication, but CTAP supports user verification with PIN and biometrics. Entra ID requires UV (user verification) before accepting login.

As far as I know, there is also support for Bluetooth. But I don't have any Fido2 keys that support Bluetooth yet.

So why does this matter? With Android you can have shared devices with secure login for multiple users with a single login for all supported apps, auto log-off and many other possibilities. https://learn.microsoft.com/en-us/entra/identity-platform/msal-shared-devices

Other sources/discussions:
- https://www.reddit.com/r/yubikey/comments/1oncuh2/whats_the_point_of_nfc_on_android/
- https://www.reddit.com/r/yubikey/comments/13tlzoc/fido2_inconsistent_across_windowsandroid/
- https://fidoalliance.org/specifications/

29 Views, 0 likes, 0 Comments

Android 15 - Cannot set default password app
We use Microsoft Intune to manage devices. For the devices which have upgraded to Android 15, the end users can no longer select Microsoft Authenticator as their default application for auto filling passwords. I cannot find any settings in Intune to allow it. All devices are fully managed corporate owned devices. The devices are all Google Pixel 8 or 8a devices. Is this a bug in 15 or am I missing something?

9.3K Views, 15 likes, 49 Comments

My application was rejected
Hello, good afternoon everyone. I'm writing to this forum to ask for help. A few weeks ago, I applied for the EMM and Enterprise Android Partner program. My application was rejected without any explanation in the emails. I'd like to know the requirements to join the program. We are a development company based in Guatemala and the United States (and soon in Mexico and Colombia), as we currently have a client requesting an MDM system for their Android device retail store. This is our first time applying to this program so we can offer our services to this client and any future clients who might be interested. If you could send me the program requirements so I can apply correctly, I would be very grateful. Have a good afternoon. Greetings from Guatemala.

14 Views, 0 likes, 1 Comment

Intermittent QR Code Provisioning Failures with Identical Source Code
I am experiencing inconsistent behavior with QR code provisioning for Android Enterprise and am seeking guidance from the community.

The Issue: QR code provisioning works intermittently, but the failure pattern is inconsistent. A provisioning QR code generated from a specific APK build will work reliably. However, subsequent builds of the exact same source code from the same Android Studio project will sometimes fail. The device displays a generic "Contact your IT admin" error.

What I've Verified:
- The APK is properly signed and the checksum in the QR code is correct.
- The server delivers the APK with the correct application/vnd.android.package-archive MIME type.
- The DeviceAdminReceiver is correctly declared in the manifest and the associated XML resource exists.
- The package name and component name in the QR code are 100% accurate.
- Comparing a "working" APK and a "failing" APK in APK Analyzer shows no differences in the core components (package name, receivers, resources).

Question: Has anyone else encountered this? Are there known issues with Android's provisioning service being sensitive to certain aspects of the APK build output that are not related to the core functionality or signature? Any insight into how to achieve consistent, reproducible builds for provisioning would be greatly appreciated.

38 Views, 0 likes, 1 Comment

Help Needed: Re-registering MDM After Already Signed Up Error
Hello Android Enterprise Community,

I’m trying to set up my MDM, but I keep encountering the following error: "Someone at testmdm.xyz has already signed up." I have previously attempted to remove the Android Enterprise enrollment from my domain, unlinked the MDM, and followed all standard steps. However, I am unable to re-register the MDM, and my attempts to enroll devices fail.

I would greatly appreciate guidance on:
- How to fully clear any previous Android Enterprise enrollment associated with my domain
- Steps to re-register an MDM successfully
- Any best practices or troubleshooting tips to avoid this issue in the future

Thank you in advance for your help. Any advice from experienced admins or Google support is highly welcome. jasonbayton

Best regards,
Khaled

18 Views, 0 likes, 1 Comment

Issues with use of Personal Digital Certificates on Android Devices Managed via Google Workspace MDM
Hello everyone,

I’m reaching out from my company as we have encountered an issue with the installation and use of personal digital certificates issued by FNMT (Spain) on Android devices managed through Google Workspace MDM. The certificates install correctly, but apps that should use them (e.g., for Wi-Fi authentication or access to internal services) do not detect or recognize these certificates. We have tested on unmanaged Android devices, and the certificates work fine there, so it seems related to Google Workspace MDM management.

We’ve confirmed with the certification authority (FNMT) that their certificates comply with standards. Google mentioned that MDM should not block certificates unless there is a policy configured to do so. However, this problem seems to persist regardless. Additionally, other companies have reported similar issues with personal certificates issued by different certification authorities, which suggests a possible systemic incompatibility or configuration issue within the Google Workspace MDM environment affecting the proper functioning of these certificates.

Has anyone else experienced this? Are there known workarounds or configuration tips that could help? Any insights or advice would be greatly appreciated.

Thanks in advance!
Francisco

13 Views, 0 likes, 0 Comments

How to view and remove enrolled devices, and how quotas are applied
We are developing a solution using Android Management. While enrolling a fully managed device, provisioning now fails with:
- "Can't set up device"
- "Since your organization reached its usage limits, this device can't be set up."

This did not occur until yesterday. We are trying to determine whether this quota limit is enforced by the Android Management API (EMM side) or by Google Workspace when connecting to a third‑party EMM. If the limit is on the EMM side, is the quota granted per project? We have two Google Cloud projects using the Android Management API; the issue is only affecting the newer project.

Questions:
1) Where can we monitor quota usage for Android Management?
2) If we have reached a quota, is there a way to remove previously enrolled test devices, and would that resolve the issue?
3) Where can we find detailed information about quotas and currently enrolled devices?

85 Views, 0 likes, 3 Comments

Android 15 Setup Wizard loops at “Accept Google Services” on Lenovo Tab M11 (TB311FU)
Hi all,

I'm running into a blocking issue provisioning brand-new (and factory-reset) Lenovo Tab M11 - TB311FU devices on Android 15 with Android Management API (fully managed / dedicated, kiosk). On Android 14 everything worked fine with the exact same policy and enrollment flow. The issue only started after updating to Android 15. (This is my test device; I constantly factory reset it.)

Expected behavior: Standard QR (6-tap) provisioning to proceed past the “Accept Google Services” screen, install Android Device Policy, enroll to my enterprise, and apply the kiosk policy, install app, and done.

What happens instead: After Wi-Fi and scanning the AMAPI QR token, Setup Wizard reaches “Accept Google Services”. Tapping Accept shows a spinner, then it returns to the same screen (loop). I simply cannot get past this point. If I reboot at this point, on the very first Welcome screen the device sometimes becomes unresponsive (neither 6-tap nor “Next” reacts) until I factory reset again.

Is there a known Android 15 Setup Wizard issue that can cause a loop at “Accept Google Services” on Lenovo TB311FU? Any workarounds you'd recommend to get past the acceptance loop?

When factory resetting, and setting up the tablet without scanning the QR code, I get past the Google Services no problem. When I install via QR code on new, fresh, never-used-before tablets that come pre-installed with Android 14, I don't have any issues. Same policy, same everything... except the Android version.

Thanks in advance!
/B

378 Views, 1 like, 11 Comments

Why openNetworkConfiguration not working in enrolled device?
I have enrolled a device and want to use managed Wi-Fi on that device. I have used the following configuration:

    "openNetworkConfiguration": {
      "Type": "UnencryptedConfiguration",
      "NetworkConfigurations": [
        {
          "GUID": "inovex_wifi",
          "Name": "INovex-Dev",
          "Type": "WiFi",
          "WiFi": {
            "SSID": "INovex-Dev",
            "Security": "WPA-EAP",
            "EAP": {
              "Outer": "EAP-TLS",
              "Identity": "faruk",
              "DomainSuffixMatch": ["dms.mobi-manager.com"],
              "ServerCARefs": ["ca_inovex"],
              "ClientCertType": "Ref",
              "ClientCertRef": "client_inovex"
            }
          }
        }
      ],
      "Certificates": [
        { "GUID": "ca_inovex", "Type": "Server", "X509": "ca_base64" },
        { "GUID": "client_inovex", "Type": "Client", "PKCS12": "client_base64" }
      ]
    }

My expectation is:
- This network is automatically saved in the Wi-Fi list
- As I set the client and server certificates, the device should connect automatically

For information, I have used a FreeRADIUS server for authentication.

38 Views, 0 likes, 3 Comments

Need understand some point of this feature - 3.6. Managed configuration management
I have implemented the following feature: 3.6. Managed configuration management. I understand everything but got stuck on point 3.6.3:

"The EMM's console must allow IT admins to set wildcards (such as $username$ or %emailAddress%) so that a single configuration for an app such as Gmail can be applied to multiple users."

I do not understand how to implement these wildcards in one policy for different devices. Also, let me know whether it is supported for Gmail or not. Thanks in advance.

61 Views, 2 likes, 2 Comments