[Day 1] Mobile Devices With a Sixth Sense: What Android Can Learn From Detection Dogs
Good afternoon everyone! Intro Alongside my passion for Android, which I’ve also made my profession, I spend a lot of my personal time working on scent detection training with dogs. Over the years I’ve trained my own dogs to search for items such as data carriers, phones, cannabis, and most recently one on cash. I wanted to participate in the festival because I had to skip the opportunity last year. But to contribute meaningfully, I wanted to create something that connects both worlds, Android and my other interests. This article is the result of that cross-pollination. The article is just a different perspective to discuss, a thought I had and a look in to what I think could be a good future. Android & detection / search dogs Enterprise mobility is still too often reduced to policies, profiles, and compliance checkboxes. A device shows compliant, an app is locked down, and the job seems done. But anyone who has worked with a well-trained detection dog knows that control is only half the story. The real value comes from analyzing behavior and context, and the ability to anticipate on what’s coming. Fun fact: Our nose, and a dogs nose, contain olfactory receptors, nerve cells that detect odor molecules, which is what we use to recognize a scent. An average human has around 2 to 6 million of those. A dog’s nose has around 250-300 million. They are capable of detecting so much more scents than we do. A detection dog doesn’t just smell an object. It smells the contents, the ingredients of what it’s made of and It detects deviations. It recognizes not only what is present, but also when a situation doesn’t match the pattern it expects. If something has disturbed the soil, it will recognize that. And as a handler you should be able to read to signals and act on it. If you want to go right, and the dog is showing that it recognizes a scent on the left, you should really go left and trust the signals your dog is sending you. As a dog handler I’m trusting my dog to make the right decisions, I just follow and guide the dog where needed. Lift him to higher grounds, or maybe mark areas of extra interest that I can see and I’ve been told to search. Its teamwork. Devices as Sensors Imagine a device that doesn’t only enforce policy but also understands what normal looks like in its environment. Not only checking whether something is allowed, but noticing when something is unexpected. A phone that has spent months connected only to Wi-Fi inside the warehouse but suddenly appears on 4G at two in the morning in another city, that may not be a direct policy violation, but it is something you and I would ask questions about. Any detection dog would pause, tilt its head, and quietly signal that something’s off. The ingredients to make devices smarter already exist. Smartphones capture motion, location, battery patterns, network behavior, app usage, and user interaction. Individually these are datapoints, but together they form a pattern, just like scent particles form a track for example. The interesting part is: the hardware has been ready for years. What we lack is interpretation. Fun fact: Did you know that when a dog is searching/sniffing, it can inhale and exhale up to 300 times per minute? If we would do this, we will start hyperventilating within seconds. I think Android could evolve in the same direction by learning baselines of enterprise-normal rather than relying solely on static policies. Once a baseline exists, devices can flag changes proactively, early before things escalate. An example Consider a warehouse worker scanning goods along the same aisle, during the same shift, using the same three apps every day. Android sees that, learns it, and identifies it as normal. But one Monday everything is different: roaming is active, a new route is taken, unfamiliar apps are running. Instead of asking only is this allowed?, the device could ask is this unusual?, should I report this?, is this risk or intentional deviation? As an IT admin, you could check those signals and take appropriate action. But maybe we want Android Enterprise to take their own actions up to a certain degree? This isn’t just security, it also improves stability, efficiency and less downtime. Combine all these and you might even have an employee who is actually happy with the work IT is doing. Instead of being the team who keeps blocking things, you become the IT admin that makes the devices just work when they need to. Closing note I am aware of different MDM’s providing such solutions such as WS1 and Knox Asset intelligence. But I think it could and should be so much better than that. It should be part of core Android OS, present for everyone, not just the one who can afford it but also the smaller companies with less budget. It shouldn’t be depending on a third party whether or not this works. Android Enterprise has matured. Policies are essential, but they’re not the finish line. The real opportunity lies in devices that understand normal, and detect subtle deviations before users even notice. Maybe it’s time our Android fleets developed a sense of intuition. Maybe it's time for Android fleets to develop their own sixth sense like a detection dog that quietly sits, nose raised, because it notices something no one else does yet.
GBoard - Suggestion Strip
Hi, We want to use GBoard on kiosk devices but we aren't able to remove the suggestion strip using managed configurations. All other settings can be configured fine though. The show suggestion strip configuration is set to disabled. But with versions 15.x and 16.x of GBoard it's still visible on the devices. And when checking the setting locally on the device it's still enabled (Disabling manually works fine) Back in version 14.x this configuration worked fine. Anyone else who has experienced the same thing? We've tested this on devices from Samsung, Bluebird, ELO, and Zebra. Android version doesn't seem to have any impact, just the GBoard version. // Magnus
Unable to upload bulk CSV file to ZeroTouch
Hi Team, Is there currently an issue uploading a bulk .csv file to ZeroTouch? It's giving me an error. See below. Steps below: I downloaded the sample .csv file then updated it with my data, then uploading it again to the portal as is without changing the name or file extension as seeing above, yet its giving me an error. This was working not long ago, just wondering if there is currently an issue. Thanks
Enable ADB debugging is grayed out - This setting is managed by your administrator
This issue was documented in 2021 but with no solution. My Chromebook is managed by my company and I am the manager. But Google tries to find the managed option to unlock for this to work in the administration interface for more than 15 days without success. By the way there are thousands of options in the admin interface it could be a clever feature to number them. If you are in front of the same issue please add your comments to this post. I hope that Google support will succeed to solve the issue soon because I developed my first app for Android on my Chromebook with Android Studio and I was able to download it to my phone before these 15 days.
Device screen sensitivity
Hello AE community, Our users encounter screen sensitivity issue while using a screen proctection on their devices, Device impacted is Samsung A9+, There is a setting to enhance screen sensitivity but it is not manageable thought Ivanti NMDM, or Knox Service Plugin. We also use Bluebird devices, for this manufacturer, sensitity setting is manageable using their OEM Config app. Is there another method to manage this setting ? Should i make a FER (Feature Enhancement Request) to Samsung directly ? Regards Batlac
REQUIRE_ENTRY flag not working as expected
Hello, I am working on a Mobile Device Management system and just received a bug report about the Require Entry option when resetting a password. Since I set the Require Entry option I expect that the device does not accept any new password changes until I unlocked it at least once with the new credentials. This did not work. I was able to change the password numerous times over the Google API without logging in once. In your documentation here: https://developers.google.com/android/management/reference/rest/v1/enterprises.devices/issueCommand#ResetPasswordFlag it' s outlined that the flag should force the device to not accept any other password changes over the Google API by admins until the user has entered the new password. REQUIRE_ENTRY Don't allow other admins to change the password again until the user has entered it. I traced the issue through my software and checked all requests. My initial request to Google services looks like this. { "type":"RESET_PASSWORD", "resetPasswordFlags":[ "REQUIRE_ENTRY" ], "newPassword":"111111" } Here is clearly observable that the REQUIRE_ENTRY flag is sent to Google. Furthermore Google also includes the flag in it's response. { "name":"RouterSuccess", "code":200, "message":"OK", "data":{ "name":"enterprises/LC01zoikuz/devices/33c202b53a9b800c/operations/1764168989992", "metadata":{ "@type":"type.googleapis.comgoogle.android.devicemanagement.v1.Command", "type":"RESET_PASSWORD", "createTime":"2025-11-26T14:56:29.992Z", "duration":"600s", "newPassword":"111111", "resetPasswordFlags":[ "REQUIRE_ENTRY" ], "userName":"enterprises/LC01zoikuz/users/107976853558892540833" } } } So I assume that my API calls are working fine. Now I started to look into the adb logs of my device. I sent two reset password commands, one with the Require Entry option enabled and one without. I grepped the logs for "password" as a keyword and compared the results with a tool. Those are the logs of my request with Require Entry enabled: 11-26 10:16:45.367 2770 6955 I SDPLog : Reset password with token for user 0 11-26 10:16:45.654 1301 8837 I keystore2: system/security/keystore2/src/security_level.rs:829 - In import_key. 1000, Some("synthetic_password_293151ba28441a0d") 11-26 10:16:45.654 1301 8837 I keystore2: system/security/keystore2/src/security_level.rs:832 - synthetic password changed : 1000 11-26 10:16:45.655 1301 8837 I keystore2: system/security/keystore2/src/database.rs:2158 - In store_new_key "synthetic_password_293151ba28441a0d", uid=103, cert=false, cert_chain=false rebound=false 11-26 10:16:45.672 2770 6955 I SyntheticPasswordCrypto: Deleted SP protector key synthetic_password_a94cb138ecf734eb 11-26 10:16:46.071 2770 6955 I PasswordPolicy: isExternalStorageForFailedPasswordsWipeExcluded() : no admin enforce password policy. 11-26 10:16:46.091 6382 24694 I clouddpc: [PolicyUpdaterImpl.java:fromCache:214] From cache started [passwordPolicies, passwordRequirements, encryptionPolicy] forceComplianceReport: false 11-26 10:16:46.091 6382 24694 I clouddpc: [EventLogManagerImpl.kt:logMessage:2049] Event logged: RequestPolicyUpdateFromCache details: [policyKeys=[passwordPolicies, passwordRequirements, encryptionPolicy], forceComplianceReport=false] metadata: [isNetworkConnected=true] 11-26 10:16:46.091 6382 7741 I clouddpc: [EventLogManagerImpl.kt:logMessage:2049] Event logged: PolicyUpdateStarted details: [policyKeys=[encryptionPolicy, passwordPolicies, passwordRequirements], forceComplianceReport=false] metadata: [isNetworkConnected=true] 11-26 10:16:46.092 6382 7741 I clouddpc: [PolicyUpdaterImpl.java:reApplyAndExecuteCompliance:597] Updating policies: [encryptionPolicy, passwordPolicies, passwordRequirements] from cache with force report: false reportApps: false 11-26 10:16:46.096 6382 7741 I clouddpc: [PasswordRequirementsHandler.kt:apply:79] passwordPolicies is set, ignoring passwordRequirements 11-26 10:16:46.112 6382 7741 I clouddpc: [DefaultPasswordUtils.java:setPasswordRelatedPolicy:129] Applying password quality (server enum value): 65536 with scope: 0 11-26 10:16:46.113 6382 7741 I clouddpc: [PasswordPoliciesHandler.kt:applyResetPasswordToken$java_com_google_android_apps_work_clouddpc_base_policy_handlers_handlers:384] Reset password token already active 11-26 10:16:46.153 6382 7741 I clouddpc: [EventLogManagerImpl.kt:logMessage:2049] Event logged: PolicyReapplied details: [policyKeys=[encryptionPolicy, passwordPolicies, passwordRequirements]] metadata: [isNetworkConnected=true] And these are the logs without Require Entry activated: 11-26 10:17:14.229 2770 4719 I SDPLog : Reset password with token for user 0 11-26 10:17:14.517 1301 8837 I keystore2: system/security/keystore2/src/security_level.rs:829 - In import_key. 1000, Some("synthetic_password_89ec84ca283671b1") 11-26 10:17:14.517 1301 8837 I keystore2: system/security/keystore2/src/security_level.rs:832 - synthetic password changed : 1000 11-26 10:17:14.518 1301 8837 I keystore2: system/security/keystore2/src/database.rs:2158 - In store_new_key "synthetic_password_89ec84ca283671b1", uid=103, cert=false, cert_chain=false rebound=false 11-26 10:17:14.536 2770 4719 I SyntheticPasswordCrypto: Deleted SP protector key synthetic_password_293151ba28441a0d 11-26 10:17:14.935 2770 4719 I PasswordPolicy: isExternalStorageForFailedPasswordsWipeExcluded() : no admin enforce password policy. 11-26 10:17:14.953 6382 24694 I clouddpc: [PolicyUpdaterImpl.java:fromCache:214] From cache started [passwordPolicies, passwordRequirements, encryptionPolicy] forceComplianceReport: false 11-26 10:17:14.954 6382 24694 I clouddpc: [EventLogManagerImpl.kt:logMessage:2049] Event logged: RequestPolicyUpdateFromCache details: [policyKeys=[passwordPolicies, passwordRequirements, encryptionPolicy], forceComplianceReport=false] metadata: [isNetworkConnected=true] 11-26 10:17:14.954 6382 7741 I clouddpc: [EventLogManagerImpl.kt:logMessage:2049] Event logged: PolicyUpdateStarted details: [policyKeys=[encryptionPolicy, passwordPolicies, passwordRequirements], forceComplianceReport=false] metadata: [isNetworkConnected=true] 11-26 10:17:14.955 6382 7741 I clouddpc: [PolicyUpdaterImpl.java:reApplyAndExecuteCompliance:597] Updating policies: [encryptionPolicy, passwordPolicies, passwordRequirements] from cache with force report: false reportApps: false 11-26 10:17:14.958 6382 7741 I clouddpc: [PasswordRequirementsHandler.kt:apply:79] passwordPolicies is set, ignoring passwordRequirements 11-26 10:17:14.974 6382 7741 I clouddpc: [DefaultPasswordUtils.java:setPasswordRelatedPolicy:129] Applying password quality (server enum value): 65536 with scope: 0 11-26 10:17:14.975 6382 7741 I clouddpc: [PasswordPoliciesHandler.kt:applyResetPasswordToken$java_com_google_android_apps_work_clouddpc_base_policy_handlers_handlers:384] Reset password token already active 11-26 10:17:15.012 6382 7741 I clouddpc: [EventLogManagerImpl.kt:logMessage:2049] Event logged: PolicyReapplied details: [policyKeys=[encryptionPolicy, passwordPolicies, passwordRequirements]] metadata: [isNetworkConnected=true] I compared both results but were not able to detect any differences on the device. Thank you and best regards lennartsp
AMAPI prepareEnvironment() randomly throws SecurityException right after enrollment — persists until device reboot
Hello everyone, I am implementing a custom Device Policy Controller (DPC) (device owner mode) and integrating the Android Management API (AMAPI) locally on the device using: EnvironmentClient.prepareEnvironment() AccountSetupClient.startAccountSetup() Both calls happen directly after device enrollment, inside a flow that starts within minutes after provisioning. Most of the time, everything works perfectly. However, randomly, prepareEnvironment() fails immediately after enrollment with: java.lang.SecurityException: Permission denied to call Android Device Policy app. And once this error happens, all subsequent calls to AMAPI continue to fail with the same exception — until the device is rebooted. After reboot, AMAPI works normally again. Sometimes onboarding works the first time, sometimes not, with no changes in our code or provisioning steps. We consistently see repeated Google Play Services / Dynamite module errors whenever the failure occurs: Invalid module.yaml info for apk: split_GoogleCertificates_installtime.apk DynamiteModule: Failed to load remote module: Failed to get module context GoogleCertificates: Failed to get Google certificates from remote DynamiteModule: LoadingException: Remote load failed. No local fallback found. Followed by AMAPI denying our DPC: Permission denied to call Android Device Policy app. java.lang.SecurityException: Permission denied to call Android Device Policy app. This state persists indefinitely until the next device reboot. I test on my Samsung Galaxy Tab A8 (SM-X200) We rely on AMAPI to complete Managed Google Play provisioning right after enrollment, and this intermittent failure is blocking many devices until they are rebooted. Any insights, known issues, or best practices from Google engineers or EMM partners would be extremely helpful. Thank you!
Fido2 key and their issues using them on Android
First, do Android support using Fido2 keys on Android? Yes, it does support both using bluetooth, NFC and USB authentication. For reference: https://developers.google.com/identity/fido/android/native-apps But does it mean that it is straight forward to use it in a enterprise environment without hiccups? No, the support lacks many features that both Windows and iOS has supported for long time. If I buy a modern Fido2 with OTP support, will it work straight out of the box for using the USB? No, you need to disable the OTP support first. Here is how you can do that from yubikey manager, this works for Yubikey. Other vendors might have something similar. But for Fido2 keys without OTP support, it should work out of the box for USB-C, like Google titan. Why this happens, dont know. Can we use NFC for Entra ID authentication like we can on Windows and iOS? No. Android does not currently support CTAP2 for NFC, only for USB-C input. CTAP1 (FIDO U2F) supports certificate based authentication, but CTAP supports user verification with PIN and biometrics. Entra ID requires UV (user verification) before accepting login. As far as I know, there is also support for bluetooth. But I dont have any fido2 keys that support bluetooth yet. So why does this matter? With Android you can have shared devices with secure login for multiple users with a single log in for all supported apps, auto log off and many other possibilities. https://learn.microsoft.com/en-us/entra/identity-platform/msal-shared-devices Other sources/discussions: https://www.reddit.com/r/yubikey/comments/1oncuh2/whats_the_point_of_nfc_on_android/ https://www.reddit.com/r/yubikey/comments/13tlzoc/fido2_inconsistent_across_windowsandroid/ https://fidoalliance.org/specifications/
Set up a new Android Enterprise domain in Intune/EMM when an old-style Google Account is still connected
Hi, I have a situation similar to this older discussion - situation as follows: My EMM is MS Intune. Managed Goole Play Store was set up in April 2024 before the new method of creating Android Enterprise admin accounts on a managed Google domain - using a normal Gmail account This Gmail/Google account was forcibly deleted in the last month, presumably for inactivity, as the first linked discussion describes. Only the final termination email was ever sent to the recovery email, no other warnings were received. Recovery was not possible (it just said that no recovery methods were set up, even though there was a recovery email - hence the warnings...!) and now the account shows as nonexistent rather than potentially recoverable, although it's less than the quoted 30 days that recovery is available. I have seen (Community Manager) Lizzie's helpful posts and advice from a couple of years ago, including this article describing the potential for having support migrate the EMM bind from one account to another. However, I don't yet have another account to migrate to, since I would be moving from an old Gmail account to a new managed domain account - which I don't yet have, as I can't sign up as a 'new customer' to Android Enterprise within Intune, because the old bind still exists, and I haven't found anything to tell me how to sign up other than going through the EMM. I want to keep the old bind active so it doesn't break existing devices, even though I think that's what's stopping me signing up to Android Enterprise in the new way. Removing this existing orphaned bind will break everything, and Lizzie's info in other posts has suggested that the bind will stay mostly-working if left alone, whereas removing it will trigger retirement of all devices. MS/Intune support don't seem to be aware of the possibility of contacting Google support to migrate a bind, but even if they were, I don't yet know what to tell them (as I have no new destination account, of course). They just advise me that it will need a new account and re-enrolment of all devices, which I'm hoping to avoid. I know this is convoluted, but that's why I was hoping for help. Is there a way to get a new Android Enterprise admin account set up, using the new managed domain method, without breaking the existing bind - and then to migrate the bind across? Thanks Dev
Android 15 - Cannot set default password app
We use Microsoft Intune to manage devices. For the devices which have upgraded to Android 15, the end users can no longer select Microsoft Authenticator as their default application for auto filling passwords. I cannot find any settings in Intune to allow it. All devices are fully managed corporate owned devices. The devices are all Google Pixel 8 or 8a devices. Is this a bug in 15 or am I missing something?
