Android 15 - Cannot set default password app
We use Microsoft Intune to manage devices. For the devices which have upgraded to Android 15, the end users can no longer select Microsoft Authenticator as their default application for auto filling passwords. I cannot find any settings in Intune to allow it. All devices are fully managed corporate owned devices. The devices are all Google Pixel 8 or 8a devices. Is this a bug in 15 or am I missing something?
Benefits of an EMM
What are the benefits of using a device management tool? Device management tools have had many different terms of the years… Mobile Device Management (MDM), Enterprise Mobility Management (EMM), Unified Endpoint Management (UEM). Whatever you prefer, they are undoubtedly the cornerstone of any successful IT project that involves hardware assets. Boiling down the core functionality of these tools, they allow IT admins the ability to use a single tool to view all of the hardware assets within their organisation, distribute applications and apply configurations based on their needs. Let’s start with the basics: Why do you need an EMM? As you have probably been able to discern from the different terms for device management tools, there’s quite a few benefits that are offered by introducing an EMM to your organisation. We can boil them down into three key buckets: Asset enablement and management I love a good spreadsheet as much as the next person, but monitoring what devices are within your organisation and have access to your corporate data simply cannot be done by a static tool. EMMs provide you a great platform to see all the assets within your organisation, who is using them and if they are compliant with your organisation's security policies. IT helpdesks are overwhelmed with inbound tickets and an EMM’s asset management capabilities can really help streamline this process. An EMM, integrated into your LDAP, can help shave minutes off every inbound request. Let’s run through a quick scenario that you may have faced: An end user can’t connect their phone to the WiFi in the office, they’ve followed your guidance and dropped an email into your IT team's support distribution list saying “I’ve come into the office and my phone can’t connect to the WiFi, it worked yesterday!”. Normally the first response will be to ask the user for details about their impacted device such as the device’s serial number, phone number and version of OS. But by simply copying their LDAP and pasting it into your EMM, you’re able to view all of the devices assigned to that user, as well as all of the details you’d usually have to ask for. Your EMM will likely present you with the initial steps to resolve the issue too. In this instance the user’s device is no longer compliant with the security policies, allowing you to respond with actionable information for your end user; update your device! Securing corporate assets and data Let’s start with the big one, is the Android platform secure? Our answer is, absolutely! The 2024 security paper should be able to answer any question you have if this is something you’d like to explore further. Now we’ve established the platform is secure, let’s get into why you need an EMM to secure your assets and data. Android Enterprise is designed to be flexible enough to meet your organisations security needs and EMM’s are the key to unlocking that functionality. In some instances simply enrolling devices into an EMM is enough thanks to Android Work Profile. But we can’t forget those working in regulated industries where data retention and handling is critical. My rule of thumb is, how can we keep devices secure without providing too much friction for end users? EMMs give you all the ingredients you need as an IT decision maker to create policies that meet your organisations requirements while also being considerate to end users. It goes without saying that all organisations should have a password policy applied, and for a lot of folks this may be sufficient. But depending on the type of work your users do there may be a requirement to add additional controls, such as preventing cross profile data sharing in Work Profile. As you go deeper into the realms of keeping your corporate data secure, data loss prevention becomes a real concern and you may need to further understand exactly what is happening on your devices. AI is a real inflection point for IT admins and a great point of reference for this topic. While AI is bringing game changing tools to users, the rapid rate of development and rollout is putting strain on security teams trying to evaluate the functionality to understand what data is being processed on device or in the cloud. Android Enterprise has already rolled out controls for IT admins to control what device features are available in Work Profile or on managed devices, but there are certain OEM native features, such as keyboards, where a global control may not be an option. This is where Android Enterprise’s flexibility really shines, allowing you to use various EMM controls to limit functionality through app configurations or, in this example, setting a different default keyboard. Keep an eye out for future discussions about how to determine if an AI process is being handled on device or in the cloud. Unlock hidden savings Downtime caused by device issues directly impacts workforce productivity. When a user's device fails, productivity grinds to a halt. Not only because they can’t perform their work, but they also need to wait for IT to resolve the issue. By enrolling your devices into an EMM you can transform existing IT support processes and enable the team to resolve more issues remotely. EMMs provide automation capabilities that create reports and alerts. This automation can proactively inform end-users if their devices are about to become non-compliant with corporate policies, reducing access issues and the subsequent support tickets. Beyond these automated alerts, EMM reporting tools also provide valuable insights for strategic decision-making. For example, reports from your EMM can be used to help you to make informed decisions about device refreshes, by reviewing historical data within your EMM you can reliably view the battery health of your devices and the average remaining storage on your devices. Upon reviewing the data you could see that perhaps you can get another year out of the existing hardware or if the amount of device storage needs increasing when it comes to selecting new devices. Now let’s focus on the process transformation enabled by these tools. By deeply integrating an EMM into your support flow you can drastically reduce the time to resolution of most device related issues. I’ve frequently seen IT teams that haven’t done this require end users to “swing by their desk” with an issue, while this comes with the best intentions it is extremely disruptive to end user productivity. Let’s imagine a user has an issue with one of their applications, if the user was in person it is likely that a member of IT staff will try all the basics such as deleting device cache, reinstalling the application and eventually updating the devices firmware. In contrast, with devices enrolled in an EMM, the IT team can quickly identify the user via LDAP within the EMM console. The console will provide immediate insights into the device's compliance status, potentially revealing that the user’s device is non-compliant with security policies and providing a clear path to resolution. Why do your users need you to have an EMM? As an IT admin the goal when rolling out technology to an organisation should be to remove friction and empower our users, an EMM is a fantastic tool to enable this. Seamless access The utility of an EMM starts from the moment a user enrolls their device. If you’ve connected your EMM to your identity provider, the user can use the same login credentials they use on their other devices, coupling this with an SSO provider will allow them to seamlessly sign in to their applications. Immediately online “What's the WiFi password?” While we can’t solve this for you at home, an EMM at least prevents this question from being asked in the workplace. Creating a WiFi policy allows you to push down your WiFi credentials to all devices enrolled into your EMM. Quite a few organisations rely on VPN connectivity for their users to connect to corporate networks, this is also no problem for an EMM. Application distribution Smartphones have a vast amount of functionality out of the box, but I’m yet to come across a phone that ships with every app you need! While there is an element of enjoyment to scrolling through the Play Store and finding the apps you need, it can be very cumbersome when you have to do more than a handful. By using an EMM integrated managed Google Play you can approve applications for use within your organisation, creating a curated list of apps that your users can download. Additionally, you can also decide which applications are pushed to your users. Meaning those apps will automatically install on your users device once they have completed enrollment into your EMM. I would generally recommend limiting this to applications that are critical to your end users, such as email and calendar, but you can always change this based on feedback from your users. How do you choose an EMM? We’ve covered just a handful of the benefits of an EMM here, but there is so much more! This space has been evolving at a rapid pace ever since its inception, every day EMM’s receive dozens of feature requests and each has their own interpretation of how best to present information to IT admins. Go in with a plan Before you engage an EMM for evaluation, build out a plan for what you are trying to achieve with your devices. This will not only help you get a better grasp of the discussion but also ensure you have a clear success criteria for your proof of concept. To help you with your plan, here’s a few questions you’re likely to be asked: How many devices are you looking to enroll? Are you buying the devices for your users (corporately owned) or will they use their own devices (BYOD)? What do your users do with their devices? What apps do your users need? Who is your identity provider? What security policies do you need to comply with? When do you plan on starting this project? How to find an EMM You can’t go wrong with one of our Android Enterprise Recommended EMM partners! Thanks for reading! Are there any other key features that you utilise within your EMM that we haven’t covered here? Let us know!
[EMM] My Android EMM Registered account is forced to re-register Android Enterprise.
Hello all, I have my business account registered with Android EMM Registration for about 5 years. About a month ago, there was a problem with API connection with an error message 'UNAUTHENTICATED' reason 'CREDENTIALS_MISSING' which impact on device enrollment and app push service. I have no luck finding ways to fix it and I cannot open any support case with my free account. I decided to reconfigure Android EMM Registration with the same account. Google directed me to newly register enterprise account ended up with same account but different 'Client ID' and 'Google Service Account Email Address'. All my apps in private store and previous managed app are missing. Is there any way to bind my email account back to Google Client ID? so I don't have to separate manage apps and devices on my EMM system. Note When I login to Play Work, I still can see my previous 'Client ID' profile. However, on EMM system, it shows my new client profile. Regards, BKP
(COPE) Hide app in work profile
Hello, I have a small case I'd like to submit to the community for help please. A customer use Mobile Iron, and use Zero Touch to enroll our Android 14 products. In their DPC extras, they enabled the system apps and need to keep that way: "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true, "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{ "workProfileEnabled": true, "quickStart":"true" } Now after the device is enrolled, the Work profile is filled with bunch of apps including unwanted ones like Netflix, Adobe, YT kids, ... From Mobile Iron, they want to hide/disable some apps, using "setApplicationHidden" but it doesn't work. At OEM side, we tested this API with the Test DPC and it works properly. My thinking was that as we are in COPE, and the apps that the customer wants to remove are from the Personal space, then this is not working as the MDM cannot interact with Personal space content. Does this make sense? Are there a way to hide the unwanted apps from the Work profile, despite having "leave all system apps" enabled from the ZT DPC extras? Anyone has any suggestions please? Thanks!
Google Advertising- ID ( AD-ID)
Hi i´m looking for an option to disable/clear the Advertising-ID (AD-ID) on a fully managed Device, i found the KB https://support.google.com/googleplay/android-developer/answer/6048248?hl=en Is there any option to remove or clear the AD-ID from EMM/MDM side without a User action? and is there any more detail information how AD-ID is working on an managed Device? Appreciate your feedback BjoernIntune not adding PROVISIONING EXTRAS - Zero-Touch
Hi, Have an issue when linking Intune to Zero-touch. When connecting the 2, it does not add any "PROVISIONING EXTRAS" I can create it manualy, with the EMM DPC and DPC extras. When i asign it manualy it work, but when it's set to "Enterprise Default Profile" it will look at the DPC extras from intune (That is Empty) and then just ask for QR or code to the Profile. The Intune profile that is selected as default is a "Corporat-owned, fully managed user device" profile in ZT Have been in contact with Microsoft regarding this for 3 months, and they cannot help me, they only thing they can say is "The profile maybe Corrupt" and we need to create a new one. We have 250 devices added to ZT by this point Have tried unlinking, and linking after waiting 24 hours, and so on. But nothing have worked. I was hoping that someone in here can help me with this 🙃
Fido2 key and their issues using them on Android
First, do Android support using Fido2 keys on Android? Yes, it does support both using bluetooth, NFC and USB authentication. For reference: https://developers.google.com/identity/fido/android/native-apps But does it mean that it is straight forward to use it in a enterprise environment without hiccups? No, the support lacks many features that both Windows and iOS has supported for long time. If I buy a modern Fido2 with OTP support, will it work straight out of the box for using the USB? No, you need to disable the OTP support first. Here is how you can do that from yubikey manager, this works for Yubikey. Other vendors might have something similar. But for Fido2 keys without OTP support, it should work out of the box for USB-C, like Google titan. Why this happens, dont know. Can we use NFC for Entra ID authentication like we can on Windows and iOS? No. Android does not currently support CTAP2 for NFC, only for USB-C input. CTAP1 (FIDO U2F) supports certificate based authentication, but CTAP supports user verification with PIN and biometrics. Entra ID requires UV (user verification) before accepting login. As far as I know, there is also support for bluetooth. But I dont have any fido2 keys that support bluetooth yet. So why does this matter? With Android you can have shared devices with secure login for multiple users with a single log in for all supported apps, auto log off and many other possibilities. https://learn.microsoft.com/en-us/entra/identity-platform/msal-shared-devices Other sources/discussions: https://www.reddit.com/r/yubikey/comments/1oncuh2/whats_the_point_of_nfc_on_android/ https://www.reddit.com/r/yubikey/comments/13tlzoc/fido2_inconsistent_across_windowsandroid/ https://fidoalliance.org/specifications/
Need understand some point of this feature - 3.6. Managed configuration management
I have implemented this following feature - 3.6. Managed configuration management. Everything understand but got stuck in point - 3.6.3. The EMM's console must allow IT admins to set wildcards (such as $username$ or %emailAddress%) so that a single configuration for an app such as Gmail can be applied to multiple users. Not understand how to implement this wildcards in one policy for different devices and also let me know for gmail it is supported or not? Thanks in advance.
