Fido2 key and their issues using them on Android
First, do Android support using Fido2 keys on Android? Yes, it does support both using bluetooth, NFC and USB authentication. For reference: https://developers.google.com/identity/fido/android/native-apps But does it mean that it is straight forward to use it in a enterprise environment without hiccups? No, the support lacks many features that both Windows and iOS has supported for long time. If I buy a modern Fido2 with OTP support, will it work straight out of the box for using the USB? No, you need to disable the OTP support first. Here is how you can do that from yubikey manager, this works for Yubikey. Other vendors might have something similar. But for Fido2 keys without OTP support, it should work out of the box for USB-C, like Google titan. Why this happens, dont know. Can we use NFC for Entra ID authentication like we can on Windows and iOS? No. Android does not currently support CTAP2 for NFC, only for USB-C input. CTAP1 (FIDO U2F) supports certificate based authentication, but CTAP supports user verification with PIN and biometrics. Entra ID requires UV (user verification) before accepting login. As far as I know, there is also support for bluetooth. But I dont have any fido2 keys that support bluetooth yet. So why does this matter? With Android you can have shared devices with secure login for multiple users with a single log in for all supported apps, auto log off and many other possibilities. https://learn.microsoft.com/en-us/entra/identity-platform/msal-shared-devices Other sources/discussions: https://www.reddit.com/r/yubikey/comments/1oncuh2/whats_the_point_of_nfc_on_android/ https://www.reddit.com/r/yubikey/comments/13tlzoc/fido2_inconsistent_across_windowsandroid/ https://fidoalliance.org/specifications/
Android Enterprise Partner Application/Quota Status
Hi, We own and manage an asset management solution used by various clients. Recently (in the last 12 months) we have implemented an MDM/EMM type of solution that uses the Android Management API to enrol/register devices and assist clients with their asset management processes and managing risk through the Android Management API. Now, from an Android Management API perspective, we understand the permissible usage policies and believe we do comply with the requirement. When we originally started the endeavour, the quota on how many device can be registered was a default of 500 devices. We recently noted when some clients try to enrol/register devices, that during the set up process on their devices, that it states that they have reached the usage capacity limits. When we checked the project(s) associated with the clients, most have between 200 - 380 devices enrolled/registered which is below the 500 device qouta. More recently, we noted that the Android Management API permissible usage policies were changed/updated on 29 October 2025 from a default of 500 devices to having to request an initial quota of 500. This means that that enterprises or projects we have recently set up would fail. We submit a request for a quota increase on earlier projects and a request for an initial quota on a new project. This was more than a week, or 7 working days, ago. We also submit an application to become and Android Enterprise Partner on the 12th of November 2025 which we received a response with additional questions about two days later which we responded to promptly. The challenge here is managing client expectations and frustrations in not being able to enroll/register and additional devices, with one client looking to enrol/register over 5000 devices and another prospective client having over 15000 devices. Is there any way we can see the progress on the quota increase/initial quota requests and progress of the partner application or whether there is any other questions or concerns we can remediate to move forward? Its been a challenging week trying to manage our frustrated clients and really want to use the Android Management API and Android Enterprise much more in the future but the limitations are prohibiting us from doing so. Any assistance or perhaps someone we can contact would be appreciated.My application was rejected
Hello, good afternoon everyone. I'm writing to this forum to ask for help. A few weeks ago, I applied for the EMM and Enterprise Android Partner program. My application was rejected without any explanation in the emails. I'd like to know the requirements to join the program. We are a development company based in Guatemala and the United States (and soon in Mexico and Colombia), as we currently have a client requesting an MDM system for their Android device retail store. This is our first time applying to this program so we can offer our services to this client and any future clients who might be interested. If you could send me the program requirements so I can apply correctly, I would be very grateful. Have a good afternoon. Greetings from Guatemala.
Custom DPC app being blocked by google play services
Hi We have a custom MDM app which was built to enroll android devices with Device Owner. We have a backend which serves the configuration requires to install/block apps and settings. We are not using Android official management APIs, A few days ago we received a google play protect update on some of our devices and now whenever we try to enroll the devices using QR code enrollment it gets blocked by google play protect. Please help us understand what is required to bypass this so that we can continue to use our custom MDM app. thanks!
How to view and remove enrolled devices, and how quotas are applied
We are developing a solution using Android Management. While enrolling a fully managed device, provisioning now fails with: - "Can't set up device" - "Since your organization reached its usage limits, this device can't be set up." This did not occur until yesterday. We are trying to determine whether this quota limit is enforced by the Android Management API (EMM side) or by Google Workspace when connecting to a third‑party EMM. If the limit is on the EMM side, is the quota granted per project? We have two Google Cloud projects using the Android Management API; the issue is only affecting the newer project. Questions: 1) Where can we monitor quota usage for Android Management? 2) If we have reached a quota, is there a way to remove previously enrolled test devices, and would that resolve the issue? 3) Where can we find detailed information about quotas and currently enrolled devices?
Why openNetworkConfiguration not working in enrolled device?
I have enrolled a device and want to use managed wifi on that device. I have used following configuration- "openNetworkConfiguration": { "Type": "UnencryptedConfiguration", "NetworkConfigurations": [ { "GUID": "inovex_wifi", "Name": "INovex-Dev", "Type": "WiFi", "WiFi": { "SSID": "INovex-Dev", "Security": "WPA-EAP", "EAP": { "Outer": "EAP-TLS", "Identity": "faruk", "DomainSuffixMatch": ["dms.mobi-manager.com"], "ServerCARefs": ["ca_inovex"], "ClientCertType": "Ref", "ClientCertRef": "client_inovex" } } } ], "Certificates": [ { "GUID": "ca_inovex", "Type": "Server", "X509": "ca_base64" }, { "GUID": "client_inovex", "Type": "Client", "PKCS12": "client_base64" } ] } My expection is This network automatically save in wifi list As I set client and server certificate the device should connect automatically For information I have used freeradius server for authentication.Need understand some point of this feature - 3.6. Managed configuration management
I have implemented this following feature - 3.6. Managed configuration management. Everything understand but got stuck in point - 3.6.3. The EMM's console must allow IT admins to set wildcards (such as $username$ or %emailAddress%) so that a single configuration for an app such as Gmail can be applied to multiple users. Not understand how to implement this wildcards in one policy for different devices and also let me know for gmail it is supported or not? Thanks in advance.Common identifier between AMAPI & Require for setup app for validation
We are enrolling devices using AMAPI by generating a QR code with an assigned policy either for work profile or fully managed enrollment. During enrollment, the device prompts for a require for setup app, which, after configuration, returns RESULT_OK, marking the setup as complete and finalizing the device enrollment. Before returning RESULT_OK, To identify the enrolling device, the backend gets the device ID and enterprise ID from the Pub/Sub provisioning notification. The device ID (which matches the GSF ID) is then sent by the require for setup app to the backend for validation. This identifier is also used to enforce enrollment limits based on the enterprise license count. The Issue: Up to Android 14, retrieving the GSF ID was possible. However, in Android 15, it now returns null. Question: Is there an alternative identifier that can be used to identify the enrolling device—one that the backend can retrieve and that the setup app can also access during enrollment? Below is the information we receive from Pub/Sub when a device is enrolled: { "name": [*Hidden for privacy reasons] "managementMode": "PROFILE_OWNER", "state": "PROVISIONING", "enrollmentTime": "2025-04-04T06:17:02.751Z", "lastPolicySyncTime": "2025-04-04T06:17:02.817Z", "softwareInfo": { "androidVersion": "15", "androidDevicePolicyVersionCode": 10323580, "androidDevicePolicyVersionName": "128.32.3 (10323580)", "androidBuildNumber": "AP3A.240905.015.A2", "deviceKernelVersion": "5.15.149-android13-8-00010-gc2e0ba41ba85-ab12040008", "bootloaderVersion": "unknown", "androidBuildTime": "2025-03-11T13:26:50Z", "securityPatchLevel": "2025-03-01", "primaryLanguageCode": "en-IN", "deviceBuildSignature": "c9009d01ebf9f5d0302bc71b2fe9aa9a47a432bba17308a3111b75d7b2143456", "systemUpdateInfo": { "updateStatus": "UP_TO_DATE" } }, "hardwareInfo": { "brand": "Redmi", "hardware": "mt6835", "deviceBasebandVersion": "MOLY.NR17.R1.TC8.PR2.SP.V1.P51,MOLY.NR17.R1.TC8.PR2.SP.V1.P51", "manufacturer": "Xiaomi", "serialNumber": [*Hidden for privacy reasons] "model": "23124RN87I", "enterpriseSpecificId": [*Hidden for privacy reasons] }, "policyName": [*Hidden for privacy reasons] "memoryInfo": { "totalRam": "5865836544", "totalInternalStorage": "806965248" }, "userName": [*Hidden for privacy reasons] "enrollmentTokenName": [*Hidden for privacy reasons] "securityPosture": { }, "ownership": "PERSONALLY_OWNED" } *Updated by Community admin - removed due to privacy reasons 4 April
GSF ID not generated after device enrollment on Android 15
Hi everyone, We’re facing an issue with devices running Android 15 — after successfully enrolling them in our Android Enterprise setup (Device Owner / Fully Managed mode), the Google Services Framework (GSF) ID is not being generated. This issue did not occur on Android 13 or 14; the GSF ID was available immediately after enrollment. However, on Android 15, the GSF ID remains empty even after waiting and rebooting. We’ve already tried: Factory reset and re-enrollment Checking Google Play Services version Ensuring the device is connected to the internet Waiting for Play Store sync Despite that, the GSF ID is still missing. Could anyone confirm if there’s a known change in Android 15 related to GSF ID generation, or if additional permissions/configuration are required for enterprise-enrolled devices to obtain it? Any guidance or workaround would be greatly appreciated.Zero Touch Enrollment Network Specifications
Hello! I'm looking for information regarding the network specifications for the Zero Touch Enrollment as well as any phone-home network requests. Are there any logs we can pull from ZTE or the Android device during enrollment? The reason I'm asking: We have thousands of devices that have been enrolled in SOTI MobiControl over the last few years, and about 1000 of these were enrolled via ZTE. We've had no issues with this until early March. I can't find a rhyme or reason for this, but certain devices that were successfully enrolled, configured by an MDM, QC'd, boxed up, shipped to the end user, and then powered on will get the message below before the eSIM is activated. These are Honeywell CT47 devices with dual SIM cards (1 physical Nano SIM and 1 eSIM). The device above was added to ZTE using the IMEI number over a month ago and was successfully enrolled, but when powered on later and connected to Wi-Fi, it reset itself before the eSIM could be activated. This issue is only happening to devices that are factory reset while on-site and connected to the Wi-Fi only. My best guess is that the Wi-Fi network is blocking something during the enrollment process, as this reset issue is not happening on devices that have been enrolled and working for months. Thanks for your time!
