Possible to deploy API commands via Provisioning Profiles in MDM?
Hello, We use WorkspaceONE UEM as our MDM. We sometimes use provisioning profiles to deploy commands to devices run-intents, but I'm not an expert on this subject by any means. I am curious if it is possible to use our MDM to deploy an API command to disable Factory Reset Protection. The command information is here: https://developer.android.com/reference/android/app/admin/FactoryResetProtectionPolicy I realize what a specific question this is. If I can provide more information, please let me know. Thanks in advance!
Organization Has Reached Its Usage Limits" Error with 0 Devices - Troubleshooting Guide
I'm developing a custom MDM solution using Google Android Management API. Successfully created enterprise enterprises/LC02x32bm6 with work email domain, but getting: "Can't set up device. Your organization has reached its usage limits." Key Details: Enterprise created successfully via API Enrollment token generated successfully 0 devices currently enrolled Cloud Console shows 0% API quota usage Billing account linked to project GET /api/enterprise/callback → Returns enterpriseName POST /api/enterprise/enrollment-token → Returns enrollment token Device enrollment → ❌ "Usage limits" error Has anyone encountered this "usage limits" error with 0 devices? Android Management API usage is 0%. Any insights appreciated! Happy to share code snippets or API responses if helpful.
Issue with Android Enterprise provisioning: afw#identifier invalid and Play Protect blocking app during QR enrollment
We are an organization using a third-party MDM / Device Policy Controller (DPC) solution to manage our Android Enterprise devices. The DPC application is published on Google Play and has been working for managed provisioning. Recently, we started facing issues during Android Enterprise enrollment, and we are seeking guidance on the correct and supported setup. Issues observed 1. afw#identifier enrollment When attempting enrollment using afw#<identifier>, the setup fails with errors such as invalid token, wrong setup, or unable to continue enrollment. This previously worked and now fails consistently, even though the DPC remains published on Google Play. 2. QR code–based provisioning When using QR code provisioning, the device completes initial setup but then Google Play Protect shows “App blocked by Play Protect” for the DPC. The DPC app is Play-approved and not sideloaded by end users. We have already submitted a Play Protect appeal through the official appeal form. 3. Distribution method For QR provisioning, the DPC APK is currently hosted on our own HTTPS server, and the QR includes: Device Admin component SHA-256 signature checksum Secure download location Despite this, Play Protect flags the app after provisioning. Clarifications we are seeking Are there recent changes or requirements for afw#identifier enrollment that could cause invalid token or setup errors? Does Play Protect apply additional checks during QR-based provisioning, even for Play-approved DPC apps? Is using a self-hosted APK download location still supported for Device Owner provisioning, or is Managed Google Play / Zero-Touch enrollment now required? Is there a supported way to allowlist or whitelist a legitimate enterprise DPC app so it is not blocked during provisioning? Are there recommended best practices for third-party MDM providers or enterprise customers to avoid Play Protect blocks during enrollment? We are not attempting to bypass Play Protect or supported security mechanisms. We want to ensure our Android Enterprise setup follows current Google-recommended practices and understand the correct approach going forward. Any guidance or clarification from the community or product experts would be appreciated.
ZTE Enrollment Profiles Issue
Greetings everyone! New day, new challenge. I’ve received a number of Zebra tablets. We already use ZTE, which works fine, but as you know it assigns devices to a single profile based on the serial number. The issue is: These tablets (same model) will be used for many different purposes, and I don’t think it’s efficient to take each device out of the box, read the serial number, and manually assign it to a different ZTE profile. I could easily end up managing 200 different profiles. So my question is: Is there a way to let the device choose which group or category it should belong to during enrollment? For example, during setup the device could ask the user which category it belongs to and based on that selection it would automatically join the correct group and receive the appropriate configuration. Is this possible? Or am I dreaming? 😄 Has anyone faced this issue and found a good solution? Thanks in advance!
Intune Migrate Managed Google Play Account to Managed Google Domain
Hi there, I’m looking for clarification on Microsoft's recent update about upgrading tenants from a Managed Google Play account to a Managed Google Domain account in Intune. Intune Android Enterprise Update We have 130+ Android Enterprise devices enrolled in Intune with an old Gmail account we dont have direct access to. Our Intune connection was originally set up using this account back in 2023. Now we have the option to "Upgrade" our account but we need to understand the risks before we proceed. Microsoft says that we can continue managing devices under the new Entra‑linked Managed Google Domain account without deprecating the old method, and without device impact. Is the migration fully in‑place and non-disruptive? Meaning: No need to retire devices No re-enrollment No break in Managed Google Play sync No loss of approved apps or assignments Is this migration guaranteed to perform an in-place transition of the administrative account without: Breaking the existing Android Enterprise binding Generating a new enterprise ID Requiring any user/device actions Interrupting app delivery or policy deployment? Any advice from someone who has already completed the upgrade would be great! Thank you in advance for any clarification.Option for MDM to place app shortcuts on home screen
We have a great wish to place shortcuts for specific apps on the home screen when the app is installed (or at a later point), but this doesn't seem to be possible. When we discuss this with our MDM provider (SOTI), we are told, it is a Google/Android limitation, and this seems a bit strange to me; is it really not possible to place shortcuts on the home screen to your own liking? I hope this resonates with others - or even better; that I can be corrected, and there is a smart and easy way to achieve this goal. We run all our Android devices as fully managed, if that is relevant.
Android Expert Forum & Feature Request
Hey As I saw that bunch of question have been left unanswered on the expert forum is no one at Google monitoring the feed? I just wanted to post it here as the conversations seem to get more traction here. Is there official thread where feature request could be sent, I have been supporting mobile device management over way over a decade and in that time I have seen all sorts of things and there would be some features that would help greatly in managing enterprise environments with Android. Couple examples: It would be great if there would be a way to deploy some contact numbers to the devices on device address book, such service desk or onsite support number. This is especially needed for dedicated devices which usually do not have any email accounts associated with them and getting common contacts deployed to all devices is quite labor intensive with the current tools. Another one is the OS update management, which is lacking quite a bit, especially as I need to do a comparison to Apple and how their new OS update delivery works, it just makes the Android one lack in features. I would really want to see that on enteprise owned device we would have an override for downloading the OS updates via mobile data, as this is huge pain point when wi-fi networks are not available on some sites, and if the end users are not the most technically savvy, it would allow us admins to at least keep the fleet to some what up to date, obviously there still would probably be some issues, but the current status of the OS update policies is lacking. Also not sure should the update installation recognize on going phones calls when it is set to do the updates in automatic mode? As initially when we tried to apply it we got bunch of notifications that the updates where triggered during a phone call. /rant Thanks,