Microsoft Intune (140 topics)

[Day 2] Mission Intune: When Migration Becomes a Mission (Almost) Impossible
Good Morning Everyone

Deep within the digital infrastructure, a high-stakes mission is being prepped. Five mobility experts have been deployed to solve a massive puzzle: migrating tens of thousands of smartphones to Microsoft Intune.

The Goal: Ensure a fluid, secure, and uninterrupted transition for thousands of users.

The Battlefront: A complex landscape filled with legacy policies, mixed configurations, and strict deadlines. It's a race against the clock where one wrong move could start a domino effect. From scripts to security protocols, nothing is left to chance. Failure is not an option.

Following Broadcom's acquisition of VMware in 2023, the Workspace ONE product is now owned by Omnissa. Broadcom's commercial strategy, which has influenced its spin-off companies, had become highly aggressive toward all customers. Consequently, we have decided to migrate the management of our Android and iOS tertiary fleet to Microsoft Intune.

While we are familiar with Intune, several limitations should be noted:

- Reporting: Intune offers basic reporting through Microsoft Endpoint Manager and Power BI integration, but lacks the advanced, customizable dashboards available in Workspace ONE.
- Deployment Performance: Application and configuration deployments can be slow, with status updates often delayed due to Intune's reliance on periodic device check-ins rather than real-time communication.
- iOS Management: Intune provides full functionality only for devices enrolled via Apple Business Manager (ABM). Non-ABM devices have restricted supervision capabilities, limiting advanced configuration and app deployment.
- Error Handling: Intune does not display granular error codes in its console. Troubleshooting often requires log collection from the device or use of Microsoft Support tools, increasing diagnostic complexity.
- Conditional Access & Compliance: Intune integrates tightly with Azure AD for conditional access policies, which is a strength, but requires additional configuration and licensing for advanced scenarios.
- App Protection Policies: Strong for Microsoft 365 apps, but less flexible for third-party apps compared to Workspace ONE.

Migration Strategy Overview

The project aims to migrate the entire mobile fleet, a few tens of thousands of Android and some iOS devices, between September 2023 and December 2024. Cybersecurity requirements mandate a shift from COBO (with personal Google accounts allowed) to COPE, reinforcing corporate control and reducing exposure to security risks.

Key Challenges

- Technical Constraints: Devices incompatible with Android 13 require hardware replacement. For most employees, migration involves a full device reset and Intune re-enrollment, a complex, time-consuming process.
- Security Limitations: Backup tools cannot be authorized, increasing the risk of data loss and user errors. A recurring issue is failure to remove Microsoft Authenticator configurations, creating significant support overhead.
- Performance Impact: The Samsung Galaxy A32, previously adequate under COBO, performs poorly under COPE, affecting user experience.

Status and Strategic Decision

By June 2024, progress is far below target. To mitigate operational disruption and support overload, the strategy shifts: forced migrations are discontinued. Migration now occurs only during:

- Hardware replacement (obsolescence, failure, or breakage)
- Voluntary device reset

This approach prioritizes stability and resource optimization while maintaining compliance with security standards.

We've been with Intune for almost two years, we make do with it and we are hardly surprised anymore when something doesn't work. If you have any questions, don't hesitate to reach out via the comments below.

Kris

Master ownership of Android devices
Factory Reset Protection / persistence is a powerful tool but it does not yet feel complete, and it is quite frustrating and potentially dangerous in its current state. It is not always apparent whether any given device is persistently linked using ZeroTouch, Intune or even Google Account FRP. While these tools are available to some, they are not a financially viable option for everyone, especially for consumers. There may be documentation describing the intimate intricacies of how all of these tools work and when/where they leave signs of their presence, but I cannot find it. I have not found a PSA from Google for consumers saying "if you buy a second hand phone, check x, y and z to make sure it is not locked, otherwise someone can potentially remotely brick it."

As a small company we have various scenarios where we provide phones to employees and also distribute loan/event devices for other small-medium companies, and don't necessarily have the ability to invest in enterprise-grade tools like ZT, Intune or Android Enterprise. If you think about it, on Windows all you need is to set the BIOS password and the Admin password, and User Account Control takes care of the rest. Now take the Android example: you add a Google account and think it's safe with the user not knowing the password, but there is nothing to stop the user from adding their own personal Google account, removing yours (no password required), setting their own PIN, and turning a $1000 phone into a paperweight. If they can unlock the phone, they are the master owner. There did use to be a feature for Multi-User on Android but I haven't seen it in a long time, and I think there were performance issues with it as they all had to be loaded at once.

While I may be lacking understanding and knowledge and making some assumptions, should a consumer really need to know exactly how Android Enterprise works in depth just to buy a second hand/"refurbished" phone?
And I dare anyone to get into a device after it's been factory reset while attached to a personal Google account with a PIN set without hacking tools. I know there have been exploits with TalkBack in the past but it's been patched now, and again these are not lengths to which consumers should need to go. If I knew someone's pattern (most common security type and very hard to hide effectively), and had their phone for 2 minutes, I could turn it into a paperweight simply by adding a disposable Google account, removing theirs, and setting a PIN. How are we supposed to protect against that as a small business?

Google Deleted Account that Links Managed Play Store
Hello all,

We're facing an issue with our Intune/Managed Google Play connector. Google has deleted the account set up specifically to connect to our Managed Google Play instance in Intune. This has been an active link, with the last new device registered about 2 weeks ago and apps on devices being updated since then. We are currently unable to enroll new devices or add new apps. We are also unable to attempt to recover the account and have not been able to find a way to contact Google directly about the account issue.

Barring being able to recover the account, are there ways for us to lessen the impact of creating a new account for the linkage? Or are we going to have to have all our Android BYOD users re-enroll their devices?

Issue with Copy/Paste Restriction in Intune MDM on Android Devices (Clipboard Editor Interaction)
Hi all,

I'm currently experiencing an issue while setting up Intune MDM on Android devices related to restricting copy and paste to unmanaged apps. Specifically, the issue occurs when users copy text from the Teams app and try to paste within the Teams app. Here's what happens:

- After copying text, a message "Your organisation's data cannot be pasted here" immediately appears in the clipboard HUD. The copied data seems blocked from being viewed, as the error message appears even before a paste attempt.
- Despite this, users can manually paste the copied content by long-pressing or selecting "Paste" from the text box.
- However, when trying to use the "paste from clipboard" feature, the warning message above is pasted instead of the copied content.

We've set the Intune policy to allow copy/paste within managed apps, but the clipboard interaction seems to be problematic, especially with Gboard. It appears that Gboard, possibly due to Android 13 and 14's Clipboard Editor, is treated as an unmanaged app, causing Intune's data protection policies to block its access to the clipboard in a read-only state.

Just to clarify: I want users to be able to copy and paste text within managed apps only. So the allowed behavior of pasting with long press is fine, but I want to get rid of the block that we're getting.

Here's what we've tried:

- Added various exclusions to the Intune policy, including Gboard, Clipboard Editor, and other related apps (full list below), but the issue persists.
- Testing different configurations hasn't led to a final solution, and there seems to be limited documentation specifically addressing this clipboard component in relation to Intune's data policies.

We've escalated the issue internally but wanted to see if anyone in the community has encountered a similar problem or found a solution.
Here's the list of exclusions we've already added to the policy:

- Clipboard: com.android.clipboard
- SMS: com.google.android.apps.messaging
- SMS: com.android.mms
- SMS: com.samsung.android.messaging
- Native phone app: com.android.phone
- Google Play Store: com.android.vending
- Android system settings: com.android.providers.settings
- Android system settings: com.android.settings
- Google Maps: com.google.android.apps.maps
- Gboard: com.google.android.inputmethod.english
- Samsung: com.sec.android.inputmethod
- Gboard: com.google.android.inputmethod.latin
- Gboard: com.google.android.apps.inputmethod.hindi
- Gboard: com.google.android.inputmethod.pinyin
- Gboard: com.google.android.inputmethod.japanese
- Gboard: com.google.android.inputmethod.korean
- Gboard: com.google.android.apps.handwriting.ime
- Gboard: com.google.android.googlequicksearchbox
- Gboard: com.samsung.android.svoiceime
- Gboard: com.samsung.android.honeyboard
- Gboard: com.android.inputmethod.latin
- Teams app: com.microsoft.teams

Any insights or suggestions would be greatly appreciated! This is my first time posting so apologies if this is the wrong space.

Android Enterprise work profile does not support wearOS yet
Hi,

We recently moved to Android Enterprise with work profile (using Intune) for all of our Android users. And we just found out that Android Enterprise with work profile does not support wearOS yet, so our users cannot add their corporate email account (O365) to the Outlook app on their Samsung watch or Pixel watch. We tried to contact Microsoft about this and Microsoft said that this is not up to Microsoft but it is up to Google Android whether they would like to support wearOS for work profile.

Can Google confirm if they would like to provide some support for work profile in the future for wearOS as well? I know that any development of new features in the Android system is fully confidential, but it would be good for Android end users to know if Google has a plan to support this in the future or not.

Can't add app to managed Google Play app collection (under MS Intune)
I'm trying to add a new app to our environment as a Google Play managed app. Adding the app itself to the Intune app list works as expected, but the problem arises when I'm trying to add that app to our Google Play collection (from the left menu in Google Play -> Organise apps). Normally I look up the app in the search field and select it, then save the changes in the collection. It seems like today the search field is not working; no result comes up. It doesn't matter what I fill in, the field doesn't find anything, and there's no feedback either if I press Enter or if I click on the magnifying glass icon. What could I check?

Edit Intune QR Code to include WiFi and Cellular Data
I have been following the Google docs on editing the Intune QR code to include WiFi details so the device auto-connects to WiFi during enrollment. Based on those details I have updated the QR code and then used a Notepad++ plugin to generate a QR code with the edited details. When I scan to enroll it gives me the error: Wrong QR Code. I have replaced the token and checksum details for security purposes here.

{
  "qrCodeContent": {
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": "XXXXX",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://play.google.com/managed/downloadManagingApp?identifier=setup",
    "android.app.extra.PROVISIONING_WIFI_PASSWORD": "XXX",
    "android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE": "WPA",
    "android.app.extra.PROVISIONING_WIFI_SSID": "FlatNetwork",
    "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
      "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "XXXXX"
    }
  },
  "expirationDate": "2025-12-31T18:29:59.920206Z"
}

Fido2 keys and their issues using them on Android
First, does Android support using Fido2 keys? Yes, it supports Bluetooth, NFC and USB authentication. For reference: https://developers.google.com/identity/fido/android/native-apps

But does that mean it is straightforward to use in an enterprise environment without hiccups? No, the support lacks many features that both Windows and iOS have supported for a long time.

If I buy a modern Fido2 key with OTP support, will it work straight out of the box over USB? No, you need to disable the OTP support first. Here is how you can do that from YubiKey Manager; this works for YubiKey. Other vendors might have something similar. But for Fido2 keys without OTP support, it should work out of the box for USB-C, like Google Titan. Why this happens, I don't know.

Can we use NFC for Entra ID authentication like we can on Windows and iOS? No. Android does not currently support CTAP2 for NFC, only for USB-C input. CTAP1 (FIDO U2F) supports certificate based authentication, but CTAP supports user verification with PIN and biometrics. Entra ID requires UV (user verification) before accepting login. As far as I know, there is also support for Bluetooth. But I don't have any Fido2 keys that support Bluetooth yet.

So why does this matter? With Android you can have shared devices with secure login for multiple users with a single log in for all supported apps, auto log off and many other possibilities. https://learn.microsoft.com/en-us/entra/identity-platform/msal-shared-devices

Other sources/discussions:
https://www.reddit.com/r/yubikey/comments/1oncuh2/whats_the_point_of_nfc_on_android/
https://www.reddit.com/r/yubikey/comments/13tlzoc/fido2_inconsistent_across_windowsandroid/
https://fidoalliance.org/specifications/

Intune Enrollment QR Code - Two connection types
Hi all,

I'm trying to modify our original enrollment token (Intune - Fully Managed Device QR Code) so that the device can enroll using mobile data OR any WiFi network. I managed to add this to an existing QR code:

"android.app.extra.PROVISIONING_USE_MOBILE_DATA": true,

Unfortunately, using such a QR code on a phone that does not have mobile data transmission means that the enrollment process no longer asks for the WiFi network and ends in failure. To sum up, I want to create an enrollment code that works as follows:

1. Allow enrollment using mobile data.
2. If mobile data does not work, ask for any WiFi.

Intune not adding PROVISIONING EXTRAS - Zero-Touch
Hi,

I have an issue when linking Intune to Zero-touch. When connecting the two, it does not add any "PROVISIONING EXTRAS". I can create it manually, with the EMM DPC and DPC extras. When I assign it manually it works, but when it's set to "Enterprise Default Profile" it will look at the DPC extras from Intune (which are empty) and then just ask for a QR or code for the profile. The Intune profile that is selected as default is a "Corporate-owned, fully managed user device" profile in ZT.

I have been in contact with Microsoft regarding this for 3 months, and they cannot help me; the only thing they can say is "The profile may be corrupt" and we need to create a new one. We have 250 devices added to ZT by this point. I have tried unlinking, and linking again after waiting 24 hours, and so on. But nothing has worked. I was hoping that someone in here can help me with this.