microsoft intune
139 Topics

Unable to Add Work Profile on HONOR Magic V5 for Microsoft Intune Enrollment
Dear Android Enterprise Support Team,

I am experiencing an issue while attempting to enroll my HONOR Magic V5 device into Microsoft Intune for device management. I just bought the device one week ago, but when I try to add a work profile, I receive the following error message: "Can't add work profile. A work profile can't be added to this HONOR Magic V5. If you have questions, contact your IT admin."

This issue is preventing me from completing the enrollment process required by my organization. I have already consulted with my company’s global IT support team, and they confirmed that there is no alternative solution on our side. The only way to resolve this issue is for HONOR to make the HONOR Magic V5 compatible with the Microsoft Intune application and Android Enterprise work profile enrollment.

Device Details:
Model: HONOR Magic V5
OS Version: Magic OS 9.0.1
Android version: 15
Model: MBH-N49
Error Screenshot: attached as below

Could you please advise if this device supports Android Enterprise work profiles or if there are any compatibility limitations? If there is a workaround or firmware update required, kindly provide guidance. Your prompt assistance would be greatly appreciated as this is impacting my ability to comply with company security policies.

5 Views, 0 likes, 0 Comments

Managed Configuration in Google Messages
Following Samsung's decision to start sunsetting Samsung Messages (and recommending Google Messages) on newer devices, we are now evaluating GM across our estate. Devices are managed by Intune and we can see we can push App Config for RCS Messages and Archiving via the Config designer, but after opening up GM I get the "Use Gemini" in my face. Currently we don't use Gemini on our devices - in fact we remove it. I have found the option under Settings in GM to Hide the Gemini button but it would be good if we could push that config down with the App... searching round, not found anything to date - any thoughts?

22 Views, 0 likes, 0 Comments

Zero Touch phones randomly wipe themselves
Hello,

We are a large corporate and mostly use Samsung phones as Android devices. Enrolment is being done via ZT portal to a default profile which is Corporate Owned Work Profile provided via Microsoft Intune. We are noticing an increased amount of cases where users set up their phones (no QR code, no text token) with default configuration added using DPC extras and within first few hours they would reset to a factory default state without any notice. This has become a real issue as it is affecting more and more people. Devices enrolled without ZT do not suffer from this issue, even though they are using the exact same enrolment profile. I saw many posts like this here and elsewhere on the internet, but no actual solution. What is the problem here and is it being actively looked at by Google?

165 Views, 0 likes, 19 Comments

Enable third party EMM (Intune)
So I am trying to enable Managed Google Play in Intune to use for Android device management. We already have a managed Google domain, but we have device management turned off. To my knowledge we only use it for Workplace. When I try to enable Managed Google Play in Intune I get two different error messages. Any ideas or tips of what we need to enable or open up in the Google admin console to enable third party EMM? Does the account I am using to enable Managed Google Play have to be a Google super admin or something?

38 Views, 0 likes, 1 Comment

Intune COPE Device - Google Calendar crashes
Hello everyone,

We have the problem that when I want to make the Google Calendar app available on a COPE device, it crashes after the welcome screen with the message "action not allowed". On Work Profile Only/BYOD it works without any problems. Are you aware of this problem? Could this be related to Intune automatically/default blocking the Google accounts in COPE?

Thanks,
Regards,
Daniel

6.3K Views, 0 likes, 24 Comments

[Day 2] Mission Intune : When Migration Becomes a Mission (Almost) Impossible
Good Morning Everyone 🕵️

Deep within the digital infrastructure, a high-stakes mission is being prepped. Five mobility experts have been deployed to solve a massive puzzle: migrating tens of thousands of smartphones to Microsoft Intune.

The Goal: Ensure a fluid, secure, and uninterrupted transition for thousands of users.
The Battlefront: A complex landscape filled with legacy policies, mixed configurations, and strict deadlines. It’s a race against the clock where one wrong move could start a domino effect. From scripts to security protocols—nothing is left to chance. Failure is not an option.

Following Broadcom’s acquisition of VMware in 2023, the Workspace ONE product is now owned by Omnissa. Broadcom’s commercial strategy, which has influenced its spin-off companies, had become highly aggressive toward all customers. Consequently, we have decided to migrate the management of our Android and iOS tertiary fleet to Microsoft Intune.

While we are familiar with Intune, several limitations should be noted:

Reporting: Intune offers basic reporting through Microsoft Endpoint Manager and Power BI integration, but lacks the advanced, customizable dashboards available in Workspace ONE.
Deployment Performance: Application and configuration deployments can be slow, with status updates often delayed due to Intune’s reliance on periodic device check-ins rather than real-time communication.
iOS Management: Intune provides full functionality only for devices enrolled via Apple Business Manager (ABM). Non-ABM devices have restricted supervision capabilities, limiting advanced configuration and app deployment.
Error Handling: Intune does not display granular error codes in its console. Troubleshooting often requires log collection from the device or use of Microsoft Support tools, increasing diagnostic complexity.
Conditional Access & Compliance: Intune integrates tightly with Azure AD for conditional access policies, which is a strength, but requires additional configuration and licensing for advanced scenarios.
App Protection Policies: Strong for Microsoft 365 apps, but less flexible for third-party apps compared to Workspace ONE.

Migration Strategy Overview

The project aims to migrate the entire mobile fleet—a few tens of thousands Android and some iOS devices—between September 2023 and December 2024. Cybersecurity requirements mandate a shift from COBO (with personal Google accounts allowed) to COPE, reinforcing corporate control and reducing exposure to security risks.

Key Challenges

Technical Constraints: Devices incompatible with Android 13 require hardware replacement. For most employees, migration involves full device reset and Intune re-enrollment—a complex, time-consuming process.
Security Limitations: Backup tools cannot be authorized, increasing the risk of data loss and user errors. A recurring issue is failure to remove Microsoft Authenticator configurations, creating significant support overhead.
Performance Impact: The Samsung Galaxy A32, previously adequate under COBO, performs poorly under COPE, affecting user experience.

Status and Strategic Decision

By June 2024, progress is far below target. To mitigate operational disruption and support overload, the strategy shifts: forced migrations are discontinued. Migration now occurs only during:

Hardware replacement (obsolescence, failure, or breakage)
Voluntary device reset

This approach prioritizes stability and resource optimization while maintaining compliance with security standards.

We’ve been with Intune for almost two years, we make do with it and we are hardly surprised anymore when something doesn’t work.

If you have any questions, don't hesitate to reach out via the comments below.

Kris

196 Views, 10 likes, 13 Comments

Zero touch Enrollment
I had this weird issue while trying to auto provision the devices. I created one configuration to auto redirect the devices to an enrollment profile, added the JSON file of the token to it and assigned it to certain devices, yet it didn't work. The device realizes that it belongs to the organization and I see my company support contact, which means it has been recognized on my zero touch portal, but it asks me to scan a QR code for enrollment and does not detect the token JSON text in the DPC extras. Also, the profile works fine if I scan the QR. Any suggestions? 😅

Solved, 131 Views, 0 likes, 9 Comments

Unable to upload bulk CSV file to ZeroTouch
Hi Team,

Is there currently an issue uploading a bulk .csv file to ZeroTouch? It's giving me an error. See below.

Steps below: I downloaded the sample .csv file, then updated it with my data, then uploaded it again to the portal as is without changing the name or file extension as seen above, yet it's giving me an error. This was working not long ago, just wondering if there is currently an issue.

Thanks

Solved, 115 Views, 0 likes, 11 Comments

Fido2 key and their issues using them on Android
First, does Android support using Fido2 keys on Android? Yes, it does support both using Bluetooth, NFC and USB authentication. For reference: https://developers.google.com/identity/fido/android/native-apps

But does it mean that it is straightforward to use it in an enterprise environment without hiccups? No, the support lacks many features that both Windows and iOS have supported for a long time.

If I buy a modern Fido2 with OTP support, will it work straight out of the box for using the USB? No, you need to disable the OTP support first. Here is how you can do that from YubiKey Manager, this works for YubiKey. Other vendors might have something similar. But for Fido2 keys without OTP support, it should work out of the box for USB-C, like Google Titan. Why this happens, I don't know.

Can we use NFC for Entra ID authentication like we can on Windows and iOS? No. Android does not currently support CTAP2 for NFC, only for USB-C input. CTAP1 (FIDO U2F) supports certificate based authentication, but CTAP supports user verification with PIN and biometrics. Entra ID requires UV (user verification) before accepting login. As far as I know, there is also support for Bluetooth. But I don't have any Fido2 keys that support Bluetooth yet.

So why does this matter? With Android you can have shared devices with secure login for multiple users with a single log in for all supported apps, auto log off and many other possibilities. https://learn.microsoft.com/en-us/entra/identity-platform/msal-shared-devices

Other sources/discussions:
https://www.reddit.com/r/yubikey/comments/1oncuh2/whats_the_point_of_nfc_on_android/
https://www.reddit.com/r/yubikey/comments/13tlzoc/fido2_inconsistent_across_windowsandroid/
https://fidoalliance.org/specifications/

196 Views, 3 likes, 11 Comments

Set up a new Android Enterprise domain in Intune/EMM when an old-style Google Account is still connected
Hi,

I have a situation similar to this older discussion - situation as follows:

My EMM is MS Intune.
Managed Google Play Store was set up in April 2024 before the new method of creating Android Enterprise admin accounts on a managed Google domain - using a normal Gmail account.
This Gmail/Google account was forcibly deleted in the last month, presumably for inactivity, as the first linked discussion describes. Only the final termination email was ever sent to the recovery email, no other warnings were received.
Recovery was not possible (it just said that no recovery methods were set up, even though there was a recovery email - hence the warnings...!) and now the account shows as nonexistent rather than potentially recoverable, although it's less than the quoted 30 days that recovery is available.

I have seen (Community Manager) Lizzie's helpful posts and advice from a couple of years ago, including this article describing the potential for having support migrate the EMM bind from one account to another. However, I don't yet have another account to migrate to, since I would be moving from an old Gmail account to a new managed domain account - which I don't yet have, as I can't sign up as a 'new customer' to Android Enterprise within Intune, because the old bind still exists, and I haven't found anything to tell me how to sign up other than going through the EMM.

I want to keep the old bind active so it doesn't break existing devices, even though I think that's what's stopping me signing up to Android Enterprise in the new way. Removing this existing orphaned bind will break everything, and Lizzie's info in other posts has suggested that the bind will stay mostly-working if left alone, whereas removing it will trigger retirement of all devices.

MS/Intune support don't seem to be aware of the possibility of contacting Google support to migrate a bind, but even if they were, I don't yet know what to tell them (as I have no new destination account, of course). They just advise me that it will need a new account and re-enrolment of all devices, which I'm hoping to avoid.

I know this is convoluted, but that's why I was hoping for help. Is there a way to get a new Android Enterprise admin account set up, using the new managed domain method, without breaking the existing bind - and then to migrate the bind across?

Thanks
Dev

36 Views, 0 likes, 0 Comments