Zero Touch phones randomly wipe themselves
Hello, We are a large corporate and mostly use Samsung phones as Android devices. Enrolment is being done via ZT portal to a default profile which is Corporate Owned Work Profile provided via Microsoft Intune. We are noticing an increased amount of cases where users set up their phones (no QR code, no text token) with default configuration added using DPC extras and within first few hours they would reset to a factory default state without any notice. This has become a real issue as it is affecting more and more people. Devices enrolled without ZT do not suffer from this issue, even though they are using the exact same enrolment profile. I saw many posts like this here and elsewhere on the internet, but no actual solution. What is the problem here and is it being actively looked by Google?
Enable third party EMM (Intune)
So I am trying to enable Managed Google Play in Intune to use for Android device management. We already have a managed Google domain, but we have device management turned off. To my knowledge we only use it for Workplace. When I try to enable managed google play in Intune I get two different error messages Any ideas or tips of what we need to enable or open up in the Google admin console to enable third party EMM? Does the account I am using to enable managed google play have to be a google super admin or something?
Intune COPE Device - Google Calendar crashes
Hello everyone, We have the problem that when I want to make the Google Calendar app available on a COPE device, it crashes after the welcome screen with the message "action not allowed". On Work Profile Only/BYOD it works without any problems. Are you aware of this problem? Could this be related to Intune automatically/default blocking the Google accounts in COPE? Thanks, Regards, Daniel
[Day 2] Mission Intune : When Migration Becomes a Mission (Almost) Impossible
Good Morning Everyone đ”ïž Deep within the digital infrastructure, a high-stakes mission is being prepped. Five mobility experts have been deployed to solve a massive puzzle: migrating tens of thousands of smartphones to Microsoft Intune. The Goal: Ensure a fluid, secure, and uninterrupted transition for thousands of users. The Battlefront: A complex landscape filled with legacy policies, mixed configurations, and strict deadlines. Itâs a race against the clock where one wrong move could start a domino effect. From scripts to security protocolsânothing is left to chance. Failure is not an option. Following Broadcomâs acquisition of VMware in 2023, the Workspace ONE product is now owned by Omnissa. Broadcomâs commercial strategy, which has influenced its spin-off companies, had become highly aggressive toward all customers. Consequently, we have decided to migrate the management of our Android and iOS tertiary fleet to Microsoft Intune.. While we are familiar with Intune, several limitations should be noted: Reporting: Intune offers basic reporting through Microsoft Endpoint Manager and Power BI integration, but lacks the advanced, customizable dashboards available in Workspace ONE. Deployment Performance: Application and configuration deployments can be slow, with status updates often delayed due to Intuneâs reliance on periodic device check-ins rather than real-time communication. iOS Management: Intune provides full functionality only for devices enrolled via Apple Business Manager (ABM). Non-ABM devices have restricted supervision capabilities, limiting advanced configuration and app deployment. Error Handling: Intune does not display granular error codes in its console. Troubleshooting often requires log collection from the device or use of Microsoft Support tools, increasing diagnostic complexity. Conditional Access & Compliance: Intune integrates tightly with Azure AD for conditional access policies, which is a strength, but requires additional configuration and licensing for advanced scenarios. App Protection Policies: Strong for Microsoft 365 apps, but less flexible for third-party apps compared to Workspace ONE. Migration Strategy Overview The project aims to migrate the entire mobile fleetâa few tens of thousands Android and some iOs devicesâbetween September 2023 and December 2024. Cybersecurity requirements mandate a shift from COBO (with personal Google accounts allowed) to COPE, reinforcing corporate control and reducing exposure to security risks. Key Challenges Technical Constraints: Devices incompatible with Android 13 require hardware replacement. For most employees, migration involves full device reset and Intune re-enrollmentâa complex, time-consuming process. Security Limitations: Backup tools cannot be authorized, increasing the risk of data loss and user errors. A recurring issue is failure to remove Microsoft Authenticator configurations, creating significant support overhead. Performance Impact: The Samsung Galaxy A32, previously adequate under COBO, performs poorly under COPE, affecting user experience. Status and Strategic Decision By June 2024, progress is far below target. To mitigate operational disruption and support overload, the strategy shifts: forced migrations are discontinued. Migration now occurs only during: Hardware replacement (obsolescence, failure, or breakage) Voluntary device reset This approach prioritizes stability and resource optimization while maintaining compliance with security standards. Weâve been with Intune for almost two years, we make do with it and we are hardly surprised anymore when something doesnât work. If you have any questions, don't hesitate to reach out via the comments below Kris
Unable to upload bulk CSV file to ZeroTouch
Hi Team, Is there currently an issue uploading a bulk .csv file to ZeroTouch? It's giving me an error. See below. Steps below: I downloaded the sample .csv file then updated it with my data, then uploading it again to the portal as is without changing the name or file extension as seeing above, yet its giving me an error. This was working not long ago, just wondering if there is currently an issue. Thanks
Fido2 key and their issues using them on Android
First, do Android support using Fido2 keys on Android? Yes, it does support both using bluetooth, NFC and USB authentication. For reference: https://developers.google.com/identity/fido/android/native-apps But does it mean that it is straight forward to use it in a enterprise environment without hiccups? No, the support lacks many features that both Windows and iOS has supported for long time. If I buy a modern Fido2 with OTP support, will it work straight out of the box for using the USB? No, you need to disable the OTP support first. Here is how you can do that from yubikey manager, this works for Yubikey. Other vendors might have something similar. But for Fido2 keys without OTP support, it should work out of the box for USB-C, like Google titan. Why this happens, dont know. Can we use NFC for Entra ID authentication like we can on Windows and iOS? No. Android does not currently support CTAP2 for NFC, only for USB-C input. CTAP1 (FIDO U2F) supports certificate based authentication, but CTAP supports user verification with PIN and biometrics. Entra ID requires UV (user verification) before accepting login. As far as I know, there is also support for bluetooth. But I dont have any fido2 keys that support bluetooth yet. So why does this matter? With Android you can have shared devices with secure login for multiple users with a single log in for all supported apps, auto log off and many other possibilities. https://learn.microsoft.com/en-us/entra/identity-platform/msal-shared-devices Other sources/discussions: https://www.reddit.com/r/yubikey/comments/1oncuh2/whats_the_point_of_nfc_on_android/ https://www.reddit.com/r/yubikey/comments/13tlzoc/fido2_inconsistent_across_windowsandroid/ https://fidoalliance.org/specifications/Set up a new Android Enterprise domain in Intune/EMM when an old-style Google Account is still connected
Hi, I have a situation similar to this older discussion - situation as follows: My EMM is MS Intune. Managed Goole Play Store was set up in April 2024 before the new method of creating Android Enterprise admin accounts on a managed Google domain - using a normal Gmail account This Gmail/Google account was forcibly deleted in the last month, presumably for inactivity, as the first linked discussion describes. Only the final termination email was ever sent to the recovery email, no other warnings were received. Recovery was not possible (it just said that no recovery methods were set up, even though there was a recovery email - hence the warnings...!) and now the account shows as nonexistent rather than potentially recoverable, although it's less than the quoted 30 days that recovery is available. I have seen (Community Manager) Lizzie's helpful posts and advice from a couple of years ago, including this article describing the potential for having support migrate the EMM bind from one account to another. However, I don't yet have another account to migrate to, since I would be moving from an old Gmail account to a new managed domain account - which I don't yet have, as I can't sign up as a 'new customer' to Android Enterprise within Intune, because the old bind still exists, and I haven't found anything to tell me how to sign up other than going through the EMM. I want to keep the old bind active so it doesn't break existing devices, even though I think that's what's stopping me signing up to Android Enterprise in the new way. Removing this existing orphaned bind will break everything, and Lizzie's info in other posts has suggested that the bind will stay mostly-working if left alone, whereas removing it will trigger retirement of all devices. MS/Intune support don't seem to be aware of the possibility of contacting Google support to migrate a bind, but even if they were, I don't yet know what to tell them (as I have no new destination account, of course). They just advise me that it will need a new account and re-enrolment of all devices, which I'm hoping to avoid. I know this is convoluted, but that's why I was hoping for help. Is there a way to get a new Android Enterprise admin account set up, using the new managed domain method, without breaking the existing bind - and then to migrate the bind across? Thanks Dev
Disabled apps
Friends! Lately Im getting lots of cases regarding apps not starting on our dedicated devices managed in Intune. Edge is the most common problem. If I start Google Play on an effected device I see that the app is disabled. Pressing the Enable button does nothing at all. The version of Edge installed is quite old, which is also strange since it should update automatically. Only way to fix it is to reinstall the app. Any ideas what the root cause can be and how to mitigate it?
