Fido2 key and their issues using them on Android
First, do Android support using Fido2 keys on Android? Yes, it does support both using bluetooth, NFC and USB authentication. For reference: https://developers.google.com/identity/fido/android/native-apps But does it mean that it is straight forward to use it in a enterprise environment without hiccups? No, the support lacks many features that both Windows and iOS has supported for long time. If I buy a modern Fido2 with OTP support, will it work straight out of the box for using the USB? No, you need to disable the OTP support first. Here is how you can do that from yubikey manager, this works for Yubikey. Other vendors might have something similar. But for Fido2 keys without OTP support, it should work out of the box for USB-C, like Google titan. Why this happens, dont know. Can we use NFC for Entra ID authentication like we can on Windows and iOS? No. Android does not currently support CTAP2 for NFC, only for USB-C input. CTAP1 (FIDO U2F) supports certificate based authentication, but CTAP supports user verification with PIN and biometrics. Entra ID requires UV (user verification) before accepting login. As far as I know, there is also support for bluetooth. But I dont have any fido2 keys that support bluetooth yet. So why does this matter? With Android you can have shared devices with secure login for multiple users with a single log in for all supported apps, auto log off and many other possibilities. https://learn.microsoft.com/en-us/entra/identity-platform/msal-shared-devices Other sources/discussions: https://www.reddit.com/r/yubikey/comments/1oncuh2/whats_the_point_of_nfc_on_android/ https://www.reddit.com/r/yubikey/comments/13tlzoc/fido2_inconsistent_across_windowsandroid/ https://fidoalliance.org/specifications/
Intermittent QR Code Provisioning Failures with Identical Source Code
I am experiencing inconsistent behavior with QR code provisioning for Android Enterprise and am seeking guidance from the community. The Issue: QR code provisioning works intermittently, but the failure pattern is inconsistent. A provisioning QR code generated from a specific APK build will work reliably. However, subsequent builds of the exact same source code from the same Android Studio project will sometimes fail. The device displays a generic "Contact your IT admin" error. What I've Verified: The APK is properly signed and the checksum in the QR code is correct. The server delivers the APK with the correct application/vnd.android.package-archive MIME type. The DeviceAdminReceiver is correctly declared in the manifest and the associated XML resource exists. The package name and component name in the QR code are 100% accurate. Comparing a "working" APK and a "failing" APK in APK Analyzer shows no differences in the core components (package name, receivers, resources). Question: Has anyone else encountered this? Are there known issues with Android's provisioning service being sensitive to certain aspects of the APK build output that are not related to the core functionality or signature? Any insight into how to achieve consistent, reproducible builds for provisioning would be greatly appreciated.
GSF ID not generated after device enrollment on Android 15
Hi everyone, We’re facing an issue with devices running Android 15 — after successfully enrolling them in our Android Enterprise setup (Device Owner / Fully Managed mode), the Google Services Framework (GSF) ID is not being generated. This issue did not occur on Android 13 or 14; the GSF ID was available immediately after enrollment. However, on Android 15, the GSF ID remains empty even after waiting and rebooting. We’ve already tried: Factory reset and re-enrollment Checking Google Play Services version Ensuring the device is connected to the internet Waiting for Play Store sync Despite that, the GSF ID is still missing. Could anyone confirm if there’s a known change in Android 15 related to GSF ID generation, or if additional permissions/configuration are required for enterprise-enrolled devices to obtain it? Any guidance or workaround would be greatly appreciated.
Question to Enterprise Factory Reset Protection
Hello, we have a question to EFRP: If you specify a google account which can unlock FRP on this device in the future, does this google account have any other special permissions on that device or is it just like any other google account if logged in? Our Security Office wants to know that to be sure there is no other security concerns with configuring central EFRP accounts. If you have any technical references or KB articles to this topic, it would be highly appreciated. :) Thank you in advance
Control Wi-Fi Calling settings
Hi there, hope you're well. Just wondering is it possible to control the Wi-Fi Calling settings within Android via MDM? The closest thing I've seen is to use Knox Asset Intelligence to check Wi-Fi Calling setting status on Samsung devices: https://docs.samsungknox.com/admin/knox-asset-intelligence/dashboard/network-insights/wifi-calling-setting-status/ Thank you for your help & input in advance!
Is there an alternative way to perform the same function as UpdateApplication on Android 15?
Hi everyone, We are currently managing Samsung enterprise devices via Knox Manage under Android Enterprise DA mode (Device Admin) . Our in-house application previously used the UpdateApplication API to update itself silently without user interaction. This worked well under Android 14. However, after updating to Android 15, this API no longer functions. Based on the Samsung Knox SDK documentation, it appears that UpdateApplication is now restricted to Device Owner (DO) and Profile Owner (PO) apps. We have tried to assign all delegated scopes to our app via Knox Manage policy settings (Android Enterprise → App Restrictions → Delegated Scopes for Apps). Unfortunately, the API call still fails. ✅ What we’re looking for: - Is there any alternative methods that allows silent or managed updates of enterprise apps on Android 15, without being a DO/PO app? - Or is DO/PO elevation now the only viable path? - If so, is there an official onboarding flow or protocol to request DO/PO designation for an app via Knox Manage? Any guidance, references, or examples would be greatly appreciated. Thank you! — Environment: - Android 15 - Knox Manage (latest) - Samsung A9+ tablets - Device Admin mode
Samsung Tab Active5 Side Button Configuration
Is there any way to change the default configuration for press and hold from "Wake Bixby" to "Power off menu". Trying to run a kiosk application and it's confusing for users to need to hold the side and volume down button to open the power control. Bixby is otherwise disabled so holding the side button currently does nothing in its default configuration. Samsung support has unfortunately been less than helpful, and will only lift a finger if you pay for full Knox EMM.
