Windows Server Posted January 24 Posted January 24 We’re happy to announce two improvements for the management of Android personally owned work profile devices with Microsoft Intune, which will be released later this year. A new implementation for how Intune delivers policies to devices Web based enrollment These updates modernize how Microsoft Intune manages devices and improves the enrollment flow. Action may be required by you as we move to the new implementation. Keep reading to understand what’s changing, actions, and timelines you need to know. What’s changing New implementation We’re finalizing our work on moving the Android personally owned work profile implementation to the latest and greatest available – Google’s Android Management API (AM API). It has been almost a decade since Intune released support for Android personally owned work profile management. At that time, we accomplished this by building a custom device policy controller (DPC), in the form of the Intune Company Portal app. A lot has changed since then. Google released AM API and its companion app, Android Device Policy, which enforces AM API policy on devices. This is now Google’s recommended implementation, which we used to deliver the three corporate Android Enterprise management methods: corporate owned work profile, fully managed, and dedicated. Google no longer recommends use of custom DPCs and they’re deprecating associated functionality. The benefits of moving personally owned work profile management to AM API include: Faster release of new features across all four Android Enterprise management options. Consistent behaviors across all four Android Enterprise management options. The Microsoft Intune app will replace the Company Portal app as the user app (to manage devices, contact their IT department, collect logs, and more), providing an updated user experience and aligning it with the corporate Android Enterprise management options. Enables Intune to support the latest Android platform management capabilities, which are unavailable with custom DPC implementations. Web based enrollment The move to AM API also enables us to build a web-based enrollment flow for personally owned work profile devices, similar to web based device enrollment for iOS. The benefits of this include: Users don’t need to manually install an app to start Intune enrollment since they can start enrollment from a webpage instead. Users can access enrollment from any of the four different entry points which all launch the same webpage: Productivity apps (when the user is required to enroll before accessing corporate resources) The Company Portal app The Microsoft Intune app (new!) A URL (new!) This gives you more options for how to guide your users to get set up. 3. Android enrollment is more consistent with the iOS web-based enrollment flow. How to prepare We recommend you make these changes to prepare for the upcoming release and provide the most streamlined experience for users. Replace custom policies: Intune is ending support for custom configuration polices for personally owned work profile devices on April 1, 2025. Custom policies are not supported in the new implementation. Replace all custom policies with equivalent policies using this setting mapping. Certificate authentication for Wi-Fi: If you’re using username and password authentication for Wi-Fi policies, we strongly encourage you to move to certificate authentication instead. Devices that are connected to corporate Wi-Fi with username and password authentication will lose access to corporate Wi-Fi when they are moved to AM API until the user signs into the corporate Wi-Fi network again. Devices using certificate authentication for Wi-Fi won’t lose access, and it’s also a more secure authentication method. Evaluate biometric configuration: Devices on the new implementation won’t apply polices that prevent users from using face, fingerprint, iris, or trust agent to unlock their device. However, policies that prevent this at the work profile level are still supported. If you have this configured at the device level, consider blocking face, fingerprint, iris, and trust agents at the work profile level to protect work resources in an equivalent way. Update Android OS: Intune currently supports Android 10 and later on personally owned work profile devices and plans to maintain support for the four most recent Android versions going forward. We recommend you guide users to update to their device’s latest supported Android version for the best experience. Helpdesk preparation: Inform your helpdesk teams of these coming changes so they know what to expect. For devices on the new implementation, diagnostic logs are collected using the Microsoft Intune app (instead of the Company Portal). We’ll publish more information about the new enrollment flow before it’s released so you can prepare. Plan to update any user instructions you have once we release the web-based enrollment flow and devices are managed with the new implementation. iOS web based enrollment: We recommend you consider setting up web based device enrollment for iOS now or when we release Android web based enrollment for a more consistent and improved user experience. Changes to be aware of A few defaults will change as part of the move to the new implementation. Required app installation behavior: In the custom DPC implementation, users can uninstall required apps, but they are reinstalled automatically within a few hours. In the new implementation, users won’t be able to uninstall required apps from their device, which is the same experience as on corporate Android Enterprise devices. Caller ID and contact search: In the custom DPC implementation, the settings to “Display work contact caller-id in personal profile” and “Search work contacts from personal profile” are two independent settings. In AM API, they are controlled with a single setting. If you have blocked either, Intune automatically blocks both for devices on the new implementation. Intune will update the policy user interface to have a single setting once all devices are on the new implementation. Screen timeout: In the custom DPC implementation, you can configure screen timeouts either for the full device or for the work profile under “Maximum minutes of inactivity until work profile locks.” In AM API, you can only configure this at the work profile level. Intune will set this to the lesser of the two when devices move to the new implementation. We will remove the device level setting from policies when all devices are on AM API. How to configure and monitor Web based enrollment No action is needed to turn on or configure web-based enrollment for personally owned work profile devices. When we release it, it will replace the current Company Portal enrollment flow and all new enrollments will use the web-based enrollment flow. New implementation Devices enrolled before web-based enrollment releases aren't immediately impacted by the new implementation. We’ll release a new setting that allows you to migrate device groups to the new implementation. As a best practice, we encourage admins to evaluate migrating a smaller device set before migrating all devices. Before moving devices to the new implementation, you may want to email users or configure custom notifications to inform them of what to expect. In 2026, we’ll automatically migrate all remaining devices using the custom DPC implementation over to the new AM API implementation. Monitoring There’ll be a new report that will show how many personally owned work profile devices are on the new implementation, how many still need to move, how many are targeted and pending moving (since it may roll out over hours or days), and how many attempted to move but hit an error. Using this new report, you can see which devices are in each state. How this will affect your users Web based enrollment Users who enroll devices after release will see the new web-based enrollment flow. Their devices will be managed with AM API. After enrollment, Intune will install a few apps automatically to ensure streamlined management. Microsoft Intune: User-facing app to manage devices, contact the IT department, collect diagnostic logs, and more. Company Portal: For mobile app management (MAM). Android Device Policy: To enforce AM API policies. This app is installed in a “hidden” state, so users don’t see it in their app list and can’t launch it. New implementation Devices on the new implementation (either through admin configuration or the later automatic move), will install the Microsoft Intune app and the Android Device Policy app, and users will see notifications on their device about these app installs. The devices will not unenroll and users won’t lose access to corporate resources on these devices because of this change. The only exception to this is for devices that are connected to corporate Wi-Fi with username and password authentication. When they move to AM API, they will lose access to corporate Wi-Fi until they sign in to the corporate Wi-Fi again. To avoid any potential disruption, we encourage you to move to certificate Wi-Fi authentication instead (as mentioned above). Timeline We'll update these timelines to provide more specific timeframes in the coming months. First half of 2025: Use this time to revise any relevant policy configurations, update your internal documentation, and prepare your helpdesk teams, as advised above. Second half of 2025: All enrollments of personally owned work profile devices will use web-based enrollments on AM API. You’ll be able to set a configuration policy to migrate previously enrolled devices over to the new implementation. First half of 2026: All devices on the custom DPC implementation will be automatically moved over to AM API. Stay tuned to this blog for updates! If you have any questions or feedback on this change, leave a comment on this post or reach out on X @IntuneSuppTeam. View the full article Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.