ZacSchramm-9378 asked Crystal-MSFT commented

Android Enterprise - No prompt to create work profile (personally owned)

Hi,
I have a very strange issue which is really testing my patience.

Previously I used app protection policy and am looking to move to work profile. I have a new group 'new' of users that I assigned an enrollment restriction to allow Android Enterprise personally owned to enroll. When I sign in under users in this group, a prompt to create a work profile is raised, great!

The issue is I want to also pilot it in my daily usage and I was not a member of this group. So I have another group which is a 'pilot' group and I added this to the enrollment restrictions, device compliance, and device configuration policies. I deleted all the Microsoft apps, signed out of everything MS related. I also deleted the device registration in Azure AD. When I log back into the Company Portal I don't get a prompt to create a work profile, it signs in fine.

If I try to sign-in via outlook, the login is blocked by conditional access since I require a compliant device for Office 365 apps. This just asks me to download and install the company portal which I am doing already.

If I sign in to the Company Portal under an account in the newly configured 'new' group on that same device, I do get a prompt for the work profile. So the issue is not the device, software version, etc., it is clearly the user / group settings. When I downloaded the Company Portal log file it said Enrollment Postponed. I waited overnight and no difference.

I don't really understand what could be blocking this as I went through all the settings and all the documentation says this is enabled by default already. The only real differences between these groups right now is that the 'old' group has MAM policies for mobile, and MDM for win10 whereas the new group has MAM-WE for win10, but that should be unrelated.

Any thoughts are appreciated.

Zac



Tags: mem-intune-general, mem-intune-enrollment

Crystal-MSFT answered Crystal-MSFT edited

@ZacSchramm-9378, I agree with RahulJindal: we can first go to Troubleshooting + support, select the user we are testing with, and check the enrollment restriction to confirm whether it is applied.
Meanwhile, we can uninstall the Company Portal on the device and reinstall it to try again and see whether it can enroll successfully.

If there's any update, feel free to let us know.


RahulJindal-2267 answered

Go under troubleshooting on the MEM admin portal and look for the policies applied against the user account you are using.


ZacSchramm-9378 answered Crystal-MSFT commented

Thank you both for your help, this was one of the issues and I discovered that I had an enrollment restriction policy that took priority over the one I wanted. (Not realizing that Block was different from "Not configured" or similar options throughout other policies.) So after resolving that I do have the correct restrictions applied to that user account now. I can also see that no app protection policy is applied to the account as well, so that is correct.

After this I again confirmed that a 'new' group user still gets a prompt for a work profile right away, whereas in the same app instance an 'old' group user still does not and is able to sign in successfully to the Company Portal. I also uninstalled the app and reinstalled.

I have a conditional access policy which I am trying to use to GRANT access to all cloud apps based on requiring the device to be marked compliant (for Android only). According to the MS docs (https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-compliant-device), the note at the bottom says blocking all cloud apps still allows the device to enroll with Intune. What is now also driving me nuts is I have 2 CA policies applied to this sign-in; the one requiring a compliant device fails, but doesn't block login.

I figured this policy would block login and then prompt for device enrollment perhaps. What am I missing here?


@ZacSchramm-9378, Thanks for the reply. For the conditional access policy, I would like to know: if we exclude the cloud apps "Microsoft Intune" and "Microsoft Intune Enrollment", will it be successful?
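To make the root cause found in the answer above concrete, here is an added illustration (not code from this thread, from Intune, or from any of its participants) of how device-type enrollment restrictions resolve when a user is targeted by more than one policy: the highest-priority targeted policy wins, and the built-in Default applies only when nothing targeted matches. Policy names, priorities and group names are constructed; "allow"/"block" model the Allow/Block setting Intune shows per platform.

```python
from dataclasses import dataclass

PLATFORM = "android_work_profile"  # Android Enterprise, personally owned

@dataclass
class RestrictionPolicy:
    """One device-type enrollment restriction. Each platform is either
    Allow or Block; there is no 'Not configured' state, which is the
    trap described in the answer above. Names/groups are constructed."""
    name: str
    priority: int                     # 1 = highest; Default is evaluated last
    platforms: dict                   # platform -> "allow" | "block"
    groups: frozenset = frozenset()   # assigned Azure AD groups
    is_default: bool = False          # built-in Default, applies to all users

def effective_policy(policies, user_groups):
    """Highest-priority targeted policy assigned to any of the user's groups,
    or the built-in Default when no targeted policy matches."""
    targeted = [p for p in policies
                if not p.is_default and p.groups & frozenset(user_groups)]
    if targeted:
        return min(targeted, key=lambda p: p.priority)
    return next(p for p in policies if p.is_default)

def explain(policies, user_groups, platform=PLATFORM):
    """Return (winning policy, allow/block for the platform, names of matching
    policies the winner shadows) so an admin can spot a higher-priority Block."""
    winner = effective_policy(policies, user_groups)
    shadowed = sorted(p.name for p in policies
                      if not p.is_default and p is not winner
                      and p.groups & frozenset(user_groups))
    return winner.name, winner.platforms[platform], shadowed

def can_enroll(policies, user_groups, platform=PLATFORM):
    return explain(policies, user_groups, platform)[1] == "allow"

# Constructed scenario mirroring the thread: a legacy policy assigned to the
# 'old' group blocks personally owned work profiles and sits at priority 1,
# above the pilot policy that was meant to allow them for 'new' and 'pilot'.
POLICIES = [
    RestrictionPolicy("Legacy block work profile", 1, {PLATFORM: "block"},
                      frozenset({"old"})),
    RestrictionPolicy("Android work profile pilot", 2, {PLATFORM: "allow"},
                      frozenset({"new", "pilot"})),
    RestrictionPolicy("Default", 99, {PLATFORM: "allow"}, is_default=True),
]
```

Calling `explain(POLICIES, {"old", "pilot"})` returns `("Legacy block work profile", "block", ["Android work profile pilot"])`, which is exactly the shadowing the Troubleshooting + support blade reveals; a user only in `new` gets `("Android work profile pilot", "allow", [])`.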
ZacSchramm-9378 answered ZacSchramm-9378 commented

Crystal,

Thanks, I didn't realize you could exclude these apps. However, the policy is currently Failed and yet it allows the sign-in to succeed. So if we exclude Intune (which according to that documentation link is not required), the policy will just be 'not applied', correct?

I would also add that the Company Portal hasn't triggered the device to register either, even after waiting all night and trying again.

What I really don't understand is how you trigger a device to register or MDM enroll. If I log in to the Outlook app, the CA policy prevents this and Outlook directs me to the Google Play Store to install the Company Portal. As soon as I add the app protection policy back in and try to sign in to Outlook, I get a prompt to register the device, so frustrating.... ;)


@ZacSchramm-9378, Thanks for the reply. For the sign-in log, we can switch to checking the failed sign-in log to see what caused the failure.

For a conditional access policy that requires device compliance, when the user logs in to Outlook, it tries to access the Exchange Online cloud app, which applies the conditional access policy. The policy needs to check device compliance. If the device is not enrolled in Intune, the user is asked to install the Company Portal and is given the option to enroll the device in Intune.
https://docs.microsoft.com/en-us/mem/intune/protect/create-conditional-access-intune

From the pictures you provided, I notice MFA is also required. And our process is stuck on the login page without a prompt. Based on my research, there is an issue with this scenario. We suggest temporarily bypassing MFA during Microsoft Intune enrollment to see if it works. Here is a link for reference:
https://www.mobile-mentor.com/insights/how-to-bypass-mfa-during-device-enrolment-in-microsoft-intune-ios-android
Note: Non-Microsoft link, just for the reference.


@ZacSchramm-9378, Hope things are going well. I am writing to see if there's any update. If yes, feel free to let us know.


Crystal,
Thanks for the suggestion, there was no difference when I excluded those apps from conditional access.

I strongly suspect that the device is remembering its association with the MAM policies on that account, since it works perfectly with the new user accounts. However, I did just receive a new phone and got the same result signing into the same user accounts....

Crazy eh. Thanks for your help, I will update here further when I figure it out.

-Z

ZacSchramm-9378 answered Crystal-MSFT commented

Okay, so today I tried it again on the new phone and it worked! This time, however, I noticed a notification in the top right after signing into the Company Portal that was regarding setting up a work profile, so when I clicked it I got the prompt I was looking for.

No further changes today besides deleting the device from AAD registration and disabling the app protection policy for this user.

All resolved it looks like, thanks for both your help.

Zac


@ZacSchramm-9378, Thanks for the update. I am glad to hear that the new phone is also working. And thanks for sharing your steps. I appreciate it. If there's anything else we can help in the future, feel free to post in our Q&A to discuss together.

Thanks for your time and have a nice day!

Net3arabi1 answered Net3arabi1 published

Thanks a lot.
