Intune: Disable biometric unlock for Android devices (mssing options)

Question

question

DenisPasternak-3587 asked Jan 22, '22 DenisPasternak-3587 commented Jan 26, '22

Intune: Disable biometric unlock for Android devices (mssing options)

Hello,

I need to disable Face, Iris, Fingerprint unlock for Android devices.
I found that it was possible
https://eskonr.com/2020/11/the-case-of-unexplained-android-enterprise-work-profile-password-in-intune/

Now

but now these options are missing.
I know that Knox able to do this, but Knox plugin installation starts only after user will be able to set password. In my case I need to block these options for users on all kiosk mode devices.

Does anyone know how to disable it?
Or maybe someone knows how to use the OMA-URI for a ban?

Thank you.

mem-intune-general mem-intune-device-configurations mem-intune-enrollment mem-intune-application-management

chrome-fk1a8onfkj.png (134.5 KiB)

applicationframehost-drmt7orlhc.png (75 B)

· 2

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

RahulJindal-2267 · Jan 22 at 11:22 PM

What is the enrollment method for your devices?

0 ·

DenisPasternak-3587 RahulJindal-2267 · Jan 26 at 08:23 PM

Hi.

Corporate-owned dedicated devices
Manage device owner enrollments for kiosk and task devices.

Do you have this settings?

0 ·

Answer 1 · 2022-01-23T08:20:04.473Z

TimmyAndersson answered Jan 23, '22 DenisPasternak-3587 commented Jan 24, '22

Hey,

The guide you posted covers Android Enterprise work profile which is not the same scenario you are describing. Kiosk devices are enrolled as Dedicated devices and then put in to Kiosk mode in the configuration profile.

A dedicated devices is not linked to a specific user and during initial setup of a dedicated devices I cant remember that you ever are asked to set a pin, face unlock in that scenario. If you are please tell us a bit more about your configuration and enrollment method and make sure you are enrolling it as a Dedicated Device and that you don't have another policy forcing biometric or pin on your kiosk devices.

https://docs.microsoft.com/en-us/mem/intune/enrollment/android-kiosk-enroll

As you mentioned you have the capability to enable/disable those features with Knox and OEMConfig but I have never had to disable those on a Dedicated devices.

I would suggest the following:

Make sure you are enrolling your devices as Dedicated devices
If you are using the Kiosk mode, make sure its enabled in your configuration
Double check that you don't have another policy forcing biometrics or security features to your Dedicated devices

hope this helps, and if it does don't forget to click accept answer.

image.png (47.5 KiB)

· 3

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DenisPasternak-3587 · Jan 24 at 08:14 PM

Timmy, please share you screen with setting.
I can`t find this setting.

0 ·

DenisPasternak-3587 · Jan 24 at 08:15 PM

Hello.

All my enrollment profiles are "Corporate-owned dedicated devices"

But I don`t see any options

All profiles are looks like this:

"If you are using the Kiosk mode, make sure its enabled in your configuration" where can I check it?

Tahnk you.

0 ·

DenisPasternak-3587 · Jan 24 at 08:16 PM

Yes, you can set preferences through Knox. But the problem is that Knox is installed after the setup mater.

The user is first prompted to enter a pincode, or use a biometric lock. And only then, the Knox Plugin is installed and even later the settings :)

If there is a way to not allow the user to interact with interest until all programs are installed - that would solve some of my problems :)
Including, the user can have time to go into the device settings before the Home Screen is installed.

Thank you for your participation!

0 ·

question