Add app configuration policies for managed Android Enterprise devices

App configuration policies in Microsoft Intune supply settings to Managed Google Play apps on managed Android Enterprise devices. The app developer exposes Android-managed app configuration settings. Intune uses these exposed setting to let the admin configure features for the app. The app configuration policy is assigned to your user groups. The policy settings are used when the app checks for them, typically the first time the app runs.

Note

Not every app supports app configuration. Check with the app developer to see if their app supports app configuration policies.

  1. In Intune, select Client apps > App configuration policies > Add.

  2. Enter the following properties:

    • Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name is Android Enterprise Nine Work app policy for entire company.
    • Description: Enter a description for the profile. This setting is optional, but recommended.
    • Device enrollment type: Select Managed devices.
    • Platform: Select Android.
  3. Select Associated App. Choose the app you want to define an app configuration policy. Select from the list of Managed Google Play apps that you've approved and synchronized with Intune.

  4. Select Permissions. You can set configurations by using:

  5. Select OK > Add.

Use the configuration designer

You can use the configuration designer for Managed Google Play apps when the app is designed to support configuration settings. Configuration applies to devices enrolled in Intune. The designer lets you configure specific configuration values for the settings exposed by the app.

  1. Select Add. Choose the list of configuration settings that you want to enter for the app.

    If you're using GMail or Nine Work for your email app, see Android Enterprise device settings to configure email for more information on these settings.

  2. For each key and value in the configuration, set:

    • Value type: The data type of the configuration value. For String value types, you can optionally choose a variable or certificate profile as the value type.
    • Configuration value: The value for the configuration. If you select variable or certificate for the Value type, choose from a list of variables or certificate profiles. If you choose a certificate, then the certificate alias of the certificate deployed to the device is populated at runtime.

Supported variables for configuration values

You can choose the following options if you choose variable as the value type:

Option Example
AAD Device ID dc0dc142-11d8-4b12-bfea-cae2a8514c82
Account ID fc0dc142-71d8-4b12-bbea-bae2a8514c81
Intune Device ID b9841cd9-9843-405f-be28-b2265c59ef97
Domain contoso.com
Mail john@contoso.com
Partial UPN john
User ID 3ec2c00f-b125-4519-acf0-302ac3761822
User name John Doe
User Principal Name john@contoso.com

Allow only configured organization accounts in multi-identity apps

For Android devices, use the following key/value pairs:

Key com.microsoft.intune.mam.AllowedAccountUPNs
Values
  • One or more ; delimited UPNs.
  • Only account(s) allowed are the managed user account(s) defined by this key.
  • For Intune enrolled devices, the {{userprincipalname}} token may be used to represent the enrolled user account.

Note

You must use Outlook for Android 2.2.222 and later, Word, Excel, PowerPoint for Android 16.0.9327.1000 and later or OneDrive for Android 5.28 and later when allowing only configured organization accounts with multi-identity.

As the Microsoft Intune administrator, you can control which user accounts are added to Microsoft Office applications on managed devices. You can limit access to only allowed organization user accounts and block personal accounts on enrolled devices. The supporting applications process the app configuration and remove and block unapproved accounts.

Enter the JSON editor

Some configuration settings on apps (such as apps with Bundle types) can't be configured with the configuration designer. Use the JSON editor for those values. Settings are supplied to apps automatically when the app is installed.

  1. For Configuration settings format, select Enter JSON editor.
  2. In the editor, you can define JSON values for configuration settings. You can choose Download JSON template to download a sample file that you can then configure.
  3. Choose OK, and then choose Add.

The policy is created and shown in the list.

When the assigned app is run on a device, it runs with the settings that you configured in the app configuration policy.

Preconfigure the permissions grant state for apps

You can also preconfigure app permissions to access Android device features. By default, Android apps that require device permissions, such as access to location or the device camera, prompt users to accept or deny permissions.

For example, an app uses the device's microphone. The user is prompted to grant the app permission to use the microphone.

  1. In Intune, select Client apps > App configuration policies > Add.

  2. Enter the following properties:

    • Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name is Android Enterprise prompt permissions app policy for entire company.
    • Description. Enter a description for the profile. This setting is optional, but recommended.
    • Device enrollment type: Select Managed devices.
    • Platform: Select Android.
  3. Select Associated App. Choose the app you want to define a configuration policy. Select from the list of Android work profile apps that you've approved and synchronized with Intune.

  4. Select Permissions > Add. From the list, select the available app permissions > OK.

  5. Select an option for each permission to grant with this policy:

    • Prompt. Prompt the user to accept or deny.
    • Auto grant. Automatically approve without notifying the user.
    • Auto deny. Automatically deny without notifying the user.
  6. To assign the app configuration policy, select the app configuration policy > Assignment > Select groups. Choose the user groups to assign > Select.

  7. Choose Save to assign the policy.

Additional information

Next steps

Continue to assign and monitor the app.