Add app configuration policies for managed Android Enterprise devices

App configuration policies in Microsoft Intune supply settings to Managed Google Play apps on managed Android Enterprise devices. The app developer exposes Android managed app configuration settings, and Intune uses these exposed settings to let the admin configure features of the app. You assign the app configuration policy to your user groups. The policy settings take effect when the app checks for them, typically the first time the app runs.

Note

Not every app supports app configuration. Check with the app developer to see if their app supports app configuration policies.

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Choose Apps > App configuration policies > Add > Managed devices. Note that you can choose between Managed devices and Managed apps. For more information, see Apps that support app configuration.

  3. On the Basics page, set the following details:

    • Name - The name of the profile that appears in the admin center.
    • Description - The description of the profile that appears in the admin center.
    • Device enrollment type - This setting is set to Managed devices.
  4. Select Android Enterprise as the Platform.

  5. Click Select app next to Targeted app. The Associated app pane is displayed.

  6. On the Associated app pane, choose the managed app to associate with the configuration policy and click OK.

  7. Click Next to display the Settings page.

  8. Click Add to display the Add permissions pane.

  9. Click the permissions that you want to override. Permissions granted will override the "Default app permissions" policy for the selected apps.

  10. Set the Permission state for each permission. You can choose from Prompt, Auto grant, or Auto deny. For more information about permissions, see Android Enterprise settings to mark devices as compliant or not compliant using Intune.

  11. If the managed app supports configuration settings, the Configuration settings format dropdown box is visible. Select one of the following methods to add configuration information, each described in its own section below: Use configuration designer, or Enter JSON data.

  12. Click Next to display the Assignments page.

  13. In the dropdown box next to Assign to, select either Selected groups, All users, All devices, or All users and all devices to assign the app configuration policy to.

    Screenshot of Policy assignments Include tab

  14. For this example, select All users in the dropdown box.

    Screenshot of Policy assignments - All Users dropdown option

  15. Click Select groups to exclude to display the related pane.

    Screenshot of Policy assignments - Select groups to exclude pane

  16. Choose the groups you want to exclude and then click Select.

    Note

    When you add a group, if that group has already been included for a given assignment type, it is pre-selected and can't be changed for the other include assignment types. A group that has already been included therefore can't also be used as an excluded group.

  17. Click Next to display the Review + create page.

  18. Click Create to add the app configuration policy to Intune.

Use the configuration designer

You can use the configuration designer for Managed Google Play apps when the app is designed to support configuration settings. The configuration applies to devices enrolled in Intune. The designer lets you set specific values for the settings exposed by the app.

  1. Select Add, and then choose the configuration settings that you want to set for the app.

    If you're using Gmail or Nine Work for your email app, see Android Enterprise device settings to configure email for more information on these settings.

  2. For each key and value in the configuration, set:

    • Value type: The data type of the configuration value. For String value types, you can optionally choose a variable or certificate profile as the value type.
    • Configuration value: The value for the configuration. If you select variable or certificate for the Value type, choose from a list of variables or certificate profiles. If you choose a certificate, then the certificate alias of the certificate deployed to the device is populated at runtime.

Supported variables for configuration values

You can choose the following options if you choose variable as the value type:

Option                 Example
Azure AD Device ID     dc0dc142-11d8-4b12-bfea-cae2a8514c82
Account ID             fc0dc142-71d8-4b12-bbea-bae2a8514c81
Intune Device ID       b9841cd9-9843-405f-be28-b2265c59ef97
Domain                 contoso.com
Mail                   john@contoso.com
Partial UPN            john
User ID                3ec2c00f-b125-4519-acf0-302ac3761822
User name              John Doe
User Principal Name    john@contoso.com

Allow only configured organization accounts in multi-identity apps

As the Microsoft Intune administrator, you can control which work or school accounts are added to Microsoft apps on managed devices. You can limit access to only allowed organization user accounts and block personal accounts on enrolled devices. For Android devices, use the following key/value pairs in a Managed Devices app configuration policy:

Key: com.microsoft.intune.mam.AllowedAccountUPNs
Values:
  • One or more UPNs, delimited by semicolons (;).
  • Only the managed user account(s) defined by this key are allowed; any other account is blocked.
  • For Intune enrolled devices, the {{userprincipalname}} token may be used to represent the enrolled user account.

Note

The following apps process the above app configuration and only allow organization accounts:

  • Edge for Android (42.0.4.4048 and later)
  • Office, Word, Excel, PowerPoint for Android (16.0.9327.1000 and later)
  • OneDrive for Android (5.28 and later)
  • OneNote for Android (16.0.13231.20222 or later)
  • Outlook for Android (2.2.222 and later)
  • Teams for Android (1416/1.0.0.2020073101 and later)

Enter JSON data

Some configuration settings on apps (such as settings of the Bundle type) can't be configured with the configuration designer. Use the JSON editor for those values. Settings are supplied to apps automatically when the app is installed.

  1. For Configuration settings format, select Enter JSON data.
  2. In the editor, you can define JSON values for configuration settings. You can choose Download JSON template to download a sample file that you can then configure.
  3. Choose OK, and then choose Add.

The policy is created and shown in the list.

When the assigned app is run on a device, it runs with the settings that you configured in the app configuration policy.
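
As an added example that is not part of the original article or of Microsoft's own code, the following Python script builds the JSON document for the AllowedAccountUPNs key described above, validates the semicolon-delimited value before it is deployed, and simulates both the {{userprincipalname}} substitution that Intune performs on an enrolled device and the app-side check that follows. The document shape (kind, productId, managedProperty, valueString) is assumed to be the Managed Google Play EMM API managed-configuration schema that the Intune JSON template follows; the package name com.example.mailclient and all accounts are placeholders.

```python
"""Build and sanity-check the Android Enterprise managed-configuration JSON
that the Intune JSON editor accepts, here for the AllowedAccountUPNs key.

Added example, not Intune or Microsoft code. Assumptions: the document shape
(kind / productId / managedProperty / valueString) is the Managed Google Play
EMM API ManagedConfiguration schema used by the Intune JSON template; the
package name com.example.mailclient and all accounts are placeholders.
"""
import json
import re

ALLOWED_UPNS_KEY = "com.microsoft.intune.mam.AllowedAccountUPNs"
UPN_TOKEN = "{{userprincipalname}}"  # the token documented for enrolled devices
TOKEN_RE = re.compile(r"\{\{[^{}]+\}\}")  # any {{...}} placeholder
UPN_RE = re.compile(r"^[^@\s;]+@[^@\s;]+\.[^@\s;]+$")  # loose UPN syntax check


def build_managed_configuration(product_id, allowed_upns):
    """Return the managed-configuration document (as a dict) that restricts
    multi-identity Microsoft apps to the given organization accounts."""
    return {
        "kind": "androidenterprise#managedConfiguration",
        "productId": product_id,  # "app:<package name>" in the Play schema
        "managedProperty": [
            {"key": ALLOWED_UPNS_KEY, "valueString": ";".join(allowed_upns)},
        ],
    }


def validate_allowed_upns(value):
    """Check a ';'-delimited AllowedAccountUPNs value before it is deployed.

    Returns a list of problems (empty means OK). It catches an empty value,
    empty entries from a stray ';', misspelled {{tokens}} (which Intune would
    not substitute, so the app receives them verbatim and no real account
    matches), and entries that are not syntactically UPNs."""
    problems = []
    if not value.strip():
        return ["value is empty: no account would be allowed"]
    for entry in value.split(";"):
        e = entry.strip()
        if not e:
            problems.append("empty entry (stray ';')")
        elif TOKEN_RE.fullmatch(e):
            if e.lower() != UPN_TOKEN:
                problems.append(f"unsupported token {e}")
        elif not UPN_RE.match(e):
            problems.append(f"not a UPN: {e!r}")
    return problems


def resolve_tokens(value, enrolled_upn):
    """Simulate Intune's deployment-time substitution of {{userprincipalname}}
    with the enrolled user's UPN; the app only ever sees the resolved string."""
    return re.sub(re.escape(UPN_TOKEN), lambda _m: enrolled_upn, value,
                  flags=re.IGNORECASE)


def is_account_allowed(account_upn, resolved_value):
    """Mirror the app-side decision: an account may be added only if its UPN
    is in the list. UPNs are compared case-insensitively."""
    allowed = {u.strip().lower() for u in resolved_value.split(";") if u.strip()}
    return account_upn.strip().lower() in allowed


if __name__ == "__main__":
    # Constructed sample: the enrolled user plus one shared mailbox.
    doc = build_managed_configuration(
        "app:com.example.mailclient", [UPN_TOKEN, "shared.mailbox@contoso.com"])
    print(json.dumps(doc, indent=2))  # paste-ready for the JSON editor

    value = doc["managedProperty"][0]["valueString"]
    print("problems:", validate_allowed_upns(value) or "none")
    print("typo check:", validate_allowed_upns("{{userprincipalnme}};john@contoso.com"))

    resolved = resolve_tokens(value, "john@contoso.com")
    print("device sees:", resolved)
    print("work account allowed:", is_account_allowed("John@Contoso.com", resolved))
    print("personal account allowed:", is_account_allowed("john@outlook.com", resolved))
```

The validation step is the part worth keeping in a real pipeline: a misspelled token or a trailing semicolon is accepted by the JSON editor without complaint, but on the device it either blocks the enrolled user's own account or leaves an empty entry in the list, and the failure only shows up when users report that they can't sign in.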

Preconfigure the permissions grant state for apps

You can also preconfigure the permissions that apps use to access Android device features. By default, an Android app that requires a device permission, such as access to location or the device camera, prompts the user to accept or deny the permission.

For example, when an app uses the device's microphone, the user is prompted to grant the app permission to use the microphone. A policy can instead grant or deny that permission silently.

  1. In the Microsoft Endpoint Manager admin center, select Apps > App configuration policies > Add > Managed devices.

  2. Add the following properties:

    • Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name is Android Enterprise prompt permissions app policy for entire company.
    • Description. Enter a description for the profile. This setting is optional, but recommended.
    • Device enrollment type: This setting is set to Managed devices.
    • Platform: Select Android Enterprise.
  3. Select Associated App. Choose the app for which you want to define a configuration policy. Select from the list of Android work profile apps that you've approved and synchronized with Intune.

  4. Select Permissions > Add. From the list, select the available app permissions > OK.

  5. Select an option for each permission to grant with this policy:

    • Prompt. Prompt the user to accept or deny.
    • Auto grant. Automatically approve without notifying the user.
    • Auto deny. Automatically deny without notifying the user.
  6. To assign the app configuration policy, select the app configuration policy > Assignment > Select groups. Choose the user groups to assign > Select.

  7. Choose Save to assign the policy.

Next steps

Continue to assign and monitor the app.