Add app configuration policies for managed Android Enterprise devices
App configuration policies in Microsoft Intune supply settings to Managed Google Play apps on managed Android Enterprise devices. The app developer exposes Android-managed app configuration settings. Intune uses these exposed settings to let the admin configure features for the app. The app configuration policy is assigned to your user groups. The policy settings are used when the app checks for them, typically the first time the app runs.
Not every app supports app configuration. Check with the app developer to see if their app supports app configuration policies.
Android Enterprise has several enrollment methods. The enrollment type depends on how email is configured on the device:
- On Android Enterprise Fully Managed, Dedicated, and Corporate-owned Work Profiles, use an app configuration policy and the steps in this article. App configuration policies support Gmail and Nine Work email apps.
- On Android Enterprise personally owned devices with a work profile, create an Android Enterprise email device configuration profile. When you create the profile, you can configure settings for email clients that support app configuration policies. When using the configuration designer, Intune includes email settings specific to Gmail and Nine Work apps.
- On Android device administrator, create an Android device administrator email device configuration profile for Samsung Knox devices. When you create the profile, you can configure Exchange email settings, such as
Create an app configuration policy
Sign in to the Microsoft Endpoint Manager admin center.
Choose Apps > App configuration policies > Add > Managed devices. Note that you can choose between Managed devices and Managed apps. For more information, see Apps that support app configuration.
On the Basics page, set the following details:
- Name - The name of the profile that appears in the portal.
- Description - The description of the profile that appears in the portal.
- Device enrollment type - This setting is set to Managed devices.
Select Android Enterprise as the Platform.
Click Select app next to Targeted app. The Associated app pane is displayed.
On the Associated app pane, choose the managed app to associate with the configuration policy and click OK.
Click Next to display the Settings page.
Click Add to display the Add permissions pane.
Click the permissions that you want to override. Permissions granted will override the "Default app permissions" policy for the selected apps.
Set the Permission state for each permission. You can choose from Prompt, Auto grant, or Auto deny.
If the managed app supports configuration settings, the Configuration settings format dropdown box is visible. Select one of the following methods to add configuration information:
- Use configuration designer
- Enter JSON data
Click Next to display the Assignments page.
In the dropdown box next to Assign to, select either Selected groups, All users, All devices, or All users and all devices to assign the app configuration policy to.
Select All users in the dropdown box.
Click Select groups to exclude to display the related pane.
Choose the groups you want to exclude and then click Select.
When adding a group, if any other group has already been included for a given assignment type, it is pre-selected and unchangeable for other include assignment types. Therefore, a group that has already been used can't be used as an excluded group.
Click Next to display the Review + create page.
Click Create to add the app configuration policy to Intune.
Use the configuration designer
You can use the configuration designer for Managed Google Play apps when the app is designed to support configuration settings. Configuration applies to devices enrolled in Intune. The designer lets you configure specific configuration values for the settings exposed by the app.
Select Add. Choose the list of configuration settings that you want to enter for the app.
If you're using Gmail or Nine Work email apps, Android Enterprise device settings to configure email has more information on these specific settings.
For each key and value in the configuration, set:
- Value type: The data type of the configuration value. For String value types, you can optionally choose a variable or certificate profile as the value type.
- Configuration value: The value for the configuration. If you select variable or certificate for the Value type, choose from a list of variables or certificate profiles. If you choose a certificate, then the certificate alias of the certificate deployed to the device is populated at runtime.
Supported variables for configuration values
You can choose the following options if you choose variable as the value type:
|Azure AD Device ID||dc0dc142-11d8-4b12-bfea-cae2a8514c82|
|Intune Device ID||b9841cd9-9843-405f-be28-b2265c59ef97|
|User name||John Doe|
|User Principal Name||email@example.com|
Allow only configured organization accounts in multi-identity apps
As the Microsoft Intune administrator, you can control which work or school accounts are added to Microsoft apps on managed devices. You can limit access to only allowed organization user accounts and block personal accounts on enrolled devices. For Android devices, use the following key/value pairs in a Managed Devices app configuration policy:
The following apps process the above app configuration and only allow organization accounts:
- Edge for Android (220.127.116.1148 and later)
- Office, Word, Excel, PowerPoint for Android (16.0.9327.1000 and later)
- OneDrive for Android (5.28 and later)
- OneNote for Android (16.0.13231.20222 or later)
- Outlook for Android (2.2.222 and later)
- Teams for Android (1416/18.104.22.1680073101 and later)
Enter JSON data
Some configuration settings on apps (such as apps with Bundle types) can't be configured with the configuration designer. Use the JSON editor for those values. Settings are supplied to apps automatically when the app is installed.
- For Configuration settings format, select Enter JSON editor.
- In the editor, you can define JSON values for configuration settings. You can choose Download JSON template to download a sample file that you can then configure.
- Choose OK, and then choose Add.
The policy is created and shown in the list.
When the assigned app is run on a device, it runs with the settings that you configured in the app configuration policy.
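The following added example (not part of the original article and not Microsoft's code) reviews a JSON editor payload before it is pasted into a policy, checking that it restricts a multi-identity app to organization accounts as described under "Allow only configured organization accounts in multi-identity apps". The key name, the ';'-delimited UPN format, the value field names, and the '{{...}}' variable token are assumptions taken from Microsoft's and Google's documentation, not from this page; the sample payloads and domains are constructed.

```python
import json
# Assumptions (from Microsoft's Intune and Google's managed-configuration docs,
# not listed on this page): the key name, ';'-delimited UPNs, the value* fields.
ALLOWED_UPNS_KEY = "com.microsoft.intune.mam.AllowedAccountUPNs"
VALUE_FIELDS = {"valueString", "valueBool", "valueInteger",
                "valueStringArray", "valueBundle", "valueBundleArray"}

def review_managed_config(raw_json, org_domains):
    """Return findings for one JSON-editor payload aimed at a multi-identity app."""
    try:
        cfg = json.loads(raw_json)
        properties = cfg["managedProperty"]
    except (json.JSONDecodeError, KeyError, TypeError) as exc:
        return [f"not a managed configuration object: {exc}"]
    findings, props = [], {}
    if not str(cfg.get("productId", "")).startswith("app:"):
        findings.append("productId should be 'app:<package name>'")
    for prop in properties:
        typed = prop.keys() & VALUE_FIELDS
        if not prop.get("key") or len(typed) != 1:
            findings.append(f"property {prop.get('key')!r}: need a key and exactly one value field")
            continue
        props[prop["key"]] = prop[typed.pop()]
    upns = props.get(ALLOWED_UPNS_KEY)
    if upns is None:
        findings.append("allowed-accounts key missing: personal accounts are not blocked")
    elif not isinstance(upns, str) or not upns.strip():
        findings.append("allowed-accounts value must be a non-empty string")
    elif not upns.startswith("{{"):  # assumed '{{...}}' variable token, resolved per user
        for upn in filter(None, (u.strip() for u in upns.split(";"))):
            if "@" not in upn or upn.rpartition("@")[2].lower() not in org_domains:
                findings.append(f"allowed account {upn!r} is outside the organization")
    return findings

def sample_payload(properties):
    """Build a constructed payload in the JSON editor's shape (not from a real tenant)."""
    return json.dumps({"kind": "androidenterprise#managedConfiguration",
                       "productId": "app:com.microsoft.office.outlook",
                       "managedProperty": properties})

SAMPLE_OK = sample_payload(
    [{"key": ALLOWED_UPNS_KEY, "valueString": "alex@contoso.example;sam@contoso.example"}])
SAMPLE_BAD = sample_payload([
    {"key": ALLOWED_UPNS_KEY, "valueString": "alex@contoso.example; pat@personal.example"},
    {"key": "example.setting", "valueString": "a", "valueBool": True}])

if __name__ == "__main__":
    for name, payload in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, review_managed_config(payload, {"contoso.example"}))
```

An empty findings list means the payload is well formed and every literal account it allows belongs to one of the organization's domains.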
Preconfigure the permissions grant state for apps
You can also preconfigure app permissions to access Android device features. By default, Android apps that require device permissions, such as access to location or the device camera, prompt users to accept or deny permissions.
For example, an app uses the device's microphone. The user is prompted to grant the app permission to use the microphone.
- In the Microsoft Endpoint Manager admin center, select Apps > App configuration policies > Add > Managed devices.
- Add the following properties:
- Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name is Android Enterprise prompt permissions app policy for entire company.
- Description. Enter a description for the profile. This setting is optional, but recommended.
- Device enrollment type: This setting is set to Managed devices.
- Platform: Select Android Enterprise.
- Select Profile Type:
- Select Targeted App. Choose the app that you want to associate a configuration policy with. Select from the list of Android Enterprise fully managed work profile apps that you've approved and synchronized with Intune.
- Select Permissions > Add. From the list, select the available app permissions > OK.
- Select an option for each permission to grant with this policy:
- Prompt. Prompt the user to accept or deny.
- Auto grant. Automatically approve without notifying the user.
- Auto deny. Automatically deny without notifying the user.
- To assign the app configuration policy, select the app configuration policy > Assignment > Select groups. Choose the user groups to assign > Select.
- Choose Save to assign the policy.
- Assign a Managed Google Play app to Android Enterprise personally-owned and corporate-owned work profile devices
- Deploying Outlook for iOS/iPadOS and Android app configuration settings