How to use Intune in environments without Google Mobile Services

Microsoft Intune uses Google Mobile Services (GMS) to communicate with the Microsoft Intune company portal when managing Android devices. In some cases, devices may temporarily or permanently not have access to GMS. For example, a device might ship without GMS, or the device may be connecting to a closed network where GMS is not available. This document summarizes the differences and limitations you may observe when installing and using Intune to manage Android devices without GMS.

Install the Intune Company Portal app without access to the Google Play Store

For users outside of People's Republic of China

If Google Play isn't available, Android devices can download the Microsoft Intune Company Portal for Android and sideload the app. When installed this way, the app doesn't receive updates or fixes automatically. You must be sure to regularly update and patch the app manually.

For users in People's Republic of China

Because the Google Play Store is currently not available in People's Republic of China, Android devices must obtain apps from Chinese app marketplaces. For more information, see Install the Company Portal app in People's Republic of China.

Limitations of Intune device administrator management when GMS is unavailable

Unavailable Intune features

Some Intune features rely on components of GMS such as the Google Play store or Google Play services. Because these components are not available in environments without GMS, the following features in the Intune administrator console may be unavailable.

Scenario Features
Device compliance policies When creating or editing compliance policies for Android device administrator, all options listed under Google Play Protect are unavailable.
App protection policies (conditional launch) SafetyNet device attestation, Require threat scan on apps, and Max Company Portal version age (days) are device conditions that cannot be used for conditional launch.
Client apps Apps of type Android are not available. Use Line-of-business app instead to deploy and manage apps.
Mobile Threat Defense Work with your MTD vendor to understand if their solution is integrated with Intune, if it is available in the region of interest, and if it relies on GMS.

Some tasks may be delayed

In environments where GMS is available, Intune relies on push notifications to speed tasks to finish. For example, if you try to remotely wipe the device, notifications generally get to the device in seconds. In conditions where GMS isn't available, push notifications may also not be available. Therefore, Intune must wait for the next device check-in time to complete the tasks.

Enrolled Android devices report to Intune every 8 hours. For example, if a device reports to Intune at 1 PM and the remote tasks are issued at 1:05 PM, Intune will contact the device at 9 PM to complete the tasks.

The following tasks can require up to 8 hours to finish:

Intune console:

  • Full wipe
  • Selective wipe
  • New or updated app deployments
  • Remote lock
  • Passcode reset

Intune Company Portal app for Android:

  • Remote device removal
  • Device reset
  • Installation of available line-of-business apps

Intune Company Portal website:

  • Device removal (local and remote)
  • Device reset
  • Device passcode reset

If the device recently enrolled, the compliance, non-compliance, and configuration check-in runs more frequently. For more information on device check-ins, see Common questions, issues, and resolutions with device policies and profiles in Microsoft Intune.

Next steps