In one of my tenants the new Android compliance rules arrived last night. From now on we can block access to corporate data for users whose Android devices have USB Debugging enabled, allow the installation of apps from Unknown Sources, or have the option “Scan device for security threats” disabled.
If you ask me, these are three of the most wanted compliance enhancements for supporting Android devices. Let’s have a look at how it works.
In the console the compliance policy can be configured to block access when any of the three settings does not comply. The minimum Android security patch level can also be configured; that check applies to Android 6.0 and later only.
The administrator can identify the users with non-compliant devices and execute a selective wipe if the organization requires it. A selective wipe removes the corporate data and management profile while leaving the user’s personal data on the device.
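As an added example that is not part of the original post (and not Microsoft’s code), the policy above expressed as the JSON body the Microsoft Graph API takes for an Android compliance policy, together with an offline evaluator that applies the same rules to a few constructed device reports. The Graph property names are the ones the androidCompliancePolicy resource uses; the device-report shape, the sample devices, the rule name and the resolution texts are assumptions made up for the example. The `securityRequireVerifyApps` property is included because Graph exposes it, not because the console check was confirmed in this test.

```python
"""Intune Android compliance policy as a Graph payload, plus an offline evaluator.

Added example; not the blog's code and not Microsoft's. Property names follow the
Graph androidCompliancePolicy resource. DeviceReport, the sample devices and the
resolution texts are constructed for this example and are not real Intune data.
"""
import re
from dataclasses import dataclass
from datetime import date


def build_policy(min_patch_level: str) -> dict:
    """Body for POST /deviceManagement/deviceCompliancePolicies (v1.0)."""
    return {
        "@odata.type": "#microsoft.graph.androidCompliancePolicy",
        "displayName": "Android - block debug, sideload and disabled verify-apps",
        "securityDisableUsbDebugging": True,
        "securityPreventInstallAppsFromUnknownSources": True,
        "securityRequireVerifyApps": True,          # "Scan device for security threats"
        "minAndroidSecurityPatchLevel": min_patch_level,  # YYYY-MM-DD; Android 6.0+ only
        # Block immediately (grace period 0 h). Assumption: Graph requires at least one
        # scheduled action on creation; "PasswordRequired" is the rule name the official
        # PowerShell samples use. Verify against current docs before relying on it.
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",
            "scheduledActionConfigurations": [{"actionType": "block", "gracePeriodHours": 0}],
        }],
    }


@dataclass(frozen=True)
class DeviceReport:
    """Constructed stand-in for what the Company Portal app reports about a device."""
    name: str
    os_version: str        # e.g. "6.0.1"
    security_patch: str    # YYYY-MM-DD as shown under Settings > About phone
    usb_debugging: bool
    unknown_sources: bool
    verify_apps: bool      # "Scan device for security threats"


# Text for the "How to resolve this" screen, keyed by finding (constructed wording).
RESOLUTIONS = {
    "usb_debugging": "Settings > Developer options: turn off USB debugging.",
    "unknown_sources": "Settings > Security: turn off Unknown sources.",
    "verify_apps": "Settings > Google > Security: turn on Scan device for security threats.",
    "security_patch": "Settings > About phone > System updates: install the latest security update.",
}


def _version(v: str) -> tuple:
    # "6.0.1" -> (6, 0, 1); keeps digits only so suffixes such as "4.4W" still parse.
    return tuple(int(n) for n in re.findall(r"\d+", v))


def evaluate(policy: dict, report: DeviceReport) -> list:
    """Return the names of the rules the device fails, in policy order ([] = compliant)."""
    findings = []
    if policy.get("securityDisableUsbDebugging") and report.usb_debugging:
        findings.append("usb_debugging")
    if policy.get("securityPreventInstallAppsFromUnknownSources") and report.unknown_sources:
        findings.append("unknown_sources")
    if policy.get("securityRequireVerifyApps") and not report.verify_apps:
        findings.append("verify_apps")
    min_patch = policy.get("minAndroidSecurityPatchLevel")
    # The patch-level rule applies to Android 6.0+ only; older releases are skipped, not failed.
    if min_patch and _version(report.os_version) >= (6, 0):
        if date.fromisoformat(report.security_patch) < date.fromisoformat(min_patch):
            findings.append("security_patch")
    return findings


def is_compliant(policy: dict, report: DeviceReport) -> bool:
    return not evaluate(policy, report)


def how_to_resolve(findings: list) -> list:
    return [RESOLUTIONS[f] for f in findings]


# Constructed sample reports (not real Intune data).
SAMPLE_DEVICES = [
    DeviceReport("nexus5-fresh", "6.0.1", "2016-05-01", False, False, True),
    DeviceReport("nexus6-dev", "6.0.1", "2016-05-01", True, True, True),
    DeviceReport("nexus5x-stale", "6.0", "2015-12-01", False, False, False),
    DeviceReport("older-lollipop", "5.1.1", "2015-03-01", False, False, True),
]

if __name__ == "__main__":
    policy = build_policy("2016-03-01")
    for dev in SAMPLE_DEVICES:
        findings = evaluate(policy, dev)
        print(dev.name, "compliant" if not findings else findings)
        for line in how_to_resolve(findings):
            print("   ", line)
```

Running the block prints one line per sample device; the Nexus 6 with debugging and sideloading on fails two rules, the stale Nexus 5X fails the verify-apps and patch-level rules, and the Lollipop device passes because the patch-level rule is not applied below Android 6.0.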
Looking at the user experience, I tested enrollment with the non-compliant settings already configured, and changing to the non-compliant settings on a device that was already enrolled.
After enabling USB Debugging and Unknown Sources, the user sees the following:
After the recheck, the user can see what is wrong and what needs to be fixed to regain access:
Tapping How to resolve this explains how to fix the compliance issues:
Conditional Access of course also applies to modern apps, for instance when trying to configure the Outlook app:
For some reason I was not able to verify via the compliance policy whether the option “Scan device for security threats” was disabled or not. Some further investigation is needed 🙂
After searching on the web I stumbled here… I was curious: did you actually test the Selective Wipe on Android? It appears it still doesn’t work correctly for us and we’ve seen all sorts of issues.
Note: This testing was done with Nexus devices only: 5, 6, 5X
First: Selective Wipe with the Outlook app still does not remove the existing mail on the phone; it only prevented the ability to receive mail. I could however still send mail from the device after the selective wipe process, and I can still view and read the cached email on the phone.
Second: Initial enrollment prompted to install Intune and worked as intended. However, on re-testing we are able to configure the Outlook app at will and connect to send/receive mail without the Intune app.
Third: MS documentation shows that MDM works with the built-in Exchange support for the Gmail app. However, we have yet to get it working with the Gmail app. It says it is trying to connect via ActiveSync and is denied due to external MDM.
Fourth: The Intune app mistakenly found my device to be rooted, which it is not.