Corporate identifiers and Android BYO with work profile - GraphAPI to the rescue!


When a device is enrolled in Intune as a corporate device, Intune can collect the full phone hardware and app inventory, but only a partial inventory for devices enrolled as personal. The benefit of managing devices as corporate is that it unlocks additional device management capabilities compared to personal devices. At the time of writing this blog, Intune automatically assigns corporate-owned status to devices that join Microsoft Entra via:

- Device enrollment manager account (all platforms)
- An Apple device enrollment program such as Apple School Manager, Apple Business Manager, or Apple Configurator (iOS/iPadOS only)
- Windows Autopilot
- Co-management with Microsoft Intune and group policy (GPO)
- Azure Virtual Desktop
- Automatic mobile device management (MDM) enrollment via provisioning package
- Knox Mobile Enrollment
- Android Corporate-owned devices with work profile
- Android Fully managed devices
- Android Dedicated devices
- Android Open Source Project (AOSP) Corporate-owned user-associated devices
- Android Open Source Project (AOSP) Corporate-owned user-less devices
- Android Open Source Project (AOSP) Google Zero Touch

To ensure that corporate devices are marked as corporate-owned as soon as they enroll in Intune, organizations can add their corporate identifiers ahead of time in the Microsoft Intune admin center. This can be done by uploading a .csv file containing all the supported corporate identifiers or by entering each identifier separately. At the time of writing this blog, the following identifiers are supported:

- IMEI
- Serial number
- Serial number, manufacturer, and model (Windows only)

Now that we have established the importance of configuring corporate identifiers in Intune, let's cover another enrollment method, Android BYO with work profile. As of writing this blog, corporate identifiers for Android BYO with work profile are only supported on Android 11 and earlier.

Source: Microsoft

This is because Google removed the ability for apps to access hardware identifiers such as IMEI, MEID and serial number on personally-owned work profile devices. Instead, Google introduced an enrollment-specific ID which identifies the work profile enrollment in a particular organization and stays stable across factory resets. The removal affects the workflows for personally-owned Android Enterprise with work profile devices running Android 12, where serial number, IMEI and MEID are no longer supported for identifying devices as corporate in the Intune admin center.

This is a big bummer, because the corporate identifier for Android BYO with work profile was a great way to manage ownership for existing corporate Android devices without having to reset them. Luckily, all is not lost. The device owner type can be changed for all managed devices in Intune using the Graph API through a PATCH request (also known as the update channel).

For all intents and purposes, I am going to update the device owner type for all Android BYO with work profile devices by looking at the current owner type 'personal' and the operating system 'Android'. I will be using Azure Cloud Shell to prepare and run the PowerShell commands that call the Graph APIs. We will be using the DeviceManagementManagedDevices.ReadWrite.All permission, which allows read and write actions against the properties of devices managed by Microsoft Intune. It does not allow high-impact operations such as remote wipe or resetting the password of the device's owner.

If you would like to read about setting up Azure Cloud Shell, you can read about it in one of my posts over here.

1. Sign in to the Azure portal.
2. Launch Cloud Shell from the top navigation of the Azure portal and run the following PS commands.

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.ReadWrite.All'

# Get all Intune-managed Android devices that are currently marked as personal
$personaldevices = Invoke-MgGraphRequest -Method Get -OutputType PSObject -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$filter=managedDeviceOwnerType eq 'personal' and operatingSystem eq 'Android'"

# JSON body for the PATCH request: set the ownership to company
$body = '{ "ownerType": "company" }'

# Patch each device; a separate loop variable keeps $personaldevices intact for later inspection
foreach ($device in $personaldevices.value) {
    $uri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$($device.id)"
    Invoke-MgGraphRequest -Method Patch -Uri $uri -Body $body -ContentType "application/json"
}


You can run $personaldevices.value to ensure correct values are getting filtered.
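The script above patches every device returned by the first page of the query. As an added example (not the post's original script), the version below follows @odata.nextLink so that tenants with more devices than one Graph page are fully covered, prints the candidate list first, supports a -WhatIf dry run before anything is changed, and writes a CSV audit log of every device it flips. It assumes the Microsoft.Graph PowerShell module is available in Cloud Shell as in the post; the function names and the log path are my own choices.

```powershell
# Added example, not the post's original script. Assumes the Microsoft.Graph
# module is loaded (as in Cloud Shell) and the same permission scope as the post.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.ReadWrite.All'

function Get-PersonalAndroidDevices {
    # Graph returns results in pages; keep following @odata.nextLink until it is absent.
    $uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?" +
           "`$filter=managedDeviceOwnerType eq 'personal' and operatingSystem eq 'Android'" +
           "&`$select=id,deviceName,osVersion,serialNumber,userPrincipalName,managedDeviceOwnerType"
    $devices = @()
    do {
        $page = Invoke-MgGraphRequest -Method Get -OutputType PSObject -Uri $uri
        $devices += $page.value
        $uri = $page.'@odata.nextLink'
    } while ($uri)
    return $devices
}

function Set-DeviceOwnerTypeCompany {
    # SupportsShouldProcess gives us -WhatIf/-Confirm for free.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [psobject[]] $Devices,
        [string] $LogPath = "$HOME/ownertype-change-log.csv"   # assumed log location
    )

    $body = @{ ownerType = 'company' } | ConvertTo-Json

    foreach ($d in $Devices) {
        $target = "$($d.deviceName) [$($d.id)]"
        if ($PSCmdlet.ShouldProcess($target, 'Set ownerType to company')) {
            $uri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$($d.id)"
            Invoke-MgGraphRequest -Method Patch -Uri $uri -Body $body -ContentType 'application/json'

            # Record what changed and for whom, so the bulk edit can be reviewed or reverted.
            [pscustomobject]@{
                Time              = (Get-Date -Format o)
                DeviceId          = $d.id
                DeviceName        = $d.deviceName
                OsVersion         = $d.osVersion
                SerialNumber      = $d.serialNumber
                User              = $d.userPrincipalName
                PreviousOwnerType = $d.managedDeviceOwnerType
                NewOwnerType      = 'company'
            } | Export-Csv -Path $LogPath -Append -NoTypeInformation
        }
    }
}

# 1. Collect every personal Android device across all result pages and review the list.
$candidates = Get-PersonalAndroidDevices
$candidates | Format-Table deviceName, osVersion, serialNumber, userPrincipalName, managedDeviceOwnerType

# 2. Dry run: shows each device that would be patched, without calling Graph.
Set-DeviceOwnerTypeCompany -Devices $candidates -WhatIf

# 3. Apply for real once the candidate list looks right.
# Set-DeviceOwnerTypeCompany -Devices $candidates
```

Because flipping a device to company-owned widens the inventory Intune collects from it, reviewing the candidate table and the -WhatIf output before the real run is the step that keeps genuinely personal devices out of the change; the CSV log gives you the device IDs needed to patch them back to 'personal' if one slips through.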



Status after running the command.


In the Intune admin portal, the ownership will change almost immediately.

Before

After



Final thoughts

The Microsoft Graph API for Intune is a neat way of accessing Intune information within an organization's tenant. The API performs the same Intune operations as those available through the Azure Portal. However, it must be used carefully, so it is important that both access and permissions are secured. There are a couple of ways to achieve this, and I will be covering the details in the blogs to come. Until then, thanks for reading and I hope it was helpful.

