Corporate identifiers and Android BYO with work profile - GraphAPI to the rescue!

-

When a device is enrolled in Intune as a corporate device then Intune can collect full phone hardware and app inventory, but only partially for devices enrolled as personal. The benefit of managing devices  as corporate is the unlocking of additional device management capabilities as compared to personal devices. At the time of writing this blog, Intune automatically assigns corporate-owned status to devices that join to Microsoft Entra via:

- Device enrollment manager account (all platforms)
- An Apple device enrollment program such as Apple School Manager, Apple Business Manager, or Apple Configurator (iOS/iPadOS only)
- Windows Autopilot
- Co-management with Microsoft Intune and group policy (GPO)
- Azure Virtual Desktop
- Automatic mobile device management (MDM) enrollment via provisioning package
- Knox Mobile Enrollment
- Android Corporate-owned devices with work profile
- Android Fully managed devices
- Android Dedicated devices.
- Android Open Source Project (AOSP) Corporate-owned user-associated devices
- Android Open Source Project (AOSP) Corporate-owned user-less devices
- Android Open Source Project (AOSP) Google Zero Touch

To ensure that corporate devices are marked as corporate-owned as soon as they enroll in Intune, organizations can add their corporate identifiers ahead of time in the Microsoft Intune admin center. This can be done through a .csv file containing all the supported corporate identifiers or enter each identifier separately. At the time of writing this blog, following identifiers are supported -

- IMEI
- Serial number
- Serial number, manufacturer, and model (Windows only)

Now that we have established the importance of configuring corporate identifiers in Intune, let's cover another enrolment method which is Android BYO with work profile. As of writing this blog, corporate identifiers for Android BYO with work profile is only supported on Android 11 and earlier.

Source:Microsoft

This is because Google removed the ability for apps to access hardware identifiers on personally-owned work profile devices that utilized hardware identifiers like IMEI, MEID and serial number. Instead, Google introduced enrolment specific id which identifies the work profile enrollment in a particular organization, thus keeping it stable across factory resets. The removal affects the workflows  personally-owned Android Enterprise with work profile devices running Android 12 where serial number, IMEI, MEID are no longer supported to identify devices as corporate in Intune admin center.

This is a big bummer because corporate identifier for Android BYO with work profile was a great way to allow managing ownership for existing corporate Android devices without having to reset them. Luckily, all is not lost. The device owner type can be changed for all managed devices in Intune using Graph API through a Patch channel aka Update channel

For all intent and purposes, I am going to be updating the device owner type for all Android BYO with work profile devices looking at the current owner type 'personal' and operating system as 'Android'. I will be using Azure cloud shell to prepare and run the PS commands to call the Graph APIs. We will be using DeviceManagementManagedDevices.ReadWrite.All API that allows read and write actions against the properties of devices managed by Microsoft Intune. This does not allow high impact operations such as remote wipe and password reset on the device’s owner. 

If you will like to read about setting up Azure cloud shell, then you can read about it on one of my posts over here.

1. Sign in to the Azure portal.
2. Launch Cloud Shell from the top navigation of the Azure portal and run the following PS commands.

connect-mggraph -Scopes 'DeviceManagementManagedDevices.ReadWrite.All'

$personaldevices = Invoke-MgGraphRequest -Method Get -OutputType PSObject -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$filter=managedDeviceownerType eq 'personal' and operatingSystem eq 'Android')"

$body = '
{
    ownerType:"company"
}'

foreach($personaldevices in $personaldevices.value) {
    $uri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$($personaldevices.id)"
    Invoke-MgGraphRequest -Uri $uri -Body $body -method Patch -ContentType "application/json"
}


You can run $personaldevices.value to ensure correct values are getting filtered.



Status after running the command.


In the Intune admin portal, the ownership will change almost immediately.

Before

After



Final thoughts

The Microsoft Graph API for Intune is a neat way of accessing Intune information within an organization's tenant. The API performs the same Intune operations as those available through the Azure Portal. However, it must be used carefully, therefore it is important that both access and permissions are secured. There are a couple of ways to achieve this and I will be covering the details in the blogs to come. Until then, thanks for reading and hope it was helpful..

References:



Comments

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

-
Image
Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD. As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so. try{ $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive         $KPID=""         foreach($KP in $BitlockerVol.KeyProtector){             if($KP.KeyProtectorType -eq "RecoveryPassword"){                 $KPID=$KP.KeyProtectorId                 break;             }         }        $o
Read more

Intune: Configure Printers for Non-Administrative Users

-
Image
Configuring printers for end users or giving them the ability to do it themselves is a normal requirement for organizations. Now if your users are Administrators, then the configuration can be straight forward, but in case of Non-Administrators there are additional steps required as Non-Administrators will not be able to add a driver in the driver store despite being able to install a printer. In this blog, I will cover the steps that I took to address this requirement using Intune. The setup involves 2 steps -  1. Setup registries. 2. Install the driver and configure the printer Setting up registries – The registries that need to be configured are actually part of a GPO setting – Allow non-administrators to install drivers for these device setup classes It can be found under: Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation I used a Powershell script to set the values and wrapped it in a Win32 application. $Path1
Read more

Prevent users from running certain programs or applications on Windows endpoints using Intune

-
Image
  When it comes to blocking or preventing users from running an application on Windows devices, one normally uses App locker policy, Windows Defender Application Control and not so new but pretty useful method called Defender Vulnerability management within Microsoft 365 Defender Portal. A recent question on the Tech Community Microsoft forum prompted me to look for all possible alternatives. I started reminiscing over the legacy GPO policies and that is when I stumbled upon the policy  Don’t run specified Windows applications  located under User Administrative Templates - The policy setting does come with its own caveat - " This policy setting only prevents users from running programs that are started by the File Explorer process. It does not prevent users from running programs, such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from starting pr
Read more