Configure Android Enterprise system app in Intune for any OEM

-

When it comes to managed apps on Android Enterprise devices, normally it is Managed Google Play store that comes to mind. One setup and synced, you can make any published app in Managed Google Play store available to the Android managed devices. But what about apps outside the Managed Google Play store? Particularly non Google OEM specific apps in form of system apps? Organizations may want to allow system apps like Camera & Photos Gallery available to the end users to store media files in the work container. This is where Android Enterprise system app type in Intune can come handy. Through this app type you can enable a system app for Android Enterprise dedicated devices, fully managed devices, Android Enterprise corporate-owned with work profile, or Android Enterprise personally-owned work profiles.

Before you assign an Android Enterprise system app to a device, you must first enable the app in Microsoft Intune. To enable an app, assign the system app as Required. When you no longer need the system app, you can disable it by assigning it as Uninstall

A couple of Caveats -

1. Android Enterprise system apps will enable or disable apps that are already part of the platform. 
2. System apps cannot be assigned as available for a user.
3. You cannot create an Android Enterprise system app when there is the same app in Managed Google Play in Intune.
4. If the process covered in this blog doesn't work for you for identifying the package name, then you will need to work with the OEM of your device to find the package name of the app you would like to enable/disable.

How to identify the package name of the system app?

You see, when a work profile is created in an Android Enterprise device, the following system apps are automatically added in the work container.

- My Files
- Contacts
- Google Play Store

Now Samsung Knox has provided a list of some additional system apps that can directly be picked as-is. However, the same cannot be said for other OEM like OPPO\OnePlus. Even though most organizations use Samsung and Google manufactured devices for corporate use, in today's modern workplace hybrid setup, it is all about protecting corporate data. So device manufacturer shouldn't really be a concern as long as it adheres with Android Enterprise standards. Especially for personally owned devices.
  
With that said, one of easiest ways I have found to identify the package name of system app is using some sort of package manager app from Google Play Store and capture the information that way. Following are the snippets containing the package names of Camera and Photos app on OnePlus.


Now that we have package names, we are good to import them in Microsoft Intune.

2. Select Apps > All apps > Add > Android Enterprise system app
3. In the App information page, enter the name of the app.
4. Enter the name of the publisher of the app.
5. Enter a package name as shown below.


6. Click Next until you reach the assignments page. Select a group of users or devices. Note: In my experience Samsung system apps failed to install when I targeted a user based group with Intune Device filters and had to use device based groups instead. However, there was no such issue with OnePlus system apps.

7. Click Create to enable the app in Intune.

End Result

After the device syncs, the system apps should install and show up in the work container.


That's it for now. Thanks for reading and I hope the details covered in this blog post will save you some time when dealing with a similar scenario.

Comments

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

-
Image
Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD. As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so. try{ $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive         $KPID=""         foreach($KP in $BitlockerVol.KeyProtector){             if($KP.KeyProtectorType -eq "RecoveryPassword"){              ...
Read more

Prevent users from running certain programs or applications on Windows endpoints using Intune

-
Image
  When it comes to blocking or preventing users from running an application on Windows devices, one normally uses App locker policy, Windows Defender Application Control and not so new but pretty useful method called Defender Vulnerability management within Microsoft 365 Defender Portal. A recent question on the Tech Community Microsoft forum prompted me to look for all possible alternatives. I started reminiscing over the legacy GPO policies and that is when I stumbled upon the policy  Don’t run specified Windows applications  located under User Administrative Templates - The policy setting does come with its own caveat - " This policy setting only prevents users from running programs that are started by the File Explorer process. It does not prevent users from running programs, such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from st...
Read more

Intune: Configure Printers for Non-Administrative Users

-
Image
Configuring printers for end users or giving them the ability to do it themselves is a normal requirement for organizations. Now if your users are Administrators, then the configuration can be straight forward, but in case of Non-Administrators there are additional steps required as Non-Administrators will not be able to add a driver in the driver store despite being able to install a printer. In this blog, I will cover the steps that I took to address this requirement using Intune. The setup involves 2 steps -  1. Setup registries. 2. Install the driver and configure the printer Setting up registries – The registries that need to be configured are actually part of a GPO setting – Allow non-administrators to install drivers for these device setup classes It can be found under: Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation I used a Powershell script to set the values and wrapped it in a Win32 application. $P...
Read more