As mentioned in MC988140, later this year we are making two significant improvements for the management of Android personally owned work profile devices. These include a web-based enrollment flow and a new implementation to deliver policies by moving to Google's Android Management API (AM API). These updates are designed to modernize device management and improve the user enrollment flow.
For more details, review the blog: New policy implementation and web enrollment for Android personally owned work profile
[How this will affect your organization:]
We have updated the blog with this additional information:
- Web enrollment opt in: Intune will add a tenant-wide setting for you to opt in to web enrollment for new devices, which will be available in the second half of calendar year 2025. In the first half of calendar year 2026, web enrollment will become the default for all enrollments.
- Android OS version support:
- Web enrollment will be supported on all Android OS versions.
- Moving existing enrolled devices to the new implementation will be supported on any device running supported Android OS versions for user-based management methods at that time.
- Microsoft Authenticator: The Microsoft Authenticator app will be installed automatically during web enrollments to provide streamlined single sign-on for users.
- Enrollment restriction: For the enrollment restriction for personal work profile devices, Intune will be removing the setting to block personally owned devices.
- Work profile password: AM API does not support password requirements at the work profile level for devices on Android 11 and earlier. Because of this, any devices on Android 11 and earlier that have configuration or compliance policies that set a password requirement at the work profile level that web enroll or move to AM API will have their work profile level password requirement applied at the device level to ensure corporate data is protected.
- TeamViewer support: For devices on the new implementation, support for using TeamViewer to remotely administer devices will be added in the first half of calendar year 2026 when all devices are moved to the new implementation. If you opt in to web enrollment or move devices to the new implementation before that time, you will not be able to use TeamViewer on those devices until the first half of calendar year 2026. TeamViewer will continue working for devices on the custom DPC implementation.
For more details and the full list of expected changes, review the blog: New policy implementation and web enrollment for Android personally owned work profile
[What you need to do to prepare:]
To ensure a smooth transition and the most streamlined experience for your users, we recommend as applicable:
- Reviewing the changes listed and revising any relevant policy configurations
- Update your IT admin documentation
- Notify your users or helpdesk about the changes in experience
We will provide more specific timeframes and additional information in the coming months to give you adequate time to prepare. Stay tuned to the blog for more details and updates: New policy implementation and web enrollment for Android personally owned work profile