Recent discussions
SCEP Certificate Fails with Multiple Root CAs on COPE/COBO (Works on BYOD)
Hi everyone, We're running into a certificate issue with our Android Enterprise deployment and hoping someone here has encountered something similar or can point us in the right direction. We're using Microsoft Intune as our MDM solution with COPE and COBO enrolled devices. This affects all Android devices regardless of manufacturer, including Google Pixel devices running Android 16 with the latest security patch. The devices use SCEP certificates for Wi-Fi authentication. In early September, we rolled out new Root CAs via Intune. These new Root CAs are used for creating SCEP profiles for Wi-Fi authentication. The devices now have both the old, still valid Root CA and the new Root CA installed. The problem occurs when a device tries to obtain a new SCEP certificate issued by the new Root CA. In this case, the Android device attempts to verify the certificate chain using the old Root CA, which fails because the certificate was issued by the new Root CA. As soon as the old Root CA is removed from the device via MDM, the certificate verification works as expected. Interestingly, the entire process works without any problems on Android devices with personal enrollment (BYOD). We've tested creating a new SCEP profile, but unfortunately that didn't help. Only removing the old Root CA solved the problem. The issue now also occurs with BYOD devices as well. Has anyone dealt with a similar situation during a Root CA migration on Android Enterprise devices? We're trying to understand why COPE and COBO devices behave differently than BYOD devices in this scenario, and whether there's a configuration we're missing that would allow both Root CAs to coexist properly during our transition period. Thanks in advance for any help you can provide.
Android 15 Setup Wizard loops at “Accept Google Services” on Lenovo Tab M11 (TB311FU)
Hi all, I'm running into a blocking issue provisioning brand-new (and factory-reset) Lenovo Tab M11 - TB311FU devices on Android 15 with Android Management API (fully managed / dedicated, kiosk). On Android 14 everything worked fine with the exact same policy and enrollment flow. The issue only started after updating to Android 15. (this is my test device, i constantly factory reset it) Expected behavior: Standard QR (6-tap) provisioning to proceed past the “Accept Google Services” screen, install Android Device Policy, enroll to my enterprise, and apply the kiosk policy, install app, and done. What happens instead: After Wi-Fi and scanning the AMAPI QR token, Setup Wizard reaches “Accept Google Services”. Tapping Accept shows a spinner, then it returns to the same screen (loop). I simply cannot get past this point. If I reboot at this point, on the very first Welcome screen the device sometimes becomes unresponsive (neither 6-tap nor “Next” reacts) until I factory reset again. Is there a known Android 15 Setup Wizard issue that can cause a loop at “Accept Google Services” on Lenovo TB311FU? Any workarounds you'd recommend to get past the acceptance loop? When factory resetting, and setting up the tablet without scanning the qr code, i get past the Google Services no problem. When i install via qr-code on new fresh never used before tablets, that come pre-installed with Android 14, i don't have any issues. Same policy, same everything... except the Android version. Thanks in advance! /B
Google keyboard not appearing automatically
Have a bit of an emergency where after the latest Gboard update, when users tap an input field, instead of Gboard just showing up as normal, a menu bubble is appearing instead where they have to tap it and select the "show on screen keyboard" option. I haven't been able to locate Google's release notes for Gboard to see if there was something that changed. Any ideas would be greatly appreciated!
New devices only receive "Enterprise Default Profile" instead of default profile
Hey there, this is my first post here as I could not find a ticket system for Zero Touch. Since a couple of weeks all new devices only getting the "Enterprise Default Profile" automatically assigned which I deleted during zero touch tenant setup in "Configurations". The default profile I created does not get automatically applied anymore. Unfortunately I can change the default assignment profile to whatever I want but newly added devices still are getting the "Enterprise Default Profile". Changing the device profile after the initial upload (including wrong DPC info) to the created target profile works in bulk. Once changed manually the devices apply the correct DPC. Multiple zero touch instances are affected. How to fix the default assignment profile for newly added devices? Any suggestions?Can't configure notifications on my work profile
I hope someone here can help me, since I've been stuck in this issue for over a month now. I can not configure notifications on my work profile. I am the admin so should be able to allow this for users. I'll share some screenshots to illustrate the issue. First, the disabled notification: Then, the advice of gemini: The Solution: Change the Admin Policy You must log in to your Google Admin Console and change the setting that is blocking this. On your computer, log in to your Google Admin Console at admin.google.com. In the left-hand menu, navigate to: Devices $\rightarrow$ Mobile & endpoints $\rightarrow$ Settings Click on Android. This page lists all your Android policies. You are looking for the setting that controls app permissions. It is most likely in one of these two sections: Primary Target: Apps and data sharing Look for a setting like App permissions or App settings. The current setting is likely "Block user from modifying" or "Set to... (Enforced)". Change this setting to Allow user to configure or Let user choose. Secondary Target: Work profile Look for a setting like Work profile notifications or Lock screen notifications. While this usually just controls lock screen visibility, if it's set to "Hide all notifications," it may interfere. Ensure it is set to Show all notification content or Allow user to configure. Click Save at the top or bottom of the page. This option is simply not there!
How to obtain the eSIM EID (Embedded Identification Document) from a device with DO (Device Owner) active?
Hello, We are looking to implement the functionality to provision eSIM profiles on devices with Android 15+. However, we encountered a telecom provider that requires the EID of the devices before providing us with the eSIM activation code. In this initial stage, we are simply trying to obtain the EIDs of all devices so that we can send them to the telecom provider and receive the eSIM activation code in return. To obtain the EID, we are using the following approach: `euiccManager.createForCardId(slot).eid` However, we are encountering this issue as noted here: *Must have carrier privileges on subscription to read EID for cardId=0 [java.lang.SecurityException: Must have carrier privileges on subscription to read EID for cardId=0]* The same issue occurs with `euiccManager.eid`. According to the documentation mentioned above, Android 15 introduced the possibility of managing eSIM profiles without requiring carrier privileges. However, it seems that the same should also apply to obtaining the EID. I noticed a similar situation reported here that has been unanswered since September 2024. Is there any other way to retrieve the EID, or is there any plan to include EID in the bypass for managed corporate devices (which have Device Owner active)? Looking forward to any insights on this. Thanks in advance!
Why openNetworkConfiguration not working in enrolled device?
I have enrolled a device and want to use managed wifi on that device. I have used following configuration- "openNetworkConfiguration": { "Type": "UnencryptedConfiguration", "NetworkConfigurations": [ { "GUID": "inovex_wifi", "Name": "INovex-Dev", "Type": "WiFi", "WiFi": { "SSID": "INovex-Dev", "Security": "WPA-EAP", "EAP": { "Outer": "EAP-TLS", "Identity": "faruk", "DomainSuffixMatch": ["dms.mobi-manager.com"], "ServerCARefs": ["ca_inovex"], "ClientCertType": "Ref", "ClientCertRef": "client_inovex" } } } ], "Certificates": [ { "GUID": "ca_inovex", "Type": "Server", "X509": "ca_base64" }, { "GUID": "client_inovex", "Type": "Client", "PKCS12": "client_base64" } ] } My expection is This network automatically save in wifi list As I set client and server certificate the device should connect automatically For information I have used freeradius server for authentication.
