It is corporate owned fully managed user devices. If I use QR instead of zero touch, I don’t get the initial PIN setup.

Currently, test users are prompted to create a PIN during setup, when they setup a PIN, the Lock Screen never shows up. But if they skip it, the Lock Screen shows up with the right 6 digit PIN.

As said a bit down below, i see the same behavior (setting a pin is requested during enrollment) but the lockscreen not showing up if done so, sounds very like an Intune issue.

Spoke to a Google representative today. This behavior started with Android 14 and there is no way to skip the initial prompt PIN

Strange name from MS as COPE devices are never fully managed 😄 but accept that the "naming issue" does come from MS, not from you.

I just did another test enrollment with COPE in Soti, set the pin during enrollment (and have a pin policy for the device in place as well), the lockscreen works perfect.

Hi @Michel, 

regarding "The procedure explained should be the same for COPE as for fully managed. Unless a device is enrolled as BYOD (when it does not have zero touch configured correctly for example). ", is that really the case?

For me it's long time ago i made such enrollment but my guess would be that even on COPE the user can/should set a pin him-/herself during the enrollment and later the policies of the MDM (no matter which one) takes place and may ask to reset the pin because the previously chosen one was not secure enough (compared to what the admin has set up as a requirement).

Just did a test on one of my test devices and you get prompted to define a pin (after the MDM agent was installed), not sure if admin policy already takes place here regarding how secure it has to be.

But be aware that on COPE you have 3 passwords to be set:

- admin password

- device pin

- work profile pin

Both pins can be enforced by the MDM to match defined requirements which can cause the device also re-requesting for example device pin to be set if the one chosen from the enduser before was too less secure.

Or you maybe struggle that the end user needs to set a pin for device (during enrollment) and later also for  the work profile later as well.

Hi @Moombas , its when looking at the passcode, yes. If you configure Intune with a password policy for the whole device, not just the work profile, it will ask you to set the pin before the personal settings of cope are shown. The rest of the enrollment process is different between fully managed and cope ofcourse. 

But you're comment got me thinking, and I've found this article from MS: https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-configuration/assign-password-setti...

It seems that you are able to configure it both ways, we always configure it via the recommended way:

Because of the OS limitation on Android Enterprise fully managed devices, we recommend that you assign the device restrictions profile that includes password settings to the devices before enrollment.

This might very well be the issue that @M-T-T is experiencing. But I have absolutely no idea how to apply a profile after enrollment 😅. The way we work:

Create a user, user is part of a group, assign policies and apps to that group, enroll the device and login with the user during the enrollment proces. My first interpretation would be that Microsoft means applying a policy to an operational device when talking about " after enrollment" but i'm not sure. 

Again, i don't use Intune and not sure how/where it works different.

For me it's other way around: I don't know how to apply it before enrollment. In Soti you deploy a COPE profile with authentication but this takes place after the device is enrolled.

And you even can't before as you enroll a device using an enrollment ID and not with logging in with a user to the device (similar to fully managed enrollment).