diff --git a/intune/intune-service/apps/apps-deploy.md b/intune/intune-service/apps/apps-deploy.md index ba4cca1a45f..a28e2526177 100644 --- a/intune/intune-service/apps/apps-deploy.md +++ b/intune/intune-service/apps/apps-deploy.md @@ -152,7 +152,7 @@ The information in the following table can help you understand the resulting int > [!NOTE] > Apps deployed as Required to corporate-owned work profile and corporate-owned fully managed devices can't be uninstalled manually by the user. -## Managed Google Play app deployment to unmanaged devices +## Managed app deployment to unmanaged devices For unenrolled Android devices, you can use managed Google Play to deploy store apps and line-of-business (LOB) apps to users. Once deployed, you can use [Mobile Application Management (MAM)](../apps/android-deployment-scenarios-app-protection-work-profiles.md#mam) to manage the applications. 
@@ -169,13 +169,19 @@ Steps to assign a Managed Google Play app to unmanaged devices: 5. User logs in any protected app. 6. The next time the end user opens the Company Portal app and completes the sign in process, they see a message in the Apps section. This message indicates that there are apps available for them. The user can select this notification to navigate to the Play Store. - > [!NOTE] - > You can configure [device enrollment setting options](./company-portal-app.md#device-enrollment-setting-options) to be **Available, no prompts** or **Unavailable**. This setting prevents users from unintentionally enrolling their device. It also prevents notifications to enroll after they sign in to the Company Portal. + > [!NOTE] + > You can configure [device enrollment setting options](./company-portal-app.md#device-enrollment-setting-options) to be **Available, no prompts** or **Unavailable**. This setting prevents users from unintentionally enrolling their device. It also prevents notifications to enroll after they sign in to the Company Portal. 6. The end user can expand the context menu within the Play Store app and switch between their personal Google account (where they see their personal apps), and their work account (where they see store and LOB apps targeted to them). End users install the apps by tapping Install in the Play Store app. When an APP selective wipe is issued in the Intune admin center, the work account is automatically removed from the Play Store app. The end user no longer sees work apps in the Play Store app catalog from that point. +For unmanaged Android devices, you can also use the Company Portal app to allow end users to browse and install available Line-of-Business applications. In this scenario, end users browse and install apps from the Company Portal app, instead of the Play Store app. To make LOB apps available from the Company Portal app, add Android-Line-of-Business apps with **Target platform** of Device Administrator. 
Target the apps as **Available with or without enrollment** to the desired user group. [Device enrollment setting options](./company-portal-app.md#device-enrollment-setting-options) should be configured to be **Available, no prompts** or **Unavailable**. + +> [!NOTE] +> Intune [ended support for Android device administrator devices](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftechcommunity.microsoft.com%2Fblog%2Fintunecustomersuccess%2Fintune-ending-support-for-android-device-administrator-on-devices-with-gms-in-de%2F3915443&data=05%7C02%7Cabigailstein%40microsoft.com%7C57716dd93a764ca4b96008de6efadc38%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C639070221094500026%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=QMsY3dA2Jw8WuBcc1lP9ClKjyDGX5C3NfmIxlCDHD9o%3D&reserved=0) with GMS in December 2024. + + When the work account is removed from a device, apps installed from the Play Store remain installed on the device and don't uninstall. ## App uninstall setting for iOS managed apps diff --git a/intune/intune-service/enrollment/automated-device-enrollment-authentication.md b/intune/intune-service/enrollment/automated-device-enrollment-authentication.md index df6da3f7a13..745e99cd54e 100644 --- a/intune/intune-service/enrollment/automated-device-enrollment-authentication.md +++ b/intune/intune-service/enrollment/automated-device-enrollment-authentication.md 
@@ -64,6 +64,9 @@ In both scenarios, the Company Portal installation option is hidden from the dev ### Multifactor authentication +>[!CAUTION] +> Phishing-resistant MFA isn't supported on Setup Assistant for iOS/iPadOS. Users enrolling iOS/iPadOS devices via Automated Device Enrollment using Setup Assistant with modern authentication must have an alternate MFA method available to complete device enrollment. For more information about choosing an alternate MFA method, see [Requiring multifactor authentication](/entra/identity/conditional-access/policy-all-users-mfa-strength#authentication-strength). + Multifactor authentication (MFA) will be required if a [Conditional Access policy that requires it](multi-factor-authentication.md) is applied at enrollment or during Company Portal sign-in. However, MFA is optional, based on the Microsoft Entra settings in the targeted Conditional Access policy. External authentication methods are supported in Microsoft Entra ID, which means you can use your preferred MFA solution to facilitate MFA during device enrollment. If you choose to use a third-party MFA provider, before you deploy enrollment profiles to all devices, do a test run to ensure that both the Microsoft Entra MFA screen and MFA work during enrollment. For more information and support details about external authentication methods, see [Public preview: External authentication methods in Microsoft Entra ID](https://techcommunity.microsoft.com/t5/microsoft-entra-blog/public-preview-external-authentication-methods-in-microsoft/ba-p/4078808).
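Review bot: Renaming the heading in apps-deploy.md (hunk at -152) from `## Managed Google Play app deployment to unmanaged devices` to `## Managed app deployment to unmanaged devices` changes the anchor generated from it, so existing links to the old anchor will no longer land on this section. Search the repo for `#managed-google-play-app-deployment-to-unmanaged-devices` and update any references in the same change. The paragraph directly under the new heading still introduces only managed Google Play, so a sentence there mentioning the Company Portal option added in the next hunk would keep the broader title accurate.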
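Review bot: The link in the NOTE added to apps-deploy.md (hunk at -169) is an Outlook Safe Links wrapper (`https://nam06.safelinks.protection.outlook.com/?url=...`) instead of the article URL, and its `data=` parameter publishes an internal e-mail address and other mail-tracking values in public docs. Replace it with the decoded target from the `url=` parameter, `https://techcommunity.microsoft.com/blog/intunecustomersuccess/intune-ending-support-for-android-device-administrator-on-devices-with-gms-in-de/3915443`. In the same hunk, the new paragraph tells admins to add LOB apps with **Target platform** of Device Administrator while the NOTE that follows says support for Android device administrator devices with GMS ended in December 2024; add a sentence explaining how the two statements fit together so readers don't take the NOTE as contradicting the step. The paragraph also writes "Line-of-Business" and "Android-Line-of-Business" where the section above uses "line-of-business (LOB)".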
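Review bot: The CAUTION added under "### Multifactor authentication" in automated-device-enrollment-authentication.md (hunk at -64) tells users they must have an alternate MFA method, but the paragraph below it says the MFA requirement comes from the Conditional Access policy applied at enrollment, which is an admin setting. State what the admin needs to do, for example which authentication strength the policy targeting enrollment should allow, and what the user sees in Setup Assistant if only phishing-resistant methods are permitted. The alert marker is written `>[!CAUTION]` without the space used by the `> [!NOTE]` alerts elsewhere in this patch, and the alert would read better after the paragraph that introduces MFA than directly under the heading.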