Remotely collecting diagnostic logs for managed Microsoft 365 apps

This week is sort of a follow-up on a post of more than 5 years ago, about checking diagnostic logs for managed apps on iOS and Android devices. That post was focussed on how to achieve that locally on the device. Recently, a lot has changed. The local option is still available, but it’s now also possible to remotely collect those diagnostic logs for managed Microsoft 365 apps. That makes the troubleshooting of app protection and app configuration policies a lot easier, without really difficult, or challenging, activities from a user perspective. The main thing that is left for the user is accepting the remote collection of the diagnostic logs. There are, however, some other details to keep in mind. This post will focus on that remote capability for collecting diagnostic logs for managed Microsoft 365 apps.

Remotely collecting diagnostic logs for Microsoft 365 apps

When looking at remotely collecting diagnostic logs, there are a couple of things to keep in mind. The most important things are related to the user and their device. Before diagnostic logs can be collected remotely, the users of Android devices must be signed in to the Company Portal app for the diagnostic logs to become available for download within the Microsoft Intune administrator portal. Besides that, when the IT administrator is actually remotely requesting the diagnostic logs, the user must have the app open. In some cases it might even be required to close the app and reopen it again. The main reason for that is that the user basically has to consent to the diagnostic logs being retrieved from the app.

From an IT administrator perspective, the activities are pretty straightforward: first collect the diagnostic logs for the Microsoft 365 apps, and then download the collected diagnostic logs. In practice that simply means the following:

  • The IT administrator opens the Microsoft Intune admin center portal and navigates to Troubleshooting + support
  • On the Troubleshooting + support | Troubleshoot page, as shown below in Figure 1, on the Overview tab, provide a User, navigate to the App protection section and either click on App protection (for an overview of all assigned apps) or click on Checked in (for an overview of the actually signed in apps)
  • On the App protection page, as shown below in Figure 2, click on the three dots > Collect diagnostics
  • On the Collect diagnostics – Mobile app diagnostics dialog box, as shown below in Figure 3, click Yes

Once the IT administrator has continued with the diagnostic log collection, the user will eventually receive a request within the applicable Microsoft 365 app. For this, however, it is important that on Android devices the user is actually signed in to the Company Portal app. The device doesn’t have to be managed, but the user must be signed in. So, for managed Android devices this process is relatively straightforward, but for unmanaged Android devices this might mean that users have to sign in to the Company Portal app; not to enroll the device, but just to be signed in. Without that, the diagnostic logs won’t be available within the Microsoft Intune admin center.

It can take up to 30 minutes for the diagnostic logs to be delivered from a device. This might, however, require the user to close and reopen the applicable Microsoft 365 app. Eventually, the user should receive a notification about the request to collect the diagnostic logs (as shown in Figure 4 for the Microsoft Outlook app). Once approved, the process to collect the diagnostic logs will be started. Also, once approved, the IT administrator will have the ability to collect the diagnostic logs for the next seven days.

Note: At this moment, the diagnostic logs will not be available for download for iOS devices. For those logs, contact the Intune support team.

After the user has approved the request to collect the diagnostic logs, those logs will become available for download in the Microsoft Intune admin center. For that, the IT administrator can navigate to the Diagnostics tab. That should contain line items for the Incident IDs, as shown below in Figure 5, that were created for the trigger to collect the diagnostic logs. In some cases that might even mean that there are two incidents created for two different downloads: one related to the app and one related to the SDK. The downloads, however, all seem to be the same: a compressed file that contains the scrubbed Company Portal app logs and the logs of the checked in managed Microsoft 365 apps. Eventually the line item for the Incident ID will also contain the user that actually initiated the download of the diagnostic logs.

Note: This functionality is currently only available for Intune managed Microsoft 365 apps.

More information

For more information about remotely collecting diagnostic logs, refer to the following docs.
