Remotely locating corporate-owned Android Enterprise devices

This week is all about remotely locating corporate-owned Android Enterprise devices. More specifically, it is about the configurations that are related to remotely locating those devices. With one of the latest service updates of Microsoft Intune (2401), a new configuration was introduced to specifically block the location on corporate-owned Android Enterprise devices. That configuration, however, has a direct impact on the ability to locate those devices. Besides that, the availability of remotely locating the device depends on the Android Enterprise deployment method. So, there are multiple reasons why the ability to remotely locate devices could be unavailable. This post will focus on the available settings related to the location of Android Enterprise devices, followed by the steps to configure those settings. This post will end with the user experience.

Introducing the different location related settings

When looking at the settings that are related to allowing remotely locating corporate-owned Android Enterprise devices, two settings are important: Location and Locate device. The former setting is focused on the location services of the device and the latter is focused on allowing Microsoft Intune to locate the device. In a bit more detail:

  • Location: This setting is applicable to fully managed, dedicated, and corporate-owned work profile devices and can be set to either Block or Not configured. When configuring it to Block, it disables the location setting on the device and also prevents users from turning it on. When the location is disabled that will immediately impact any other setting that depends on the device location. And that includes the Locate device remote action. When configuring it to Not configured, the setting is not updated and uses the default. By default, the platform might allow using the location of the device.
  • Locate device: This setting is available in two different flavors, one that is applicable to fully managed and corporate-owned work profile devices and one that is applicable to dedicated devices. Two different flavors, because the default state is different. When configuring it to Allow (which is the default on dedicated devices), Microsoft Intune will be able to remotely locate the device when the action is triggered by the IT administrator. When configuring it to Block (which is the default on fully managed and corporate-owned work profile devices), Microsoft Intune will not be able to remotely locate the device. And when configuring it to Not configured, the default configuration will be used.
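The interaction between the two settings can be checked mechanically before a profile is assigned. The following is an added example, not code from the original post or from Microsoft: it resolves the per-deployment defaults described above and applies the Location override. The field names, enrollment labels, and sample inventory are constructed for illustration and are not Graph API properties.

```python
# Default of the "Locate device" setting per deployment type, as described above.
LOCATE_DEFAULT = {
    "dedicated": "Allow",
    "fully_managed": "Block",
    "corporate_owned_work_profile": "Block",
}
LOCATION_VALUES = {"Block", "Not configured"}
LOCATE_VALUES = {"Allow", "Block", "Not configured"}


def locate_available(enrollment, location="Not configured",
                     locate_device="Not configured"):
    """Return (available, reason) for the Locate device remote action.

    Models the policy state only; it does not know whether a user has
    switched location off on a device where Location is Not configured.
    """
    if enrollment not in LOCATE_DEFAULT:
        raise ValueError(f"unsupported enrollment type: {enrollment}")
    if location not in LOCATION_VALUES or locate_device not in LOCATE_VALUES:
        raise ValueError("invalid setting value")
    # Blocking location services impacts every setting that depends on the
    # device location, so it wins over any Locate device value.
    if location == "Block":
        return False, "Location is Block"
    if locate_device == "Not configured":
        effective, source = LOCATE_DEFAULT[enrollment], "default"
    else:
        effective, source = locate_device, "configured"
    return effective == "Allow", f"Locate device is {effective} ({source})"


def audit(inventory):
    """List (device name, reason) for devices that cannot be located."""
    findings = []
    for device in inventory:
        ok, reason = locate_available(
            device["enrollment"],
            device.get("location", "Not configured"),
            device.get("locate_device", "Not configured"),
        )
        if not ok:
            findings.append((device["name"], reason))
    return findings


# Constructed sample inventory (hypothetical device names).
SAMPLE_INVENTORY = [
    {"name": "kiosk-01", "enrollment": "dedicated"},
    {"name": "kiosk-02", "enrollment": "dedicated", "location": "Block"},
    {"name": "phone-01", "enrollment": "fully_managed"},
    {"name": "phone-02", "enrollment": "fully_managed", "locate_device": "Allow"},
    {"name": "phone-03", "enrollment": "corporate_owned_work_profile",
     "location": "Block", "locate_device": "Allow"},
]
```
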

Configuring the different location related settings

Once familiar with the configurations that are related to remotely locating corporate-owned Android Enterprise devices, the configuration is pretty straightforward. The configurations are available in a device restrictions profile. For corporate-owned Android Enterprise devices, that configuration can be achieved by going through the eight steps below.

  1. Open the Microsoft Intune admin center portal and navigate to Devices > Android > Configuration profiles
  2. On the Android | Configuration profiles page, click Create > New Policy
  3. On the Create a profile page, provide the following information and click Create
    • Platform: Select Android Enterprise to select the platform that can use custom support information
    • Profile type: Select Fully Managed, Dedicated, and Corporate-Owned Work Profile > Device restrictions to select the profile type that contains the location configuration options
  4. On the Basics page, provide a valid name for the device restrictions profile and click Next
  5. On the Configuration settings page, as shown below in Figure 1, configure at least the following settings and click Next
    • Location (1): Do not configure this setting to Block, as it will prevent any app from using the location services
    • Dedicated devices > Locate device (2): Leave this on Not configured to allow Microsoft Intune to remotely locate the device when specifically requested by the IT administrator
    • Fully managed and corporate-owned work profile devices > Locate device (2): Select Allow to allow Microsoft Intune to remotely locate the device when specifically requested by the IT administrator
  6. On the Scope tags page, add any required scope tags and click Next
  7. On the Assignments page, configure the assignment to the required users and/or devices and click Next
  8. On the Review + create page, verify the configuration and click Create

Note: These steps walk through the minimal steps to allow IT administrators to remotely locate devices.

Experiencing remotely locating Android Enterprise devices

When the required configurations are in place, it’s time to verify the user experience. The first setting is pretty straightforward. When location services are disabled, location sharing is no longer possible. Not even for apps that have the required permissions to access the location of the device. So, make sure not to disable the location when it’s required to be able to remotely access the location of the device. When the location services are not disabled, it’s time to look at the experience with remotely accessing the location. On dedicated devices the location can be accessed by default, while that is not possible on fully managed and corporate-owned work profile devices. So, for the most complete experience, below is an example of a fully managed device.

Below in Figure 2 is an example of the user experience after the fully managed device receives a configuration that will enable the Intune app to access the location of the device. In that case, the user receives a notification that clearly states that a configuration is applied that allows Intune access to the location of the device. When looking at the location permissions for the Intune app, as shown below in Figure 3, the user can see that the Intune app has access to the location all the time. When the IT administrator now actually triggers the Locate device remote action, the user receives a notification that clearly states that the location of the device has been queried by the IT administrator because the device has been reported as lost or stolen. That notification is shown below in Figure 4.

Note: When the Locate device remote action is greyed out, the configuration to allow Microsoft Intune to locate the device has not yet been successfully applied.

More information

For more information about discovered apps on Android Enterprise devices, refer to the following docs.

9 thoughts on “Remotely locating corporate-owned Android Enterprise devices”

  1. Thanks for your post.
    Does the localisation work every time for you?
    Because on our side we sometimes have an error in Intune on the Bing map location page:
    “The locate device action failed. Try refreshing”
    On the other hand, the notification on the device works every time.
  2. Same results here, everything works except showing the actual location on the map. Let’s hope MS fixes this soon.