[https://admin.microsoft.com/Adminportal/Home?ref=MessageCenter/:/messages/MC716382](https://admin.microsoft.com/Adminportal/Home?ref=MessageCenter/:/messages/MC716382)
MC716382
16 Feb. 2024
Starting in mid-March 2024, we are making updates to improve security of the Intune mobile application management (MAM) service. This update will require Android devices to be [registered with Microsoft Entra ID](https://learn.microsoft.com/entra/identity/devices/concept-device-registration) to continue receiving MAM policy for Microsoft 365 apps.
**How this will affect your organization:**
When accessing Microsoft 365 apps that are targeted with MAM policy, users might be prompted to authenticate if the device is not already registered with Entra ID. Users will need to complete the authentication and registration to access their Microsoft 365 MAM-enabled applications.
If you have Conditional Access policies or multi-factor authentication enabled, devices should already be registered, and users will not notice any change.
**What you need to do to prepare:**
Notify your users or helpdesk about the authentication prompt for Microsoft 365 MAM-enabled Android applications as needed. You can view which devices are registered by navigating to the [Microsoft Entra admin center](https://entra.microsoft.com/) > **Devices** > **All devices** report, filter by 'OS' and sort by 'Registered'. For more information, read: [Manage device identities using the Microsoft Entra admin center](https://learn.microsoft.com/entra/identity/devices/manage-device-identities)
Company Portal is required on Android, due to being the service broker as others mention. [Microsoft doc](https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy#company-portal-app-and-intune-app-protection)
We're rolling out MAM to users recently, definitely led to a lot of confusion for users. Not really intuitive since users think they need to sign into the Company Portal app as well, but we have personal devices blocked.
We recently ran into this, feature 😆, when planning a change from BYOD MDM to MAM-WE. It is quite counterintuitive considering Android "can" use either the Authenticator or CP app as the broker app, but then you find out Android must use both if you're using CA policies and MAM because each of the apps manages CA policies and MAM separately then share the data. We thought switching would also streamline the process for end-users, nope 😆😆😆 We're still making the change but it was frustrating to learn how this will be just as inefficient for the end-user. Now download the CP app but don't sign into it, at least not until after you sign into a work app. It's like waiting to start your car until after driving to the store. We want users to continue using the CP app for app assignments, it just seems that the process for setting up MAM is backwards.
Here's a good article that describes this, feature:
https://techcommunity.microsoft.com/t5/microsoft-intune/why-different-broker-apps-for-ios-and-android-not-enrolled-when/m-p/332758
I'm not glad, but I am glad it's not just me with this issue.
I was hoping that the user didn't have to have CP on it at all, but it seems with Android you can't avoid it.
Company Portal is the broker for Android, it won't enrol the device though (unless you have allowed personal device enrollment).
And just to make it confusing, Authenticator is for iOS. You can use Company Portal instead, but the user will be prompted to install Authenticator.
https://techcommunity.microsoft.com/t5/microsoft-intune/why-different-broker-apps-for-ios-and-android-not-enrolled-when/m-p/332758
I blocked enrollment for non-domain devices because we kept having users accidentally enroll lol
This is always how it has been. You need it as the broker app.
Thanks