Friday, 12 July 2019

Keeping the system apps when enrolling corporate-owned Android devices in Intune

tl;dr

Add "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true to your QR.

The full story

My current employer is trialing Intune as an organization-wide MDM solution. We already have M365 licenses for the entire organization, so Intune looks like an attractive option (we're already paying for the licenses anyway).

In addition to BYODs, we have tons of devices that are owned by the organization and meant strictly for business use. That means whatever MDM solution we end up using needs to be in complete control of the device, and for modern Android devices which support Android Enterprise, that seems to require the device owner mode of operation.

As of July 2019, Intune offers three ways to enroll Android devices:

Personal devices with work profile
BYOD; the MDM controls a separate profile that contains work apps and data

Corporate-owned dedicated devices
The MDM controls the entire device; tailored towards kiosk and special-purpose devices

Corporate-owned, fully managed user devices (Preview)
The MDM controls the entire device, but the device still mainly functions as a regular user device

Both of the "corporate-owned" enrollment methods seem to use the device owner mode, and they both offer a handy QR code for easy enrollment. To start the QR-driven MDM wizard on most modern Android devices you simply tap a few times on a blank section of the first page of the device's out-of-the-box wizard.

I enrolled a couple of Samsung devices using the "Corporate-owned, fully managed" mode. The enrollment went without a hitch, but as I arrived at the start screen and looked through the app drawer, I noticed that several apps that I expect to see on an out-of-the-box Samsung device were conspicuously absent.

Admittedly, a lot of the software Samsung bundles with its phones is either pointless bloat no one ever asked for (Bixby), Samsung's version of something everyone else does better (Samsung Notes and Bixby) or straight-up evil (Facebook). Not a big deal if we accidentally happened to "lose" a few of those. The problem was that some of my enrolled devices were missing what I consider bare-minimum stock apps for a functional smartphone, like a camera app, an SMS/MMS app and a contacts app. Hmm.

Turns out that Android Enterprise in device owner mode disables or hides a lot of the OEM stock apps, although exactly which ones seems pretty random judging by my small sample of Samsung devices (most were missing the image gallery, some were missing the messages app, one had no camera, no gallery, no contacts and no messages).

There are certainly very good arguments for disabling some or all of the OEM stock apps in a business setting, but that's a separate discussion that I won't get into here. I just wanted to be able to leave the Samsung stock apps in place on a corporate-owned device, because at least in my organization's case there are a lot of devices where we'd want to do just that. Seems like a fairly basic MDM thing, so I'm sure Intune has a slider button for this, right? Right?

Well, it doesn't. At least I couldn't find one. I started googling and came across a few posts where people talked about running scripts with commands to enable specific stock apps, but I couldn't find a way to run Android scripts through Intune (at least not in a quick and easy way). This may be more because of my limited experience with and incomplete understanding of Intune than a limitation of the platform itself though.

Finally I found this post. "Just add this line to your QR, bro." After tons of fruitless research this seemed almost too good to be true, but how exactly do you go about adding that line of configuration to the enrollment QR code? Intune doesn't offer a way to customize it, so what do you do?

It's actually fairly easy. The enrollment QR code translates to a small chunk of JSON that tells your device which MDM system and tenant to enroll with, so if you use any kind of generic QR reader (app) on your Intune QR code, it should give you something that looks a little like this (formatting's gonna get mangled in the post so paste it into your favorite text editor or use this or something):


{
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":
        "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":
        "A1a2A3a4B5b6B7b8C9c0C1c2D3d4D5dEeEeFfFfGgGg",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":
        "https://play.google.com/managed/downloadManagingApp?identifier=setup",
    "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
        "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "ABCDABCD"
    }
}



If you're familiar with JSON that's probably all you need to know. If not, what you have to do is add a comma and that single line of configuration before the closing curly bracket:


{
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":
        "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":
        "A1a2A3a4B5b6B7b8C9c0C1c2D3d4D5dEeEeFfFfGgGg",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":
        "https://play.google.com/managed/downloadManagingApp?identifier=setup",
    "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
        "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "ABCDABCD"
    },
    "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED": true
}

Then stick that JSON in any random QR generator (online or otherwise) and use the resulting QR code to enroll your devices. Now Microsoft, could you please add that slider button? (Looks like it'll be here soon!)
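If you would rather not hand-edit the JSON, here is an added helper script (my own example, not something from the post or from Intune) that takes the text decoded from the enrollment QR, checks that it is the payload shape shown above, adds the flag as a real JSON boolean and emits compact JSON for the QR generator; the sample payload embedded at the bottom is constructed with the same placeholder values as the post.

```python
import json

# The extra from the tl;dr: Android keeps the OEM system apps enabled when
# it is present in the provisioning payload as a boolean true.
LEAVE_SYSTEM_APPS = "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED"

# Keys the Intune (Android Device Policy) enrollment QR shown in the post carries.
REQUIRED_KEYS = (
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION",
    "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE",
)
DOWNLOAD_KEY = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"


def patch_enrollment_payload(decoded_qr: str) -> str:
    """Parse the text decoded from the QR, verify it, add the flag and return
    compact JSON ready to be fed to a QR generator."""
    payload = json.loads(decoded_qr)
    if not isinstance(payload, dict):
        raise ValueError("enrollment payload must be a JSON object")
    missing = [k for k in REQUIRED_KEYS if k not in payload]
    if missing:
        raise ValueError(f"payload is missing provisioning keys: {missing}")
    # The device downloads the DPC from this URL and verifies it against the
    # signature checksum, so only accept Google's managed-app endpoint over HTTPS.
    if not payload[DOWNLOAD_KEY].startswith("https://play.google.com/managed/"):
        raise ValueError(f"unexpected DPC download location: {payload[DOWNLOAD_KEY]}")
    # Must be a JSON boolean (serialises as true), not the string "true".
    payload[LEAVE_SYSTEM_APPS] = True
    # Drop whitespace so the QR code stays as small (and as scannable) as possible.
    return json.dumps(payload, separators=(",", ":"))


# Constructed sample with the post's placeholder values. A real payload carries
# your tenant's enrollment token, so keep this script and the output offline.
SAMPLE_QR_TEXT = json.dumps({
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":
        "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":
        "A1a2A3a4B5b6B7b8C9c0C1c2D3d4D5dEeEeFfFfGgGg",
    DOWNLOAD_KEY: "https://play.google.com/managed/downloadManagingApp?identifier=setup",
    "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
        "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "ABCDABCD"},
})

if __name__ == "__main__":
    print(patch_enrollment_payload(SAMPLE_QR_TEXT))
```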