![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 51%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMC%3C/text%3E%3C/svg%3E)
Microsoft Security | Intune | Microsoft Intune Android
Managing Android devices using Microsoft Intune
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 90%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPM%3C/text%3E%3C/svg%3E)
Hello Mbonani,
Thank you for reaching out. Please help me clarify that my understanding of your question is correct.
Why is app access blocked on high‑end Samsung devices enrolled using Android Device Administrator (DA) auto‑enrollment?
if this the question, then, this behavior is expected and is related to the retirement of Android Device Administrator (DA) management for modern Android devices.
What changed?
Google deprecated Android Device Administrator in 2020, and Microsoft Intune officially ended support for Android Device Administrator on devices with Google Mobile Services (GMS) on December 31, 2024. As a result, Intune no longer provides fixes, updates, or technical support for DA‑managed devices with GMS. [techcommun...rosoft.com]
**
Why does this impact high‑end Samsung devices?**
Newer Samsung devices run recent Android versions and enforce modern security and management APIs. These devices are designed to work with Android Enterprise management. When a device is enrolled using the legacy Device Administrator model:
- The device may appear enrolled, but it does not meet modern compliance requirements
- App protection and Conditional Access policies can mark the device as non‑compliant
- As a result, corporate apps (such as Engage) can be blocked from accessing work data
This is why the issue is more visible on newer or high‑end Samsung models that receive frequent Android and Knox security updates.
Is Android Device Administrator the same as auto‑enrollment?
No.
- Android Device Administrator is a legacy management mode (how the device is managed).
- Auto‑enrollment (such as Samsung Knox Mobile Enrollment or Google Zero‑Touch) is an enrollment method (how the device is enrolled).
Auto‑enrollment is still supported, but it must be used together with Android Enterprise, not Device Administrator.
What is the recommended solution?
Microsoft recommends migrating away from Android Device Administrator and using one of the Android Enterprise enrollment options instead, depending on device ownership:
Corporate‑owned devices
- Android Enterprise Fully Managed (COBO)
- Android Enterprise Corporate‑Owned Work Profile (COPE)
- Enroll using Samsung Knox Mobile Enrollment or Google Zero‑Touch
- Android Enterprise Work Profile
- Android Enterprise Corporate‑Owned Work Profile (COPE)
These enrollment methods are fully supported and compatible with modern Android and Samsung Knox security requirements. [learn.microsoft.com], [learn.microsoft.com]
Summary
- Android Device Administrator is deprecated and unsupported on GMS devices
- High‑end Samsung devices require Android Enterprise management
- DA‑enrolled devices can fail compliance checks, causing apps to be blocked
- Re‑enrolling devices using Android Enterprise + supported auto‑enrollment methods resolves the issue
For official guidance, see: Intune ending support for Android Device Administrator on GMS devices https://aka.ms/Intune-Android-DA-blog [techcommun...rosoft.com]