Microsoft Intune

My Fairphone 4 arrived yesterday after having used a Motorola Edge 2020 for 2 years with e/OS. I have been successfully using the Moto Edge with Microsoft’s Intune installed for my company’s BYOD policy (I know. I know. I hate it but I have to do it). But, so far, I have been unable to successfully create a company profile using Intune on my Fairphone 4. I keep getting an error indicating “Can not set up a company profile” every time I try the install. What makes it worse is that I need to do a factory reset to remove Intune in order to do a reinstall of Intune.

Is anyone aware of a fix for this? The forum search results haven’t come up with any conclusive workarounds.

Thanks in advance.

Just for clarification: have you installed /e/ on your FP4 like you did with your previous phone or is it on stock Android?

1 Like

I installed e/OS on my previous phone (the Moto Edge). I bought the Fairphone 4 from Murena with e/OS preinstalled.

1 Like

I saw your post over on XDA, so I’ll repeat what I said there.

One fix could be looking for another job that doesn’t use InTune on BYOD? :laughing:
</tongue firmly in cheek>

Genuine answer, why not ask your work to provide you with a phone? Why are you expected to install InTune on your own phone? I have InTune on my work phone and it completely takes it over, locks it down hard.

2 Likes

Your company may have configured a policy in Intune which disallows jailbroken devices. This setting also applies to phones with custom ROMs (which e/OS counts as) because they don’t have the Google certification and likely other measures like SafetyNet integrity.

But Intune should actually display what is preventing the setup.

1 Like

From what gaultfalcon said in their first post, Intune was functioning on a previous phone running /e/.
Agree with you, I can’t stand apps that are incapable of stating the problem clearly. Probably a sign of lazy developers and / or impatient managers who don’t leave them time to do a proper job.

I daresay there are options for the MDM admins but even so, this case appals me.
I agree that if an employer requires employees to use mobile software then they must supply the hardware too. BYOD should be a (convenience) choice for the employee.
I should be very interested to learn the legal position which may well vary from country to country, even within the EU. But to my mind, a person’s private mobile phone is personal space and it should not be possible to invade it, whatever the excuse.

@gaultfalcon If you really want to install this stuff there may be some info in the Murena forum.
Also, talk to your MDM admins. The necessity of factory-resetting the phone indicates either software or admin errors.
And welcome to the FP community forum, by the way! :slightly_smiling_face:

1 Like

It’s to do with InTune itself.
You have to perform a factory reset if your installation fails at any stage during onboarding. You basically have to start with a blank slate to install InTune. The hard lockdown is required on my work phone because of various certificates and authentication methods.

Interesting point, fingerprint is disallowed in my installation of InTune. It has to be PIN or password to unlock the phone. I have to be awake and aware to get into my phone. :smirk:

So no chance of someone holding my finger to the sensor when I’m in a drunken stupor on a Friday night
:wink:
That’s defensible.

But on the factory reset thing, an app should be able to clean up after itself, or else be capable of managing vestiges of a previous install failure. Obliging the user to perform a factory reset is just pathetic to my mind. The user is doing the developers’ jobs for them. Good for backup / restore tests though…

Thanks for the welcome and glad to be here.

My Moto Edge is running e/OS/ Android 12 v 1.17. Perhaps there is something in v2.0 running on the Fairphone that isn’t [yet] compatible with the MS infrastructure.

It may also be that my company has new security protocols in place since I enrolled my Moto Edge a few years ago.

I will pursue this via my company’s support org on Tuesday and will update to let you know what I learn.

Thanks all.

2 Likes

That’s interesting that it works with your Motorola Edge as I’ve never managed to get it working with /e/OS and I’ve so far not found anyone claiming to have managed to get it working.
At which point do you get the mentioned error?

When I try to begin profile enrollment on a FP4 (and it was the same on a FP2 and FP5) I get the message
“Work profile setup may be unavailable - we might run into problems setting up your work profile because we can’t connect to Google. Check your internet connection and try again […]).”
Well, I can say “try anyway” at this point - but at the end it doesn’t work. During the setup “Activate work profile → Adding your device to company portal” I get the error
“Couldn’t add your device. Check your network connection and try again. If you still can’t set up your work profile after trying again, send feedback to Microsoft for more help”.
So I always thought that there’s some Google connection/module/api missing for Intune on any /e/OS device…

Why this?
You probably just have to remove Intune from the “Device admin apps” in settings to be able to remove the app (which probably removes the visible intune app icon - so might need the aurora app to delete the intune app from there).

Btw.: the topic can also be found in /e/ forum at MS Intune company portal unable to register - Applications - /e/OS community

1 Like

Yeah. Motorola Edge I’ve been using with /e/OS for 2 years. Works fine (which is why this isn’t an urgent situation). Perhaps my IT admins did something to make it work on their end without telling me. Right now I have a ticket open with them to have them call me to see if they can get it to work. 1st line tech was stumped so the ticket has been escalated. We will see.

You’re spot on regarding not needing to do the factory reset to remove Intune. I figured that out a few days after posting.

At this point (and especially after reading the forum link you provided) I am thinking this is an IT administration policy issue. Hopefully it gets worked out. I’ll update this thread once IT calls me back on the open ticket.

2 Likes

Okay. I got it working. My company’s IT org’s instructions probably work well for the standard Galaxy Google Android but not the /e/OS. Here is what I did.

From a factory fresh install:

  1. Installed Intune (did NOT open it)
  2. Installed Outlook (did NOT open it)
  3. In settings, went to accounts. With Intune installed I now saw a work profile option. Did NOT select that. Further down on that screen I selected “Add An Account”. Selected Work Account.
  4. A screen came up requesting my work email address. I entered it.
  5. I was then taken to my corporate authentication page where I entered my password.
  6. I was then asked if I would allow my company’s certificate to be downloaded and installed. I agreed.
  7. I was then asked to authenticate using my authenticator app which was still available on my previous phone.
  8. Done.
  9. Opened Outlook and Teams on the FP4. All data was there. Works great.

My corporate instructions had me setting up the company profile directly through Intune but the profile activation would hang and never complete.

Anyway. I hope that helps someone else.

8 Likes

Thanks for the instructions!
Anyway, it didn’t work unfortunately in my case.
I’ve followed your steps

  1. tried, but was not sure what to install (there’s “Intune Company Portal”, which I think I need in my case and which I’ve installed, and there’s “Microsoft Intune”)
  2. ok
  3. Didn’t find a “work profile option” - not even after installing “Microsoft Intune” app; still selected “Add account” → “Work account”
  4. ok
  5. ok
  6. had to choose between “VPN & app user certificate” and “Wi-Fi certificate”. Selected “VPN & app user certificate”
  7. didn’t happen with my authenticator app (on previous phone)
  8. ?
  9. After opening Outlook it asked me to “add account” or “create new account”. I selected “add account”; then I reached a page with “Accounts found” and my company account preselected; I chose “Continue”; on the next page I got the error message “Your sign-in was successful but does not meet the criteria to access this resource.”

Maybe my company’s policy is different to yours…