
Bluetooth PIN not showing after enrolling device in Microsoft Intune / Android Enterprise


We have new stock Zebra TC57 handhelds to be used in a specific line of business. They are running Android 8.1 (Oreo). Out of the box, they are able to pair with Bluetooth devices, showing the PIN confirmation code on the handheld's screen. This is all normal and expected.

However, we want to enroll these devices as corporate-owned & managed devices using Microsoft Intune Mobile Device Management (MDM). After doing so, the device is effectively locked down, only listing approved company apps. Again, great.

However, when attempting to connect to the same Bluetooth device (in this case a mobile printer), the Bluetooth PIN confirmation screen does NOT appear.

We have applied device restrictions per the Android Enterprise device settings which do not prohibit any Bluetooth, location, or networking setting.

We also tried the BYOD approach, where there is an Android "Work Profile". This allowed us to pair the printer, but we are unable to access the native barcode scanner. This is a stated limitation of the Zebra EMDK for Android - "EMDK does not support Managed Profiles". Managed Profiles is not an acceptable workaround.

Is there any reason why we are unable to pair the printer, or unable to see the pairing code & confirm, after enrolling in Intune MDM?


Solution

  • Intune does not have a feature yet, outside of Knox Mobile and Zero Touch, to preserve already installed apps. When the QR code is scanned, the device is wiped, which causes the Zebra TC57s to no longer get the PIN confirmation popup when pairing Bluetooth. Most of the Zebra APK files are not published on the Play Store as they come bundled with the device. The workaround is to modify the QR code to preserve the already installed apps.

    1. From Intune go to Device Enrollment => Android Enrollment => Corporate-owned, fully managed user devices.
    2. Highlight the QR code and save it as an image.
    3. Decode the QR code to extract the text from it. There are many free ones online. I personally used the one from ZXing.
    4. Add the command: "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED": true to the QR code.
    5. Encode the text back to a QR code and it should be good to go.

    Here is an example QR code text with the added line:

     {"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":"com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver","android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX","android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":"https://play.google.com/managed/downloadManagingApp?identifier=setup","android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN":"XXXXXXXX"},"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED": true}
    

    Originally found in the comments on Microsoft's Intune Fully Managed Android announcement
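
The edit in steps 3 to 5 of the answer above can be made to the decoded text locally, so the enrollment token in the payload stays on the admin workstation. The Python below is an added example, not part of the original answer or of any Intune tooling: it checks that the provisioning keys from the answer's sample are present, sets the flag as a JSON boolean, and reports which keys changed. The function names and the placeholder values in the sample are assumptions made for illustration.

```python
import json

LEAVE_APPS_KEY = "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED"
ADMIN_EXTRAS_KEY = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
TOKEN_KEY = "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN"
REQUIRED_KEYS = (
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION",
    ADMIN_EXTRAS_KEY,
)

# Constructed sample of decoded QR text; checksum and token are placeholders.
SAMPLE = json.dumps({
    REQUIRED_KEYS[0]: "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
    REQUIRED_KEYS[1]: "CHECKSUM_PLACEHOLDER",
    REQUIRED_KEYS[2]: "https://play.google.com/managed/downloadManagingApp?identifier=setup",
    ADMIN_EXTRAS_KEY: {TOKEN_KEY: "TOKEN_PLACEHOLDER"},
})

def patch_payload(decoded_text):
    """Return compact QR payload text with the system-apps flag set to true."""
    try:
        payload = json.loads(decoded_text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"decoded QR text is not valid JSON: {exc}") from exc
    if not isinstance(payload, dict):
        raise ValueError("QR payload must be a JSON object")
    missing = [k for k in REQUIRED_KEYS if k not in payload]
    if missing:
        raise ValueError(f"payload is missing provisioning keys: {missing}")
    extras = payload[ADMIN_EXTRAS_KEY]
    if not isinstance(extras, dict) or not extras.get(TOKEN_KEY):
        raise ValueError("enrollment token missing from admin extras bundle")
    # Must be a JSON boolean; this also overwrites a mistaken string "true".
    payload[LEAVE_APPS_KEY] = True
    return json.dumps(payload, separators=(",", ":"))

def changed_keys(before_text, after_text):
    """List top-level keys whose values differ between two payload texts."""
    before, after = json.loads(before_text), json.loads(after_text)
    return sorted(k for k in before.keys() | after.keys()
                  if before.get(k) != after.get(k))

if __name__ == "__main__":
    patched = patch_payload(SAMPLE)
    print(patched)  # text to encode back into a QR code
    print("changed:", changed_keys(SAMPLE, patched))
```
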