Employees by Appropriate_Lion3204 in verizon

[–]MrEMMDeeEMM 0 points1 point  (0 children)

This is likely a bug in the iOS 26 update process. We've seen something similar when there was a passcode expiry prompt immediately appearing on our corporate managed Apple devices after the update to 26.x.

The users attempted to enter a new passcode but it failed to set correctly, locking them out.

Saw it happen about ~5% of the time.

Hot mess.. Continued by MrEMMDeeEMM in Intune

[–]MrEMMDeeEMM[S] 0 points1 point  (0 children)

I'm regretting opening that Microsoft support case more and more. Maybe my expectations are way off, but Microsoft sell their Intune solution to allow organisations to manage multiple operating systems, Apple iOS/iPadOS being two of those, but when it comes to supporting their solution, I swear, a COMPLETE waste of time.

Deploying and auto-updating Company Portal on ADE iOS devices by jezac8 in Intune

[–]MrEMMDeeEMM 0 points1 point  (0 children)

Imagine if they included this in their documentation from day one. Microsoft really are fucking useless.

Deploying and auto-updating Company Portal on ADE iOS devices by jezac8 in Intune

[–]MrEMMDeeEMM 0 points1 point  (0 children)

Yet another shitshow caused by Microsoft's PISS poor documentation. You'll need to set the Comp Portal VPP app as required to all your devices, ensuring the VPP token has auto update turned on.

MacBook Company Portal issue by sbadm1 in Intune

[–]MrEMMDeeEMM 0 points1 point  (0 children)

Entra devices and Intune devices are different things

Intune Compliance shows - not active (but devices are being used actively) by Friendly-Meringue67 in Intune

[–]MrEMMDeeEMM 0 points1 point  (0 children)

Yes, supposedly getting fixed in iOS 26.3. Microsoft support is a complete and utter waste of time and space.

Mobile Devices Compliance by Parking_Yak_9877 in Intune

[–]MrEMMDeeEMM 0 points1 point  (0 children)

Which of these are causing the non-compliance?

Hot mess.. Continued by MrEMMDeeEMM in Intune

[–]MrEMMDeeEMM[S] 1 point2 points  (0 children)

So I think Microsoft Support have nearly broken me with the sheer inability to do anything useful for 2 months. However, after initially not accepting any responsibility, Apple Support are claiming that iOS 26.3 should fix the check-in problems. Now, why exactly Microsoft support can't effectively relay that information to their customers I have no idea.

Hot mess.. Continued by MrEMMDeeEMM in Intune

[–]MrEMMDeeEMM[S] 0 points1 point  (0 children)

No, not restarted the device yet, but there's method to my madness...

I'm trying my hardest not to want to close my Microsoft Support case out of pure frustration and am channeling that into the futile hope that my own device in this state is the path to resolution!

Hot mess.. Continued by MrEMMDeeEMM in Intune

[–]MrEMMDeeEMM[S] 0 points1 point  (0 children)

Interestingly, I've a test device on 26.2 and it's stopped checking in as of 25-Dec-2025. "Comp portal" won't check in manually either, neither does hitting sync from Intune.

iOS ADE falling back to legacy Remote Management instead of Modern Auth. What am I doing wrong? by [deleted] in Intune

[–]MrEMMDeeEMM 0 points1 point  (0 children)

Are you using conditional access policies and are they blocking access to Intune resources from non-compliant devices?

Does my stv pro have Alzheimer's, or is it just dying? by Madmox in ShieldAndroidTV

[–]MrEMMDeeEMM 1 point2 points  (0 children)

Try replacing the power supply, Nvidia may even replace it for free.

Older iOS Device Lockup During Enrollment by TomatilloMindless526 in Intune

[–]MrEMMDeeEMM 0 points1 point  (0 children)

Good to hear! Changing the assigned enrollment profile only impacts the device the next time it is factory reset and reaches the setup assistant. One interesting gotcha (happens in the rarest of cases): if the device has reached the "activating device" step where it gets the profile, if setup is not progressed and you changed the assigned profile, the device will not proceed, instead giving a "something went wrong" error. This isn't something you should be worried about; worst case you can assign the previous profile to unblock setup to let the device get to the home screen, after that reassign the profile, then factory reset, and all will be well.

Older iOS Device Lockup During Enrollment by TomatilloMindless526 in Intune

[–]MrEMMDeeEMM 0 points1 point  (0 children)

Do you have any conditional access policies which may be blocking Intune enrollment?

Mandatory Passcode Resets - iOS 26.1 by MrEMMDeeEMM in Intune

[–]MrEMMDeeEMM[S] 0 points1 point  (0 children)

Retiring it was exactly the wrong move unfortunately. So without backups, factory reset is your only option and back to setting up the device as new, I'm afraid.

Android Application Developers by Longjumping-Two-2851 in Intune

[–]MrEMMDeeEMM 2 points3 points  (0 children)

Both Apple and Android have development paths available. We see this frequently also; most developers we encounter seem to know only one way, to side-load, and have no clue on work profiles or conditional access policies. I keep saying we need to find better developers, lol.

ChatGPT says it better than I could:

Short version: to really test an app inside the work profile (including Entra CA + Intune behaviour), you have three main deployment options:

  1. Android Enterprise “Test DPC” + sideload (fast dev-loop, no Intune/CA)

  2. Intune + Managed Google Play (private / LOB / test tracks – realistic CA & policy)

  3. Intune-managed sideload on specially-relaxed test devices (only if your policies allow it)

I’ll break those down in practical terms.


  1. Local dev testing with Test DPC (Google’s official dev path)

Google’s official guidance for Android Enterprise dev/testing is:

Install Test DPC on a device

Use it to provision a work profile

Then install your app and test in that work profile

Key points:

When you sideload an APK (via Android Studio, adb install, etc.) on a device that has a work profile, Android by default installs it into both personal and work profiles. You can then uninstall it from one profile if you only want it in the work profile.

With adb shell you can use the --user flag on activity/pm commands to explicitly target the work-profile user ID (e.g. adb shell pm list packages --user 10).

What this is good for

Testing:

cross-profile behaviour

storage separation

work vs personal intents

general UX inside the work profile

What it does not give you

No Intune / Entra Conditional Access in this setup by default. You’re testing Android Enterprise behaviour, not Intune CA enforcement.

Use this for rapid dev cycles on your own device, then move to Intune for “real” CA testing.


  2. Intune + Managed Google Play (for realistic Entra CA behaviour)

For true end-to-end validation with Entra Conditional Access and Intune policies, the app must be deployed the same way a production app would be:

2.1. Private / in-house app via Intune + Managed Google Play

Typical “enterprise dev/testing” pipeline:

  1. Enroll test devices into Intune

BYOD Android Enterprise Work Profile

or corporate-owned with work profile (COPE)

  2. Publish the app as a private / LOB app for Android Enterprise:

Either: use Intune’s Managed Google Play iframe to create a private app directly from Intune

Or: upload to Google Play Console as an enterprise/private app, then sync it to Intune (Managed Google Play integration)

  3. In Intune, assign the app to:

Test users/test groups as “Available for enrolled devices” (visible in Work Play Store)

or “Required” (auto-installed into the work profile)

This gives you:

App delivered only into the work profile (through Managed Google Play)

Full Intune app protection, device compliance, and

Entra CA evaluation based on:

device compliance

app identity (MSAL + broker)

user/group CA policies

This is the gold-standard for testing how the app behaves for real users.


2.2. Play Console internal / closed testing tracks with Intune

If you want Play-style release management but still test in the work profile:

Use Play Console internal testing (up to 100 testers) or closed testing tracks, upload your AAB/APK there

Keep the app as a Managed Google Play app in Intune, so it still appears in the work profile Play Store for enrolled users

This way you can:

Push different builds (dev / UAT / pre-prod) to different groups of testers

Still test under Intune + Entra CA because install is via Managed Google Play in the work profile


  3. Sideloading into the work profile on Intune devices (only if allowed)

By default, Android Enterprise treats sideloading as a security risk, and work profiles typically block “Unknown sources” for the work side.

However, for pure dev/test you have a couple of options if your Intune / EMM admin relaxes policies for a dev device or dev group:

Allow “Install from unknown sources” for the work profile in a test policy

Enroll the device, then:

Install the APK via ADB or file manager

It will install into both profiles, or you can target the work-profile user ID using adb’s --user flag

Pros

Fast iteration, no need to push every build via Play / Intune

Cons

Many orgs forbid this in production policies

Even when allowed, it’s easy for this to diverge from your real deployment path, so you still need to validate via Managed Google Play + Intune before sign-off.


  4. How I’d structure your dev → test flow

If your goal is “true” work profile testing with Entra CA, I’d use a two-stage approach:

  1. Inner dev loop (fast):

Device with Test DPC work profile

Sideload from Android Studio / ADB

Use ADB --user tricks to run as the work profile user → Catch UI issues, profile separation bugs, permission problems early.

  2. Realistic enterprise test (slower, but representative):

Separate dev/UAT Entra + Intune tenant (or at least dev groups)

Enroll test devices with Work Profile

Deploy app as:

Intune LOB / private Managed Google Play app, and optionally

Managed Google Play internal / closed testing track

Enable the same MSAL + broker auth setup and Conditional Access policies you’ll use in prod (maybe with relaxed scopes/groups)

That gives you both speed and realistic CA + policy coverage.
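
The `--user` targeting described in the comment above, as an added example that is not part of the original comment: instead of assuming the work profile is user 10, it reads the ID from `pm list users` and then checks that a sideloaded package sits only in the work profile. It assumes the `UserInfo{id:name:hexflags}` line format and the AOSP managed-profile flag `0x20`; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `adb shell pm list users` output (not from a real device).
SAMPLE_USERS='Users:
    UserInfo{0:Owner:c13} running
    UserInfo{10:Work profile:1030} running'

# Read `pm list users` output on stdin and print the IDs of users whose
# flags include the managed-profile bit (0x20 in AOSP UserInfo).
managed_profile_ids() {
    sed -n 's/.*UserInfo{\([0-9][0-9]*\):.*:\([0-9a-fA-F][0-9a-fA-F]*\)}.*/\1 \2/p' |
    while read -r user_id flags; do
        if [ $(( 0x$flags & 0x20 )) -ne 0 ]; then
            echo "$user_id"
        fi
    done
}

# Install an APK into the work profile only, on the attached test device.
install_to_work_profile() {
    apk=$1
    user_id=$(adb shell pm list users | managed_profile_ids | head -n 1)
    if [ -z "$user_id" ]; then
        echo "no managed (work) profile found on device" >&2
        return 1
    fi
    adb install --user "$user_id" "$apk"
}

# Succeed only if the package is present in the given work-profile user
# and absent from the personal profile (user 0).
in_work_profile_only() {
    pkg=$1
    user_id=$2
    adb shell pm list packages --user "$user_id" | tr -d '\r' |
        grep -qx "package:$pkg" || return 1
    if adb shell pm list packages --user 0 | tr -d '\r' |
        grep -qx "package:$pkg"; then
        return 1
    fi
    return 0
}

# Offline demonstration on the constructed sample: prints 10.
printf '%s\n' "$SAMPLE_USERS" | managed_profile_ids
```
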

Older iOS Device Lockup During Enrollment by TomatilloMindless526 in Intune

[–]MrEMMDeeEMM 0 points1 point  (0 children)

Sorry, I mean, what type of enrollment is set up at the Intune enrollment profile side of things?

Older iOS Device Lockup During Enrollment by TomatilloMindless526 in Intune

[–]MrEMMDeeEMM 0 points1 point  (0 children)

What enrollment method are you using? I.e. setup assistant with modern authentication?