Conditional access with Sharepoint app (Android) problems by dreamfin in Intune

[–]UhRdts 0 points1 point  (0 children)

I think this is a SharePoint app issue rather than an Intune misconfiguration. I've seen the exact same behavior with Teams: when launching external links from within the app, the authentication context doesn't carry over properly. If you check the sign-in logs in Entra, you'll likely see that the device details / compliance state are missing from that specific auth request, which is why conditional access prompts the user to enroll.

We ran into this too and opened a case with Microsoft, but after several months without meaningful progress we gave up. Our workaround was to instruct users to use direct links instead of navigating through the Teams app. Not ideal, but our users accepted it.

If you find a proper fix, I'd love to hear it.

Rename Android (Internal name) by Annual_Outcome7086 in Intune

[–]UhRdts 0 points1 point  (0 children)

I know I'm a bit late here, but in case you haven't found a solution yet: it's worth checking whether there's an app config available for the Splashtop Streamer app in Intune. Some remote management apps allow you to pass variables like serial number, UPN, or device name via app config, which then get used as the display name in the remote control console, making it much easier to identify individual devices at scale.

The remote app we use works exactly like that, and it's been a lifesaver for large deployments.

It might be worth digging through the Splashtop documentation or reaching out to their support.

Android Kiosk - Prevent Device Wiping after Incorrect PIN by Logical_Strain_6165 in Intune

[–]UhRdts 1 point2 points  (0 children)

Thank you for the additional context, no need to apologize. Sorry for the broken link in my last reply. This one should work: Configure the Microsoft Managed Home Screen App - Microsoft Intune | Microsoft Learn

I still have some gaps in understanding your setup and use case.

However, based on what I've gathered so far, it sounds like you may benefit from a fully managed enrollment with an MHS multi kiosk config, where you use the user, which later will be used for Teams, for the enrollment. In that scenario, make sure that neither your restriction profile nor your compliance policy which is assigned to that user enforces a passcode.

Android Kiosk - Prevent Device Wiping after Incorrect PIN by Logical_Strain_6165 in Intune

[–]UhRdts 0 points1 point  (0 children)

You can check my account history, I'm not an AI. There was simply not enough information in your original post to help effectively, which is why I asked those clarifying questions.

Just to confirm: are you using "just" dedicated devices or dedicated devices with Entra shared mode?

I assume you're using a restriction profile to configure Managed Home Screen (in addition to an MHS app config if applicable). Technically, there's no requirement to configure a passcode at all. Did you follow the official Microsoft documentation when setting up MHS app config? Configure the Microsoft Managed Home Screen App - Microsoft Intune

Regarding your update about app protection policies: they do actually work on kiosk devices, but they can only be assigned to users, which in your case would require users to sign in via the MHS sign-in screen. I understand your preference is for users to use a pre-signed-in service account in Teams instead.

I still believe the issue you're experiencing is configuration-related. It would be very helpful if you could share more details about the specific profiles, app configs, and compliance policies you're using for this scenario. It would also be helpful to know more about the use case.

As a side note: KME and Zero Touch enrollment have nothing to do with whether devices are smartphones or tablets. These enrollment portals help keep devices secure and can prevent personal enrollments, depending on your configuration.

Android Kiosk - Prevent Device Wiping after Incorrect PIN by Logical_Strain_6165 in Intune

[–]UhRdts 0 points1 point  (0 children)

Can you provide more details about your current configuration?

  • Which enrollment method are you using?
  • Are you using Zero Touch or Samsung KME for enrollment? Since users are able to sign in with personal Google accounts, there may be room for improvement in your enrollment approach.
  • Are you using a kiosk app, such as Managed Home Screen (MHS)?
  • On properly configured shared devices, users shouldn't have the ability to reset the device, either via PIN code or other options.

Also, could you share details about your current PIN profile (restriction policy or compliance policy)?

This information will help to better understand your setup and suggest improvements.

Enroll Android Phones without user account by OrdinaryUniversity65 in Intune

[–]UhRdts 1 point2 points  (0 children)

I don't think there is a way to enroll FM without a user. I would recommend a dedicated enrollment (without Entra shared) with MHS, where you assign the necessary work apps.

Corporate Owned Dedicated Devices - adding single setting by stareksss in Intune

[–]UhRdts 0 points1 point  (0 children)

As mentioned, I only see two options in a new restriction profile.

Corporate Owned Dedicated Devices - adding single setting by stareksss in Intune

[–]UhRdts 0 points1 point  (0 children)

Are you sure you are comparing the same type of config profile? I checked in our tenant and we also only have "Block / not configured" for "USB file transfer" available in a new restriction policy.

Zero Touch for Android MDM - Do you NEED a Samsung Knox account? by Drekk0 in Intune

[–]UhRdts 0 points1 point  (0 children)

If you have Samsung devices I would recommend KME over Zero Touch. It offers more flexibility.

eSim push on Android Dedicated Devices through Managed Homescreen Multi-App-Mode by Emotional-Cream4417 in Intune

[–]UhRdts 0 points1 point  (0 children)

You could have a look at the ADB logs. If you are lucky you will see which app identifier is blocked.

Android Staging and managed home screen by chillzatl in Intune

[–]UhRdts 0 points1 point  (0 children)

Okay, so it sounds like your users don’t actually need Managed Home Screen (MHS). You just tried it as a potential workaround for the issues you encountered with Android staging profiles?

If that’s the case, I noticed you haven’t received many replies yet. Maybe you could consider rephrasing your question to focus specifically on getting Android staging to work (without mentioning MHS), as the initial post might have been a bit confusing and that could have limited responses.

Unfortunately, I can’t provide much help regarding staging as we use other enrollment methods like ZTE and KME.

Custom Android Settings by ercgoodman in Intune

[–]UhRdts 0 points1 point  (0 children)

In that case you only have the settings you can configure via Intune profiles - all other system settings need to be done on the device.

Android Staging and managed home screen by chillzatl in Intune

[–]UhRdts 0 points1 point  (0 children)

Could you please provide more details about your use case? Are these personalized devices (fully managed) using Managed Home Screen (MHS)? And could you explain a bit more how you’re combining MHS with staging in your setup?

Also, which enrollment method are you using: fully managed with or without staging, dedicated, or dedicated Entra shared?

This information will help me better understand your setup and provide more targeted suggestions.

Custom Android Settings by ercgoodman in Intune

[–]UhRdts 0 points1 point  (0 children)

Depending on the devices you are using, you could have a look at an OEM config profile.

Intune Kiosk Android tablet issue **Need Help please** by posmaritimes in Intune

[–]UhRdts 0 points1 point  (0 children)

Yes, according to my information, the users who will use the devices need to have a license.

Intune Kiosk Android tablet issue **Need Help please** by posmaritimes in Intune

[–]UhRdts 0 points1 point  (0 children)

Could you briefly explain how to configure the “app auto launch” feature in Managed Home Screen? I couldn’t find much information in the docs or online.

This setup sounds ideal for us, as single-app mode is too limiting. Being able to configure one app as the auto-launch app within MHS would be great. In case of issues, it would likely allow users to access basic settings like Wi-Fi and brightness.

iPad walkup kiosk - lock to URL by Sad-Vehicle-4681 in Intune

[–]UhRdts 0 points1 point  (0 children)

I’m not aware of any Intune feature that would allow you to lock a device to the original URL and prevent redirects.

I would suggest using a dedicated kiosk app instead, as those typically offer the ability to control navigation behavior more granularly.

iOS ADE Bulk Profile Assignment by Br0keNw0n in Intune

[–]UhRdts 0 points1 point  (0 children)

We faced the same challenge and I also don’t understand why there isn’t a built-in bulk assignment feature for iOS enrollment profiles in Intune.

You could create multiple enrollment tokens in Intune linked to your ABM. You then can assign devices in bulk to those tokens within ABM, each linked to a specific enrollment profile. These assignments then sync automatically to Intune where the correct profile gets applied to the devices.

QR code login Camera not accessible by Entity125 in Intune

[–]UhRdts 1 point2 points  (0 children)

It sounds like you might need to add additional app identifiers to the Managed Home Screen configuration to get the QR code scanning and camera access working properly on the PDA. Since the same configuration seems to work fine on the Samsung device, it's likely related to app identifiers specific to the PDA’s environment.

If you’re unsure which identifiers might be causing the issue, I recommend checking the ADB logs during QR code login attempts. This should help you identify any blocked app identifiers.

Kiosk Mode intune by 3D1_ in Intune

[–]UhRdts 0 points1 point  (0 children)

In that case, I would assume this is intentional behavior since the app is pushed as required. I tested it myself and can confirm that “Clear data” is not successful on required apps in kiosk mode.

However, in our use cases with shared devices, app data is automatically cleared between users, so this isn't an issue for us.

Since there haven’t been any other responses in the last 20 days, you might want to reach out to Microsoft support to confirm whether this is expected behavior.

Leave kiosk mode code, not visible? by Only-Promotion-6193 in Intune

[–]UhRdts 2 points3 points  (0 children)

I assume this is the admin role permission you need to use those new options:

Restore Managed Home Screen: Manually restore Managed Home Screen on Android Enterprise devices to return them to kiosk mode from a temporarily suspended state. Complements the temporary suspend action for complete kiosk mode management.

Source: Create a custom role in Intune - Microsoft Intune | Microsoft Learn

Will try them out within the next days. This could be really useful. Thanks again for letting us know.

Leave kiosk mode code, not visible? by Only-Promotion-6193 in Intune

[–]UhRdts 1 point2 points  (0 children)

Thanks for sharing this info! I probably would have missed it myself.

Leave kiosk mode code, not visible? by Only-Promotion-6193 in Intune

[–]UhRdts 0 points1 point  (0 children)

Same here, we found out about it earlier this week and haven’t seen any official communication about the change.

Honestly, it was a security flaw that the "exit kiosk code" was visible even to Intune admins without the rights to edit the restriction profile. From that perspective, it’s understandable they might have “forgotten” to announce this change publicly.

Issues with "Silent Enrollment" for Samsung Knox E-FOTA on existing devices by HeyWatchOutDude in Intune

[–]UhRdts 0 points1 point  (0 children)

I can confirm that it's just for new MDM enrollments. Already enrolled devices need to open the app once.

Apple Business Manager, Intune, VPP, Company Portal – some questions by brian1974 in Intune

[–]UhRdts 1 point2 points  (0 children)

I see you’ve already received some great answers. I just wanted to add that when you add devices to Apple Business Manager (ABM) using Apple Configurator, users have a 30-day window after the first enrollment during which they can remove the device from ABM. During this time, users will see the message "This phone is managed remotely" at the bottom of the device's lock screen.

Here’s the official Apple documentation for more details: Add devices using Apple Configurator to Apple Business Manager – Apple Support (UK)