I have been working with enrolling devices into Android Fully Managed this week and came across an error during the registration step.
Many thanks to Peter van der Woude for pointing me to the solution on this one, as it came up as a comment on his blog (https://www.petervanderwoude.nl/post/android-enterprise-fully-managed-devices-and-conditional-access/#comments) by Geert-Jan Schroot, so full credit there to those guys.
This post seeks to add a little more context around that and hopefully help someone else who may stumble upon this. I will add, however, that at the time of writing this post Android Fully Managed is in preview with Microsoft Intune.
During the provisioning of a device with Android Enterprise Fully Managed, we need to run through various steps to apply configurations and register the device according to the policies set in Intune. The last step in this list is to do the registration.
Then it will fire up the Microsoft Intune app and ask for authentication.
After authentication we need to register the device.
At this point I was shown the error “You do not have permission to perform this action”.
That’s as much information as we get at this point, so you have to do some digging to find the answer. Fortunately, a comment on Peter’s blog provided this.
If the device configuration profile has set the “Device Restrictions > Users and Accounts > Account changes” policy to Block, then this does indeed block the registration. I changed this to Not Configured, tried again on a couple of devices and it now works.
I’ve asked Microsoft for some more information on what is happening here and if/when I get that I will add to this post.