Android 8.0 (“O”) behaviour changes and Microsoft Intune

Intune has announced day 0 support for Android 8.0 (code named "O").  You can be confident that once your users upgrade to the released version of Android O, Intune's device and app management features will continue to work seamlessly.  This applies to all facets of Android management with Intune including work profile management, non-work profile management, and App Protection Policies. The only thing you need to do is update to the latest version of the Company Portal, which is available now in the Play Store.

That said, there are two behaviour changes to be aware of.

Unknown Sources permission has moved

If you're managing MDM-enrolled Android devices but you're not using a work profile (i.e., Android for Work) then you need to enable Installation from Unknown Sources in order to install line-of-business APKs.  In an effort to increase security, Google has introduced a behavior change in Android O that changes where this setting is.  On prior versions, it used to be a device-wide setting.  On O, each individual app has its own "Install unknown apps" permission.  You can still successfully install line-of-business APKs just as you did before, you just need to go to a different place to turn it on.  End users will be guided through the flow of enabling this permission for Company Portal if they try to install a line-of-business APK that you deploy to them.

Where it was prior to Android O, under Settings > Security


Where it is in Android O, under Settings > Apps & notifications > Special app access > Install unknown apps > Company Portal



Block apps from unknown sources compliance setting does not work on Android 8.0

Due to the fact that the unknown sources setting has been moved from a device setting to a per-app permission, it’s no longer possible for Company Portal to detect whether this permission has been granted at the device level.  As a result, this compliance policy will not work on Android O:


Intune Azure portal UI:


Intune hybrid/SCCM UI:

Comments (5)

  1. And how does this affect the Hybrid environment versions? Will we have to migrate again?

  2. Mike S says:

    You have to disable the ‘Block apps from unknown sources’ compliance policy setting in Intune AND enable the unkown sources setting (as in this article) in order for this to work.

    I had a support ticket open for a nearly month since 8.0 was released and couldn’t enrol android 8..0 devices into Intune
    Until you make the changes the Intune portal app just freezes with a black screen and causes all sorts of device problems.

    ‘Intune has announced day 0 support for Android 8.0 (code named “O”) they might have announced it but really should have tested it too..

  3. Mark says:

    why to make things complicated to users?! dumb Google

  4. Andrew Flatt says:

    This doesn’t appear to work. Pixel 2 running Android 8.0. Intune Company Portal installed and pushing out profiles for the google apps. (email/calendar) the device goes compliant but then the email app simply loops asking for a password time and again.

    Any ideas…..?

    1. Andrew, we’ll need to know more to diagnose this issue for you. The best way to resolve this would be to open a support case.

Skip to main content