Support Tip: Android 12 upgrade can affect NAC-enabled network access

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

As explained in Android 12 Day Zero Support with Microsoft Endpoint Manager, Google’s Android 12 includes a number of changes that affect device management capabilities. One of these changes removes the ability of third-party applications, including Microsoft Intune, to access hardware identifiers on Android Enterprise personally-owned work profile devices. The impacted hardware identifiers are IMEI, MEID, and serial number.

 

Some VPN providers use the IMEI for device identification and Intune compliance queries as part of their network access control (NAC) solutions. Some NAC solutions also expose the IMEI, MEID, or serial number in their products and allow access rules to be created based on these IDs. In these scenarios, personally-owned work profile devices may not be able to connect to NAC-enabled networks after upgrading to Android 12. Instead, the devices are blocked from the network and users are prompted to check enrollment and compliance status, even when the device is enrolled and compliant.

 

Affected providers: Currently, these Intune-supported VPN and NAC providers are known to use the IMEI in their NAC solutions:

  • Citrix (VPN client is Citrix SSO, NAC product is Citrix Gateway)

  • F5 (F5 Access, F5 BIG-IP APM)

  • Ivanti, formerly Pulse Secure (Pulse Secure, PPS/PCS)

 

This NAC product supports integration with Intune and uses the IMEI to identify devices:

  • Akamai SPS Secure Mobile

 

These NAC products also expose the IMEI, MEID, and serial number information currently returned by Intune:

  • Aruba ClearPass

  • Cisco ISE

  • Forescout CounterACT


If you experience NAC impact not listed here on Android 12 devices, please work with your NAC provider for guidance.

 

Resolution: Steps and functionality will vary based on your VPN and NAC provider. See below for provider-specific actions you might need to take:

  • Akamai: Network access control may no longer work for Android Enterprise personally-owned work profile devices on Android 12. Reach out to Akamai for support.

  • Aruba: Access rules around IMEI, MEID, or serial number will no longer work as Intune will no longer be able to return these values to ClearPass. If you have access rules based on these IDs, you will need to remove them from ClearPass to ensure network connectivity.

  • Cisco: Cisco AnyConnect no longer relies on the IMEI to identify devices NAC scenarios, but access rules around IMEI, MEID, or serial number will no longer work as Intune will no longer be able to return these values to ISE. If you have access rules based on these IDs, you will need to remove them from ISE to ensure network connectivity.

  • Citrix: Citrix SSO falls back to MAC addresses and will query Intune on this value. To ensure continued network access, users need to turn off MAC address randomization on their devices.
  • F5: Admins will need to use an app configuration policy to configure the F5 Access client. Add the mdmDeviceUniqueId key and set the value to {{deviceid}}, which will add the Intune device ID to the profile. Follow the steps here.
    • If you are using a VPN profile, you will need to create an app configuration policy instead (that includes the mdmDeviceUniqueId setting), and unassign your VPN profile.

    • If you are using per-app VPN, then you are already using an app configuration policy. Make sure to add the mdmDeviceUniqueId setting to this policy.

  • Forescout: Access rules around IMEI, MEID, or serial number will no longer work as Intune will no longer be able to return these values to CounterACT. If you have access rules based on these IDs, you will need to remove them from CounterACT to ensure network connectivity.

  • Ivanti, formerly Pulse Secure: PPS and PCS require the IMEI to be included in the authentication certificate used for VPNIntune will no longer be able to include the IMEI in the authentication certificate for impacted Android 12 devices, so this integration will break. Also, access rules around IMEI, MEID, or serial number will no longer work as Intune will no longer be able to return these values to PPS or PCS. If you have access rules based on these IDs, you will need to remove them from PPS and PCS to ensure network connectivity.

 

We will update this post and Android 12 Day Zero Support with Microsoft Endpoint Manager with additional information we learn as testing continues, and when Android 12 releases. If you have questions or comments for the Intune team, reply to this post or reach out to @IntuneSuppTeam on Twitter.

REMEMBER: these articles are REPUBLISHED. Your best bet to get a reply is to follow the link at the top of the post to the ORIGINAL post! BUT you're more than welcome to start discussions here:

This site uses Akismet to reduce spam. Learn how your comment data is processed.