This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.
Google recently identified two issues in Android 14 that make some management policies permanent on non-Samsung devices. When a device is upgraded from Android 13 to Android 14, certain settings are made permanent on the device. Additionally, when devices that have been upgraded to Android 14 are rebooted, other settings are made permanent on the device.
For example, let’s say you are managing a device with a personally-owned work profile running Android 13, with the settings Block camera and Block apps from unknown sources enabled in the management profile. When that device updates to Android 14, the camera will become permanently blocked, even if you later disable the Block camera setting in Intune. After the update to Android 14, when the device reboots, apps from unknown sources will also become permanently blocked, even if you later disable Block apps from unknown sources in Intune.
Due to the severity of the issue, we do not recommend updating non-Samsung devices to Android 14 at this time. On Android Enterprise devices, you can use Intune device restrictions policies to postpone system updates. For more details, see Managing system updates on Microsoft Intune managed Android Enterprise corporate devices.
Issue 1: A device that has been upgraded to Android 14 is rebooted
When devices that have been upgraded to Android 14 are rebooted, certain settings are made permanent on the device. Devices that shipped with Android 14 will not be affected.
This issue currently affects devices enrolled with personally-owned work profiles.
Settings affected
Personally-owned work profile
- Threat scan on apps
- Block apps from unknown sources
Fully managed, Dedicated and Corporate-owned work profile
Google recently released a fix for this issue on fully managed, dedicated, and corporate-owned fully managed devices. Prior to this, some settings could also have become permanent on devices after rebooting. We’ll update this post with the list of affected settings soon.
Issue 2: A device is upgraded from Android 13 to Android 14
When a device is upgraded from Android 13 to Android 14, certain settings are made permanent on the device.
The following enrollment types are affected by this issue:
- Fully managed
- Dedicated
- Corporate-owned work profile
- Personally-owned work profile
Settings affected
Fully managed, Dedicated and Corporate-owned work profile
- Date and Time changes
- Roaming data services
- Wi-Fi access point configuration
- Bluetooth configuration
- Tethering and access to hotspots
- USB file transfer
- External media
- Beam data using NFC
- Developer settings
- Microphone adjustment
- Volume changes
- Factory reset
- USB storage
- System error warnings
- Copy and paste between work and personal profiles
- Add new users
- Users can configure credentials
- User removal
- Account changes
- Allow users to enable app installation from unknown sources in the personal profile
Personally-owned work profile
- Camera (set to ‘Block’)
- VPN (set to ‘Enabled’)
- Copy and paste between work and personal profile
- Prevent app installations from unknown sources in the personal profile
- Add or remove accounts (set to ‘Block all account types’)
- One lock for device and work profile
Next steps
Currently, the only way to clear settings that have become permanent is:
- (Personally-owned work profile) Remove the work profile from the device.
- Note: If configured, the settings Threat scan on apps and Block apps from unknown sources cannot be cleared by removing the work profile.
- (All enrollment types) Factory reset the device.
Google is currently sharing patches with other device OEMs for these issues, which OEMs will integrate into their OS update images going forward. Device OEMs will determine if, and how, their devices will receive these fixes. When released, these OEM patches will prevent these issues in the future, but if a device has already upgraded to Android 14 and experienced the issue, any settings that have been made permanent will remain on the device.
We’ll continue to provide updates on this post as they’re available. If you have any questions leave a comment below or reach out to us on X @IntuneSuppTeam.