Manage AI on Android with Intune - A Guide for IT Admins

In Microsoft Intune, you can manage and restrict generative AI usage on Android devices enrolled in Intune. You can block (or allow) AI apps, websites, screen-driven experiences, on-device AI services, and OEM-specific AI features.

This article lists different ways that AI experiences can be available on Android devices, and how you can use Intune to block these experiences.

When you use the steps in this guide, you can manage and restrict AI experiences on your Android devices.

Applies to:

  • Android Enterprise

Prerequisites

Device platform requirements

IT admins and security engineers can allow/block generative AI on the following Android enrollment types:

  • Android Enterprise corporate owned fully managed devices (COBO)
  • Android Enterprise corporate owned dedicated devices (COSU)
  • Android Enterprise corporate owned devices with a work profile (COPE)
  • Android Enterprise personally owned devices with a work profile (BYOD)

To learn more about the different Android enrollment options, see the Android Enrollment guide.

Device configuration requirements

  • Devices enrolled in Intune, including co-managed devices
  • Managed Google Play account linked in the Intune admin center (Devices > Android > Enrollment > Managed Google Play)

Roles requirements

To configure the policies, use an account with the following role:

Before you begin

  • When you create the AI policies, you can assign them to the All Users and All Devices groups. Even though this assignment is the simplest approach, you can target your policies to specific users and devices.

    To learn more, see:

  • For corporate owned devices with a work profile (COPE) and personally owned devices with a work profile (BYOD), most controls are available only in the work profile. They're not available in the personal profile.

  • The steps in this guide show you how to block AI experiences. If you want to allow specific AI experiences, you can use the same steps but configure them to allow instead of block.

  • When you create a policy and assign it, the devices receive the policy the next time they check in with Intune. To learn more, see Intune policy refresh intervals.

How AI shows up on Android

On Android devices, AI is available in several ways:

  • AI apps - Standalone apps like ChatGPT, Microsoft Copilot, and Perplexity can be downloaded and used on the devices.
  • AI websites - Users can access AI websites through browser apps, like Microsoft Edge and Chrome.
  • Screen-driven and Assistant experiences - OS-integrated features that read on-screen content (like Circle to Search) or provide assistant help are typically installed and available by default.
  • On-device AI services - Android can run the on-device Gemini Nano foundational model locally using AICore. Apps like Messages, Recorder, or Gboard use Gemini Nano to respond to messages, generate summaries, and suggest smart replies.
  • OEM-specific AI services - OEMs might implement their own AI capabilities, like Galaxy AI by Samsung.

Block AI apps

Goal - End users can't install AI apps from the Google Play Store

AI apps like ChatGPT, Copilot, Perplexity, and Claude can be installed from the Google Play Store. You can use Intune to block these apps from being installed on your devices.

Supported enrollment types:

  • Corporate owned fully managed devices (COBO)
  • Corporate owned dedicated devices (COSU)
  • Corporate owned devices with a work profile (COPE)

Step 1 - Determine your app strategy

Determine your organization's app strategy - Block or Allow:

  • Block strategy - No apps in the Google Play Store can be downloaded unless assigned by admins. Only apps that are assigned are available on the device.

    This strategy is the default for corporate owned devices.

  • Allow strategy - All apps can be downloaded unless specifically blocked by admins.

    If the following setting is set to Allow in a device restrictions configuration profile, then your organization is probably using an Allow strategy. This setting lets users download apps that admins haven't explicitly assigned:

    • Devices > Android Enterprise > Configuration > Create > New Policy > Templates > Device Restrictions > Applications > Allow access to all apps in Google Play store

Step 2 - Implement your app strategy

In this step, implement your app strategy to block or allow AI apps.

Block strategy (default)

With a Block strategy, no apps in the Google Play Store can be downloaded unless explicitly allowed. Use the following steps to make sure the app you want to block isn't already deployed to your devices.

  1. In the Intune admin center, go to Apps > Android > Android apps.
  2. Select the app name > Properties.
  3. Make sure Assignments isn't set to Required, Available for enrolled devices, or Available with or without enrollment.

If none of these options are set, then the app isn't deployed by an Intune policy. If any of them is set, then the app is deployed. In this scenario, you can change the assignment to Uninstall to remove it from the devices.

Allow strategy

With an Allow strategy, all apps in the Google Play Store can be downloaded.

  1. Determine if the Allow access to all apps in Google Play store setting is set to allow.

    If you use Copilot, you can ask Copilot to check this setting for you. You can also create a new device restrictions profile to configure this setting.

    1. In the Intune admin center, go to Devices > Configuration > Create > New Policy

    2. Configure the following properties and select Create:

      • Platform: Select Android Enterprise.
      • Profile type: Select Templates > Fully Managed, Dedicated, and Corporate-Owned Work Profile > Device restrictions.
    3. Expand the Applications category and set the Allow access to all apps in Google Play store setting to Allow.

    4. Select Next and continue creating the profile. For step-by-step instructions, see Create device profiles.

  2. Add the apps you want to block.

    When you add the apps to Intune, they become managed apps, and you can then block them.

    1. In the Intune admin center, go to Apps > Android > Create > Managed Google Play app.
    2. Select the AI app you want to block > Sync.
    3. In Apps > Android > Android apps, make sure the app is shown in the list. The sync might take a few minutes.
  3. Block specific apps by assigning them for Uninstall:

    If the apps are already installed on devices, assigning them for Uninstall removes them from the devices.

    1. In the Intune admin center, go to Apps > Android > Android apps.
    2. Select the AI app you want to uninstall > Properties.
    3. Select Assignments > Edit.
    4. In Uninstall, add a group, users, or devices.

Block AI Websites

Goal - Block AI websites in web browser apps

You can use Intune app configuration policies to block access to AI websites in web browser apps, like Microsoft Edge and Chrome. Only the websites you enter are blocked, so you can also use the same approach to allow only specific AI websites. If you use multiple browsers, create a separate policy for each web browser app.

Supported enrollment types:

  • Corporate owned fully managed devices (COBO)
  • Corporate owned dedicated devices (COSU)
  • Corporate owned devices with a work profile (COPE)
  • Personally owned devices with a work profile (BYOD)

Step 1 - Add your web browser as a managed app

To configure the browser settings, you first need to add the browser app to Intune so it becomes a managed app.

For the steps, see:

Step 2 - Create an app configuration policy

Use the following steps to create an app configuration policy that configures your web browser app to block access to the AI websites you enter.

  1. In the Intune admin center, go to Apps > Configuration > Create > Managed devices.

  2. In Basics, configure the following properties:

    • Name: Enter a name for the policy, like Block AI Websites in Edge.

    • Platform: Select Android Enterprise.

    • Profile type: Select your enrollment type:

      • Fully Managed, Dedicated, and Corporate-Owned Work Profile Only
      • Personally Owned Work Profile devices
    • Targeted app: Select the browser app you added, like Microsoft Edge or Chrome.

  3. Select Next.

  4. In Settings > Configuration settings format, select Enter JSON data. The JSON editor expects Intune's managed configuration format: the browser's package name as the productId (shown as a placeholder below) and the URLBlocklist key inside managedProperty. Enter the list of URLs to block. For example, enter:

    {
      "kind": "androidenterprise#managedConfiguration",
      "productId": "app:<browser-package-name>",
      "managedProperty": [
        {
          "key": "URLBlocklist",
          "valueStringArray": [
            "https://chatgpt.com",
            "https://claude.ai",
            "https://copilot.microsoft.com",
            "https://perplexity.ai",
            "https://gemini.google.com"
          ]
        }
      ]
    }
    
  5. Select Next and continue creating the policy. For step-by-step instructions, see Add App Configuration Policies for Managed Android Enterprise Devices.
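As an added example, not part of the article or of Intune's own tooling, this Python script builds the managed configuration JSON for each browser (the article requires one policy per browser) and approximates the Chromium URLBlocklist pattern rules that Edge and Chrome apply, which shows that a scheme-prefixed entry like https://chatgpt.com leaves http://chatgpt.com unmatched. The browser package names com.microsoft.emmx and com.android.chrome are assumed, and the matcher handles only scheme and host (no ports, paths or wildcards).

```python
import json
from urllib.parse import urlsplit

# Constructed blocklist, copied from the article's example policy.
AI_BLOCKLIST = [
    "https://chatgpt.com", "https://claude.ai", "https://copilot.microsoft.com",
    "https://perplexity.ai", "https://gemini.google.com",
]
# Assumed Play package names for the two browsers the article names (not from the page).
BROWSER_PACKAGES = {"edge": "com.microsoft.emmx", "chrome": "com.android.chrome"}


def build_policy_json(browser: str, blocklist: list) -> str:
    """Return one managed-configuration JSON document; one policy per browser."""
    cleaned = [u.strip() for u in blocklist if u.strip()]
    if not cleaned:
        raise ValueError("URLBlocklist must not be empty")
    policy = {
        "kind": "androidenterprise#managedConfiguration",
        "productId": "app:" + BROWSER_PACKAGES[browser],
        "managedProperty": [{"key": "URLBlocklist", "valueStringArray": cleaned}],
    }
    return json.dumps(policy, indent=2)


def _split_pattern(pattern: str):
    """Split a URLBlocklist pattern into (scheme, host, exact_host_only)."""
    scheme, _, rest = pattern.partition("://") if "://" in pattern else ("", "", pattern)
    host = rest.split("/", 1)[0].lower()
    return scheme.lower(), host.lstrip("."), host.startswith(".")


def is_blocked(url: str, blocklist: list) -> bool:
    """Approximate Chromium URLBlocklist matching for scheme and host only.

    A bare host also matches its subdomains; a leading '.' pins the exact host;
    a scheme prefix restricts the match to that scheme. Ports, paths and
    wildcards are intentionally not modelled (assumption, see lead-in).
    """
    parts = urlsplit(url)
    url_host = (parts.hostname or "").lower()
    for pattern in blocklist:
        scheme, host, exact = _split_pattern(pattern)
        if scheme and scheme != parts.scheme.lower():
            continue  # e.g. "https://chatgpt.com" does not cover http://chatgpt.com
        if url_host == host or (not exact and url_host.endswith("." + host)):
            return True
    return False
```

Drop the scheme prefix (for example chatgpt.com) when the policy should cover every scheme of a host.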

Block Screen-Driven AI Experiences

Goal - Block features that can read on-screen content

AI features can read on-screen content, and can provide insights and recommendations from screenshots and content displayed on the screen. Some of these features are built into the OS, like Circle to Search, and some are provided by assistant apps.

To block these features, you can use Intune to restrict screenshot abilities and block content sharing with privileged apps.

Supported enrollment types:

  • Corporate owned fully managed devices (COBO)
  • Corporate owned dedicated devices (COSU)

Step 1 - Implement Basic Coverage

This step creates a settings catalog policy that configures the Block assist content sharing with privileged apps setting.

This setting blocks assist content, like screenshots and app details, from being sent to a privileged app, like an assistant app. It applies to Android AI capabilities like Circle to Search. This setting doesn't affect general screenshot abilities.

  1. In the Intune admin center, go to Devices > Configuration > Create > New policy.

  2. Enter the following properties:

    • Platform: Select Android Enterprise.
    • Profile type: Select Settings catalog.
  3. Select Create.

  4. In Basics, enter a Name for the profile, and select Next.

  5. Select Add settings.

  6. Select the General category > Block assist content sharing with privileged apps setting. Set its value to True.

  7. Select Next and continue creating the profile. For step-by-step instructions, see Use the Intune settings catalog to configure settings.

Step 2 - Implement Comprehensive Coverage (Optional)

For more comprehensive protection, you can also block screen captures, which restricts screenshot abilities and other functionality that depends on them.

This setting blocks AI features from accessing on-screen content, but also disables screenshots device-wide.

  1. In the Intune admin center, go to Devices > Configuration > Create > New policy.

  2. Enter the following properties:

    • Platform: Select Android Enterprise.
    • Profile type: Select Settings catalog.
  3. Select Create.

  4. In Basics, enter a Name for the profile, and select Next.

  5. Select Add settings.

  6. Select the General category > Block Screen capture setting. Set its value to True.

    This setting blocks AI features from accessing on-screen content. End users can't take screenshots on the device.

  7. Select Next and continue creating the profile. For step-by-step instructions, see Use the Intune settings catalog to configure settings.

Disable On-Device AI System App

Goal - Block Google's local AI processing

Gemini Nano is Google's on-device foundation model and processes AI interactions on the device. It enables AI summary and message reply capabilities in Messages, Recorder, Gboard, and other services. You can use Intune to disable the AICore system app.

Supported enrollment types:

  • Corporate owned fully managed devices (COBO)
  • Corporate owned dedicated devices (COSU)
  • Corporate owned devices with a work profile (COPE)
  • Personally owned devices with a work profile (BYOD)

Use the following steps to disable the AICore system app.

  1. In the Intune admin center, select Apps > Android > Create.

  2. In Select app type, select Other > Android Enterprise system app, and then choose Select.

  3. In App information, configure the following properties, and then select Next:

    • Name: Enter AICore.
    • Publisher: Enter Google Android.
    • Package Name: Enter com.google.android.aicore.
  4. In Scope tags, select Next.

  5. In Assignments > Uninstall, select the group assignments for the app. When you select Uninstall, the app is disabled.

    Select Next.

  6. In Review + create, review the values and settings you entered for the app. When you're done, select Create.

Disable OEM-Specific AI Capabilities

Goal - Turn off OEM-provided AI features

OEMs can include their own AI features and capabilities on the device, like the Samsung Galaxy AI experiences through the Knox Service Plugin. These features are typically managed through the OEM's OEMConfig app. Using Intune, you can configure the OEMConfig app to manage these AI features.

To configure the OEMConfig app, you need to know the AI settings available in the app. Contact your OEMs to get a list of available AI controls in their OEMConfig apps.

For a list of supported OEMConfig apps, see OEMConfig in Intune - Supported OEMConfig apps.

Supported enrollment types:

  • Corporate owned fully managed devices (COBO)
  • Corporate owned dedicated devices (COSU)
  • Corporate owned devices with a work profile (COPE)
  • Personally owned devices with a work profile (BYOD)

Use the following steps to add, deploy, and configure the OEMConfig app and its AI capabilities.

Step 1 - Add the OEMConfig app

  1. In the Intune admin center, go to Apps > Android > Create > Managed Google Play app > Select.
  2. Select the OEMConfig app you want to configure.
  3. Choose Select > Sync.

Make sure the app is shown in the list (Apps > Android > Android apps). The sync can take a few minutes.

Step 2 - Deploy the OEMConfig app

  1. In the Intune admin center, go to Apps > Android > Android apps.

  2. Select the OEMConfig app you added.

  3. Select Properties > Assignments > Edit.

  4. Add your group and/or users to the following Assignments:

    • Required
    • Available for enrolled devices
    • Available with or without enrollment
  5. Review and save your changes.

Step 3 - Configure the OEMConfig app

  1. In the Intune admin center, go to Devices > Manage devices > Configuration > Create > New policy.

  2. Enter the following properties:

    • Platform: Select Android Enterprise.
    • Profile type: Select Templates > OEMConfig.
  3. Select Create.

  4. In Basics, configure the following properties, and then select Next:

    • Name: Enter a name for the profile.
    • OEMConfig app: Select the OEMConfig app you added and assigned.
  5. In Configuration settings, select Configuration designer or JSON editor to configure the settings available in the OEMConfig app. If you select Configuration designer, you might be able to use the Locate search box to find AI-related settings.

    The available settings depend on the OEMConfig app you select. Contact your OEM to get a list of available AI controls in their OEMConfig apps.

  6. Select Next and continue creating the profile. For step-by-step instructions, see Use and manage Android Enterprise devices with OEMConfig.

    Make sure you assign the profile to the same groups and/or users you assigned the OEMConfig app to.