Using Remote Help on Android Devices

Using Remote Help

Sometimes you have a scenario where you need to Get M365 Devices to Stay Logged in with Conditional Access. And that is a multiuser device that is enrolled in Intune but also can’t use MFA. Using Remote Help when the device eventually logs out will be extremely helpful.

You need to get that device to stay logged in. Having it logged out would not be good since you might have to tell the user (one of many) what the password is to log back in. A password that could be easily shared. Not the best for security.

Using Remote Help

Using remote help on the android device is good, because it enables you to remote to the device and help the user with configuring or troubleshooting programs. There is no need to walk them through instructions over the phone or have them hold up the phone over a web cam (like in Teams) so you can see the screen as you help them. In this case, telling them a password that you don’t want them to know!

What is Remote Help

Remote help is an application that is available in any of the app stores. We are going to focus on Android devices. As an administrator of Intune, you probably have a company google play store for enrolled devices. Just add the app to your store like you would do normally for any other app.

Configure Using Remote Help

** Note ** – this is EXTREMELY important!!!! If you plane on using this feature with enrolled devices, there is only one enrollment profile that works with the Remote Help App!!!

When using remote help, this is a problem. The profile is the Corporate Owned Dedicated Devices. It works with unenrolled devices, but you need to enable that in Intune. I think Microsoft needs to do better. There are devices that use different profiles (i.e., Corporate Owned With Work Profile) that could benefit from Using Remote Help. But here is how you set it up.

Configure Remote Help on the Tenant

Task 1: Enable Remote Help
Sign in to Microsoft Intune admin center and go to Tenant administration > Remote Help.

  • On the Settings tab:
  • Set Enable Remote Help to Enabled to allow the use of remote help. By default, this setting is Disabled.
  • Set Allow Remote Help to unenrolled devices to Enabled if you want to allow this option. By default, this setting is Disabled.
  • Set Disable chat to Yes to remove the chat functionality in the Remote Help app. By default, chat is enabled and this setting is set to No.
  • Select Save.
  • Note: When you purchase licenses or start a trial, it could take a while to become active (anywhere between 30 minutes to 8 hours). When you try to create a Remote Help session you may continue to see messages indicating that Remote Help isn’t enabled for the tenant even if you enabled Remote Help in the tenant after activation.

Task 2: Configure permissions for Remote Help

Remote Help uses Intune role-based access controls (RBAC) to set the level of access a helper is allowed. Through RBAC, you determine which users can provide help and the level of help they can provide.

To protect the privacy of users who may be using the sharer device, helpers should use the minimum level of privilege required to remotely assist the device. Only request an Unattended session if you know that there’s no user at the sharer device to accept the remote help session.

The following Intune RBAC permissions manage the use of the Remote Help app. Set each to Yes to grant the permission:

  • Category: Remote Help app
  • Permissions:
    • Elevation : Yes/No
    • View screen : Yes/No
    • Take full control : Yes/No
    • Unattended control : Yes/No

 Note

If the Take full control permission is set to Yes, then by default, the user will have additional permission to View screen, even if the user’s View screen permission is set to No. If the Elevation permission is set to Yes, then by default, the user will have additional permission to View screen and Take full control, even if the user’s View screen and Take full control permission is set to No. If the Unattended control permission is set to Yes, then, by default, the user will have additional permission to View screenTake full control, and Elevation, even if the user’s View screenTake full control, and Elevation permissions is set to No.

  • Category: Remote tasks
  • Permissions:
    • Offer remote assistance: Yes/No

By default, the built-in Help Desk Operator role sets all these permissions to Yes. You can use the built-in role or create custom roles to grant only the remote tasks and Remote Help app permissions that you want different groups of users to have. For more information on using Intune RBAC, see Role-based access control.

Task 3: Assign user to roles

After creating the custom roles that you can use to provide different users with Remote Help permissions, proceed to assign users to those roles.

  1. Sign into Microsoft Intune admin center and go to Tenant administration > Roles > and select a role that grants Remote Help app permissions.
  2. Select Assignments > Assign to open Add Role Assignment.
  3. On the Basics page, enter an Assignment name and optional Assignment description, and then choose Next.
  4. On the Admin Groups page, select the group that contains the user you want to give the permissions to. Choose Next.
  5. On the Scope (Groups) page, choose a group containing the users/devices that a member is allowed to manage. You also can choose all users or all devices. Choose Next to continue.

 Important

If a sharer or a sharer’s device isn’t in the scope of a helper, that helper cannot aid.

On the Review + Create page, when you’re done, choose Create. The new assignment is displayed in the list of assignments.

Configure Using Remote Help for the User

Prerequisites for Remote Help on Android


For general prerequisites, go to Prerequisites for Remote Help

  • Set up Managed Google Play for your tenant. For more information, go to Connect your Intune account to your Managed Google Play account
  • Install the Intune app on devices with a version higher than 5.0.5541.0
  • Devices must NOT have device configuration policy set to block Screen capture
  • The helper must be licensed to use the Remote Help add-on. For more details on licensing, go to Use Intune Suite add-on capabilities – Microsoft Intune
  • The helper must have appropriate RBAC permissions to use Remote Help on Android:
  • Category: Remote Help app
  • Permissions:
  • Take full control: Yes (required for control)
  • View screen: Yes (required for screen share)
  • Unattended control: Yes (required for unattended control)
  • If the user doesn’t have the correct RBAC permissions for a particular mode, the corresponding options are disabled when attempting to start a Remote Help session.


Setting up Remote Help for Android


To set up Remote Help for Android, you need to complete the following steps:

  1. Deploy the Remote Help app.
  2. Grant permissions.
  • Configure camera permissions.
  • Configure permission setup for Samsung devices.


Deploy Remote Help app

  1. Using Managed Google Play, add the Remote Help app from Microsoft.
  2. On devices that you want to use Remote Help, assign the app as Required. This setting allows automatic installation of the app on those devices.


Grant permissions


To protect user privacy on the device, both the Android OS and device OEMs require certain permissions to be granted to the Remote Help app.


Camera
The Remote Help app requires Camera permissions.

Note: Remote Help does not store camera input. These permissions are only used to initiate a remote help session between the device and the Intune service.


You can auto-grant them through app configuration policy:

  1. Go to Apps > App Configuration Policies > Add a new policy for Managed devices.
  2. Create the policy for Android Enterprise with type Fully managed, Dedicated, and Corporate-Owned Work Profile Only. Target the policy to the Remote Help app that you approved earlier.
  3. Under Permissions, add CAMERA permissions. Then, set the permission state to Auto grant.
  4. Assign the profile to the devices on which you want to use Remote Help.

Using Remote Help for Android

  1. In the admin console, navigate to the device you would like to remotely assist.
  2. On the device actions toolbar, select New remote assistance session then select the session mode.
  3. On the device, the user sees a prompt displaying a request to grant screen share or control of the device.
  • If starting an attended screen sharing or full control session, the user must select Accept to allow the session to begin. If the user doesn’t accept within 5 minutes, the session times out.
  • If starting an unattended control session, the session will begin automatically after 30 seconds.

4. During the session, the sharer device displays a floating End Session button. This button can be repositioned on the screen. Tap the button to end the session from the sharer device.

5. During a control session, use the buttons on the menu bar, keyboard or mouse input to interact with the sharer device. You can also long-press on the Power button in the menu bar to simulate a long press. This can be useful, for example, to open the power options menu on some devices.

6. At the end of the session, select Leave to end the session from the admin console.

Note: On Android 13 devices, the device unlock UI (the PIN entry pad, or the pattern dot grid) cannot be displayed remotely. To unlock the device, you can still use keyboard input to enter a passcode. This is a security measure added by Android, not Remote Help, to protect the end user from a passcode or unlock pattern being captured if the device is unlocked while screen sharing.
 
Hopefully this will help you with using remote help on android. Once you realized that for enrolled device, you can only use the Corporate Owned Dedicated Devices profile you will be well on your way. Or you can spend several hours trying to get it work before you find out and have to write a blog article about!

Avatar photo

I am an IT professional with over twenty years experience in the field. I have supported thousands of users over the years. The organizations I have worked for range in size from one person to hundreds of people. I have performed support from Help Desk, Network / Cloud Administration, Network Support, Application Support, Implementation and Security.

Pin It on Pinterest