The Microsoft Company Portal app is a cross-platform app available in the app stores of Apple, Android and Microsoft. Depending on the platform it is installed on, the app provides several options for the scenario it's used in. In my implementations of Windows 10 Modern Workplaces the Company Portal is one of the apps which always gets installed during the Autopilot enrollment. Installing the app is not a requirement for Autopilot and device management using Microsoft Endpoint Manager to work. It serves more as a front end for the end user to interact with the device management platform in several ways. In some circumstances the app is needed, for example if you want to manage the Outlook app using Mobile Application Management policies on Android devices, or if you want to allow users to enroll their own device into Mobile Device Management.
Some of the functionality the Company Portal app provides:
- Enrolling your device into Microsoft Endpoint Manager from where it will be managed.
- Installing available software from both Microsoft Endpoint Manager and Microsoft Endpoint Configuration Manager/ConfigMgr in co-managed scenarios.
- Act as a broker, providing Single Sign-on functionality between installed Apps on a device (on Android).
- Provide a way to manage the devices, including the option to reset the PIN or reset the whole device.
- Check for compliance status, and trigger a check outside of the normal times that a compliance check is invoked (every 8 hours).
- Change your password.
- Set the color mode of the Company Portal app (Light, Dark or adopt Windows Default).
- Force a synchronization of your device to receive new assignments.
- Look up support department contact information like phone number, email and website.
By default, the Company Portal has a neutral look and feel which can be customized by branding it with your corporate look and feel. By doing so, your end users will tend to trust the app more, since it has adopted the familiar company branding. In this article I will go into more detail on what can be customized for the Company Portal. I will focus on the Windows 10 Modern Workplace, although customizing the Company Portal also affects the Company Portal app running on Android and iOS. If you are going to customize the Company Portal, it might be a good idea to include the people involved with or responsible for your customer's company branding as well.
Writing this blogpost has been a bumpy ride; in my conclusion I therefore recommend using only certain functionality and leaving other functionality not configured until Microsoft fixes the inconsistencies.
Disclaimer: This post reflects the status of customizing the Company Portal as of April 16, 2021. Functionality may and will change, even right after this post has been published.
Besides the App, there is also a web version of the Company portal available via: https://portal.manage.microsoft.com/. The web version of the company portal has the following functionality:
- Manage apps
- Rename your device
- Remove your device
- Reset your device
- Reset your device passcode
- Remotely lock a device
- Find the company support’s contact information, if you configured it
- Check compliance status
- Remotely manage a PC
You could, for example, use the web version of the Company Portal to install an application on one of the devices that you are using. Before you can use this functionality, you have to define which device you are currently using.
You can customize the Company Portal in Microsoft Endpoint Manager by going to Tenant Administration and selecting Customization under the End user experiences section.
In a default Microsoft Endpoint Manager environment there is no customization configured for the Company Portal; by default the Company Portal has a blue theme color and no customer-specific information is included.
Today you have the option to configure the global Company Portal branding, and you can define up to 10 custom configurations which you can assign to Azure AD groups in your organization. You could for example define different branding for specific departments, a specific brand within your organization or people working on a project. The default customization policy can be edited but not deleted, while additional customization policies can be both edited and deleted. If you want flexibility and have a requirement to use different customizations, you might want to consider not using the default customization policy and working with custom customization policies only.
In the branding section you can configure the look and feel of the company portal. You can define the organization name, the colors to be used and upload pictures being displayed.
You can provide the name to show in the Company Portal app; this name can be at most 40 characters.
You might also want to know the color codes used within your corporate branding, because besides offering some generic colors like Blue, Red, Orange, Green and Purple you can also use your company-specific color codes in the branding using the # notation. Below is a fragment of the color coding used within my own company, and we could use the #3e4852, #b91d1e and #FFFFFF colors for our specific branding.
Before you can start customizing your company portal you need some images which you can use in your branding. Below is a table with the requirements for these images:
|Image|Dimensions|Maximum file size|File types|
|---|---|---|---|
|Logo for theme color background|400 px x 400 px|750 KB|PNG, JPG/JPEG|
|Logo for white or light background|400 px x 400 px|750 KB|PNG, JPG/JPEG|
|Brand image|1125 px (width)|1.3 MB|PNG, JPG/JPEG|
When you configure the logo, you can either use a logo on top of one of the standard colors provided, or use a logo intended for a white or light background.
While writing this post I have really been struggling with the logos and I really wonder if this functionality is currently working correctly. I've had several occasions where PNG or JPG files uploaded wouldn't be effectuated once saved; returning to the policy showed me that the change wasn't saved at all. Tested this in several tenants with the same behavior. I've reached out to the Intune Support team via Twitter and provided them with a recording of what went wrong. I do hope this is a temporary issue, but I'm afraid it's not.
Another thing that was interesting was that the "Logo for white or light background" was never used in the portals I tested (Web portal and Company Portal App). Also, the logo for theme color background (which I thought shouldn't work when selecting a custom color, but it does) doesn't look nice in the Company Portal App. It does look good in the web version of the Company Portal though.
Under support information you can provide the following info:
- Contact name (max 40 characters)
- Phone number (max 20 characters)
- Email address (max 40 characters)
- Website name (max 40 characters)
- Website URL (max 150 characters)
- Additional Information (max 120 characters)
The information provided here is also used when sending out emails to users when their device is not compliant. While defining the emails to be sent in your Compliance Policy configuration you can include the support information from the Customization. See also: Designing and configuring compliance policies for your Windows Modern Workplace using Microsoft Endpoint Manager
The configuration section provides us with a lot of options to configure, let’s go through them.
Enrollment and Privacy
Under Enrollment we can customize the setup experience in the Company portal for Android and iOS/iPadOS. The first setting related to Device Enrollment is an important one. The setting defines how the option to enroll is presented to users when they open Company Portal. The following options are available:
- Available, with prompts (selected by default)
- Available, no prompts
- Unavailable
So, if you don't want to allow users to enroll their device from the Company Portal, you might want to consider configuring this setting to Unavailable. The screenshot below (sorry, it's in Dutch) shows the difference with the setting disabled (1, left) and the setting enabled (2, right). Right has the option to enroll, left doesn't.
I've seen many issues with the Company Portal while enrolling Android devices with MAM. In order to enroll MAM on Android devices, the Company Portal app must be installed because it serves as a "broker" application allowing the registration of the device. With the default settings, I've seen a lot of situations where the users downloaded the app, logged in and tried to enroll their device, which later failed because personal enrollment was blocked. This didn't provide a smooth user experience though, so my advice would be to set this option to Unavailable unless you really need it. For devices which you enroll into MDM you normally use programs like Automated Device Enrollment or Android Enterprise.
The Privacy statement URL is a mandatory field which must be filled in. It will be displayed on the Settings page of the company portal together with other links to Microsoft websites where users can send feedback, see the license terms and more.
Under Privacy you can also customize the message displayed to users on iOS/iPadOS devices about what support cannot see or do, and what support can see or do. Once the Customize message link is clicked, a new panel is opened where the message to display can be customized. It features a rich text editor allowing you to customize the message.
Device Ownership notification and App Sources
Under Device ownership notification you can define if you want to send a push notification when the device ownership of the device changes from personal to corporate. This functionality is only supported on Android and iOS/iPadOS devices. When device ownership is set to corporate ownership, Intune has greater access to the device, which includes the full app inventory, FileVault key rotation, phone number retrieval, and a select few remote actions.
Under App Sources you can choose if you want additional apps to be shown in the Company portal. So besides assigned/deployed applications coming from Microsoft Endpoint Manager or Microsoft Endpoint Configuration Manager (if co-managed), you can also define whether users can see all their Azure AD Enterprise Applications. This is the same list of apps which are available for users under the MyApps portal available via: https://myapplications.microsoft.com/.
Here I had different experiences with the Company Portal in comparison to the Web Portal. I experienced a situation where apps showed in the Web portal but not in the Company Portal, apps not being removed after setting the Azure AD Enterprise Applications setting back to Hide, and more unexplainable inconsistent behavior.
You can also show or hide the Office Online Applications. I tried several times to get the Office Online Applications to show in the Company Portal but didn't succeed in my own tenant, while it was working directly in one of my test tenants.
The Hide features configuration options are only available in the default customization configuration. The following options are available:
- Hide remove button on corporate Windows Devices
- Hide reset button on corporate Windows Devices
- Hide remove button on corporate iOS/iPadOS devices
- Hide reset button on corporate iOS/iPadOS devices
Customizing the Company Portal has not been a smooth experience. In my testing a lot didn't work as expected and I think that Microsoft has some homework to do in order to get this fixed. I doubt that it was only related to the tenants which I was working on, since I tried several to determine whether my issues were structural.
For the customization I would suggest using only the following options for now:
- Company name
- Theme color
- Support information
- Device Enrollment configuration
- Privacy statement URL
- Hide features functionality
- If really needed, configure the privacy message for iOS/iPadOS and Device ownership notification.
I advise against using the following functionality if you want consistent behavior:
- Branding using images
- Adding Azure AD Enterprise Applications
- Adding Office Web Applications
In my opinion Microsoft should work on the following changes:
- Create customization based on the platform the Company Portal is running on, so different settings for iOS/iPadOS, Android, macOS and Windows devices based on the capabilities of the app on the platform. A one-size-fits-all approach (meaning one page for all configuration) leads to inconsistent behavior, and testing the outcome is also not very administrator friendly. By this I mean that today a change to something in the Company Portal for Windows might break something in the Company Portal on iOS.
- Consistent options related to Privacy settings across platforms.
- Consistent portal options for the end user and preferably one portal to rule them all where the user can initiate all the tasks that he/she is entitled to. In the heat of the moment I'm pretty sure the end user now doesn't know which of the many portals they must visit in order to accomplish the task to be executed (reset password, wipe device, reset pincode, request rights). We need a portal where changes made are consistently reflected across all the other portals (e.g. profile picture, title, location etc.) and one which is easy to remember for end users, giving them a true self-service experience.
- Get their App portal story/solutions straight, and make the apps the users can see consistent across all portals (MyApps, Office Portal, Company Portal, Company Web Portal and all other portals where apps can be published). We want a consistent Start Menu in the cloud which integrates with the MyApps secure sign-in extension. Another option is to not offer this solution at all and leave it to companies focused on solutions in this space, such as Workspace365, Liquit and others.
- Fully integrate the MECM/ConfigMgr Software Center into the Company Portal app on Windows 10 devices.
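The field limits and recommendations in this post can be checked before anything is typed into the Customization blade. The following is an added example, not code from the original post or from Microsoft: the dictionary key names are hypothetical, the sample values are constructed, and it assumes custom colors use six-digit # notation.

```python
import re
from urllib.parse import urlparse

# Maximum lengths as listed in this post; key names are hypothetical.
MAX_LEN = {"organization_name": 40, "contact_name": 40, "phone_number": 20,
           "email_address": 40, "website_name": 40, "website_url": 150,
           "additional_information": 120}
# Features the post advises leaving unconfigured for now (hypothetical keys).
DISCOURAGED = ("logo_image", "brand_image", "show_azure_ad_apps",
               "show_office_online_apps")
ENROLLMENT = ("Available, with prompts", "Available, no prompts", "Unavailable")
HEX_COLOR = re.compile(r"#[0-9a-fA-F]{6}")  # assumption: six hex digits

SAMPLE = {  # constructed values, not from a real tenant
    "organization_name": "Example Corp", "theme_color": "#3e485",
    "phone_number": "+31 (0)20 555 0100 ext. 4321",
    "website_url": "support.example.com", "privacy_statement_url": "",
    "show_azure_ad_apps": True,
}

def _is_web_url(value):
    parts = urlparse(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def lint_customization(settings):
    """Return (severity, message) findings for one customization policy."""
    findings = []
    for key, limit in MAX_LEN.items():
        if len(settings.get(key, "")) > limit:
            findings.append(("error", f"{key}: longer than {limit} characters"))
    color = settings.get("theme_color", "")
    if color.startswith("#") and not HEX_COLOR.fullmatch(color):
        findings.append(("error", f"theme_color: {color!r} is not #RRGGBB"))
    if not settings.get("privacy_statement_url"):
        findings.append(("error", "privacy_statement_url: mandatory field is empty"))
    for key in ("privacy_statement_url", "website_url"):
        if settings.get(key) and not _is_web_url(settings[key]):
            findings.append(("error", f"{key}: not an absolute http(s) URL"))
    # A missing value means the portal default, "Available, with prompts".
    enrollment = settings.get("device_enrollment", ENROLLMENT[0])
    if enrollment not in ENROLLMENT:
        findings.append(("error", f"device_enrollment: unknown option {enrollment!r}"))
    elif enrollment != "Unavailable":
        findings.append(("warn", "device_enrollment: post advises Unavailable unless needed"))
    for key in DISCOURAGED:
        if settings.get(key):
            findings.append(("warn", f"{key}: post advises not using this for now"))
    return findings
```

Calling `lint_customization(SAMPLE)` reports the over-long phone number, the malformed color code, the empty privacy URL and the scheme-less website URL as errors, and the default enrollment setting and the Azure AD app listing as warnings.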