Monday, 21 December 2020

Migrate from Device Administrator to Android Enterprise

Starting with Android 5.0 and later, Google introduced Android Enterprise. That introduced the managed device (device owner) and work profile (profile owner) modes to provide enhanced privacy, security, and management capabilities. These modes support the different Android Enterprise deployment scenarios and can be managed by using the Android Management API. The Device Administrator method of managing Android devices is now considered legacy and has been deprecated by Google. They are encouraging migration to the Android Enterprise method.

I've recently deployed Android Enterprise (personally owned with work profile) for a number of customers and also developed a process to encourage users to migrate from Device Administrator. This is the only Android Enterprise migration that does not require a full reset of the device. Note that we cannot force the user to migrate but can encourage with the help of detailed communication. We can also block access to corporate resources via conditional access if they don't comply.

When Android Enterprise is adopted in production, enrollment restrictions should be imposed to block any new enrollments using Device Administrator.
We can now encourage users to move their Android devices from device administrator to personally owned work profile management by using the compliance setting to Block devices managed with device administrator. This setting lets you make devices non-compliant if they are managed with device administrator. When users see that they are out of compliance, they can tap Resolve. They will be taken to a checklist that will guide them through:

  • Unenrolling from device administrator management
  • Enrolling into personally owned work profile management
  • Resolving any compliance issues
In the Microsoft Endpoint Manager admin center, navigate to Devices > Android > Compliance policies to open the Android Compliance policies blade. Click Create Policy. The setting we're interested in is on the Device Health blade.

Select Block for Devices managed with device administrator

On the Actions blade, I've added two actions:
  • Mark device non-compliant immediately
  • Send push notification to the user
Be a little careful with your configuration here. Intune, the Company Portal app, and the Microsoft Intune app, can't guarantee delivery of a push notification. Notifications might show up after several hours of delay, if at all. This includes when users have turned off push notifications. Do not rely on this notification method for urgent messages. Add an action to first notify the user via email and make sure to adjust the default action to not mark a device as noncompliant immediately. That will provide the end-user with time to perform the migration before completely being blocked, if you have a conditional access policy configured.

Save and assign the policy. Start with a test or pilot group to ensure that your migration process is problem-free. It is recommended to create a procedure document to be sent to end users. It should contain the steps below so that users can follow what is expected from them.

The user receives a push notification telling them that “Your organization requires you to update settings”. The user should click on the notification.

The user can see the details. The user can see that they have to move to a new device management setup, which involves adding a work profile to the device. The user should click Resolve.

The user should click Begin to start the migration. The first step is to remove the existing management.

The user receives a warning that they may temporarily lose access to corporate services like WiFi.

The current device administrator management is being removed.

The current device administrator management has been removed. The user should click Continue.

The user should click Continue at the privacy screen.

The username is already pre-populated. The user should enter their password to sign into Intune (you may not see this step).

The user should click Confirm to accept that the organization will manage the work profile.

The work profile is being created.

The company portal is being configured.

The work profile has been created. The user should click Continue to activate.

The device is being registered with Intune.

The work profile is almost finished.

The user should select device ownership. This has no effect on the device itself. It is merely a label that allows the IT admin to target devices in the console.

The device has been enrolled in Android Enterprise with work profile and is compliant. The user should click Done.

The user can read information about the new work setup and should click Got it.

The user can see the separation between Personal and Work resources at the bottom of the screen.

The user can see notifications that corporate resources are installing – see notifications for Teams and Outlook. 

The user can see the corporate apps in the Work container. See the briefcase icon which denotes a corporate app. 

In the Microsoft Endpoint Manager admin center, the test device can no longer be seen in the results for the Migrate from Android Device Administrator compliance policy. That is expected. This policy is assigned to Device Administrator devices and the test device is now Android Enterprise. Therefore, the policy is no longer applicable.

When Android Enterprise is adopted in production, enrollment restrictions should be imposed to block any new enrollments using Device Administrator.

Navigate to Devices > Enroll devices > Enrollment restrictions to Block further Android Device Administrator enrollments.

I hope this helps. Until next time.....


No comments:

Post a Comment