Enterprise Mobility + Security


This post is authored by Chris Baldwin, Principal Program Manager, Microsoft Intune. 

Earlier today, Google announced the deprecation and eventual disablement of Device Admin Android management. Device Admin, sometimes referred to as “legacy” Android management, is the technical term for the management mode that has existed since Android 2.2 and is in use by the majority of our customers. For customers who manage Android in the enterprise, this is an important announcement. It means that starting with Android Q (Android major versions are released roughly every year), the only way to manage an Android device will be to use one of the two newer Android enterprise management modes. More importantly, Google is signaling to the ecosystem that Device Admin is “legacy” and insufficient for many enterprise scenarios. Google’s recommendation is to start planning now for how to adopt one of these new management modes.

Limitations of Device Admin management

Figure 1 Device Admin enrollment screen

Since Android 5.0, Device Admin has been seen as a legacy way of managing devices. Device Admin is common, is widely supported, and is often considered the “default” way of managing Android devices. However, it has issues, which Google explains in their blog post. It lacks personal/work separation and requires users to grant the management agent full rights on their devices. It also lacks some of the pervasive controls that are useful for kiosk scenarios and for fully managed devices. For these reasons, Device Admin is a poor fit for both BYOD and company-owned device scenarios.

Intune has been one of Google’s EMM partners for quite some time, and we have been closely working with Google to understand their roadmap, solve customer integration issues, and share feature requests. Given this, we saw this change coming. If you look back at each release of Android since Android 5.0 when work profiles and device owner modes were first introduced, all of Google’s investment in enabling new enterprise features has been on those new modes while Device Admin has remained stagnant. Google has even taken the step to actively remove features from Device Admin, if they are deemed to be a security risk. A concrete example of this is the removal of the ability to perform an IT-initiated PIN reset under the Device Admin mode. In short, the writing has been on the wall for quite some time: the future of and the recommended way to manage modern Android devices is by using Android enterprise capabilities.


Modern Android management: Work Profile and Device Owner

Figure 2 Intune managing a work profile

Android enterprise (formerly Android for Work) introduced two new management modes starting in Android 5.0: work profile and device owner. Work profile is the mode that is designed for BYOD deployments. In this mode, the end user initiates enrollment on their own and during enrollment, a work profile gets created on the device.

This work profile is manageable by IT, and it sits alongside the user’s personal profile. The work profile provides both privacy benefits to the end user, and containerization and management benefits to IT. Management is scoped to the work profile, and the end user is assured of their privacy because IT cannot manage or obtain data about what’s going on in the personal profile. For IT, the separation between apps installed on the personal profile and corporate apps in the work profile is enforced at the OS level.

Device owner is a management mode suited to company-owned deployments where the device asset is owned by your organization. There are several deployment scenarios that are made possible when operating in the device owner mode. You can configure a device for userless, task-based, firstline use cases with strong kiosk and lockdown APIs. Or, you can deploy it as a work managed device that is associated with a knowledge worker’s Azure AD identity.
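As an added illustration that is not part of the original post or of Intune’s own code, the following hypothetical helper shows how an Android management agent distinguishes the three modes discussed above (Device Admin, work profile as profile owner, and device owner) using the public DevicePolicyManager API, and why the kiosk lock-down described for device owner cannot be applied from the other two modes. The class name, the `admin` ComponentName and the package list are assumptions.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;

/** Hypothetical helper: reports which Android management mode this agent currently holds. */
public final class ManagementModeProbe {

    public enum Mode { NONE, DEVICE_ADMIN, WORK_PROFILE, DEVICE_OWNER }

    private final DevicePolicyManager dpm;
    private final ComponentName admin;      // the agent's DeviceAdminReceiver (assumed)
    private final String packageName;

    public ManagementModeProbe(Context ctx, ComponentName admin) {
        this.dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.admin = admin;
        this.packageName = ctx.getPackageName();
    }

    /**
     * Device owner and profile owner are checked before Device Admin because both
     * also register a DeviceAdminReceiver; isAdminActive alone cannot tell them apart.
     * Profile/device owner APIs exist only from Android 5.0 (API 21), matching the post.
     */
    public Mode detect() {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
            if (dpm.isDeviceOwnerApp(packageName)) return Mode.DEVICE_OWNER;   // company-owned
            if (dpm.isProfileOwnerApp(packageName)) return Mode.WORK_PROFILE;  // BYOD container
        }
        if (dpm.isAdminActive(admin)) return Mode.DEVICE_ADMIN;               // legacy mode
        return Mode.NONE;
    }

    /**
     * Kiosk lock task allow-listing is a device owner capability. In work profile or
     * Device Admin mode the OS rejects the call, so we refuse up front and let the
     * caller fall back (e.g. to app-level protection) instead of crashing.
     */
    public boolean applyKioskAllowList(String[] kioskPackages) {
        if (detect() != Mode.DEVICE_OWNER) return false;
        dpm.setLockTaskPackages(admin, kioskPackages);
        return true;
    }
}
```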


Managing Android with Intune

For scenarios where you choose not to manage a device, you can use Intune’s App Protection without enrollment capabilities to manage just corporate identities and corporate data on a device without managing the device itself. This capability is available across all Android devices from 4.4 and up and is not affected by the coming discontinuance of Device Admin management.

If you need to manage the devices themselves because, for example, you require more advanced MDM capabilities such as certificate installation, app installs, or app configuration, you can use work profiles. Intune supports work profiles today, and we encourage you to evaluate how you can start to transition your BYOD users from Device Admin to this new mode. See here to get started.

We are also actively working on the device owner scenarios to enable the deployment scenarios that are in demand for company-owned devices. We are building the kiosk (sometimes referred to as company-owned, single-use or “COSU”) scenario today. This will unlock a number of firstline, kiosk-based scenarios for our customers. We expect to have this available in the early part of 2018. After we have the kiosk scenarios, we’ll work on the work managed scenarios.

As we build out our Android roadmap, we’re committed to full support for all Android enterprise scenarios, so that our customers have a clear and clean transition path from Device Admin to modern Android management.

Please let us know what Android enterprise management features you are looking for here.

Additional resources: