Moving from Android Device Administrator to Android Enterprise with Microsoft Intune

United Kingdom | Moving from Android Device Administrator to Android Enterprise with Microsoft Intune

ANDROID DEVICE ADMINISTRATOR

Android device administrator management provides device administration features at the system level on Android devices and became the basis for enterprise device management in early versions of Android. Since then, enterprise needs have evolved, with devices accessing more confidential resources in a wider variety of use cases than the original Android device administrator API was design for.

At the same time, organisations are demanding a higher trust relationship than device administrator was designed to support (device administrator can be enabled by any application the user authorises).

Because of these reasons, it is time for organisations to adopt the fully managed device and work profile modes of Android Enterprise to manage their devices.

The first part of a migration from Android device administrator to Android Enterprise is an analysis of the existing Android setup in Microsoft Intune. This involves documenting:

  • Current device administrator policies, including
    • Security
    • Management
    • Usability
  • The app catalogue
  • Inventory of devices
  • Use cases

Use cases include the set of all features and requirements which are deployed to a particular role in the organisation. Your organisation may have only a singled use case for all users or separate use cases for each business unit or role. In Microsoft Intune, this involves documenting the configuration profiles and compliance policies for the Android device administrator platforms as well as the apps deployed.

Once the use cases are documented you can determine the Android Enterprise feature requirements. For each use case you determine:

  • The management mode (fully managed or work profile)
  • The Android Enterprise features that map to the use case requirements

The features and requirements of the existing Android device administrator management configuration are then mapped against the features and requirements available in Android Enterprise management, creating a document outlining the policies and profiles which need to be created for each use case.

CONFIGURE ANDROID ENTERPRISE IN MICROSOFT INTUNE

One of the biggest changes between Android device administrator and Android Enterprise is the use of Managed Google Play to manage applications. Using Play, admins can:

  • Approve and distribute apps to users – Admins can choose whether apps are pushed to devices or simply made available to users for install
  • Approve app permissions – Admins can accept app permissions on behalf of the user
  • Manage configurations – Admins can set configuration properties for supported apps
  • Deploy custom apps

The first requirement for moving Android devices from Android device administrator to Android Enterprise is to connect Microsoft Intune to your organisation’s Managed Google Play account. If you don’t have a Managed Google Play account, you can create one during the connexion process. You should create a dedicated account with a mailbox in your organisation and use this as the Managed Google Play account. Full details on the process have been documented by Microsoft here: Connect your Intune account to your Managed Google Play account.

Once this is completed, the next step is to create the appropriate compliance policies, configuration profiles and apps for the Android Enterprise work profiles and fully managed devices. The settings for these policies and profiles are taken from the mapping document you created previously.

At this point I would recommend blocking the option for users to enrol new devices into Android device administrator management in every enrolment restriction policy in your organisation (see the image below). This will stop users having to un-enrol and re-enrol new devices when moving to Android Enterprise.

United Kingdom | Moving from Android Device Administrator to Android Enterprise with Microsoft Intune

If you are looking to roll this out in a staged manner, assign the new policies and profiles to a group containing your initial users. These users should also be excluded from any Android device administrator compliance policies and configuration profiles in Microsoft Intune. 

The final step is getting your users to un-enrol their devices from Android device administrator management in Microsoft Intune and enrol them in Android Enterprise work profile management. To assist with this process, create and assign a new Android device administrator compliance policy to these users blocking devices managed with Android device administrator. This will mark the devices as non-compliant and they will be presented with a Resolve option they can select which will provide them with a checklist to guide them through:

  • Unenrolling from Android device administrator management
  • Enrolling into work profile management
  • Resolving any compliance issues

As always, reach out if you have any questions or need some assistance.

THANK YOU FOR YOUR SUBMISSION!

United Kingdom | Moving from Android Device Administrator to Android Enterprise with Microsoft Intune

The form was submitted successfully.

Join the Insentra Community with the Insentragram Newsletter

Hungry for more?

If you’re waiting for a sign, this is it.

We’re a certified amazing place to work, with an incredible team and fascinating projects – and we’re ready for you to join us! Go through our simple application process. Once you’re done, we will be in touch shortly!

Who is Insentra?

Imagine a business which exists to help IT Partners & Vendors grow and thrive.

Insentra is a 100% channel business. This means we provide a range of Advisory, Professional and Managed IT services exclusively for and through our Partners.

Our #PartnerObsessed business model achieves powerful results for our Partners and their Clients with our crew’s deep expertise and specialised knowledge.

We love what we do and are driven by a relentless determination to deliver exceptional service excellence.

United Kingdom | Moving from Android Device Administrator to Android Enterprise with Microsoft Intune

Insentra ISO 27001:2013 Certification

SYDNEY, WEDNESDAY 20TH APRIL 2022 – We are proud to announce that Insentra has achieved the  ISO 27001 Certification.