ANDROID DEVICE ADMINISTRATOR
Android device administrator management provides device administration features at the system level on Android devices and became the basis for enterprise device management in early versions of Android. Since then, enterprise needs have evolved, with devices accessing more confidential resources in a wider variety of use cases than the original Android device administrator API was design for.
At the same time, organisations are demanding a higher trust relationship than device administrator was designed to support (device administrator can be enabled by any application the user authorises).
Because of these reasons, it is time for organisations to adopt the fully managed device and work profile modes of Android Enterprise to manage their devices.
The first part of a migration from Android device administrator to Android Enterprise is an analysis of the existing Android setup in Microsoft Intune. This involves documenting:
- Current device administrator policies, including
- The app catalogue
- Inventory of devices
- Use cases
Use cases include the set of all features and requirements which are deployed to a particular role in the organisation. Your organisation may have only a singled use case for all users or separate use cases for each business unit or role. In Microsoft Intune, this involves documenting the configuration profiles and compliance policies for the Android device administrator platforms as well as the apps deployed.
Once the use cases are documented you can determine the Android Enterprise feature requirements. For each use case you determine:
- The management mode (fully managed or work profile)
- The Android Enterprise features that map to the use case requirements
The features and requirements of the existing Android device administrator management configuration are then mapped against the features and requirements available in Android Enterprise management, creating a document outlining the policies and profiles which need to be created for each use case.
CONFIGURE ANDROID ENTERPRISE IN MICROSOFT INTUNE
One of the biggest changes between Android device administrator and Android Enterprise is the use of Managed Google Play to manage applications. Using Play, admins can:
- Approve and distribute apps to users – Admins can choose whether apps are pushed to devices or simply made available to users for install
- Approve app permissions – Admins can accept app permissions on behalf of the user
- Manage configurations – Admins can set configuration properties for supported apps
- Deploy custom apps
The first requirement for moving Android devices from Android device administrator to Android Enterprise is to connect Microsoft Intune to your organisation’s Managed Google Play account. If you don’t have a Managed Google Play account, you can create one during the connection process. You should create a dedicated account with a mailbox in your organisation and use this as the Managed Google Play account. Full details on the process have been documented by Microsoft here: Connect your Intune account to your Managed Google Play account.
Once this is completed, the next step is to create the appropriate compliance policies, configuration profiles and apps for the Android Enterprise work profiles and fully managed devices. The settings for these policies and profiles are taken from the mapping document you created previously.
At this point I would recommend blocking the option for users to enrol new devices into Android device administrator management in every enrolment restriction policy in your organisation (see the image below). This will stop users having to un-enrol and re-enrol new devices when moving to Android Enterprise.
If you are looking to roll this out in a staged manner, assign the new policies and profiles to a group containing your initial users. These users should also be excluded from any Android device administrator compliance policies and configuration profiles in Microsoft Intune.
The final step is getting your users to un-enrol their devices from Android device administrator management in Microsoft Intune and enrol them in Android Enterprise work profile management. To assist with this process, create and assign a new Android device administrator compliance policy to these users blocking devices managed with Android device administrator. This will mark the devices as non-compliant and they will be presented with a Resolve option they can select which will provide them with a checklist to guide them through:
- Unenrolling from Android device administrator management
- Enrolling into work profile management
- Resolving any compliance issues
As always, reach out if you have any questions or need some assistance.