If you are currently managing your devices enrolled in an EMM which uses Device Admin, known as “Android legacy” in AirWatch, you’ve probably heard that Google is deprecating these APIs in favor of their newer Android Enterprise APIs. As of Android 10.0, devices will only support Android Enterprise enrollment, so it is time to consider migrating to Android Enterprise as your solution for corporate-managed Android devices.
Migrating to Android Enterprise doesn’t just allow you to support newer devices, it adds management capabilities that weren’t previously available with the legacy Android Device Admin. Much like supervised devices in iOS, Work Managed, or “Device Owner,” devices in Android Enterprise support more extensive management of the device and OS.
Most importantly, Android Enterprise introduces changes to application distribution and management. Not all enrollment types support private APK distributions anymore, but there is a new Enterprise Play Store, similar to Apple’s VPP, that allows the managed distribution of public apps without requiring a Google account on the device.
What happens when Android 10.0 is released?
The deprecated behaviors from Device Admin will stop working and will return a security exception for apps running on Android 10.0 and targeting that API level.
Google has introduced Android Enterprise as a modern management framework that addresses Device Admin's limitations, with robust enterprise APIs to match the evolving needs of businesses.
Modern application management is a strength of Android Enterprise, which offers robust security and privacy as well as the ability to handle complex requirements and a variety of use cases.
Android Enterprise allows enterprise businesses to manage and secure their devices with a flexible set of management modes for corporate devices. To ensure that organizations can power their mobile environments with great features and security, Android offers Managed Device and Work Profile modes for mobile management.
Android Enterprise supports three different device options:
- Fully Managed Device (work only) mode for Corporate Owned Devices: Provides full control of the device and permissions for application installation.
- Managed Profile/Work profile (BYOD): Enrolls devices as ‘Profile Owner’, which separates the work profile and its data from the personal profile.
- Fully Managed Device with a Work profile (also known as a Company Owned Personally Enabled Device): This is a hybrid management mode where end-users can use their apps and keep their work data separate on a company-owned device.
There are two strategies available to move to Android’s management APIs.
Managing personal BYOD (bring-your-own) devices
For personal devices used by employees for work, Google recommends using the work profile. Migration from a legacy device admin to the work profile can be done with minimal disruption. This can be handled either by enabling personal devices to install a work profile or by having new devices enroll with a work profile as existing devices phase out of the fleet. Note, however, that at least as of the time of this writing, work profile devices cannot receive internal APK app deployments, only Enterprise Play Store apps.
Managing company-owned devices
We recommend that company-owned devices be set up as fully managed devices. Migrating a device from device admin to a managed device requires a factory reset, so we recommend a phased adoption, where new devices are enrolled as fully managed devices while existing devices are left on device admin until they can be phased out.
Making the move
Given the significance of these changes, it’s critical that any migration be well-planned. You’ll want to perform an assessment of your current configuration to determine what, if anything, will need to change to function under Android Enterprise. You’ll also want to ensure that any supporting systems like Knox Mobile Enrollment or ZeroTouch are set up to enroll devices under the correct configuration. Some companies will also need to get a Google developer account and move their internal apps to the Enterprise Play Store.
If this process sounds daunting, schedule a call with one of our consultants. We can provide migration services to plan and implement the entire project, or simply to support your team while they conduct the migration.