Decreasing support for Android device administrator
Published Jun 05 2020 04:00 PM

Android device administrator management was released in Android 2.2 as a way to manage Android devices. Then beginning with Android 5, the more modern management framework of Android Enterprise was released (for devices that can reliably connect to Google Mobile Services). Google is encouraging movement off of device administrator management by decreasing its management support in new Android releases.

 

How does this affect me?

Because of these changes by Google, in October 2020 you will no longer have as extensive management capabilities on impacted device administrator managed devices.

 

Note: This date was previously communicated as fourth quarter of 2020, but it has been moved out based on the latest information from Google.

 

Device types that will be impacted

Devices that will be impacted by the decreasing device administrator support are those for which all three conditions below apply:

  • Enrolled in device administrator management
  • Running Android 10 or later
  • Made by any Android manufacturer except Samsung

Devices will not be impacted if they are any of the below:

  • Not enrolled with device administrator management
  • Running an Android version below Android 10
  • Samsung devices (Samsung Knox devices won't be impacted in this timeframe because extended support is provided through Intune’s integration with the Knox platform. This gives you additional time to plan the transition off device administrator management for Samsung devices.)

 

Settings that will be impacted

Google's decreased device administrator support prevents configuration of these settings from applying on impacted devices.

 

Configuration profile device restrictions settings:

  • Block Camera
  • Set Minimum password length
  • Set Number of sign-in failures before wiping device (will not apply on devices without a password set, but will apply on devices with a password)
  • Set Password expiration (days)
  • Set Required password type
  • Set Prevent use of previous passwords
  • Block Smart Lock and other trust agents


 

 

Compliance policy settings

  • Set Required password type
  • Set Minimum password length
  • Set Number of days until password expires
  • Set Number of previous passwords to prevent reuse


 

User experience of impacted settings on impacted devices

Impacted configuration settings:

  • For already enrolled devices that already had the settings applied, the impacted configuration settings will continue being enforced.
  • For newly enrolled devices, newly assigned settings, and updated settings, the impacted configuration settings will not be enforced (but all other configuration settings will still be enforced).

Impacted compliance settings:

  • For already enrolled devices that already had the settings applied, the impacted compliance settings will still be enforced in the Settings app and the user will still be compliant. The Microsoft Endpoint Manager console will report these impacted settings on these devices as Not Applicable.
  • For newly enrolled devices, newly assigned settings, and updated settings, the impacted compliance settings will not be sent down to the device, so they will not be enforced in the Settings app and the user will still be compliant. The Microsoft Endpoint Manager console will report these impacted settings on these devices as Not Applicable.

Additional user experience change for Wi-Fi profiles:

  • Users will need to accept additional permissions, and explicitly accept Wi-Fi configurations when they're deployed. Note: Wi-Fi configurations will not appear in the known Wi-Fi networks list, but will automatically connect when in range.
  • If the user disconnects from the Wi-Fi network manually, the network appears in the network list as “Available via Company Portal” and the user can manually reconnect. If you unassign a Wi-Fi profile for a network a device is connected to, the device will be disconnected the next time it checks into Intune.
  • There are no changes in behavior for existing Wi-Fi profiles. There are also no changes to the admin experience in the Microsoft Endpoint Manager admin center.

Custom Wi-Fi profiles with pre-shared keys:

  • As communicated in MC223443, an additional change is happening with October's Company Portal release where you will no longer be able to create custom Wi-Fi profiles to include a pre-shared key (PSK) in the profile.
    • How will this affect you: If you use custom Wi-Fi profiles in order to include a PSK in the profile, this will continue working for devices that already have the profile installed but the policies will no longer work for newly-enrolled Android 10+ devices once the Company Portal upgrades in October.
    • What you need to do to prepare: If possible, we encourage you to move to Android Enterprise. If not, make sure all Wi-Fi profiles for Android device administrator are set before October's Company Portal release expected to start mid-October.

 

Cause of impact

Devices will begin being impacted in October 2020. At that time, there will be a Company Portal app update that will increase the Company Portal API targeting from level 28 to level 29 (as required by Google).

At that point, device administrator managed devices that are not manufactured by Samsung will be impacted once the user completes both these actions:

  • Updates to Android 10 or later
  • Updates the Company Portal app to the version that targets API level 29

 

Additional impacts based on Android OS version

Android 10: For all device administrator managed devices (including Samsung) running Android 10 and later, Google has restricted the ability for device administrator management agents like Company Portal to access device identifier information. This restriction impacts the following Intune features after a device is updated to Android 10 or later:

  • Network access control for VPN will no longer work
  • Identifying devices as corporate-owned with an IMEI or serial number won't automatically mark devices as corporate-owned
  • The IMEI and serial number will no longer be visible to IT admins in Intune

Android 11 updates after enrolling: These are the changes that will impact device administrator managed devices when they update to Android 11:

  • For device administrator devices (excluding Samsung) running Android 11 and later, Google has removed the ability for management agents like Company Portal to enforce blocking Camera, even before the October update to the Company Portal app. Policies blocking camera that are applied to devices before they update to Android 11 will continue to apply.
  • With Android 11, trusted root certificates can no longer be deployed to devices enrolled with device administrator (except on Samsung devices). Users must manually install the trusted root certificate on the device. With the trusted root certificate manually installed on a device, you can then use SCEP to provision certificates to the device. In this scenario you must still create and deploy a trusted certificate policy to the device, and link that policy to the SCEP certificate profile.
    • If the trusted root certificate is on the device, then the SCEP certificate profile will install successfully.
    • If the trusted certificate cannot be found, the SCEP certificate profile will fail.

Android 11 new enrollments: These are the changes that will impact new device administrator enrollments for devices on Android 11:

  • Samsung devices configured for Knox Mobile Enrollment will not be able to enroll in device administrator management if they are running Android 11. To enroll these devices, they should either be configured for Android Enterprise management or they can continue to enroll in device administrator management without Knox Mobile Enrollment through the Android Company Portal app. This will not impact devices that are already enrolled and then update to Android 11.
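
As an added example (not part of the original post and not Microsoft tooling), the conditions from the sections above can be applied to a device inventory to see which device administrator devices lose which controls. The CSV column names and sample rows are constructed for illustration and are not an Intune export format.

```python
import csv
import io

# Constructed sample inventory; the column names are hypothetical, not an Intune schema.
SAMPLE_INVENTORY = """device,manufacturer,android_major,enrollment,cp_target_api
pixel-01,Google,10,device_admin,29
pixel-02,Google,10,device_admin,28
galaxy-01,Samsung,11,device_admin,29
moto-01,Motorola,9,device_admin,29
nokia-01,Nokia,11,device_admin,28
pixel-03,Google,11,work_profile,29
"""

IDENTIFIERS = "IMEI/serial hidden: VPN network access control and corporate-owned tagging affected"
SETTINGS = "new or updated password, camera and Smart Lock settings not enforced"
CAMERA = "camera block cannot be enforced by newly applied policy"
ROOT_CERT = "trusted root certificate must be installed manually before SCEP"

def classify(row):
    """Return the impacts described in the post that apply to one inventory row."""
    if row["enrollment"] != "device_admin":
        return []
    android = int(row["android_major"])
    samsung = row["manufacturer"].strip().lower() == "samsung"
    impacts = []
    if android >= 10:
        # Identifier restriction applies to every device administrator device, Samsung included.
        impacts.append(IDENTIFIERS)
        if not samsung and int(row["cp_target_api"]) >= 29:
            # Needs both Android 10+ and the Company Portal build targeting API level 29.
            impacts.append(SETTINGS)
    if android >= 11 and not samsung:
        # Android 11 changes apply even before the Company Portal update.
        impacts += [CAMERA, ROOT_CERT]
    return impacts

def triage(inventory_csv):
    """Map each device name to its list of impacts."""
    return {r["device"]: classify(r) for r in csv.DictReader(io.StringIO(inventory_csv))}

if __name__ == "__main__":
    for device, impacts in triage(SAMPLE_INVENTORY).items():
        print(device, "->", "; ".join(impacts) or "not impacted")
```
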


What do I need to do to prepare for this change?

To avoid the reduction in functionality coming in October 2020, we recommend the following:

What if I have non-Samsung devices that cannot move to Android Enterprise?

Some devices can’t move from device administrator to Android Enterprise management. For example, Google hasn’t made Android Enterprise available in some markets. You can still use Intune to manage non-Samsung devices with device administrator, but the changes to functionality mentioned in this post will apply. For guidance on managing devices when Android Enterprise isn’t available, see: How to use Intune in environments without Google Mobile Services.

 

Additional information

 

Blog post updates:

  • 8/10/20: Update to clarify the Company Portal app API version under the cause of impact section.
  • 8/24/20: We previously communicated that this change will come in the fourth quarter of 2020. Updated post as this change will be made in October 2020.
  • 8/27/20: Update to include an additional user experience change for Wi-Fi profiles, additional impacts based on Android OS version, a scenario on what if you have non-Samsung devices that cannot move to Android Enterprise, and a recommendation to configure a new setting called Password Complexity for devices running Android 10 and later.
  • 9/8/20: With a small edit to update formatting.
  • 9/9/29: Update to the: "Android Additional impacts based on Android OS version/Android 11" section.
  • 9/23/20: Added a Note to the "Configure Password Complexity" section as admins will need to set the Password toggle to "Require" to leverage this setting.
  • 10/1/20: Updated the "Impacted compliance settings" section.
  • 10/6/20: Added a note about using custom Wi-Fi profiles with pre-shared keys.
  • 11/6/20: With an update to the "Additional user experience change for Wi-Fi profiles" section.
  • 3/2/21: Update to the: "Android Additional impacts based on Android OS version/Android 11" section to include a note around newly enrolled Samsung devices configured for Knox Mobile Enrollment on Android 11. 
19 Comments
Brass Contributor

Thank you for reiterating this. The timeline and impacts/non-impacts for the deprecation of Android Device Administrator management had been a tad confusing.

 

Regarding the Android Enterprise support caveat "(for devices that can reliably connect to Google Mobile Services)" – is it on the roadmap for Intune to support Android Enterprise enrollment on devices that do not have access to Google Mobile Services? (AOSP, etc) Some other big-name MDMs can manage such devices.

Copper Contributor

Will support for Android Enterprise be coming to Office 365 MDM? This only supports Android device administrator enrollment and will be affected by these changes.

Copper Contributor

What about non-Samsung devices that are used in China? Since Android Enterprise is not available there, how are we tackling this issue for China?

Hi @tmaguire, there are no current plans for Microsoft 365 Mobile Device Management to support Android Enterprise, as the current supported device types for MDM for Microsoft 365 are available here. If you'd like to start managing Android Enterprise devices you may want to consider moving to Intune. You can learn more about Intune here and you can start enrolling Android Enterprise devices in a few ways listed here. Hope this helps!

Copper Contributor

We use Samsung devices because of the smooth management by Intune through the device management. Are there any plans or schedules, then it won't work with Samsung either? All other management methods via Android Enterprise/Working Profile or mam policies do not meet our business needs. 

So we are currently staying with the android device management for the moment.

Hi @florianH, thanks for the feedback. There are no current plans to end support on Samsung devices. For any future Intune changes and features, we’ll be communicating these notices in advance within the Message Center as well as posting an update within our Intune - Notices docs.

Hi @chetan19871, Android Enterprise is not available in China. We’re continuing to evaluate our Android management options in China.

Copper Contributor

Do we have specific date when this functionality will be deprecated? When exactly company portal app will be updated to newer version?

Copper Contributor

Password Complexity for devices running Android 10 and later. Has this gone live now?

Hi @SumitKumar, thanks for the question! Though we don’t have any dates to share at this time, we’ll update this post as we learn more. See the latest information from Google to learn more about these changes. We're also targeting the Android Company Portal to be updated for mid/end of October.

Hi @sumitkumardsm, this feature is currently in development and is expected to be rolled out with this month's service release (2009). More information about this feature can be found in our In development docs here.

Copper Contributor

Password Complexity setting feature was released 2 days back. While testing the setting (in compliance policy) we realized that this setting shows "Not Applicable" even for Android 10 and 11 devices (Used Google Pixel). It's not as per documentation.

 

My company portal app version is 5.0.4897.0. Will it start working with new company portal app (to be released in Mid/end of oct)? Can we test it in advance if the setting actually works? And Intune is able to read the password complexity of the Android 10 and higher devices.

Hi @sumitkumardsm, thanks for the feedback! For impacted devices running Android 10 and later, admins will need to set the Password toggle to "Require". We recently updated both this post and our docs to clarify the settings needed for this setting. Learn more about these changes here.

Copper Contributor

@Intune_Support_Team  I have gone down the path of removing DA as a valid enrollment path, however despite a number of support tickets with MS (unresolved) I have an issue where new users to the tenancy are only prompted with DA as an enrollment option, despite DA being implicitly blocked in Enrollment restrictions. How is this possible? Has anyone else had any issues where tenancies have moved to Android Enterprise but some legacy attribute (Clutching at straws) prevents new users from enrolling. I don't want to have extra DA policy overhead to allow people to enroll into Android Enterprise as described here: https://docs.microsoft.com/en-us/mem/intune/enrollment/enrollment-restrictions-set

Android Enterprise (work profile) and Android device administrator platforms have the following behavior:

If both platforms are allowed for the same group, then users will be enrolled with a work profile if their device supports it, otherwise they will enroll as DA.

Copper Contributor

@Intune_Support_Team : For us Password Complexity setting is completely broken. This was showing as Not Applicable so far. And suddenly today morning, all Android devices started showing as "Non Compliant" because of password complexity. We had to remove the setting from production to make it work again. Looks like this was released to production without proper testing. 

Copper Contributor

I have been working on setting up Android Enterprise. When users go to update settings in company portal after Device administrator is blocked, they re-enroll and it creates a new "workspace". All other apps previously managed are useless. They also remain on the device and the user is forced to reinstall from managed google play. Very confusing and messy in my opinion

Copper Contributor

Hello,

1) Samsung Knox devices will no longer be considered by Intune from what date?

2) Samsung Knox devices are not taken into account in Android Enterprise companies, what to do? do I have to stop Samsung Knox and go directly to Android Enterprise or do I have to change MDM if I want to continue using Samsung Knox?

Thank you

Hi @Flotech5,  Samsung Knox devices are fully supported by Intune for management with app protection policies and Android Enterprise management methods. The decreasing support is only for the device administrator method of management and it is caused by a change from Google and is not specific to Intune. Hope this helps!

Copper Contributor

Hello Team 

Will there be any impact on already published LoB , Public App or Web Link ? 

Will there be any impact on App Protection policies ?

 

/Vikalp

Last update: Dec 19 2023 01:18 PM