Google is phasing out Android Device Administrator — the legacy form of Android device management— to provide a more secure and flexible way to manage Android devices in modern organizations. Due to the deprecation of Device Administrator, businesses must move to Android Enterprise promptly.
In this article, we cover:
- What is Android Device Administrator, and why is it sunsetting?
- What is Android Enterprise?
- When to migrate to Android Enterprise?
- How to migrate to Android Enterprise from the sunsetting Device Administrator?
- Making the transition with Miradore
What is Android Device Administrator, and why is it sunsetting?
Android Device Administrator (DA) was introduced back in 2010 as the first form of mobile device management in Android 2.2. Since then, IT admins have been able to use Device Administrator APIs to, for example, enforce the use of strong passwords and storage encryption, and lock and wipe a device when needed.
In 2014, Google introduced two new management modes in Android 5.0: fully managed (device owner) and work profile (profile owner). The new management modes provided more flexibility for device management, and even though most Device Administrator features continued to work in Lollipop devices, Device Administrator was considered a legacy management approach.
In the past ten years, the way mobile devices are used has changed dramatically. Devices are used to access more confidential information than before, and quite often, the same device is used for both personal and work purposes.
However, in the past ten years, the way mobile devices are used has changed dramatically. Devices are used to access more confidential information than before, and quite often, the same device is used for both personal and work purposes. Therefore, in 2017, Google announced its plan to discontinue the support for Device Administrator as it was no more well suited to support today’s enterprise mobility requirements.
What is Android Enterprise?
Android Enterprise (previously known as “Android for Work”) is Google’s modern Android device management framework, which is baked into all GMS-certified devices with Android 5 or higher. Compared to Device Administrator, it provides a more secure and flexible approach to device management.
What comes to remote device management capabilities, Android Enterprise offers all the same features the Device Administrator model did, but also adds many extensive management controls on top of that. It provides better support for modern business requirements, as it enables organizations to, for example:
- separate work data from personal data with the work profile,
- distribute applications and manage their data through Google Play and manage the Google Accounts needed for this
- and lock devices into a Kiosk mode.
All things considered, Android Enterprise is a massive upgrade to Android device management that decreases the headache of both: the device users as well as the IT staff.
One of the key features is the work profile, which enables the secure use of personal devices for business purposes without risking the user’s privacy. With the Device Administrator, managing employee-owned devices was challenging because there was no way to manage only the business use of the device. IT admins could either manage the entire device or not manage the device at all.
Android Enterprise also enables silent deployment and configuration of applications and offers a bunch of easy deployment methods to set up company-owned, fully managed devices — that obviates the need for a user to sideload or install the EMM agent from Play Store.
Additionally, Kiosk mode provides extra security as IT admins can turn devices into a Single App Kiosk Mode and restrict the usage of certain features.
All things considered, Android Enterprise is a massive upgrade to Android device management that decreases the headache of both: the device users as well as the IT staff.
When to migrate from Device Administrator to Android Enterprise?
With the release of Android 9.0 Pie in August 2018, the Device Administrator APIs for managing lock screen settings, passwords, and camera restrictions were marked as deprecated in Google’s documentation, namely:
- USES_POLICY_DISABLE_CAMERA
- USES_POLICY_DISABLE_KEYGUARD_FEATURES
- USES_POLICY_EXPIRE_PASSWORD
- USES_POLICY_LIMIT_PASSWORD
For a while, these APIs continued to function normally — until Android 10 on which the deprecated APIs no longer work. This means that IT admins cannot enforce passcode requirements, deny the use of camera or control the lock screen settings for Device Administrator-enrolled Android 10+ devices through an Enterprise Mobility Management (EMM) solution.
Now is the last time to migrate the Device Administrator-enrolled devices and Device Administrator policies to Android Enterprise.
Some of the affected features may still partly function for a couple of months, depending on the version of Device Policy Controller (DPC) API used by your EMM solution. However, all EMMs are required to update their DPCs by the fourth quarter of 2020, before Android 11 is launched. Therefore, now is the last time to migrate the Device Administrator-enrolled devices and Device Administrator policies to Android Enterprise.
What happens to Device Administrator-managed devices after the deprecation?
- Android 8 and older: no effect, only Android 10 devices are affected
- Android 9: deprecated APIs will show warnings in device logs (not visible to device user)
- Android 10+: the deprecated features will no longer function on any Android 10+ devices and device users will be shown error messages if IT staff tries to use the deprecated features through an EMM
How to migrate to Android Enterprise from the sunsetting Device Administrator?
To move to Android Enterprise, you need an Enterprise Mobility Management (EMM) solution that supports either Android’s work profile or fully managed device mode. Both methods can be used simultaneously, depending on your organization’s needs. Miradore is an official Google partner for Enterprise Mobility Management and supports both methods.
To assist businesses with the migration, Google has created the Android Enterprise Migration Bluebook, which provides a great deal of information and instructions for planning and moving from Device Administrator to Android Enterprise. It is a valuable resource for IT managers and worthwhile to check out. Jason Bayton has also gathered a comprehensive list of things to consider when migrating.
Making the transition with Miradore
Miradore users can move company-owned and personal devices to Android Enterprise by enrolling them in either fully managed or work profile mode. Device Administrator enrollment can still be used for pre-Android 5.0 devices, but for modern Android devices, Android Enterprise should be used. Therefore, Device Administrator is labeled as “not recommended” in the Miradore user interface.
Enrolling company-owned devices (fully managed mode)
One thing to note is that migrating company-owned devices from Device Administrator to Android Enterprise’s fully managed device mode requires a factory reset. Therefore, when purchasing new company-owned devices, we recommend buying devices that have been validated to fulfill the requirements of Android Enterprise and enroll them directly in fully managed device mode.
Devices which are already in use, need to be reset and enrolled in fully managed device mode, or you can use the work profile mode to manage them partly, in which case the factory reset is not needed.
If you are purchasing multiple new devices, you can use Android Zero-touch enrollment or Knox Mobile Enrollment for Samsung devices to automate the enrollment and configuration.
See the video below on how to set up the fully managed mode for Android devices or read our Knowledge Base articles:
How to enroll an Android device in fully managed device mode using NFC
How to enroll an Android device in fully managed device mode using QR code
How to enroll an Android device in fully managed device mode using a token
Enrolling employee-owned/BYOD devices (work profile mode)
The work profile mode is the correct management method for any employee-owned/BYOD devices, and it does not require a factory reset. Work profile is a container that isolates work data and apps from personal use on an Android device, and it enables you to secure company data on a personal device without risking the user’s privacy.
See the video below on how to set up the work profile for Android devices or read our Knowledge Base article:
How to set up Android Work Profile on Android devices
If you need assistance planning the migration, do not hesitate to contact our support team.
by Esa Hietikko
Esa has been with Miradore since 2010 when he joined the team to complete his traineeship in computer science studies. He works in the R&D team and enjoys tinkering with geeky gadgets and writing about software.
