Decreasing support for Android device administrator

This post has been republished via RSS; it originally appeared at: Intune Customer Success articles.

Android device administrator management was released in Android 2.2 as a way to manage Android devices. Then beginning with Android 5, the more modern management framework of Android Enterprise was released (for devices that can reliably connect to Google Mobile Services). Google is encouraging movement off of device administrator management by decreasing its management support in new Android releases.

 

How does this affect me?

Because of these changes by Google, in the fourth quarter of 2020, you will no longer have as extensive management capabilities on impacted device administrator managed devices.

 

Note: This date was previously communicated as third quarter of 2020, but it has been moved out based on the latest information from Google.

 

Device types that will be impacted

Devices that will be impacted by the decreasing device administrator support are those for which all three conditions below apply:

  • Enrolled in device administrator management
  • Running Android 10 or later
  • Not a Samsung device

Devices will not be impacted if they are any of the below:

  • Not enrolled with device administrator management
  • Running an Android version below Android 10
  • Samsung devices (Samsung Knox devices won't be impacted in this timeframe because extended support is provided through Intune’s integration with the Knox platform. This gives you additional time to plan the transition off device administrator management for Samsung devices.)

 

Settings that will be impacted

Google's decreased device administrator support prevents configuration of these settings from applying on impacted devices.

 

Configuration profile device restrictions settings:

  • Block Camera
  • Set Minimum password length
  • Set Number of sign-in failures before wiping device (will not apply on devices without a password set, but will apply on devices with a password)
  • Set Password expiration (days)
  • Set Required password type
  • Set Prevent use of previous passwords
  • Block Smart Lock and other trust agents

Config-camera.pngConfig-password.png

 

 

Compliance policy settings

  • Set Required password type
  • Set Minimum password length
  • Set Number of days until password expires
  • Set Number of previous passwords to prevent reuse

compliance-password.png

 

 

Additional impacts based on Android OS version

Android 10: For all device administrator managed devices (including Samsung) running Android 10 and later, Google has restricted the ability for device administrator management agents like Company Portal to access device identifier information. This restriction impacts the following Intune features after a device is updated to Android 10 or later:

  • Network access control for VPN will no longer work
  • Identifying devices as corporate-owned with an IMEI or serial number won't automatically mark devices as corporate-owned
  • The IMEI and serial number will no longer be visible to IT admins in Intune

Android 11: We are currently testing Android 11 support on the latest developer beta release to evaluate if it will cause impact on device administrator managed devices.

User experience of impacted settings on impacted devices

Impacted configuration settings:

  • For already enrolled devices that already had the settings applied, the impacted configuration settings will continue being enforced.
  • For newly enrolled devices, newly assigned settings, and updated settings, the impacted configuration settings will not be enforced (but all other configuration settings will still be enforced).

Impacted compliance settings:

  • For already enrolled devices that already had the settings applied, the impacted compliance settings will still show as reasons for noncompliance on the “Update device settings” page, the device will be out of compliance, and the password requirements will still be enforced in the Settings app.
  • For newly enrolled devices, newly assigned settings, and updated settings, the impacted compliance settings will still show as reasons for noncompliance on the “Update device settings” page and the device will be out of compliance, but stricter password requirements will not be enforced in the Settings app.

Cause of impact

Devices will begin being impacted in the fourth quarter of 2020. At that time, there will be a Company Portal app update that will increase the Company Portal API targeting from level 28 to level 29 (as required by Google).

At that point, device administrator managed devices that are not manufactured by Samsung will be impacted once the user completes both these actions:

  • Updates to Android 10 or later
  • Updates the Company Portal app to the version that targets API level 2

 

What do I need to do to prepare for this change?

To avoid the reduction in functionality coming in the fourth quarter of 2020, we recommend the following:

Additional information

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.