This post has been republished via RSS; it originally appeared at: Intune Customer Success articles.
Android device administrator management was released in Android 2.2 as a way to manage Android devices. Then, beginning with Android 5, the more modern management framework of Android Enterprise was released (for devices that can reliably connect to Google Mobile Services). Google is encouraging movement off device administrator management by decreasing its management support in new Android releases.
How does this affect me?
Because of these changes by Google, in the fourth quarter of 2020 you will have less extensive management capabilities on impacted device administrator managed devices.
Note: This date was previously communicated as third quarter of 2020, but it has been moved out based on the latest information from Google.
Device types that will be impacted
Devices that will be impacted by the decreasing device administrator support are those for which all three conditions below apply:
- Enrolled in device administrator management
- Running Android 10 or later
- Not a Samsung device
Devices will not be impacted if they are any of the below:
- Not enrolled with device administrator management
- Running an Android version below Android 10
- Samsung devices (Samsung Knox devices won't be impacted in this timeframe because extended support is provided through Intune’s integration with the Knox platform. This gives you additional time to plan the transition off device administrator management for Samsung devices.)
Settings that will be impacted
Google's decreased device administrator support prevents the following settings from being applied on impacted devices.
Configuration profile device restrictions settings:
- Block Camera
- Set Minimum password length
- Set Number of sign-in failures before wiping device (will not apply on devices without a password set, but will apply on devices with a password)
- Set Password expiration (days)
- Set Required password type
- Set Prevent use of previous passwords
- Block Smart Lock and other trust agents
Compliance policy settings:
- Set Required password type
- Set Minimum password length
- Set Number of days until password expires
- Set Number of previous passwords to prevent reuse
Additional impacts based on Android OS version
Android 10: For all device administrator managed devices (including Samsung) running Android 10 and later, Google has restricted the ability for device administrator management agents like Company Portal to access device identifier information. This restriction impacts the following Intune features after a device is updated to Android 10 or later:
- Network access control for VPN will no longer work
- Identifying devices as corporate-owned with an IMEI or serial number won't automatically mark devices as corporate-owned
- The IMEI and serial number will no longer be visible to IT admins in Intune
Android 11: We are currently testing Android 11 support on the latest developer beta release to evaluate if it will cause impact on device administrator managed devices.
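The impact conditions above can be turned into an inventory triage. The following is an added example, not code from the original post or from Intune; the CSV columns (`device`, `enrollment`, `manufacturer`, `os_version`), their values, and the bucket names are hypothetical and the sample rows are constructed.

```python
import csv
import io

# Constructed sample inventory; column names and values are hypothetical,
# not an Intune export format.
SAMPLE_INVENTORY = """device,enrollment,manufacturer,os_version
pixel-01,device_admin,Google,10
galaxy-02,device_admin,samsung,10.0
moto-03,device_admin,Motorola,9
nokia-04,work_profile,Nokia,11
lg-05,device_admin,LG,8.1.0
tab-06,device_admin,Lenovo,
"""

def android_major(version):
    """Return the major Android version as an int, or None if unparseable."""
    head = version.strip().split(".")[0]
    return int(head) if head.isdigit() else None

def classify(row):
    """Apply the post's impact conditions to one device record."""
    if row["enrollment"].strip().lower() != "device_admin":
        return "not_impacted"
    major = android_major(row["os_version"])
    samsung = row["manufacturer"].strip().lower() == "samsung"
    if major is None:
        return "unknown_os_version"  # review manually; do not assume unaffected
    if major >= 10:
        # Identifier restrictions apply to every device administrator device
        # on Android 10+, Samsung included. The settings impact needs all three
        # conditions and starts once the Company Portal update is installed.
        return "identifier_impact_only" if samsung else "settings_and_identifier_impact"
    # Below Android 10: unaffected today, affected once the OS is updated.
    return "identifier_impact_on_os_update" if samsung else "full_impact_on_os_update"

def triage(csv_text):
    """Group device names by classification, preserving input order."""
    buckets = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        buckets.setdefault(classify(row), []).append(row["device"])
    return buckets

if __name__ == "__main__":
    for bucket, devices in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{bucket}: {', '.join(devices)}")
```

Devices in `unknown_os_version` are kept separate so that a missing version field is never read as "below Android 10".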
User experience of impacted settings on impacted devices
Impacted configuration settings:
- For already enrolled devices that already had the settings applied, the impacted configuration settings will continue being enforced.
- For newly enrolled devices, newly assigned settings, and updated settings, the impacted configuration settings will not be enforced (but all other configuration settings will still be enforced).
Impacted compliance settings:
- For already enrolled devices that already had the settings applied, the impacted compliance settings will still show as reasons for noncompliance on the “Update device settings” page, the device will be out of compliance, and the password requirements will still be enforced in the Settings app.
- For newly enrolled devices, newly assigned settings, and updated settings, the impacted compliance settings will still show as reasons for noncompliance on the “Update device settings” page and the device will be out of compliance, but stricter password requirements will not be enforced in the Settings app.
Cause of impact
Devices will begin being impacted in the fourth quarter of 2020. At that time, there will be a Company Portal app update that will increase the Company Portal API targeting from level 28 to level 29 (as required by Google).
At that point, device administrator managed devices that are not manufactured by Samsung will be impacted once the user completes both these actions:
- Updates to Android 10 or later
- Updates the Company Portal app to the version that targets API level 29
What do I need to do to prepare for this change?
To avoid the reduction in functionality coming in the fourth quarter of 2020, we recommend the following:
- New enrollments: Onboard new devices into Android Enterprise management (where available) and/or app protection policies. Avoid onboarding new devices into device administrator management.
- Previously enrolled devices: If a device administrator managed device is running Android 10 or later or may update to Android 10 or later (especially if it is not a Samsung device), move it off of device administrator management to Android Enterprise management and/or app protection policies. You can leverage the streamlined flow to move Android devices from device administrator to work profile management.
- Move Android devices from device administrator to work profile management
- Set up enrollment of Android Enterprise work profile devices
- Set up enrollment of Android Enterprise dedicated devices
- Set up enrollment of Android Enterprise fully managed devices
- How to create and assign app protection policies
- How to use Intune in environments without Google Mobile Services
- Understanding app protection policies and work profiles on Android Enterprise devices
- Google’s blog about what you need to know about Device Admin deprecation
- Google's guidance for migration from device administrator to Android Enterprise
- Google's documentation of deprecated device administrator APIs