Move from device administrator to Android Enterprise

Since the release of Android 9, Google encourages administrators to move from device administrator to Android Enterprise to manage Android devices. Since Android 10 and later, support for device administrator is actually phased out. As a result, it is no longer possible to use functionality that was previously available through Device Administrator. Fortunately with Intune it is possible to migrate Android devices that are managed with device administrator to Android Enterprise without having to re-roll them in Intune. In this blog post I will show you how to do that using a compliance policy.

 

Prerequisites:

The first step you need to perform is to allow Android Enterprise in the Device type restrictions. This will ensure that new users signing up will be enrolled with Android Enterprise instead of device administrator. (If both platforms are allowed then users will be enrolled with Android Enterprise).

 

Compliance Policy

Now that it is possible for new users to use Android Enterprise and no new device administrator devices are added, we need to adjust the existing compliance policy. In the to compliance policy, under “Device Health” you need to set “Devices managed with device administrator” to “Block”. This setting ensures that existing device administrator devices are no longer compliant and that an option to move from device administrator to Android Enterprise is shown.

 

Demo: Move from device administrator to Android Enterprise

In this demonstration, we have a user named Tim who has an Android device that is managed by Intune using Android device administrator.

The device Tim is using is currently compliant.After the compliance policy is updated and the device is rechecked it is no longer compliant and a message appears “You need to update settings on this device”.

 

1. Clicking on the message in the previous step will show you the reason why the device is not compliant. In this case it is clearly “Move to new device management setup”. By pressing “Resolve” you start the move.

 

2. You now get to see the enrollment screen that you get to see while configuring the work profile with the difference of the first step “Remove current management”. Press “Begin” to continue.

If you have not changed the enrollment restrictions and allowed the Android Enterprise platform, you will now get an error message “Unable to resolve”. 

 

3. A popup is shown that the user must connect to a connection that is not configured by device administrator. In addition, it is important that the local company documents are copied to, for example: Onedrive. So that they can be accessed from the work profile. Pressing “begin” deletes the Android device administrator management profile.

 

4. Now that the existing management has been removed, a work profile must be created. Press “continue” to proceed.

 

5. In the privacy view, the user sees what the administrator can and cannot see. Press “Continue” to proceed.

 

6. Press “Accept & Continue” to proceed and create the work profile.

 

7. Now the work profile has been created it needs to be activated and registered in Intune. Press “Continue” to proceed.

 

8. The work profile setup is finished. Press “Done” to continue.

 

9. The screen below appears. This contains information about the work profile such as separating work and personal apps, as well as how to recognize and add work apps. Press “Got it” to continue.

 

10. The move to Android Enterprise has made the device compliant again.

 

11. In the device overview in Intune, you can now see that the device is no longer managed by Android device adminstrator, but now contains a personally-owned work profile.

 

I hope you liked this blog about How to move from device administrator to Android Enterprise. Just leave a reply if you have questions or remarks about this post.

2 thoughts on “Move from device administrator to Android Enterprise

  1. Ankitha

    Hi Aad,

    I have 15k devices and i have to move them phase by phase, So if I change the compliance policy it will affect the whole 15k device, So how do i migrate 500 or 200 user’s phase by phase

    Reply
    1. Aad Lutgert Post author

      Hi Ankitha,

      You can do this by excluding devices from the existing policy and assigning them a new compliance policy with the setting “Device managed with device administrator” set to “Block”. The device restriction for device administrator only applies to new devices, not existing devices.

      hope this answers your question.

      regards, Aad

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *