Android Device Management deprecated in Android 10/Q - Part I

by | Jan 25, 2019 | Security, Workplace

Many customers have asked me: “What should we do before Android device management is deprecated?”. The question matters because Google has announced that Android Device Management will be deprecated in the upcoming version (Android Q). In other words, you need to take action soon to avoid losing currently managed devices once Android Q is released. The release is currently expected somewhere in Q3 or Q4 2019.

This blog series describes my preferred way of mitigating the risks. The solution direction is based on the features available in Intune 201901, for example the Android Enterprise management capabilities.

Android device management deprecated in Android Q, what is the impact for me?

This announcement has a high impact on both employees and the IT department, because users need to re-enroll their Android mobile phone(s), a manual process that takes about 15-20 minutes. It is therefore smart for the IT department to use the time between today and the release of Android Q to configure a new management style/solution such as Android Enterprise. You can already mitigate the risk of losing devices by using a mixed-mode management style. Were you already aware of this option?

Although the deprecation of Android device management sounds very scary, it does not apply to every device. You need to find out which devices are impacted and then ask their users to do a manual enrollment in Intune. Note that only devices for which the vendor (Samsung, Sony and so on) makes an upgrade to Android Q available will need to be re-enrolled someday. It is plausible that this will be only a selection of the devices currently running Android 9, which means that devices running Android 8 or lower won’t be impacted at all! You do need to consider whether you want to replace those devices from a security perspective. In almost any organization, the security officer requires the IT department to set the compliance rules to the (N-1) version. This can mean that the devices are replaced instead of being kept until they are amortized.

The new management profile is only activated when the user resets or replaces the phone.

Why is it so difficult to choose an Android profile?

Android device management is probably the preferred Android management option for organizations. It is easy to configure and easy for employees to understand. As soon as you move to Android Enterprise there are functional differences you need to be aware of, for example:

Example:
You need to explain that company apps are separated from the other apps. From a user perspective this means there are limitations in functionality if you want to use company data in applications that are not marked as company applications. An application like WhatsApp requires access to the (business) contact list before it can ‘translate’ phone numbers into names. Because the WhatsApp application is not marked as company-owned, it does not have access to the contact list, with the result that phone numbers are presented instead of contact names.

Step #1 – Investigate the currently running Android versions

The security staff have a lot of wishes and demands about the way mobile devices should be managed. In almost every case one of the requirements is that a device must be reset to factory defaults when the wrong PIN has been entered xxx times. This demand can only be met if every device is running Android 8 or higher. In general, none of the enterprises where I did an assessment of Android devices (see the screenshot for an example of the results) can meet this requirement. Maybe the security people can push organizations to accelerate their device replacements after all?

Tip: you can easily obtain these insights by building your own Power BI report on the Intune Data Warehouse service.

Which management (security) features do you really require?

Now that you have insight into the Android versions currently in use, you can start determining which management capabilities are available. The overview below lists highly demanded features and the Android version from which each is available.

Table: Overview of Android versions and management capabilities with Microsoft Intune

Android version – Features

Android 4.4

  • Oldest Intune-supported version

Android

  • Support for the Android work profile
  • Certificate distribution

Android 6

  • Android Enterprise
  • (Advanced) Wi-Fi configuration management

Android 7

  • Capability for end users to temporarily enable and disable the work profile
  • Turn the location (GPS) on or off
  • Device lock on the work profile (for example biometrics or a PIN passcode), separated from the built-in device lock
  • Control of notifications (hide applications with possibly sensitive information)
  • Built-in contacts app to call or SMS from the managed application
  • QR code provisioning
  • Advanced certificate management (only for specific apps)
  • Always-on VPN (configuration push, only for specific vendors like Juniper or Cisco)
  • (Remote) device reboot

Android 8

  • Android zero-touch
  • Set app permission policies, for example which (managed) app may access the microphone, camera or GPS
  • List of all installed apps
  • Admin can lock the device and reset the password
  • Delete all device data after XX failed password attempts
  • Admin can delete all device data

Android 9

  • Android Play Protect

Android 10/Q

  • Unknown
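To make Step #1 concrete, here is an added example (not part of the original post) that classifies an exported device list the way this post reasons: Android 9 devices are re-enrollment candidates, Android 8 devices are unaffected and still within the N-1 compliance rule, anything older is a replacement candidate, and for any device it reports which capabilities from the table above its version cannot deliver. The `deviceName`/`osVersion` field names and the sample export are constructed assumptions, modelled on the Intune Data Warehouse devices entity.

```python
import json

# Constructed sample export (not real data); the field names follow the
# Intune Data Warehouse 'devices' entity and are an assumption of this example.
SAMPLE_EXPORT = json.dumps({"value": [
    {"deviceName": "SM-G960-001", "osVersion": "9.0"},
    {"deviceName": "SM-G950-002", "osVersion": "8.0.0"},
    {"deviceName": "XPERIA-003", "osVersion": "7.1.1"},
    {"deviceName": "NEXUS-004", "osVersion": "6.0.1"},
    {"deviceName": "PIXEL-005", "osVersion": "9"},
    {"deviceName": "OLD-006", "osVersion": "4.4.4"},
]})

# Minimum Android major version per capability, taken from the table in this post.
CAPABILITY_MIN_VERSION = {
    "work_profile_device_lock": 7,
    "always_on_vpn": 7,
    "wipe_after_failed_pin_attempts": 8,  # the Step #1 security requirement
    "zero_touch": 8,
    "play_protect": 9,
}
CURRENT_RELEASE = 9  # Android 9 is the newest release at the time of the post; N-1 is 8

def major_version(os_version):
    """'8.0.0' -> 8; osVersion is exported as a dotted string."""
    return int(os_version.split(".")[0])

def classify(record):
    """Map one device to the action this post describes for its Android version."""
    major = major_version(record["osVersion"])
    if major >= CURRENT_RELEASE:
        return "re-enroll"   # may receive Android Q: needs manual Android Enterprise enrollment
    if major >= CURRENT_RELEASE - 1:
        return "keep"        # not impacted by Q and still within the N-1 compliance rule
    return "replace"         # not impacted by Q, but below N-1: replacement candidate

def missing_capabilities(record):
    """Capabilities from the table that this device's Android version cannot deliver."""
    major = major_version(record["osVersion"])
    return {cap for cap, minimum in CAPABILITY_MIN_VERSION.items() if major < minimum}

def assess_fleet(export_json):
    """Group device names by action, preserving the order of the export."""
    result = {"re-enroll": [], "keep": [], "replace": []}
    for record in json.loads(export_json)["value"]:
        result[classify(record)].append(record["deviceName"])
    return result

if __name__ == "__main__":
    print(json.dumps(assess_fleet(SAMPLE_EXPORT), indent=2))
```

Feed it the JSON returned by your own Data Warehouse export instead of `SAMPLE_EXPORT` to get the same three lists for your fleet.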

Summary

It is important to investigate how you can use an alternative management profile for your Android devices before Android Q is released. It’s smart to start the transition as soon as possible to decrease the risk of losing managed Android devices. This blog described only the first step: investigating your currently managed Android devices, and listing the most important and required Android management capabilities for enterprise organizations.

Next blog in the series – Android Device management deprecated

In the next part of this blog series, I will describe how to configure mixed-mode Android management in Intune (Feb 2019).

Additional documentation and clarifications:

  • Google announcement Android device management;
  • Details of technical capabilities for the Android work profile can be found here;
  • Samsung Knox can add more capabilities for managing devices via Intune, but you lose the freedom to choose any Android device (Samsung Knox only). Due to this limitation it is not aligned with the goals of the modern workplace, where you can buy a device with any of the supported operating systems and be productive;
  • Overview of Android work profile available in countries;
  • Android Enterprise feature list;