Recently Microsoft released a feature that enables you to manage the move to Android Enterprise with Intune and force your users to move from Android device administrator to Android Enterprise work profile. As Google removes more and more device administrator support with each release, this is a very useful feature. Staying with Android device administrator management is not an option if you want to manage your Android 10 and above devices.
This new feature utilizes device compliance and will tell your users that they need to move to the new management to stay compliant on their devices. It guides the users through the migration process and effectively blocks users from accessing email and other Azure AD integrated resources if they don't make the move.
This post will guide you through how to block users from enrolling into Android device administrator management, and through the setup of the new device compliance policy that will trigger your users to start the migration to Android Enterprise work profile.
Blocking Android device administrator
This feature is not new; we have had this option for a long time. But I still see many tenants that have the default setup where every platform is enabled for enrollment, or where even Android Enterprise (work profile) is blocked.
If your settings look like the picture above and you want to block Android device administrator for all users, just edit this setting to Block and your users will no longer be able to enroll with legacy management. It will not affect your currently enrolled users at this stage. If you want a staged rollout of this restriction, create a new enrollment restriction and target it at a group of users.
In the Microsoft Endpoint Manager admin center, go to Devices -> Enroll Devices -> Enrollment restrictions, click on Create restriction and choose Device Type Restriction.
Give the policy a descriptive name and maybe a description, and click on Next.
Flip Android device administrator to Block and click Next. Assign the policy to a pilot or staging group before you click Next and then Create. You have now effectively blocked those targeted users from getting enrolled into Android legacy management. You can always switch this assignment to All Users at a later stage. Just make sure this policy has a higher priority than your other policies.
Notify your users
Now that our users are no longer able to enroll into legacy management and we have made sure that Android Enterprise (work profile) is allowed, it's soon time to set up the compliance policy that will tell the users to move over. But before we do that, I recommend that you create a notification policy, so that your users are notified in good time before their device is marked noncompliant by this policy.
Go to Microsoft Endpoint Manager admin center -> Devices -> Notifications and click on Create notification.
Give it a name and a subject, and write the message you want to send out to your users. If you have set up branding for the Company Portal, you can also include your logo and contact information automatically. This notification message will be sent to your users when we activate the new compliance policy.
Migration Compliance policy
Go to https://endpoint.microsoft.com -> Devices -> Android -> Compliance Policies and click on Create policy. Select platform Android device administrator and click on Create.
Give your new policy a descriptive name and click on Next.
In the list of compliance settings, set Devices managed with device administrator to Block. Click Next on Locations.
In the Actions for noncompliance you should give the users some days to act on this before you cut their access to email and other services. I have chosen to set this to 7 days. Add a second action – Send email to end user – and choose the notification email template you created earlier.
Click Next and assign to the group of users you want to move over. I would start with a staged approach, combining this with the block group you defined earlier. Now the targeted users will get emails to migrate to Android Enterprise (work profile) and have a grace period of 7 days to do so. You will also see in the admin portal that the Android device administrator devices are in grace period.
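As an added example that is not part of the original post, here is the same compliance policy expressed as a Microsoft Graph call from PowerShell, so the Block setting, the 7-day grace period and the notification action can be deployed and reviewed as code instead of clicked through. It assumes the Microsoft.Graph PowerShell module and that the Graph beta property names used here (securityBlockDeviceAdministratorManagedDevices, scheduledActionsForRule) are correct for your tenant; the template and group ids are placeholders.

```powershell
# Added example (not from the original post): create the Android device
# administrator migration compliance policy through Microsoft Graph.
# Assumption: Microsoft.Graph module is installed and the beta property
# names below match the current Graph reference; verify before use.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

# Placeholders: id of the template made under Devices -> Notifications,
# and the pilot group that also received the enrollment restriction.
$notificationTemplateId = "<NOTIFICATION-TEMPLATE-ID>"
$pilotGroupId           = "<PILOT-GROUP-ID>"

$policy = @{
    "@odata.type" = "#microsoft.graph.androidCompliancePolicy"
    displayName   = "Android DA - migrate to work profile"
    description   = "Device administrator devices become noncompliant after 7 days"
    # Portal setting "Devices managed with device administrator: Block"
    securityBlockDeviceAdministratorManagedDevices = $true
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"   # fixed rule name Intune uses for the action set
            scheduledActionConfigurations = @(
                # Send the notification email right away (no grace period)
                @{ actionType = "notification"; gracePeriodHours = 0
                   notificationTemplateId = $notificationTemplateId; notificationMessageCCList = @() },
                # Mark the device noncompliant after 7 days = 168 hours
                @{ actionType = "block"; gracePeriodHours = 168
                   notificationTemplateId = ""; notificationMessageCCList = @() }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Assign the new policy to the pilot group only (staged rollout)
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                       groupId = $pilotGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"
```

After running it, the policy appears under Devices -> Android -> Compliance Policies with the same two noncompliance actions the portal steps above produce.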
The user experience
Let's assume that the end users start by getting the email from Intune. The email, based on my example template, will look like this, with my company logo.
The user would then hopefully (you never know what users do) open the Company Portal, where they would see a notification that the device needs to update its settings. Below is a picture gallery of all the screens the user is guided through during the process.
This concludes the move. Have fun with your testing and migration.
The official docs on this can be found here:
I have a Conditional Access policy that requires the device to be compliant for access to Exchange Online. After migrating one user to Android Enterprise work profile, the user is no longer compliant.
I have an Android Enterprise work profile compliance policy that the test user is part of, and it marks the device as compliant, yet the CA states the client does not have access to Exchange due to the device not being compliant.
Every system says the device is compliant, but the sign-in logs say otherwise. What am I missing?
Are you actually accessing Exchange from within the work profile? When using Android Enterprise work profile, any access from outside the work profile will be blocked by your CA rules.
Okay. So when the pilot user was using the native Samsung mail/calendar applications with Android device administrator, they would now fail to work due to being outside of the work profile.