Hello, everyone. This week, let us learn how to migrate devices enrolled in device admin mode to Android for Work in Intune. In our previous blogs, we discussed enrolling users in Android for Work and the various Android Enterprise enrollment modes, such as fully managed enrollment, dedicated mode (kiosk mode) enrollment, and corporate devices with work profiles.
In the early days of device management, Android devices were enrolled in device administrator (device admin) mode. In this mode there is no segregation between work and personal data: the MDM has complete control over the device, because the MDM agent is granted full admin access over the enrolled device. Device admin was introduced in Android 2.2. With newer OS releases, more advanced management features became available in Android Enterprise.
Google also started limiting and deprecating Android device administrator management in 2020 to encourage organizations to move to Android Enterprise, which offers a more secure way of managing devices. Microsoft Intune is also ending its support for device administrator devices with access to Google Mobile Services in August 2024.
So, it is advised that you migrate your BYOD devices to Android for Work. In this article, we will discuss how to enable your users to migrate their personal devices, which are enrolled in Android device admin mode, to Android for Work with almost no user impact. By the end of this article, you will be able to enable your users to migrate their devices in four simple steps.
| Step | User Action |
|---|---|
| 1 | Remove the device from device admin |
| 2 | Create the work profile |
| 3 | Activate the work profile |
| 4 | Confirm device settings |
Block Device Admin Mode Enrollments
When your organization starts migrating devices, we must block new device administrator enrollments in Intune and enable Android for Work for new enrollments. This can be achieved with the help of enrollment restrictions. Let’s see how to create an enrollment restriction that blocks device admin enrollment.
- Sign in to the Microsoft Intune admin centre.
- Select Devices > Enrol devices
- Click on Enrollment device platform restrictions
Now click on Android restrictions and then on Create restriction. In the initial days, we had a single tab that was used to create platform restrictions for all kinds of devices. Recently, Microsoft segregated the platform restrictions per OS.
Now, on the Basics page, provide the name and description for the platform restriction. A device platform restriction can block a specific model or BYOD devices from enrolling in the Intune environment. Click on Next.
We have two options in the Platform settings section: Android Enterprise (work profile) and Android device administrator. As we need to block Android device administrator, select Block next to Android device administrator. We can also block or allow enrollment in Intune based on a specific Android OS version by specifying the minimum and maximum OS versions allowed next to Android Enterprise (work profile).
Now click on Next to go to the Scope tags screen. Add scope tags if you use any; otherwise, click on Next to go to Assignments. Click on Add groups and add the user group. Then click on Next to the Review and Save page, review the settings, and save the restriction. From now on, users in the assigned group will be enrolled in Android for Work mode when they enrol.
Create a Conditional Access Policy
We have discussed many conditional access policies in our previous blogs. Conditional access policies play a crucial role in many of our requirements. Here, we need a conditional access policy that blocks non-compliant devices.
You may ask why. We will create a compliance policy that marks all Android device admin devices as non-compliant. This way, we block those users from accessing corporate data and force them to migrate their devices to Android for Work. To create the conditional access policy, please refer to this article, where we discussed creating a conditional access policy to block non-compliant devices.
Create a Compliance Policy to migrate Device Admin Mode to Android for Work
To migrate devices enrolled in device admin mode, we need to create a compliance policy that marks every such device as non-compliant.
- Sign in to the Microsoft Intune admin centre.
- Select Devices > Android
- Click on Compliance Policies
We need to create an Android device admin compliance policy. Click on Create policy, select Android device administrator under Platform, and click on Create.
On the Basics page, provide the compliance policy’s name and description, and click Next to go to the Compliance settings page, where we create the compliance rule.
Now click on the Device Health tab and select Block next to Devices managed with device administrator. Do not add any other compliance rules to this policy. Click on Next.
Now, on the Actions for noncompliance page, set Mark device non-compliant to Immediately, so that a device is marked as non-compliant as soon as it syncs with Intune. You can also configure an email notification to inform the users. Alternatively, you can delay marking devices as non-compliant according to your organizational requirements.
After configuring the required actions, click Next. On the Assignments page, click Add group and add the required groups, then click Next to go to the Review + create page. Review the settings and create the policy.
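Once the compliance policy is assigned, it helps to know how many devices are still on device admin and which of them have not yet synced and been marked non-compliant. The following PowerShell script is an added example, not from this article, using the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph.DeviceManagement module is installed and that managedDevice.deviceType reports 'android' for device administrator enrollments and 'androidForWork' for work profile enrollments (an assumed mapping to verify in your own tenant).

```powershell
# Added example (not from the original article): report Android devices by
# management mode so the device admin to work profile migration can be tracked.
# Assumption: deviceType 'android' = device administrator, 'androidForWork' =
# work profile, 'androidEnterprise' = fully managed / dedicated. Verify first.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"

# Pull every Android device; the server-side filter keeps the result set small.
$android = Get-MgDeviceManagementManagedDevice -All `
    -Filter "operatingSystem eq 'Android'"

$report = foreach ($d in $android) {
    $mode = switch ($d.DeviceType) {
        'android'           { 'Device administrator' }
        'androidForWork'    { 'Work profile' }
        'androidEnterprise' { 'Fully managed / dedicated' }
        default             { "Other ($($d.DeviceType))" }
    }
    [pscustomobject]@{
        DeviceName       = $d.DeviceName
        User             = $d.UserPrincipalName
        ManagementMode   = $mode
        ComplianceState  = $d.ComplianceState
        LastSync         = $d.LastSyncDateTime
        # A device admin device that is still 'compliant' has not picked up the
        # new policy yet, so its user has not been prompted to migrate.
        MigrationPending = ($mode -eq 'Device administrator')
    }
}

# Devices still on device administrator, oldest sync first: the ones to chase.
$report | Where-Object MigrationPending |
    Sort-Object LastSync |
    Format-Table DeviceName, User, ComplianceState, LastSync -AutoSize

# Progress summary: how many devices remain in each management mode.
$report | Group-Object ManagementMode |
    Select-Object @{ n = 'ManagementMode'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Export for the migration tracker.
$report | Export-Csv -Path ".\android-migration-status.csv" -NoTypeInformation
```

Re-run the script periodically; a shrinking "Device administrator" count and a growing "Work profile" count show the migration progressing.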
End User Experience
Let’s see how users are prompted to migrate their devices to the new device management mode. To demonstrate, I enrolled a Samsung device in device admin mode and assigned the compliance policy to it. As soon as the device synced with Intune, it was marked as non-compliant, because I set the action to Immediately.
When the user clicks on the non-compliance reason, the user is prompted to resolve the non-compliance. When the user clicks on Resolve, the user is taken to the new device management setup, i.e., Android for Work. Click on Begin, and the user is prompted to connect to a proper Wi-Fi network and back up local files.
Once the user clicks Begin, the Company Portal first removes the device from device admin mode. In the second step, the user’s work profile is created; the user needs to click Continue to start creating the work profile. When moving to Android for Work, the user is shown privacy statements describing what the organization will and will not be able to see.
As I am using a Samsung device, I must agree to the Samsung Knox privacy policy; this step (step 6) may not be the same on all devices. In the subsequent steps, Intune starts setting up the profile, and users need to wait a few minutes for the work profile to be finalized. Once done, Intune activates the work profile. Click on Continue to activate the work profile.
While activating the work profile, Intune registers the device as an Android for Work device, finalizes all the settings, and activates the work profile. Click on Done to complete the migration.
Once the migration is complete, users are shown how to identify the work profile and the managed Play Store. When you go to the home screen, you can verify that a work profile has been created for the user. Users can view all the work-related apps in that profile.
Conclusion
This is how users can migrate their devices from device admin mode to Android for Work in four simple steps. If you want to migrate devices to Android Enterprise corporate mode, the devices must be formatted; there are no simple steps for that. I hope you like this article. We will meet another day with another article. Till then, have great learning.
Author
About the author: Narendra Kumar Malepati (Naren) has 11+ years of experience in IT, working on different MDM tools. Over the last seven years, Naren has been working on various features of Intune, including migration from different MDMs to Intune. Naren mainly focuses on Android, iOS, and macOS.