Today, let’s explore how to Streamline your Android OS Updates using Intune. Intune helps IT admins take control of Android OS updates for their Corporate Devices. Managing OS updates is critical for any organisation.
In today’s world, keeping your device fleet OS up to date is a foremost task for your IT admins. Operating System updates often contain bug fixes, security features, new features, stability improvements and critical bug fixes. It is always advised to keep your device fleet up-to-date with the latest OS updates.
Relying solely on end-users or default device settings for Android OS updates on corporate devices is not a good idea. Your organization should take control over the OS updates on Corporate devices in order to protect the corporate data from malicious attacks.
It is easy to manage manually for a few devices. Managing device fleet of hundred and Thousands of devices will be a challenge to any organisation. If you do not take control of the OS updates it will disrupt the user experience. It is always advisable to update any device in timely fashion improve your company’s security and compliance posture, reducing the risk of exposing your devices to malware and vulnerablities.
Table of Contents
Types of Android OS updates
Before managing Android OS updates, we should understand what Android OS versions and their release patterns are. Google releases a new Android OS version every year. The current Android OS version is Android 15, also known as Vanilla Ice Cream(previously named after desserts and dropped from Android 10). Android 16 is due later this year, 2025. Google releases 2 types of Android updates
- Operating System Upgrades
- Security Updates
Operating System Upgrades: These upgrades are released once in a year. They usually contains new features, UI changes, and perfomance improvements and additional security features. These updates are associated with a new Android Version for example Android 15, Android 14 etc.
- How to Block OS Updates on iOS Devices using Intune
- Protect Corporate Data using Data Loss Protection Policies with Microsoft Purview Portal
Security Updates: These updates do not have much changes to UI. These are released by Google every month and often contains security improvements, Bug fixes, Stability improvements. These updates are depends on your manufacturer and the age and model of your device.
Manage Android OS Updates using Intune
Intune manages Android devices primarily through the Android Enterprise framework. This framework provides standardized management APIs across different device manufacturers, bringing order to the sometimes fragmented Android ecosystem.
Intune doesn’t store or host the OS updates, but it allow admins to configure the policies which in turn tell the Android devices how or what to do when and OS update is made available to the devices by the manufacturer or OEM or Carriers.
As an Intune admin the control over Android OS updates depends on the mode enrollment of the devices. Devices that are enrolled as Corporate Owned Fully Managed, Corporate Owned Dedicated devices and Corporate Owned Personally Enabled devices provide full control over the OS updates. Updates on Personal owned devices cannot be managed.
Configuring Android Update Policy in Intune
Intune provide granular contorl for managing the updates. This can be configured through a Device Configuration profile for Android devices. Let’s see below how we can manage and options available in Intune for Android devices.
- Login to Microsoft Intune Admin Center
- Click Devices > Configuration > Create > New Policy
- Select Platform as Android Enterprise
- Select Profile Type as Device Restrictions
- Click on Create
Now provide Name and Description to the Policy. Provide a valid name to identify the policy and you can add change number or what is the policy about in the description to identify why we created this policy, this is the best practise which we need to follow while creating any configuration in Intune.
Now the in the configuration setting page, the Restrictions are grouped together in different categories. Software updates configurations are available in General category. So click on Genearal and look for System update.
The Intune gives you 4 options to manage the Software updates the options are as below.
| Value | Function |
|---|---|
| Default | This is the default value, when set the updates are available and install as per device settings |
| Automatic | When we set to Automatic, the devices will install updates as soon as the updates are made available to the device |
| Postpone | When System updates are set to Postpone, Intune will not allow users to update the devices for 30 days, after 30 days users are prompted to install the updates |
| Maintenance window | In Maintaince Window settings, we need to provide a maintainance window in which the device can install update |
Use the above table to make a decision on how you want to manage the updates. Select the options as per your organizational requirement and click on Next to proceed to assign the policy end users. Intune also provide Annual Freeze periods for system updates. In Maitenance Window Mode, we need to select Start Time and End time. Updates will be installed during the Maintenance window.
Add Scope tags in the Scope page if you have any scope tags. Click on Next to the Assignment page, Click search for the user group to which we need to assign the policy. We can assign this policy to users, this policy doesn’t apply for BYOD devices.
NOTE: When we set the Updates to Maintenance window, device will try to install the updates during the Maintenance window upto 30 days, after 30 days, Android will prompt to install the updates
Once the assignment is done, click on Next to move to Review+Create screen. Review the policy and if you need to make any changes click on Edit and make the changes and Create the policy. This will create the Software Update policy and aissgn to only the devices that are enrolled as Corporate devices method.
As mentioned above, Intune also provide your Freeze period for System updates to freeze the OS updates. An organization can freeze updates upto 90 days. This freeze period can be used when people go on vacation especially during December period.
Click on Start date enter start date of the freeze period as MM/DD format (04/23) for 23rd April. Similarly enter the End date as MM/DD format(06/24) for 24th June. We can have multiple freeze periods. Make sure there is a minimum of 60 days of gap between any two freeze periods.
Once the freeze period is over, the software updates are deliverd to the device as per the setting configured in System update settings. So, while creating the freeze period we need to create the System updates behavior as per your organization requirement.
Note: When we postpone the System updates, monthly security updates cannot be postponed, users an update their devices manually. It postpones major updates like quarterly updates or Version updates like Android 14 to Android 15. During Freeze period, even monthly updates are blocked from installing.
User Experience
Now let’s see how the devices behave when this policy assigned, for our discussion I have enrolled a device as Corporate Owned Fully Managed device and assigned the policy we created above. Now to check the device update Open settings –> System update(depending on the device you are using the steps may chage to check system update).
I cannot check for the updates. I got the toast message as “System updates are managed by your organization” as shown in above screenshot. The OS updates for Android are depends on individual OEMs. So before deploying the Software Update policy for Android devices, we need to be more cautious.
Conclusion
With Microsoft Intune, now we can manage the Android OS updates. It provides necessary controls wither install automatically, postpone or schedule the OS update as per your organizational requirements. By implementing Software update policies enhances the organization’s security posture.
Need Further Assistance or Have Technical Questions?
Join the LinkedIn Page and Telegram group to get the latest step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, Join the WhatsApp Community to get the latest news on Microsoft Technologies. We are there on Reddit as well.
Author
About Author – Narendra Kumar Malepati (Naren) has 13+ years of experience in IT, working on different MDM tools. Over the last seven years, Naren has been working on various features of Intune, including migration from different MDMs to Intune. Naren mainly focuses on Android, iOS, and MacOS.