In this article, I will be talking about Android management in general with Intune – how the management has evolved and the different management modes that exist with Android Enterprise.
A dive into the evolution of Android Management – the demise of Device Admin API and the way forward with Android Enterprise…
I have also tried to explain why Device Admin mode fell short, which led to its deprecation, and the way forward with Android Enterprise – how to plan if you still have Android devices in your environment managed via the legacy Device Admin mode.
Let’s get started.
Android is arguably the leader in the mobile OS market, and much of its popularity comes down to the fact that the core source code is open source. This has led to the many variants of Android we see in the market today.
Though Android continues to lead the market, iOS is preferred in enterprise IT scenarios due to its security (iOS is Apple proprietary and a closed ecosystem) and its consistent management capabilities (since only Apple manufactures iPhones/iPads).
When we look at the Android space, there are numerous OEMs in the market, and each has Android customized to suit their needs –
- Xiaomi smartphones run MIUI based on Android
- Vivo smartphones run FunTouch OS based on Android
- Oppo smartphones run Color OS based on Android
- HTC smartphones run Sense UI based on Android
- Samsung smartphones run One UI (previously TouchWiz) based on Android
There are only a few OEMs that manufacture smartphones running stock Android with bare minimum modifications made to the source code, like Nokia, Motorola, and Google’s own Pixel devices, to name a few.
NB: The phones under the Android One program also offer a stock Android experience.
When we talk about the enterprise scenario, administrative capability and manageability become the top priority for IT admins. We all want to control the devices being used in our enterprise landscape, don’t we?
The advent of mobile devices sneaking into corporate workspaces and more and more employees using portable devices to get to the data required to perform their work is why Mobile Device Management even came into existence.
Android originally introduced support for the management of mobile devices in Android 2.2 (Froyo) with the Device Admin APIs, and this remained the only way of managing Android devices until Android 4.4 (KitKat).
What led to the demise of the Device Admin management mode?
Android 2.2 was launched in 2010, and Android 4.4 in 2013. In these three years, it became clear that the Device Admin management mode as provided by Android is inconsistent and falls short in many enterprise use cases, which made iOS devices the first choice for enterprise scenarios.
The Device Admin API falls short when it comes to the scenarios below (as many as I can think of):
- Separation of work content from personal content in BYOD devices
- Distribution of business applications through Google Play
- Setting factory reset protection (FRP) to ensure devices remain managed and can be recovered when employees leave.
- Secure reset of device passwords on encrypted devices.
- Prevent removal of the device administrator.
- Establishment of admin-defined passcodes to lock the user out of a device.
Beyond basic security policies and perhaps a simple email/Wi-Fi configuration, there is not much that administrators can manipulate and control.
When I mentioned inconsistent behavior in device manageability, it essentially comes down to the same fact: the numerous variants of Android.
The reason is that the Device Admin APIs were not a standard part of the Android source code; Google provided them as an optional package.
As such, OEMs (as mentioned above), while building their variants, many times decided to omit the management APIs provided by Google and instead integrate their own in-house APIs.
No EMM solution can provide a consistent management experience across a wide range of Android devices in such a scenario.
On the other hand, Samsung devices have had deep EMM integration via their KNOX standard APIs incorporated into their devices, which gave EMM solutions an abundance of available restrictions, excellent visibility of device posture, integration with corporate back-end solutions, and more flexibility in how a device is deployed.
More restrictions are available on a Samsung KNOX device than an equivalent work-managed device, as Google continues to work towards feature parity.
However, Samsung KNOX devices still succumb to the shortcomings of Device Admin mode, namely:
- Need to enable unknown sources for LOB application deployment from the EMM provider,
- Require device administrator permissions for the DPC,
- Need for a Google account for application management (there are some APIs for silent application installation; however, these are built around in-house applications, not public Play Store apps).
The Device Admin management mode has always been the “all or none.”
Device Admin mode has been considered legacy since the introduction of the Android Enterprise management APIs with Android 5.0 (Lollipop) and was marked deprecated with Android 9. Many features were removed in the subsequent release, with full decommissioning in the release of Android 10.
Android Enterprise – A standard
With Android Enterprise Management APIs, Google did not repeat the mistake of leaving them optional like in the case of the Device Admin APIs but instead made them a standard package in the Android Source code.
As a result, an OEM taking the source code now and doing heavy modifications will still have the management APIs intact, resulting in a consistent management behavior across the device range.
Did anyone ask about the benefits?
- Consistent manageability irrespective of OEM.
- Managed Google Play store to help deploy LOB apps without the need to enable Unknown Sources.
- Ability to wipe only corporate data, leaving personal data intact, on Work Profile devices.
- Various management modes to suit the different requirements of an enterprise scenario.
With advancement and evolution over the years, Google with Android Enterprise has positioned Android as a good fit for enterprise use.
Still, we might see inconsistency in rare cases, which again is due to changes made by the OEM to the Android source code leading to a bug.
Google insists that OEMs use Android’s inbuilt security features instead of making changes to the core kernel.
According to Google’s Project Zero security team, several phone makers have tinkered with the software to make their devices more secure. However, they have ended up making the phones vulnerable to serious security bugs in the process. This includes Samsung, whose tinkering with the Android Linux kernel has exposed the company’s devices to a range of threats.
Intune and Android Management
Below is a schematic representation of the different management modes available for Android with Microsoft Intune.
Leaving aside the legacy and now deprecated Device Admin management mode, Android Enterprise management in Intune supports:
- Profile Owner mode (BYOD), which we still often refer to as Android for Work
- Device Owner mode (COD)
Device Owner mode in turn gives you a choice of two types of device management:
- Fully Managed (COBO)
- Dedicated Device (COSU)
If you check the Google documentation for Android Enterprise, you will see there is one more scenario that Device Owner mode supports – Fully Managed with Work Profile (COPE); however, this is not supported in Intune yet.
How to decide the mode of management – Migrating from Device Admin to Android Enterprise
If you are still managing Android devices in your organization using the legacy Device Admin method, it’s high time you start the migration to Android Enterprise.
Below is a decision flowchart to help plan the mode of AE management required as per your environment’s requirements.
I hope this article helps you understand the evolution of Android Management and the current supported Android management scenarios with Intune.
Once again, if you are still managing Android devices using the legacy Device Admin mode, it’s high time you start planning the migration to Android Enterprise.
I will end this today but follow it up with the internals of AE management sometime later. Till then, keep reading, keep learning!