Understanding Android Management with Intune | Android Enterprise

In this article, I will discuss Android Management in general with Intune, how it has evolved, and the different management modes that are available on Android Enterprise.

A dive into the evolution of Android Management – the demise of Device Admin API and the way forward with Android Enterprise.

I have also tried to explain why Device Admin mode failed, leading to its deprecation, and the way forward to Android Enterprise – how to plan if you still have Android devices in your environment managed via legacy Device Admin mode.

Let’s get started.


Android Management with Intune

Android is the undeniable leader (?) in the Mobile OS market, and its popularity comes down to the fact that the core source code is open-source. This has led to many variants of Android we see today in the market.

Though Android continues to lead the market, iOS is preferred in enterprise IT scenarios due to its security (iOS is Apple proprietary and a closed ecosystem) and consistent management capabilities (since only Apple manufactures iPhones/iPads).

When we look down at the Android space, there are numerous OEMs in the market, and each has Android customized to suit their needs –

  • Xiaomi smartphones run MIUI based on Android
  • Vivo smartphones run FunTouch OS based on Android
  • Oppo smartphones run Color OS based on Android
  • HTC smartphones run Sense UI based on Android
  • Samsung smartphones run One UI (previously TouchWiz) based on Android

Only a few OEMs manufacture smartphones running stock Android with bare minimum modifications made to the source code, like Nokia, Motorola, and Google’s own Pixel devices, to name a few.


NB: The phones under the Android One program also offer a stock Android experience.

When we discuss the Enterprise scenario, administrative capability and manageability become the top priorities for IT admins. We all want to control the devices that are used in our enterprise landscape, don’t we?

Mobile Device Management came into existence due to mobile devices sneaking into corporate workspaces and more employees using portable devices to access the data required to perform their work.

Android originally introduced support for the management of mobile devices in Android 2.2 (Froyo) with the Device Admin APIs, and this remained the only way of managing Android devices until Android 4.4 (KitKat).

What led to the demise of the Device Admin management mode?

Android 2.2 was launched in 2010, and Android 4.4 in 2013. Over these three years, it became clear that Android’s Device Admin management mode was inconsistent and fell short in many enterprise use cases, making iOS devices the first choice for enterprise scenarios.

The Device Admin API falls short in the scenarios below (as far as I can think of):

  • Separation of work content from personal content in BYOD devices
  • Distribution of business applications through Google Play
  • Setting factory reset protection (FRP) to ensure devices remain managed and can be recovered when employees leave.
  • Secure reset of device passwords on encrypted devices.
  • Prevent removal of the device administrator.
  • Establishment of admin-defined passcodes to lock the user out of a device.

Administrators cannot manipulate and control much beyond basic security policies and perhaps a simple email or Wi-Fi configuration.

When I mentioned inconsistent behavior in device manageability, you can understand it essentially comes down to having numerous Android variants.

The reason is that the Device Admin APIs were not a standard part of the Android Source code, but Google provided it as an optional package.

As such, when creating their own variants, OEMs (as mentioned above) many times decided to omit the management APIs provided by Google and integrate their in-house APIs instead.

In such a scenario, no EMM solution can provide a consistent management experience across a wide range of managed Android devices.

On the other hand, Samsung devices have had deep EMM integration via the KNOX standard APIs incorporated into them, which has given EMM solutions an abundance of restrictions, excellent visibility of device posture, integration with corporate back-end solutions, and more flexibility in how a device is deployed.

More restrictions are available on a Samsung KNOX device than an equivalent work-managed device as Google continues to work towards feature parity.

However, Samsung KNOX devices still succumb to Device Admin mode shortcomings.

  • Need to enable unknown sources for LOB application deployment from EMM provider,
  • Require device administrator permissions for the DPC,
  • Need for a Google account for application management (there are some APIs for silent application installation. However, these are based around in-house applications, not public Play Store apps).

The Device Admin management mode has always been “all or none.”

Device Admin mode has been considered legacy since the introduction of the Android Enterprise Management APIs with Android 5.0 (Lollipop) and was marked deprecated with Android 9. Many features were removed in the subsequent release, with full decommissioning with the release of Android 10.

Understanding Android Management with Intune | Android Enterprise - Fig.1

Android Enterprise – A standard

With Android Enterprise Management APIs, Google did not repeat the mistake of leaving them optional like in the case of the Device Admin APIs but instead made them a standard package in the Android Source code.

As a result, an OEM that takes the source code now and makes heavy modifications will still have the management APIs intact, resulting in consistent management behavior across the device range.

Did anyone ask about the benefits?

  • Consistent manageability irrespective of OEM.
  • Managed Google Play store to help deploy LOB apps without enabling Unknown Sources.
  • Ability to wipe only corporate data leaving personal data intact for Work Profile devices.
  • Various management modes suit the different requirements in an Enterprise scenario.

With advancement and evolution over the years, Google with Android Enterprise has positioned Android as a good fit for enterprise use.

Still, we might see inconsistency in rare cases due to the OEM’s changes to the Android source code, leading to a bug.

Google insists that OEMs use Android’s inbuilt security features instead of making changes to the core kernel.

According to Google’s Project Zero security team, several phone makers have tinkered with the software to make their devices more secure. However, they have made the phones vulnerable to serious security bugs in the process. This includes Samsung, whose tinkering with the Android Linux kernel has exposed the company’s devices to a range of threats.

Intune and Android Management

Below is a schematic representation of the different Android management modes available with Microsoft Intune.

Understanding Android Management with Intune | Android Enterprise - Fig.2

Leaving aside the legacy and now deprecated Device Admin management mode, Android Enterprise management in Intune supports:

  • Profile Owner mode (BYOD), which we still often say is Android for Work
  • Device Owner mode (COD)

Device Owner mode again gives you a choice of two types of device management.

  • Fully Managed (COBO)
  • Dedicated Device (COSU)

If you check the Google documentation for Android Enterprise, you will see that Device Owner mode supports one more scenario: Fully Managed with Work Profile (COPE); however, this is not supported in Intune yet.

Understanding Android Management with Intune | Android Enterprise - Fig.3

How to decide the mode of management – Migrating from Device Admin to Android Enterprise (Android Management)

If you are still managing Android devices in your organization using the Legacy Device Admin method, it’s high time you start migrating to Android Enterprise.

Below is a decision flowchart to help plan the mode of AE management required as per environment requirements.

Understanding Android Management with Intune | Android Enterprise - Fig.4

Ending – Android Management with Intune

I hope this article helps you understand the evolution of Android Management and the current supported Android management scenarios with Intune.

Once again, if you are still managing Android devices using the legacy Device Admin mode, it’s high time to start planning the migration to Android Enterprise.

I will end this today but follow up with the internals of AE management sometime later. Until then, keep reading and keep learning!


Author

Joymalya Basu Roy is an experienced IT service professional with almost 5 years of experience working with Microsoft Intune. He is currently working as a Senior Consultant – Architect with Atos India. He is an ex-MSFT where he worked as a Premier Support Engineer for Microsoft Intune. He was also associated with Wipro and TCS in the early stages of his career. He was awarded the Microsoft MVP award for Enterprise Mobility in 2021. You can find all his latest posts on his own blog site MDM Tech Space at https://joymalya.com
