Announcing End-of-Support for Device Admin Enrollment
Aug 01, 2022 | 42Gears Team
In line with Google’s End of Life announcement for Device Admin (DA) within 2022, 42Gears will not provide new features or bug fixes for Android Enterprise supported devices in DA enrollments from October 1st, 2022. This means that if you are one of our MDM customers, you should migrate all supported devices running Android Lollipop and above that have Android Enterprise support to Android Enterprise as soon as possible.
DA, being a legacy form of Android management, couldn’t match the growing needs of enterprises with its outdated security model and lack of clear demarcation of work and personal profiles. Android Enterprise, on the other hand, comes with advanced security features, and is now the standard method for enrolling devices. Because a Device Admin can be enabled by any application that the user authorizes, it doesn’t support several enterprise use cases, such as:
- Setting Factory Reset Protection (FRP) to ensure devices remain managed and can be recovered when employees leave.
- Secure reset of device passwords on encrypted devices.
- Preventing the removal of the device administrator.
- Establishment of admin-defined passcodes to lock the user out of a device.
- Asset tracking, OEM configuration, certification management, and most importantly, BYOD deployment.
How to find which mode your device is in?
Once you log into the SureMDM console, check the Android Enterprise column to see which mode your device is in.
“Profile Owner” and “Device Owner” indicate that the devices are enrolled in Android Enterprise mode, whereas “Not Enrolled” indicates that they are in Device Admin mode. “Not Supported” indicates the device (Android version 5.0 or below) is not supported for Android Enterprise enrollment.
Why is Device Admin being deprecated by Google?
i) Enrollment is manual
DA enrollment is a manual process that requires an IT Admin to go through the entire setup procedure. Users have to go through additional steps and manually download the EMM agent via Google Play or sideload it. With Android Enterprise, enrollment can be as simple as scanning a QR code, and the EMM agent is automatically installed on the user device.
ii) Limited control
When EMMs implement management APIs, the EMM agent must have device administrator access, which the user should provide. Aside from basic security policies and simple email/WiFi/password configuration, device admins don't have much control over a legacy-managed Android device.
iii) Misuse of permissions by the user
With Device Admin, app permissions can be given only by the end-user. As a result, an accidental or intentional denial of a critical permission is very likely, leaving managed applications dormant. This issue is manageable when only a few devices are affected. However, when a significant population is affected, the time and associated costs can increase, resulting in loss of worker productivity.
iv) App conflicts
There is no sole "owner" of a device. A device can be controlled by any number of device admin-enabled apps, each with as many DA permissions as its developer desires. This may lead to app conflicts and device malfunctions.
v) There is no future for Device Admin
Even if DA were considered acceptable today, its functionalities have been deprecated since 2017, so this legacy device management has no future. Enterprises will have to transition to Android Enterprise to avoid a loss in functionality and user experience. Feature support in Device Admin administration has been phased out after Android 10 releases.
Which devices would/wouldn't be affected?
The following devices are not impacted while running on Device Admin:
- Devices running Android KitKat or lower
- AOSP devices or non-GMS devices
- Devices that are not compatible with Android Enterprise
- Android Wear and Android VR devices
- Non-Android devices (Windows, iOS, Mac, Linux, etc.)
These devices, however, will be impacted:
- All devices that have the Play Store and run Android 8.1 or above
- Devices running Android 5 and above that are compatible with Android Enterprise
In the near future, Android Enterprise (AE) will be the default device management tool supported by EMMs. To make sure that devices are managed properly in the long run, it is time to migrate them from DA to AE.
Why Android Enterprise?
Android Enterprise gives admins full management control of the apps, data, and settings on company-owned devices. It provides flexibility by provisioning work profiles (work only, mixed use, dedicated) without compromising on corporate data and employee privacy. At the OS level, Android Enterprise creates a secure, isolated container that separates business data from personal data on BYOD devices. With no changes required to the native Android user interface or to Android applications, all business apps can be easily deployed and securely accessed from work containers. Here is why you should migrate to AE:
How 42Gears can help you transition to Android Enterprise, and the role of SureMDM
42Gears is an Android Enterprise Partner and a certified Google Android Enterprise solution provider, and offers full support for Android Enterprise deployments.
SureMDM integration with Android Enterprise provides a flexible and effective way to enable employees' personal devices for work and to counter the security risks that come with doing so. It allows admins to create secure work containers by separating business and personal apps, and it restricts specific insecure functions.
In addition, SureMDM also offers:
- SureMDM App Store – Admins can distribute, control and manage mobile applications on employee- or company-owned devices. Users can easily download apps from the list of corporate-approved apps in the app store.
- Disabled App Sideloading – Admins can block the installation of apps from unknown sources, enhancing device security and preventing misuse.
- Customized App Permissions – Admins can exercise fine-grained control by allowing or revoking individual permissions requested by apps.
- Managed Configuration – Enterprise apps supporting Android’s Managed Configurations framework can be configured remotely using SureMDM.
- Enterprise Wipe – When an employee leaves the company, the admin can just wipe the work container, deleting all apps and data within, leaving personal apps and data untouched.
The next critical step for your organization is to migrate to Android Enterprise to improve capabilities, data security, and employee productivity. For a step-by-step guide on how to migrate from DA to AE when using SureMDM, refer to this knowledge base article. Do you have any questions for us? Drop a line here.