Last year, Google announced the deprecation of certain device administrator APIs in favor of modern management APIs, referred to as Android enterprise (formerly Android for Work). You can also learn more about the deprecation in this video blog post. For customers currently deploying device administrator, moving to Android enterprise can be a major shift, as there are considerations for enrollment, app management and policy management.
This article is meant to provide best practices and answer FAQs for the migration. Google has also provided best practices on the device admin deprecation page.
Configuring the console for migration
Android enterprise profiles are separate from device administrator profiles; it is necessary to re-create profiles for Android enterprise. These profiles are available for configuration after completing the Android enterprise registration.
On consoles lower than 9.4.0, Android enterprise profiles are available under Devices > Profiles & Resources > Profiles > Add > Add Profile > Android > Android for Work.
On consoles 9.4.0 and higher, Android enterprise profiles are available under Devices > Profiles & Resources > Profiles > Add > Add Profile > Android.
Once an app is added to the Workspace ONE UEM console, it can be distributed to device administrator and Android enterprise enrollments.
If a public app has been added to the UEM console prior to Android enterprise registration, follow these steps to ensure the app can be distributed to Android enterprise devices:
- Navigate to https://play.google.com/work (log in with the same Gmail account used to configure Android enterprise), search for the app(s) and approve them for your organization.
- In the UEM console, navigate to Apps & Books > Native > Public > Add Application > select Android as the platform > Import from Play.
- A list of approved apps is shown; click Import.
By following these steps, there will be no impact to existing app assignments. Apps will continue to function for device administrator enrollments. These steps simply ensure the UEM console is aware the app has been approved on managed Google Play. It is now possible to assign this app to Android enterprise enrollments.
No steps are required for internal apps added prior to the Android enterprise registration. Internal apps can be distributed to work managed devices running Android 6.0 and above.
Frequently Asked Questions (FAQs)
Where can I learn more about Android enterprise?
VMware has also introduced a video series to discuss the various enrollment methods and considerations when using Android enterprise.
When is the deprecation taking place and what is being deprecated?
Google’s post states the following APIs will be deprecated as part of the Android OS release in 2019.
The major use case that will no longer be possible is the ability to set password constraints on the device when enrolled as a device administrator. Only Android enterprise enrollments will be able to enforce a password constraint starting with the 2019 Android release.
Is VMware removing support for device administrator?
No, VMware has no current plans to remove support for device administrator. It will be referred to as Android (Legacy) starting with console 9.4, but the option will be available. However, APIs that are deprecated by Google will no longer work with the Android 2019 release.
Do I need to migrate all my device administrator enrollments to Android enterprise right away?
We strongly recommend that organizations begin testing Android enterprise as soon as possible, to ensure use cases can be met. The timing of the actual migration depends on the organization’s use cases. Here are a few considerations:
- If your current devices are unlikely to receive the new Android update in 2019, or the OS updates are controlled by your organization, it is not necessary to migrate these devices. You can deploy Android enterprise for newly purchased devices.
- If you are planning to enroll work managed devices, migration would require a factory reset of these devices.
- BYOD devices are the most vulnerable, as end users are likely to update their devices to the latest operating system. A migration from device administrator to work profile requires un-enrollment and re-enrollment using the AirWatch Agent.
Does Android enterprise include all the restrictions and policies that Device Administrator provided?
The best way to learn about the restrictions available with Android enterprise is to review this matrix.
When I enable Android enterprise in an organization group, does it affect my existing device administrator enrollments?
No, current device administrator enrollments will remain enrolled and will receive all assigned profiles and apps. Enabling Android enterprise will affect new enrollments only; when a new Android enterprise-capable device enrolls, it will use Android enterprise. If a device is not Android enterprise capable, it will enroll using device administrator.
Can device administrator and Android enterprise co-exist in the same UEM console?
Yes, device administrator enrollments and Android enterprise enrollments can co-exist in the same organization group. Profile management is separated as Android and Android (Legacy) for Android enterprise and device administrator enrollments respectively.
Additionally, with console 9.2.0+ it is possible to override Android enterprise enrollments at specific organization groups, or even limit it to specific smart groups.
Are internal apps only distributed through the managed Play Store?
For work profile enrollments, internal apps can only be distributed through the Play Store. It is possible to upload an internal app to the Google Play developer console and limit it to your organization. The UEM console treats these apps as a public app. A $25 fee is required to become a Google Play developer.
For work managed enrollments, it is possible to distribute the app either through the Play Store or through the UEM console. Android 6.0 and above is required to distribute the app through the UEM console.
Can I configure the ‘native’ email client on my device?
Gmail is the default email client for Android enterprise enrollments and can be configured using an Exchange profile. OEM-specific email clients are not supported.
Can I use Product Provisioning with Android enterprise?
Yes, Products are supported on Work Managed devices.
Are OEM-specific management capabilities available on devices enrolled through Android enterprise?
OEM capabilities with Android enterprise are currently limited to Zebra MX capabilities on Work Managed Devices. A list of supported Zebra MX capabilities is available here.