Close Menu
    Android

    Migrate Android devices from device administrator to work profile management

    Peter KlapwijkBy Updated:44 Mins Read

    Since Android version 2.2. Android Device Administrator was used to manage Android devices. If you`re using Microsoft Intune to manage Android devices, you might also use Device Admin to manage your devices. But Device Admin is marked as deprecated by Google and Google is decreasing Device Admin support on new Android releases.
    A new management solution was already introduced by Google in Android 5.0, Android Enterprise, with improved management functionality. Because of these changes it`s time to migrate Android devices from Device Administrator to Android Enterprise Work Profile (or Fully managed).

    In this blog post I show the steps to make the migration process for the end-user as easy as possible.

    Microsoft made a new setting available to mark an Android Device Admin device not compliant. As soon as the end-user device is marked as not compliant by this setting, this is shown in the Company Portal app like it always was, but when the user this time clicks on Resolve on the Update device settings page, a migration process is started to migrate the device to Android Enterprise Work Profile.
    Besides that, you can also automatically send the user an email notification with explanation about the migration proces and mention the migration URL (The URL will launch the Android Company Portal to the Update device settings page).

    Configure the Compliance Policy

    I assume you already have an existing Compliance policy for Android Device Admin, otherwise create one.

    • Sign-in to the Device Management Portal
    • Browse to DevicesAndroid
    • On the Compliance Policies tab open the Device Admin policy
    • Browse to Properties
    • Click Edit next to Compliance settings and open Device Health
    • Set Devices managed with device administrator to Block
    • Click Review + Save – click Save

    This is all to mark Device Admin devices as non-compliant and make the migration flow available for your end-users.

    Configure push notifications (optional)

    • Browse to Devices – Android
    • On the Compliance Policies tab open the Device Admin policy
    • Browse to Properties
    • Click Edit next to Actions for noncompliance
    • Choose Send push notification to end user from the drop-down list
    • Leave the schedule value 0 to mark the device non compliant immediately
    • Click Review + Save
    • Click Save

    Configure Email notifications (optional)

    Optional you can automatically send an email to the end-user by following these steps.

    • Browse to DevicesCompliance Policies
    • On the Notifications tab click Create notification
    • Enter a Name
    • Enter a Subject
    • Enter a Message and refer to the URL https://portal.manage.microsoft.com/UpdateSettings.aspx
    • Click Next
    • Click Create
    • Browse to Devices – Android
    • On the Compliance Policies tab open the Device Admin policy
    • Browse to Properties
    • Click Edit next to Actions for noncompliance
    • Choose Send email to end user from the drop-down list
    • Click None selected under Message template
    • Select the previous create Email notification
    • Click Select
    • Click Review + Save – Click Save

    The Compliance policy is set, everything is ready for the new migration flow.

    End-user experience

    My device is marked as compliant before changing the Compliance policy.

    As soon as I change the Compliance policy and my Android device is synced with Intune, it is marked as Not in compliance.
    A pop-up is shown if that option is set in the Compliance policy.

    If you also set an email notification in the policy, the user should also receive an email.

    If you click on the pop-up message on the Android device, the Company portal app is opened.
    Click on Resolve to start the migration process.

    The user is informed of the migration steps.
    Click Begin.

    Take note of the information and click Begin.

    The old management profile is removed.
    Click Continue.

    After these steps the enrollment to Android Enterprise Work Profile is started.
    Click Continue.
    Screens might be different for you, depending on policies set in your Intune tenant, differences per Android version and Android vendor.

    The Work profile is created, several different screens are shown.

    The Work profile is created, click Continue.

    The Work profile is activated, policies applied.
    Click Done.

    The end-result is an Android device managed with Android Enterprise Work Profile.

    If you`d like to read more about managing Android devices with as Work Profile devices, I suggest to read this post.

    Thank you for reading!

    Share.

    Peter is a Security (Intune) MVP since 2020 and is working as Modern Workplace Engineer at Wortell in The Netherlands. He has more than 15 years of experience in IT, with a strong focus on Microsoft technologies like Microsoft Intune, Windows, and (low-code) automation.

    Related Posts

    View 4 Comments

    4 Comments

    2. stuart on

      hi
      is it possible to move from corporate-owned devices with device administrator privileges to Corporate-owned, fully managed user devices. if so what type of groups need to be created

      Reply
    Leave A Reply