Migrate Android devices from device administrator to work profile management

Since Android version 2.2. Android Device Administrator was used to manage Android devices. If you`re using Microsoft Intune to manage Android devices, you might also use Device Admin to manage your devices. But Device Admin is marked as deprecated by Google and Google is decreasing Device Admin support on new Android releases.
A new management solution was already introduced by Google in Android 5.0, Android Enterprise, with improved management functionality. Because of these changes it`s time to migrate Android devices from Device Administrator to Android Enterprise Work Profile (or Fully managed).

In this blog post I show the steps to make the migration process for the end-user as easy as possible.

Microsoft made a new setting available to mark an Android Device Admin device not compliant. As soon as the end-user device is marked as not compliant by this setting, this is shown in the Company Portal app like it always was, but when the user this time clicks on Resolve on the Update device settings page, a migration process is started to migrate the device to Android Enterprise Work Profile.
Besides that, you can also automatically send the user an email notification with explanation about the migration proces and mention the migration URL (The URL will launch the Android Company Portal to the Update device settings page).

Configure the Compliance Policy

I assume you already have an existing Compliance policy for Android Device Admin, otherwise create one.

  • Sign-in to the Device Management Portal
  • Browse to DevicesAndroid
  • On the Compliance Policies tab open the Device Admin policy
  • Browse to Properties
  • Click Edit next to Compliance settings and open Device Health
  • Set Devices managed with device administrator to Block
  • Click Review + Save – click Save

This is all to mark Device Admin devices as non-compliant and make the migration flow available for your end-users.

Configure push notifications (optional)

  • Browse to Devices – Android
  • On the Compliance Policies tab open the Device Admin policy
  • Browse to Properties
  • Click Edit next to Actions for noncompliance
  • Choose Send push notification to end user from the drop-down list
  • Leave the schedule value 0 to mark the device non compliant immediately
  • Click Review + Save
  • Click Save

Configure Email notifications (optional)

Optional you can automatically send an email to the end-user by following these steps.

  • Browse to DevicesCompliance Policies
  • On the Notifications tab click Create notification
  • Enter a Name
  • Enter a Subject
  • Enter a Message and refer to the URL https://portal.manage.microsoft.com/UpdateSettings.aspx
  • Click Next
  • Click Create
  • Browse to Devices – Android
  • On the Compliance Policies tab open the Device Admin policy
  • Browse to Properties
  • Click Edit next to Actions for noncompliance
  • Choose Send email to end user from the drop-down list
  • Click None selected under Message template
  • Select the previous create Email notification
  • Click Select
  • Click Review + Save – Click Save

The Compliance policy is set, everything is ready for the new migration flow.

End-user experience

My device is marked as compliant before changing the Compliance policy.

As soon as I change the Compliance policy and my Android device is synced with Intune, it is marked as Not in compliance.
A pop-up is shown if that option is set in the Compliance policy.

If you also set an email notification in the policy, the user should also receive an email.

If you click on the pop-up message on the Android device, the Company portal app is opened.
Click on Resolve to start the migration process.

The user is informed of the migration steps.
Click Begin.

Take note of the information and click Begin.

The old management profile is removed.
Click Continue.

After these steps the enrollment to Android Enterprise Work Profile is started.
Click Continue.
Screens might be different for you, depending on policies set in your Intune tenant, differences per Android version and Android vendor.

The Work profile is created, several different screens are shown.

The Work profile is created, click Continue.

The Work profile is activated, policies applied.
Click Done.

The end-result is an Android device managed with Android Enterprise Work Profile.

If you`d like to read more about managing Android devices with as Work Profile devices, I suggest to read this post.

Thank you for reading!


  1. hi
    is it possible to move from corporate-owned devices with device administrator privileges to Corporate-owned, fully managed user devices. if so what type of groups need to be created

Leave a Reply

Your email address will not be published.