Companies that use Android devices have a number of ways to manage and secure them. Until recently, the most common way of enrolling an Android device was the Device Admin API. However, as we reported in this article from 2019, this approach was considered legacy management even back in 2014, and it was about to be deprecated in Android 10. Now, in November 2020, we can say that Device Admin is fully deprecated. Why did this happen, and what are the consequences?
Android Device Admin is an API with a limited feature set, intended for apps that require elevated administrative permissions to perform certain tasks. You can use the Device Administration API to write device admin apps that users install on their devices. It’s used for email clients, security apps that do remote wipe, and device management services and apps.
Device Admin has been available since Android 2.2, so for quite a long time. It was considered a legacy management approach even back in 2014, when Android 5 was released with fully managed devices and work profiles. Since Device Admin was introduced in 2010, Android has come a long way. As a result, Device Admin is not well suited to today’s enterprise requirements. Enterprises demand a higher level of trust, because devices increasingly access more confidential resources and are used in a wider variety of use cases than Android’s original Device Admin API was designed for.
Read about Device Admin deprecation on Google’s developers site.
As communicated a number of times (e.g. in this article), this year (2020) Google deprecated the Device Admin approach to remote management of devices. This change is now live with the Android 11 (R) update as well as the Android Security Update in November.
How does this affect Samsung (and many other) devices managed by FAMOC? The devices most affected by this transition are those enrolled using the Device Admin scenario that will soon receive the update to Android 11 or, for Android 10 devices, the November security update. Such devices will be rendered NON MANAGEABLE, and the only way to regain management is to re-enroll FAMOC on each and every device (if the device is to be re-enrolled in the Device Owner mode or enhanced BYOD mode, a restore to factory defaults will also be necessary).
If you are using a Device Owner scenario without the Work Profile, none of those changes will affect you. If you are using the Device Owner with the Work Profile, please refer to this article.
IMPORTANT! If you are currently using the legacy mode (Device Admin) on a Samsung or Zebra device running Android 10 and want to avoid these changes, block updates on those devices using FAMOC manage’s security policy (see more information here).
Over the past years, Google has been encouraging customers to move from Device Admin to Android Enterprise, which offers a modern management framework for the evolving needs of enterprise customers.
You can find a full comparison of the Device Admin and Android Enterprise approaches in this article.
Google prepared a short video that outlines the key changes that IT admins can expect now and strategies to prepare for a transition to Android Enterprise. Please also refer to the Android Enterprise Migration Bluebook, which provides detailed steps and best practices for moving from a legacy Device Admin deployment to Android Enterprise.
This article may be updated in case of any new changes.