December 19th, 2017
Enterprise devices regularly access mission-critical data and are a key conduit for company communications. To ensure that organizations can power their mobility efforts with great features and security, Android offers managed device and work profile modes for mobile management.
Many organizations, however, are still using the Device Administration API, which was made available for developers in Android 2.2. When it was first released in 2010, device admin API provided enterprises with a reliable support system for enterprise applications. Since then, the needs of businesses have grown to require more vigorous management and security requirements.
Managing personal and company-owned devices
In Android 5.0, we created managed device (device owner) and work profile (profile owner) modes, which match the security needs of organizations that manage mobile devices. These are feature-rich and secure ways to manage devices. Most organizations are now using these modes to manage mobile devices, and we’re encouraging all organizations to make the switch.
We understand that for some organizations this switch may take time so we will have developed an extended timeline for the transition. Device admin API will be supported through Android Oreo and existing functionality will continue to be available in the next major Android release, though device admin APIs for password enforcement will no longer be supported. In the following Android release, expected in 2019, the APIs for password enforcement will no longer be available. We strongly recommend that businesses plan to move to work profile and managed device APIs. By sharing this update early, we aim to provide companies with sufficient time to migrate existing devices or start fresh as new ones are added to their fleet.
Non-enterprise device management
Some of the device admin APIs are used for non-enterprise device management, like Find My Device, which enables locking and wiping a lost phone. APIs commonly used by these applications will not be affected. Please see the developer migration guide for details on the specific changes.
Making the transition to work profiles or managed devices
For those currently using device admin, there are two strategies available to move to Android’s management APIs. Both options require companies to have an EMM provider that supports either Android’s work profile or managed device mode.
For personal devices used by employees for work, we recommend using the work profile. Migration from a legacy device admin to the work profile can be done with minimal disruption. This can be handled either by enabling personal devices to install a work profile, or by having new devices enroll with a work profile as existing devices phase out of the fleet.
We recommend that company-owned devices be set up as managed devices. Migrating a device from device admin to managed device requires a factory reset, so we recommend a phased adoption, where new devices are enrolled as managed devices while existing devices are left on device admin. New users and new devices should be configured with the new management modes as they are enrolled. Then, older device admin devices can be aged out of the fleet through natural attrition. We recommend that you begin to enroll all new company-owned devices running the major Android release after Oreo as managed devices, in preparation for the removal in the release after that.
Major mobility transitions are typically a large and important undertaking but we know that the needs of companies will be better served with the modern capabilities of Android’s managed device and work profile modes. For specific implementation details, see our developer migration guide.