On Tuesday, Google finally announced their intention to deprecate the Android device administration APIs – which have enabled enterprise device management since Android 2.2 Froyo in 2010 – in order to promote Android enterprise (or work profile and managed device APIs as Google refer to them) as the default and only management APIs for Android devices from 2019.

In their announcement, Google state that device admin will remain supported in Oreo now and through the next major release, Android P. One rather important caveat in Android P, however, is that passcode enforcement will be deprecated ahead of being removed entirely in Android Q. Once Android Q is announced, Android enterprise will be the only available solution for device management going forward.

This has been a long time coming.

As both an active proponent of Android enterprise and someone who’s seen device administrator capabilities abused by applications over the years, this is a really exciting announcement; it reinforces and validates the long-held opinion I’ve had that Android enterprise is the future of Android device management and will no doubt help to further improve the security of the Android platform.

What does that mean for organisations?

It depends to a degree, but it will sooner or later require a change in the way devices are managed. There’s a good chance many of the devices under management today won’t see an update to Android Q, since OEMs typically provide only 18 months of support for updates. With Oreo being installed on only 0.5% of all Android devices, and Android P less than a year away already marking functionality as deprecated, it’s a good time to start thinking about a migration.

As you might imagine, Oreo and earlier devices won’t be receiving this change and therefore device admin won’t be going away overnight, but eventually devices will give up or get flagged for renewal and the organisation will need to be able to support Android enterprise within their chosen EMM platform when that happens.

That won’t be easy; a migration from legacy enrolment to Android enterprise work-managed enrolment, a deployment scenario most comparable to the device administrator management of today’s devices, will require a factory reset of each device and will therefore be highly disruptive. A better idea, recommended both by Google and myself previously, is to tie the migration in with the hardware lifecycle of the organisation’s Android estate.

Naturally that may be difficult or simply not possible for some organisations within the space of two years, so a hybrid management environment on the EMM platform will need to be supported during the migration.

Why is Android enterprise better?

The device admin API is based on an all-or-nothing approach requiring full device administrative permissions in order to manage a device. This applies to both corporately-owned devices and BYOD, which is hardly ideal. Furthermore, a Google account is required for public application installation, while enabling unknown sources is needed for private application installation. In both cases this has been something of a pain point, with the latter having the distinction of being a reluctantly accepted security risk.

Even when administrative permissions are granted, management APIs for individual OEMs are mostly non-existent and as such modern EMMs aren’t capable of managing just any Android device off the shelf. This is why Samsung is so dominant today, but more can be read about that here.

Android enterprise consists of a robust set of management APIs built right into GMS-certified devices that allow for universal and consistent management. Furthermore, with managed Google Play and managed Google Play accounts, not only will unknown sources be unavailable on work-managed devices by default, but only applications explicitly approved by administrators will be shown in managed Google Play, with silent application installation available as a standard feature. On the other hand, for BYOD users, Android enterprise finally enables managed access to corporate resources without the organisation taking full control of the personal device. More can be read about Android enterprise here.

Importantly, EMM vendors are already working on making migrations easier for organisations, with AirWatch announcing only a few days ago a switch to an Android enterprise-first deployment experience in the very near future.

Getting started

Ultimately the sooner organisations start evaluating Android enterprise, the better. I’d recommend starting with “considerations for migrating from device administrator to Android enterprise” for those familiar with Android enterprise, or “what is Android enterprise and why is it used?” for those who are just beginning the journey.

I’m always happy to hear from organisations managing Android devices, so please feel free to reach out for a chat and/or advice.

Are you considering or deploying Android enterprise? Will you be looking to do so in 2018? Let me know your thoughts in the comments, @jasonbayton on Twitter or @bayton.org on Facebook. If you’re on LinkedIn, you can also find me there – /in/jasonbayton.



Jason Bayton

I’m an accredited mobile technology & EMM (MDM) specialist with an interest in Linux, Virtualisation, Hosting, Disaster Recovery, Internet of Things, Web Development and Open Source. I play the Sousaphone, too!
