Migrate from device administration to Android Enterprise

This article discusses considerations and recommendations for migrating from legacy Android device administration to Android Enterprise. Google is deprecating the Android Device Administration API. That API supported enterprise apps on Android devices. Android Enterprise is the modern management solution recommended by Google and Citrix.

Endpoint Management is changing to Android Enterprise as the default enrollment method for Android devices. After Google deprecates the APIs, enrollment will fail for Android Q devices in device administration mode.

Android Enterprise includes support for fully managed and work profile device modes. The Google publication, Android Enterprise Migration Bluebook, explains in detail how legacy device administration and Android Enterprise differ. We recommend that you read the migration information from Google.

That publication also describes the four phases of device administration migration and includes the following diagram. This article includes recommendations specific to Citrix Endpoint Management for the migration phases.

[Figure: Phases of migration to Android Enterprise. Diagram from the Android Enterprise Migration Bluebook. Republished with the permission of Google.]

Impact of device administration deprecation

Google will deprecate the following Device Administration APIs. These APIs won’t work on devices running Android Q after you upgrade Secure Hub to target the Android Q API level:

  • Disable camera: Controls access to device cameras.
  • Keyguard features: Controls features that are related to device locking, such as biometrics and patterns.
  • Expire password: Forces users to change their password after a configurable time period.
  • Limit password: Sets restrictive password requirements.

The deprecated APIs have no impact on devices enrolled in Citrix MAM-only mode.

Recommendations

The following recommendations are for devices already enrolled in the Android legacy device administration mode, unenrolled devices, and devices enrolled in Citrix MAM-only mode.

| Device enrollment status | Recommended action |
| --- | --- |
| Existing device is enrolled in device administration mode and upgradeable to Android Q. | Before upgrading the device to Android Q, migrate from device administration mode to Android Enterprise. |
| Existing device is enrolled in device administration mode. The device can’t upgrade to Android Q. | Device can remain in device administration mode. However, plan to move the device to Android Enterprise on device refresh. |
| Existing device is enrolled in device administration mode and is upgraded to Android Q. | Migrate from device administration mode to Android Enterprise before Google deprecates the APIs. A warning message for these devices appears in the Endpoint Management console. |
| New device delivered with Android Q and enrolled in device administration mode. | Migrate from device administration mode to Android Enterprise before Google deprecates the APIs. A warning message for these devices appears in the Endpoint Management console. |
| New device delivered with or upgradeable to Android Q. The device isn’t enrolled. | Use Android Enterprise for any new devices. |
| New or existing device on Android Q gets enrolled in device administration mode after Google deprecates the APIs. | To avoid the impacts of deprecated Google APIs, Citrix recommends migrating to Android Enterprise before Google deprecates the APIs. After that date, enrollments of these devices will fail. |
| New or existing devices enrolled in Citrix MAM-only mode | No action needed. The deprecated Google APIs have no impact on devices in MAM-only mode. |

Analysis

The analysis phase of migration consists of:

  • Understanding your legacy Android setup

  • Documenting your legacy setup so you can map legacy features to Android Enterprise features

  1. Evaluate Android Enterprise on Endpoint Management: Fully managed, fully managed with work profile, dedicated device, work profile (BYOD).

  2. Analyze your current device administration features against Android Enterprise.

  3. Document your device administration use cases.

To document your device administration use cases:

  1. Create a spreadsheet and list the current policy groups in your Endpoint Management console.

  2. Create separate use cases based on the existing policy groups.

  3. For each use case, document the following:

    • Name
    • Business owner
    • User identity model
    • Device Requirements
      • Security
      • Management
      • Usability
    • Device inventory
      • Make and model
      • OS Version
    • Apps

  4. For each app, list:

    • App name
    • Package name
    • Hosting method
    • Whether the app is public or private
    • Whether the app is mandatory (true/false)

Requirements mapping

Based on the completed analysis, determine your Android Enterprise feature requirements.

  1. Determine the management mode and enrollment method:

    • Work profile (BYOD): Requires re-enrollment. No factory reset needed.

    • Fully managed: Requires factory reset. Enroll devices by using a QR code, near field communication (NFC) bump, device policy controller (DPC) identifier, or zero touch.

  2. Create an app migration strategy.

  3. Map use case requirements to Android Enterprise features. Document the feature for each device requirement that most closely matches the requirement and its corresponding Android version.

  4. Determine the minimum Android OS based on feature requirements (7.0, 8.0, 9.0).

  5. Choose an identity model:

    • Recommended: Managed Google Play Account

    • Use Google G-Suite accounts only if you’re a Google Cloud Identity Customer

  6. Create a device strategy:

    • No action: If devices meet the minimum OS level

    • Upgrade: If devices support and can be updated to the supported OS

    • Replace: If devices can’t be updated to the supported OS level
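The recommendations table and the device strategy in step 6 can be applied to a whole device inventory at once. The following is an added example, not Citrix code or part of the original article: the CSV columns, mode labels, and device IDs are constructed for illustration and are not an Endpoint Management export format, and Android Q is treated as Android 10.

```python
import csv
import io

ANDROID_Q = 10.0  # Android Q is Android 10
# Constructed sample inventory. Column names and mode labels are hypothetical,
# not an Endpoint Management export format.
SAMPLE_INVENTORY = """device_id,mode,os_version,max_os_version
D-001,device_admin,9.0,10
D-003,device_admin,10,10
D-004,unenrolled,10,10
D-005,mam_only,7.0,9.0
D-006,device_admin,6.0,6.0
D-007,device_admin,7.0,9.0
"""

def recommended_action(mode, os_version, max_os_version):
    """Return the recommendation-table action for one device."""
    if mode == "mam_only":
        return "No action needed"
    if mode == "unenrolled":
        return "Use Android Enterprise"
    if mode != "device_admin":
        raise ValueError(f"unknown enrollment mode: {mode!r}")
    if os_version >= ANDROID_Q:
        return "Migrate before Google deprecates the APIs"
    if max_os_version >= ANDROID_Q:
        return "Migrate before upgrading to Android Q"
    return "Can remain; move on device refresh"

def device_strategy(mode, os_version, max_os_version, minimum_os):
    """Return No action / Upgrade / Replace against the minimum Android OS."""
    if mode == "mam_only":
        return "Not applicable"  # MAM-only devices are not being migrated
    if os_version >= minimum_os:
        return "No action"
    return "Upgrade" if max_os_version >= minimum_os else "Replace"

def triage(inventory_csv, minimum_os):
    """Return (device_id, recommended action, device strategy) per inventory row."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        # Android versions are major.minor with single-digit minors, so float compares safely.
        os_v, max_v = float(row["os_version"]), float(row["max_os_version"])
        if max_v < os_v:
            raise ValueError(f"{row['device_id']}: max_os_version below os_version")
        mode = row["mode"].strip().lower()
        action = recommended_action(mode, os_v, max_v)
        results.append((row["device_id"], action, device_strategy(mode, os_v, max_v, minimum_os)))
    return results
```

Calling `triage(SAMPLE_INVENTORY, minimum_os=8.0)` returns one tuple per device, which can be pasted into the use-case spreadsheet from the analysis phase.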

After you complete the requirements mapping, move the apps from the Android platform to the Android Enterprise platform. For details about publishing apps, see Add apps.

  • Public store apps

    1. Select the apps to migrate and then edit the apps to clear the Google Play setting and select Android Enterprise as the platform.

    2. Select the delivery group. If an app is mandatory, move the app to the Required Apps list in the delivery group.

    After you save an app, it appears in the Google Play Store. If you have a work profile, apps appear in the Google Play Store in the work profile.

  • Private (enterprise) apps

    Private apps are developed in-house or by a third-party developer. We recommend that you publish private apps by using Google Play.

    1. Select the apps to migrate and then edit the apps to select Android Enterprise as the platform.

    2. Upload the APK file and then configure the app settings.

    3. Publish the app to the required delivery group.

  • MDX apps

    1. Select the apps to migrate and then edit the apps to select Android Enterprise as the platform.

    2. Upload the MDX File. Go through the app approval process.

    3. Select the MDX policies.

    For Enterprise MDX apps, we recommend changing them to MDX SDK mode wrapped apps:

    • Option 1: Host the APK in Google Play with a developer account assigned privately to your organization. Publish the MDX file in Endpoint Management.

    • Option 2: Publish the app from Endpoint Management as an enterprise app. Publish the APK in Endpoint Management and select the platform Android Enterprise for the MDX file.

Citrix device policy migration

For policies that are available for both the Android and Android Enterprise platforms: Edit the policy and select the platform Android Enterprise.

For Android Enterprise, consider the enrollment mode. Some policy options are available only for devices in work profile mode or fully managed mode.

Proof of concept

After you migrate apps to Android Enterprise, you can set up a migration test to verify that the features are working as intended.

  1. Set up the deployment infrastructure:

    • Create a Delivery Group for your Android Enterprise testing.

    • Configure Android Enterprise in Endpoint Management.

  2. Set up user apps.

  3. Configure Android Enterprise features.

  4. Assign policies to the Android Enterprise delivery group.

  5. Test and confirm features.

  6. Complete a device setup walkthrough for each use case.

  7. Document user setup steps.

Deployment

You can now deploy your Android Enterprise setup and prepare your users for migration.

The Citrix recommended deployment strategy is to test all of your production systems for Android Enterprise, then complete device migration later.

  • In this scenario, users continue to use legacy devices with their current configuration. You set up new devices for Android Enterprise management.

  • Migrate existing devices only when an upgrade or replacement is necessary.

  • Migrate existing devices to Android Enterprise management at the end of their usual lifecycle. Or, migrate those devices when they need replacement due to loss or breakage.
