Citrix Endpoint Management

Migrate from device administration to Android Enterprise

This article discusses considerations and recommendations for migrating from legacy Android device administration to Android Enterprise. Google is deprecating the Android Device Administration API. That API supported enterprise apps on Android devices. Android Enterprise is the modern management solution recommended by Google and Citrix.

Endpoint Management is changing to Android Enterprise as the default enrollment method for Android devices. After Google deprecates the APIs, enrollment will fail for Android Q devices in device administration mode.

Android Enterprise includes support for fully managed and work profile device modes. The Google publication, Android Enterprise Migration Bluebook, explains in detail how legacy device administration and Android Enterprise differ. We recommend that you read the migration information from Google.

We recommend that you also refer to the Citrix Tech Zone article, Migration from Android Device Administrator to Android Enterprise with Citrix Endpoint Management.

Impact of device administration deprecation

Google has deprecated the Device Administrator APIs and won’t support them as of November 2, 2020. These APIs won’t work on devices running Android 10+ after we upgrade Citrix Secure Hub to target Android API level 29:

  • Disable camera: Controls access to device cameras.
  • Keyguard features: Controls features that are related to device locking, such as biometrics and patterns.
  • Expire password: Forces users to change their password after a configurable time period.
  • Limit password: Sets restrictive password requirements.

Requirements and recommendations

  • If you can upgrade a device to Android 10+, you must enroll that device in Android Enterprise.

    • You must enroll Android 11 devices into Android Enterprise.
    • As of September 2020, for Android 10 devices: Citrix doesn’t support new enrollments or device re-enrollments into device administration mode. Devices already enrolled continue to work until November 2, 2020, as noted in the preceding section.
  • For devices running Android 9 and lower, we support the legacy device administration mode. However, we recommend moving those devices to Android Enterprise as soon as possible.

  • For new or existing devices enrolled in Citrix MAM-only mode, no action is needed. The deprecated Google APIs have no impact on devices in MAM-only mode. However, with the move to platform encryption, we highly recommend moving from MAM-only mode to Android Enterprise work profile mode (BYOD). Work profile mode provides MAM functionality, but in a container on the device.

Analysis

The analysis phase of migration consists of:

  • Understanding your legacy Android setup

  • Documenting your legacy setup so you can map legacy features to Android Enterprise features

  1. Evaluate Android Enterprise on Endpoint Management: Fully managed, fully managed with work profile, dedicated device, work profile (BYOD).

  2. Analyze your current device administration features against Android Enterprise.

  3. Document your device administration use cases.

To document your device administration use cases:

  1. Create a spreadsheet and list the current policy groups in your Endpoint Management console.

  2. Create separate use cases based on the existing policy groups.

  3. For each use case, document the following:

    • Name
    • Business owner
    • User identity model
    • Device requirements
      • Security
      • Management
      • Usability
    • Device inventory
      • Make and model
      • OS version
    • Apps
  4. For each app, list:

    • App name
    • Package name
    • Hosting method
    • Whether the app is public or private
    • Whether the app is mandatory (true/false)

Requirements mapping

Based on the completed analysis, determine your Android Enterprise feature requirements.

  1. Determine the management mode and enrollment method:

    • Work profile (BYOD): Requires re-enrollment. No factory reset needed.

    • Fully managed: Requires factory reset. Enroll devices by using a QR code, near field communication (NFC) bump, device policy controller (DPC) identifier, or zero touch.

  2. Create an app migration strategy.

  3. Map use case requirements to Android Enterprise features. Document the feature for each device requirement that most closely matches the requirement and its corresponding Android version.

  4. Determine the minimum Android OS based on feature requirements (7.0, 8.0, 9.0).

  5. Choose an identity model:

    • Recommended: Managed Google Play Account

    • Use Google G-Suite accounts only if you’re a Google Cloud Identity Customer

  6. Create a device strategy:

    • No action: If devices meet the minimum OS level

    • Upgrade: If devices support and can be updated to the supported OS

    • Replace: If devices can’t be updated to the supported OS level
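The device strategy in step 6, combined with the Android 10+ rule from Requirements and recommendations, applied to a device inventory. This is an added example, not Citrix code; the CSV columns, the `device_admin` and `mam_only` labels, the sample rows, and the 8.0 minimum OS are constructed assumptions.

```python
import csv
import io

# Constructed sample inventory; column names and values are assumptions.
SAMPLE_INVENTORY = """serial,os_version,max_os_version,enrollment
A100,8.1,8.1,device_admin
A200,7.0,10,device_admin
A300,6.0,6.0,device_admin
A400,10,11,device_admin
A500,9,9,mam_only
"""

def parse_version(text):
    """Turn '8.1' or '10' into a comparable tuple such as (8, 1) or (10, 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (2 - len(parts)))

def device_strategy(row, minimum_os):
    """Return (strategy, enrollment note) for one inventory row."""
    current = parse_version(row["os_version"])
    ceiling = parse_version(row["max_os_version"])
    minimum = parse_version(minimum_os)
    if current >= minimum:
        strategy = "No action"
    elif ceiling >= minimum:
        strategy = "Upgrade"
    else:
        strategy = "Replace"
    # Requirements section: MAM-only is unaffected; a device on, or upgradable
    # to, Android 10+ must use Android Enterprise; Android 9 and lower may stay
    # in legacy device administration for now.
    if row["enrollment"] == "mam_only":
        note = "MAM-only: no action needed; work profile recommended"
    elif max(current, ceiling) >= (10, 0):
        note = "Must enroll in Android Enterprise"
    else:
        note = "Legacy device administration supported; migrate soon"
    return strategy, note

def plan(inventory_csv, minimum_os):
    """Map each serial number to its (strategy, note) pair."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["serial"]: device_strategy(row, minimum_os) for row in reader}

if __name__ == "__main__":
    for serial, (strategy, note) in plan(SAMPLE_INVENTORY, "8.0").items():
        print(f"{serial}: {strategy:9} | {note}")
```

The strategy column covers the hardware and OS decision only; the note column is the separate enrollment decision, so a device can need no OS action and still require re-enrollment.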

After you complete the requirements mapping, move the apps from the Android platform to the Android Enterprise platform. For details about publishing apps, see Add apps.

  • Public store apps

    1. Select the apps to migrate and then edit the apps to clear the Google Play setting and select Android Enterprise as the platform.

    2. Select the delivery group. If an app is mandatory, move the app to the Required Apps list in the delivery group.

    After you save an app, it appears in the Google Play Store. If you have a work profile, apps appear in the Google Play Store in the work profile.

  • Private (enterprise) apps

    Private apps are developed in-house or by a third-party developer. We recommend that you publish private apps by using Google Play.

    1. Select the apps to migrate and then edit the apps to select Android Enterprise as the platform.

    2. Upload the APK file and then configure the app settings.

    3. Publish the app to the required delivery group.

  • MDX apps

    1. Select the apps to migrate and then edit the apps to select Android Enterprise as the platform.

    2. Upload the MDX file. Go through the app approval process.

    3. Select the MDX policies.

    For Enterprise MDX apps, we recommend changing them to MDX SDK mode wrapped apps:

    • Option 1: Host the APK in Google Play with a developer account assigned privately to your organization. Publish the MDX file in Endpoint Management.

    • Option 2: Publish the app from Endpoint Management as an enterprise app. Publish the APK in Endpoint Management and select the platform Android Enterprise for the MDX file.

Citrix device policy migration

For policies that are available for both the Android (legacy DA) and Android Enterprise platforms: Edit the policy and select the platform Android Enterprise.

  • For Android Enterprise, consider the enrollment mode. Some policy options are available only for devices in work profile mode or fully managed mode. See Configure Android Enterprise device and app policies.

  • If you use the Exchange device policy for legacy DA devices, create an Android Enterprise managed configurations device policy instead to configure email settings.

  • To ensure that you target a policy to the intended devices (Android Enterprise versus legacy DA), add a deployment rule to the policy. For example, for the legacy DA platform, use this deployment rule:

     Limit by known device property name: Android Enterprise Enabled Device? Isn’t equal to true
    

    That deployment rule checks if the device is NOT enabled for Android Enterprise and delivers the policy along with the apps to devices enabled for legacy DA.

Proof of concept

After you migrate apps to Android Enterprise, you can set up a migration test to verify that the features are working as intended.

  1. Set up the deployment infrastructure:

    • Create a Delivery Group for your Android Enterprise testing.

    • Configure Android Enterprise in Endpoint Management.

  2. Set up user apps.

  3. Configure Android Enterprise features.

  4. Assign policies to the Android Enterprise delivery group.

  5. Test and confirm features.

  6. Complete a device setup walkthrough for each use case.

  7. Document user setup steps.

Deployment

You can now deploy your Android Enterprise setup and prepare your users for migration.

The Citrix recommended deployment strategy is to test all of your production systems for Android Enterprise, then complete device migration later.

  • In this scenario, users continue to use legacy devices with their current configuration. You set up new devices for Android Enterprise management.

  • Migrate existing devices only when an upgrade or replacement is necessary.

  • Migrate existing devices to Android Enterprise management at the end of their usual lifecycle. Or, migrate those devices when they need replacement due to loss or breakage.
