Workspace ONE Unified Endpoint Management Technical Guides

The Ultimate Guide to Android Enterprise Migration with Workspace ONE

This is your one stop shop for everything you need to know about migrating from Device Administrator (referred to as Android (Legacy) in the Workspace ONE UEM Console) to Android Enterprise. We understand this isn’t an easy change, but we’re happy to help you along your journey! Below you’ll find plenty of resources from VMware and Google. We will continue to update this page as more materials become available, so bookmark this and follow our social channels (@WorkspaceONE) to stay informed!

Background

Enterprise mobility management requirements have evolved significantly since Google first introduced Device Admin APIs with Android 2.2. Device Admin APIs offered early management capabilities for an Android device but were not quite the comprehensive, future-proof solutions needed by IT organizations. To keep up with the expanding demands of enterprises, Google introduced Android Enterprise (previously Android for Work) with Android 5.0 in 2014. The modern management framework of Android Enterprise delivers more sophisticated management, security and experience capabilities that continue to evolve with businesses’ needs. In 2017, Google announced the release of Android 10 would mark the official deprecation of Device Administrator-based management in favor of Android Enterprise.

Impacts to VMware Workspace ONE Customers

In preparation for Google’s deprecation of Device Admin, we announced our focus on growing the adoption of Android Enterprise by investing in Android Enterprise integrations with Workspace ONE. Fast forward to November 2020, the Workspace ONE Intelligent Hub’s target SDK level was updated to comply with Google’s Play Store policies. With this update, the deprecated Device Admin APIs on Android 10 could no longer be used. To guide customers toward best practices and provide the best user experience and management capabilities, additional changes were made to the Workspace ONE platform.

  • New customers deploying Workspace ONE UEM for the first time do not have the option to use Device Admin.
  • Existing customers with new Android 10+ deployments must use Android Enterprise.
  • Existing customers with existing Device Admin deployments can continue managing these devices and new Device Admin enrollments will not be blocked for devices on Android 9 or lower.

Continuing with Device Admin comes with inherent limitations by being tied to older Android OS versions. Further, VMware’s investments around Android are focused on the modern Android Enterprise platform and will continue to direct Workspace ONE product enhancements accordingly. In a previous blog, we announced that after March 31, 2022, VMware will no longer provide or guarantee support for devices enrolled using Device Administrator, regardless of enrollment date.

Customers currently using Device Admin are highly encouraged to plan a migration strategy to move to Android Enterprise. We again want to stress that we recognize the effort required for migration and hope the resources provided will prove to be helpful in this transition.

Android Migration

When planning your Android migration, it is important to start early and allow for time to work through the details to minimize disruptions to your workforce. Device Admin and Android Enterprise present plenty of differences and moving to a new management framework requires a thorough understanding of how your fleet of Android devices will be affected. Some key impacts that customers should anticipate are device management mode(s), profile management and application management. Read on below for more detail and resources related to Android device management modes.

Management Mode

One of the many benefits of moving to Android Enterprise is the flexible device management offered through multiple management modes. Modern businesses have varying needs and use cases, each requiring particular capabilities that cannot be supported with a one-size-fits-all solution.

Just like the management modes themselves, the process of migrating to each mode is unique.

Fully Managed/Work Managed: As the name suggests, devices in this mode are under full IT control and support business use cases in which corporate-owned devices are used for business-only or single-use purposes. Note: This mode is sometimes also referred to as ‘Work Managed.’

Typically, migration to Fully Managed/Work Managed mode requires a factory reset. A workflow can be used to reset the device through the Workspace ONE UEM console, then enrolled using Zero Touch or Knox Mobile Enrollment for Samsung devices.

There is one exception, though. For Zebra devices running Android 7.0+, a migration workflow can migrate devices to Fully Managed/Work Managed mode without a factory reset (available in the Workspace ONE UEM console 2006+).

Work Profile on Personally-Owned Devices: For BYOD (bring-your-own-device) use cases, a personally owned device utilizes the work profile to handle both work and personal uses. Migration to a work profile on employee owned devices is streamlined with the Workspace ONE migration tool (available in the Workspace ONE UEM console 1907+). Our migration tool requires minimal action by the end user and the admin never loses management during the migration process.

Work Profile on Company-Owned Devices/COPE: Work profiles can also be used to allow for both work and personal use on a company-owned device. Unlike the work profile for personally-owned devices, migration to this management mode requires a factory reset. As with the migration to Fully Managed, a workflow can be used to reset the device through the Workspace ONE UEM console, then enrolled using Zero Touch or Knox Mobile Enrollment for Samsung devices.

Profile Management

Android Enterprise profiles are separate from Device Admin profiles. It is necessary to re-create profiles for Android Enterprise for migration. These profiles are available for configuration after completing the Android Enterprise registration.

Application Management

Android Enterprise offers significant advantages over Device Admin when it comes to application management. Managed Google Play enables admins to approve public apps or create web and private apps for users, right from the Workspace ONE UEM console. Even better, managed configurations allow admins to specify app settings remotely, so device setup is streamlined for minimal end user interaction.

Once an app is added to the Workspace ONE UEM console, it can be distributed to Device Admin and Android Enterprise enrollments. Please note that if a public app was added to the Workspace ONE UEM console prior to Android Enterprise registration, some additional steps are required to ensure the Workspace ONE UEM console is aware the app has been approved on managed Google Play.

For more information on these topics as well as other migration factors to consider, please review our Workspace ONE documentation on Android management and the resources below.

Resources

VMware Blogs on Android Migration

VMware Video Series on Android Management

VMware Technical Resources

Google Resources

Kenny Takahashi

Kenny Takahashi is a Senior Product Marketing Manager for VMware End-User Computing (EUC).

Related Articles