Agenda Timeline for device admin support Android management

Agenda Timeline for device admin support Android management solutions Google’s timeline How to get there from device admin management Our timeline Functionality Features to help with moving off device admin

Agenda Timeline for device admin support Android management solutions Google’s timeline How to get there from device admin management Our timeline Functionality Features to help with moving off device admin

Google’s device admin support timeline Google documented that beginning with Android 10 (September 2019), device admin apps can no longer enforce these four policies. 1. Set password minimum length and complexity 2. Set password expiration 3. Disable camera https: //developers. google. com/android/work/device-admin-deprecation 4. Disable keyguard features (lock screen settings)

Our device admin support timeline In summer 2020 (when Android 11 releases), Intune device admin devices running Android 10+ will not receive the four policies Google removed. Samsung devices will not be impacted yet because Knox provides equivalent functionality for what Google removed Devices running Android versions below 10 will not be impacted It is time to make a plan for managing Android devices without device admin. Android Enterprise App protection policies

Agenda Timeline for device admin support Android management solutions Google’s timeline How to get there from device admin management Our timeline Functionality Features to help with moving off device admin

Android management solutions Solution Description Enrollment method Device admin Legacy management using device admin rights In Company Portal App protection policies Management at the app level In managed apps Work profile Personal device management with a separate profile for work apps and data In Company Portal Fully managed Corporate device and enrolled with user account Factory reset Dedicated Corporate device without an account, such as kiosk or shared devices Android Enterprise Device owner Factory reset

From device admin to what? Moving from device admin to…. Scenario App protection policies Personally owned and no need for device level controls Work profile Personally owned and requiring device pin, Wi-Fi certs, VPN Fully managed Corporate owned and tied to a user account Dedicated Corporate owned and no need for user affinity, such as kiosk usage

Main features across management solutions Experience/ Feature Device admin App protection policies Work profile Fully managed Dedicated Recommended ownership Personal & corporate Personal Corporate Enrollment/ unenrollment UX In Company Portal Out-of-box/ factory reset User affinity Yes Yes No App store for company apps Company Portal Managed Google Play Personal data separation No Yes No No PIN settings Device PIN App PIN Device PIN and/or work profile PIN Device PIN Wi-Fi and VPN Yes No Yes Yes

Steps for moving from device admin to Android Enterprise 1. Publish apps in Managed Google Play 2. Set policies 3. Phase out device admin • Publish line of business apps and approve public apps in either the iframe or the Play website. • Configure Android Enterprise policies and/or app protection policies to align with previous device admin use cases.

Agenda Timeline for device admin support Android management solutions Google’s timeline How to get there from device admin management Our timeline Functionality Features to help with moving off device admin

Functionality Feature Status Samsung Knox equivalent device admin functionality for what Google removed Live Removal of device admin as the default for Android enrollment and simplification of work profile setup (for new tenants) Live Enrollment restriction specification of which OS versions enroll with device admin versus work profile Live Chart showing number of devices enrolled with each Android management solution Live Coming soon: Streamlined flow for moving from device admin to work profile Q 1 CY 2020

Removal of device admin as the default for Android enrollment and simplification of work profile setup (for new tenants)

Removal of device admin as the default for Android enrollment and simplification of work profile setup (for new tenants)

Enrollment restriction specification of which OS versions enroll with device admin versus work profile

Chart showing number of devices enrolled with each Android management solution

Coming soon: Streamlined flow for moving from device admin to work profile 1. Create compliance policy with new setting to block device admin

1. Create compliance policy with new setting to block device admin setting (new) Prevent device administrator devices from having corporate access. Resolving this from the Company Portal will guide users to move to work profile management.

2 A. Set non-compliance notification: email

2 B. Set non-compliance notification: push notification

3. User prompted for a streamlined flow for moving from device admin to work profile

Join us in shaping product experiences! Scan code to enroll https: //aka. ms/Device. Mgmt. Admin

Takeaways Starting next summer, device admin managed devices (that are not Samsung) running Android 10 and later will have limited manageability. It is time to make a plan for managing Android devices without device admin – either Android Enterprise or app protection policies.

Thank you If you have questions, my team and I will be at the Microsoft Endpoint Management section of booth 29 in the Hub after this.

Please evaluate this session Your feedback is important to us! https: //aka. ms/ignite. mobileapp https: //myignite. techcommunity. microsoft. com/evaluations

Find this session in Microsoft Tech Community