Device Admin deprecation

Google announced the deprecation of the Device Admin (DA) mode of operation. Google completes the transition to Android Enterprise (AE) that uses a modern framework and offers enhanced security. AE also offers advanced device management options, and multiple deployment options (Work profile, Work Profile on Company Owned, Device Owner, Corporate Owned, Single Use).

To support the transition to Android Enterprise, Google announced the deprecation of the Device Admin for the enterprise effective with the Android 10Q release.

How Device Admin deprecation affects IBM MaaS360

Security policies

The following policies are deprecated in Android 10.
  • Passcode policies: Minimum Passcode Quality, Minimum Passcode Length, and Minimum Passcode Age (In Days)
  • Restrictions: Camera
  • Security: Disable Keyguard Features
  • Device Management: Disable Device Management Actions
  • Wifi: The ability to detect a configured wifi profile is no longer available. Example: The same wifi profiles are configured the same number of times.
  • Application Compliance: Configure Restricted Applications and Configure Restricted Applications by App Permissions
  • All OEM-specific policies for LG, Kyocera, M3, Panasonic, Bluebird do not work. Samsung and Zebra-specific policies continue to work.

Other device and reporting impacts

  • Factory wifi MAC address, Platform Serial Number, and IMEI are no longer reported on Device Admin-enrolled devices.
  • Google deprecates Android Beam (NFC) support. This deprecation impacts NFC-based Device Owner enrollments for Android 10+ devices.
  • The Buzz and Send message actions are now notifications, instead of a forced action. The Buzz action times out after 3 minutes if the user does not accept the action.
  • Background app restrictions are imposed on Android 10 devices. Some apps do not function in the background in the same way that they functioned previously.
  • The Security policies on Apps workflow such as Enforce authentication and compliance are not supported.
  • The App compliance policy to block the app from use is not supported.
  • The Instant Install action works on Samsung and Zebra devices only. This action does not work on other OEM devices.

Device enrollment

  • Android 10+ enrollments into the Device Admin are not allowed for new customers effective from IBM® MaaS360® 10.81 release (12 March 2021).
  • From Android version 14 and later, IBM MaaS360 discontinues support for Device Admin enrollments. For more information, see Release Notes for 10.90.
  • Existing customers who enrolled after the IBM MaaS360 10.80 release can use Device Admin if they enable and configure Android Enterprise. If Android Enterprise is not configured, IBM MaaS360 does the following.
    • Hides the Device Admin enrollment options.
    • Displays banners on the IBM MaaS360 Portal home page, Add Device window, and Directory and Enrollment settings page to inform administrators about the pending Android Enterprise configuration.
    • Blocks Device Admin enrollments on user devices.
    • Displays a message for the Device Admin deprecation notification on the following IBM MaaS360 Portal pages:
      • Device > Enrollments > Other Enrollment Options > Android Configurator (Device Admin).
      • Device > Enrollments > Other Enrollment Options > Samsung Knox Mobile Enrollment.

Moving to Android Enterprise

Device Admin is no longer supported on Android 10+ devices. Existing customers who were using Device Admin must move to Android Enterprise.

Migrating to the Work Profile

Customers on the BYOD program can use the migration option in the IBM MaaS360 Portal to move to Android Enterprise Profile Owner (PO) mode. For a procedure on Device Admin to Profile Owner migration, see Migrating from Device Admin (DA) to the Work Profile.

Migrating to Device Owner and to Work Profile on Corporate Owned devices

Customers who want to move to Device Owner (DO) or Work Profile on Corporate Owned (WPCO) device modes must reset their devices to the original factory settings.