Device Admin deprecation

Google announced the deprecation of the legacy Device Admin (DA) mode of operation. Google has transitioned to Android Enterprise, which uses a modern framework and offers enhanced security, easier deployment options (Work Profile, Work Profile on Company Owned, Device Owner, Corporate Owned, Single Use), and advanced device management options.

To support the transition to Android Enterprise, Google announced the deprecation of the legacy Device Admin for the enterprise effective with the Android 10 Q release.

How Device Admin deprecation affects MaaS360

Security policies

The following policies are deprecated in Android 10:
  • Passcode policies: Minimum Passcode Quality, Minimum Passcode Length, and Minimum Passcode Age (In Days)
  • Restrictions: Camera
  • Security: Disable Keyguard Features
  • Device Management: Disable Device Management Actions
  • Wi-Fi: The ability to detect whether a Wi-Fi profile is configured is no longer available, which might impact users. Example: The same Wi-Fi profiles are configured the same number of times.
  • Application Compliance: Configure Restricted Applications and Configure Restricted Applications by App Permissions
  • All OEM-specific policies for LG, Kyocera, M3, Panasonic, and Bluebird will not work. Samsung and Zebra-specific policies continue to work.

Other device and reporting impacts

  • Factory Wi-Fi MAC address, Platform Serial Number, and IMEI are no longer reported on Device Admin enrolled devices.
  • Google has deprecated Android Beam (NFC) support. This deprecation impacts NFC-based Device Owner enrollments for Android 10+ devices.
  • The Buzz and Send Message actions are now notifications instead of forced actions. The Buzz action times out after 3 minutes if the user does not accept the action.
  • Background app restrictions are imposed on Android 10 devices. Some apps do not function in the background in the same way that they functioned previously.
  • The Security Policies on Apps workflow, such as Enforce authentication and compliance, is not supported.
  • The App compliance policy to block the app from use is not supported.
  • The Instant Install action works on Samsung and Zebra devices only. This action does not work on other OEM devices.

Device enrollment

  • Effective with the MaaS360 10.81 release, Android 10+ enrollments into the legacy Device Admin are not allowed for new customers.
  • Existing customers who enrolled before the MaaS360 10.80 release can continue to enroll Android 10 or earlier devices using Device Admin.
  • Existing customers who enrolled after the MaaS360 10.80 release can use Device Admin provided that they enable and configure Android Enterprise. If Android Enterprise is not configured, MaaS360 does the following:
    • Hides the Device Admin enrollment options.
    • Displays banners on the MaaS360 Portal Home page, Add Device window, and Directory and Enrollment settings page to inform administrators about the pending Android Enterprise configuration.
    • Blocks Device Admin enrollments on end-user devices.
    • Displays the Device Admin deprecation notification message on the following MaaS360 Portal pages:
      • Device > Enrollments > Other Enrollment Options > Android Configurator (Device Admin).
      • Device > Enrollments > Other Enrollment Options > Samsung Knox Mobile Enrollment.

Moving to Android Enterprise

Device Admin is no longer supported on Android 10+ devices. Existing customers who have been using Device Admin should move to Android Enterprise.

Migrating to the Work Profile

Customers on the BYOD program can use the migration option in the MaaS360 Portal to move to Android Enterprise Profile Owner (PO) mode. For a procedure on Device Admin to Profile Owner migration, see Migrating from Device Admin (DA) to the Work Profile.

Migrating to Device Owner and to Work Profile on Corporate Owned devices

Customers who want to move to Device Owner (DO) or Work Profile on Corporate Owned (WPCO) device modes must reset their devices to the original factory settings.