Android Device Administration Vs Android Enterprise
Updated: Jul 8, 2022
In this blog, I will explain what is Android Device Administration and Android Enterprise, why device administration got depreciated by Android and the benefits of using Android Administration for better device management. and the difference between DA and AE
What is Device Administration? and why does it gets depreciated?
Android introduced support for the management of mobile devices in Android 2.2, to manage some permission that can be implemented locally within the app or by remote management tools, with the help of android device admin API which provides device admin features at the system level. The APIs allow the creation of security-aware apps that are useful in enterprise settings, in which device admin require rich control over employee devices for example the native email client which leveraged the API to improve the exchange support, by informing password complexity to the app by helping administrators to improve the security. Administrators can remotely wipe the lost or stolen device.
Since then the need for enterprises has evolved, devices are used to access more confidential resources and used in a wider variety of use cases, device admin API was originally designed for some of the below use cases
Separation of work data from personal data in mixed-use or BYOD deployments.
Distribution of business applications and management of their data through Google Play and managing the Google Accounts needed for this.
Locking devices into a kiosk to tailor them for specific application uses.
Certificate management to allow for access to PKI-secured resources.
Establishment of per-app and per-profile VPNs to support remote enterprise applications while protecting privacy.
At the same time, enterprises started demanding a better trust relationship than device admin because a device admin can be enabled by any application authorized by the user, which lacks the support of different enterprise use cases
Setting factory reset protection (FRP) to ensure devices remain managed and can be recovered when employees leave.
Secure reset of device passwords on encrypted devices.
Prevent removal of the device administrator (removed in Nougat for security reasons).
Establishment of admin-defined passcodes to lock the user out of a device (removed in Android 7.0 Nougat for security reasons).
Considering better management for enterprise use cases android had come up with Android enterprise and depreciated Device Administration from 2019 and Android 10, it will no longer be possible to use legacy Device Administrator APIs for managing Android devices. It was always difficult to manage the android devices using device administration, during my days I remember Samsung Knox was the only device that supported device administration better than other devices. Samsung who have developed and leveraged Knox Mobile Enrolment (KME) for several years to ease device administration EMM enrolment, for organizations that didn’t or couldn’t use it, Android enrolment has been consistently complex and error-prone.
What is Android Enterprise?
Android Enterprise is a Google-led initiative to enable the use of Android devices and apps in the workplace. The program offers APIs and other tools for developers to integrate support for Android into their enterprise mobility management (EMM) solutions
An Android Enterprise solution is a combination of three components: your EMM console, Android Device Policy, and managed Google Play.
Some benefits of Enterprise administration
Consistent, reliable management
Flexible, simple & safe application management
Zero-day support for new features and functionality
Secure by default
A solid foundation on which to build
There are four different use cases for Android Enterprise
Work profile for employee-owned devices (BYOD)
Work profile for mixed-used company-owned devices
Full management for work-only company-owned devices
Full management for dedicated devices
I had written a blog explaining the different use cases of android enterprise and how to migrate from Device administration to Android Enterprise Please refer to the blog @ https://howtomanagedevices.com/intune/2233/android-enterprise-administration-intune/
Android Enterprise (AE) offers a few things:
A reliable EMM experience, knowing when a configuration is pushed, all AE devices will support and execute the relevant requests.
A containerized work/life separation primarily aimed at BYOD is referred to as a work profile.
A fully locked-down, managed mode for complete corporate ownership with no personal space, referred to as fully managed (previously work-managed).
A single-use mode (Android Kiosk, but on a fully managed device) for Kiosk-like applications, referred to as dedicated (previously COSU – Corporately Owned, Single Use).
A combined, COPE mode brings together a fully managed and work profile to provide a fully managed device with personal space (fully managed devices with work profiles).
Out-of-the-box, zero-touch enrolment for Android 8.0 and above (or 7.0 for Pixel).
A managed Google Play portal offering an application store for work devices containing only explicitly approved applications.
Silent application installation without the need for a user-provided Google account on the device.
Managed configs, a way of deploying corporate settings to managed applications (think Exchange profiles, but configurable in Gmail directly. See below).
Mandatory device encryption.
OEMConfig, a means for OEMs to provide additional APIs over and above Android Enterprise easily managed directly through an EMM
The Picture Above Explains the Break Down of Management Scenarios for Android Enterprises
Device Administration VS Android Enterprise
It is recommended to use Android Enterprise for better management and Secure.