Nathan Ziehnert

5 minute read


This is somewhat old news, but Google is sunsetting Android Device Administrator. It shouldn’t come as any surprise because frankly Android Enterprise is 1000x better. Since Google is removing support for the platform, Microsoft will only (at least as of the time of writing this) support device administrator through the end of Summer 2020. If you’ve still got device administrator devices in your environment, it’s time to talk about migration and mitigation strategies. Don’t get stuck without support!



If the goal is to make the transition for your end users seamless, we’re doing this in advance so you actually have policies that can manage the devices.

Roll Safe


Blocking New Android Device Administrator Enrollments

The easiest win we can have up front is disabling new enrollments. You’ll want to consider the potential impact to end users who have devices which don’t support Android Enterprise. This will include users who wipe their device and re-enroll.

Now’s your chance to learn to navigate the new Microsoft Endpoint Manager Admin Center as well (I promise it won’t hurt too much).

  1. Open up with an account that has Intune Administrator or higher privileges
  2. Click on the Devices blade
  3. Click on the Enroll Devices blade
  4. Select Enrollment restrictions
  5. At minimum you will have a default policy for both Device type restrictions and Device limit restrictions. You can modify the default policies if you wish, but it might be a better idea to create a new policy so that you can test it with a pilot group.
  6. Select Create restriction > Device type restriction if you want to create a new policy, or click on the name of the policy you want to edit.
    1. If you’re creating a new policy, give it a Name and press Next
    2. On the Platform Settings page, select Block on Android device administrator, and then press Next
    3. On the Assignments page, choose the group you want this policy to apply to (possibly a pilot group, or just go full in and send it to all users), then press Next
    4. On the Create restriction page, review your settings and then press Next
  7. Celebrate!

If you need to go back and change settings later, just go back to the Enrollment restrictions blade, click on the name of the policy you want to edit, and then select Properties.

Users who have the policy applied won’t be able to enroll a device that doesn’t support Android Enterprise. Now, just wait for those phone calls to roll into the service desk and be ready to have those conversations about maybe buying a device newer than 5 years old.

Kiddy Cell Phone


Migrating Existing Android Device Administrator Devices

So now your users can’t enroll new devices or re-enroll existing devices into Android Device Administrator. What do we do about the devices that are already in the environment? Well, first we should gather a list of devices that are enrolled with Android Device Administrator.

Gather a List of Android Device Administrator Devices

Finding the devices is pretty easy. From the Microsoft Endpoint Manager Admin Center, open the Devices blade, and then the All devices blade. You’ll be looking for devices with an OS of Android (device administrator).

All Devices

To get a list of just these devices, you can filter your list and in the OS section select just Android (device administrator). You could also create an Azure AD Dynamic Group to send updated policies to these devices or notifications to their company portal. The dynamic device query that you’ll want to use is:

(device.deviceOSType -eq "Android")

Prepare for Migration

The good news is that it is a bit easier to migrate now than it was just over a month ago. There is now a dedicated workflow for end users to guide them through the process. Before this was introduced, users had to unenroll their devices and then reenroll the device. Gross.

You’ll still want to test this process against a subset of devices and users before proceeding, and it would be a good idea to capture screenshots on a test device to provide your end users. If you don’t have the time to write an end-user guide - Microsoft has a very basic one available here:

Two additional considerations we have for the migration are:

  • Devices being migrated need to have Company Portal version 5.0.4720.0 or later installed
  • You may also want to increase device enrollment limits if users are close to the limit already

This is why finding these devices in advance of the migration is a good idea. You now have the ability to give them guidance on updating to the latest Company Portal.

To force devices to reenroll with Android Enterprise we’ll first create a device compliance policy for Android device administrator. You should be intimately familiar with this process already. Under the Device Health section of this new policy select Block for Devices managed with device administrator. Don’t apply this policy just yet - that’s the next section.

Migration Time!

To begin the process of migrating users, start applying the policy we just created to the users or groups you want to migrate. As soon as devices belonging to the user check in (or if you applied the policy to a group of devices) they’ll become noncompliant. Depending on your organizational policies (Conditional Access, etc.) these devices may begin to have a depreciated experience. At minimum the user will be notified via Company Portal that the device is noncompliant and they will be given a list of steps they need to take to bring the device back in compliance - which will also enroll the device in Android Enterprise (if the device supports it).



So it’s pretty simple… for you! The biggest thing about this migration effort is adequately preparing your end users for the migration. You’ll experience more success if you don’t skimp on preparing your users by:

  • Ensuring they are running the latest version of Company Portal
  • Ensuring they have clear guides on what the migration is going to look like for them

Happy Admining!

comments powered by Disqus

Table of Contents