In August this year Microsoft posted an important announcement in the M365 admin portal Message Center as MC665936 entitled "Device Management Changes for Microsoft Teams Android Devices". Microsoft is introducing a new method for managing Teams Android Devices, transitioning from the legacy Android Device Administrator to the Android Open Source Project (AOSP) Device Management. This migration is essential for leveraging new features and functionalities that enhance device management and security, and also because Google has deprecated the Device Administrator API since 2020. The migration will come in the form of a new firmware update to Microsoft Teams Android devices from ODM partners in 2024. The firmware update will move devices from Android device administrator to Android AOSP management. In this blog post we provide a step-by-step guide on how to prepare the Intune environment for this upcoming migration.
Note that MC665936 is not the same as messages MC674247, MC726113 and MC902778, which relate to Intune ending support for Android device administrator on devices with GMS. Teams Android devices do not use GMS and are therefore not impacted by those other notifications.
Preparation Steps
The shift to AOSP Device Management is driven by the need for a more robust and flexible mobile device management (MDM) method. AOSP Management offers several advantages over the traditional Device Administrator, including better support for new features, improved security policies, and a more streamlined enrollment process. In preparation for the migration to AOSP, it is important to keep Device Administrator enrolment enabled until AOSP enrolment is released by both Microsoft and the ODM firmware. Below is a step-by-step guide on preparing the environment:
Step 1: Set Up New AOSP Management Enrollment Profiles
In the Intune Management Console:
- Select Devices > Enrollment, then Android.
- Under Enrollment Profiles, select Corporate-owned, user-associated device.
- Select Create policy.
- Name: Give the profile a name like 'AOSP – Teams Devices'.
- Description: Put in a description so others in the organization know what this enrollment profile is used for. Use something like 'This AOSP Management enrollment profile is to allow Teams Android Devices to enroll in Intune'.
- Token expiration date: This defaults to 65 years into the future and is best left at 65 years to avoid policy expiration which would block enrollment.
- Wi-Fi: Select Not configured.
- Microsoft Teams devices: Select Enabled.
Although not mandatory, setting up configuration and compliance policies can enhance device functionality and security. These policies are not automatically migrated from Device Administrator, so we need to re-create them as AOSP policies for device restrictions and for compliance settings like device health, OS version, and data encryption. Teams Android Devices that are enrolled in AOSP Management support both Intune configuration policies and Intune compliance policies.
Currently, the only supported configuration policy for Teams Android Devices enrolled with AOSP Management is the Device Restrictions profile and only the “block screen capture” restriction inside of that profile. Support for more configuration policies is planned in the future. To create AOSP Management Configuration Policies, in the Intune Management Console:
- Select Devices > Configuration.
- Select Create > New Policy.
- For Platform select Android (AOSP).
- Under Profile type select Device Restrictions, then select Create.
- Provide a name and description for the policy, then select Next.
- Under General set Block screen capture to Yes, then select Next.
- Assign this profile to all devices or an Entra ID group of devices, select Next, then select Create.
There is currently a limited set of supported compliance policies for Teams Android Devices enrolled with AOSP Management, but more are planned for future releases:
- Device Health: Rooted devices (Block).
- Device Properties: Minimum OS version.
- Device Properties: Maximum OS version.
- System Security: Require encryption of data storage on device.
To create AOSP Management Compliance Policies, in the Intune Management Console:
- Select Devices > Compliance, then Create policy.
- Under Platform select Android (AOSP), then select Create.
- Provide a name and description for the policy.
- Select Next.
- Enable the desired compliance settings from the supported list.
- Select Next, then select Next.
- Assign this profile to all devices or an Entra ID group of devices.
- Select Next, then select Create.
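As an added example (not from the original post or from Microsoft), the script below lints a policy body against the configuration and compliance settings listed above before it is assigned to Teams devices, and also checks that the minimum OS version does not exceed the maximum. The @odata.type values and property names are assumptions based on the Microsoft Graph beta schema, and the sample policies are constructed.

```python
# Added example: lint Android (AOSP) policy bodies against the settings this
# post lists as supported for Teams Android devices. Runs offline.
# ASSUMPTION: type and property names follow the Graph beta schema; verify them.
COMPLIANCE = "#microsoft.graph.aospDeviceOwnerCompliancePolicy"
CONFIGURATION = "#microsoft.graph.aospDeviceOwnerDeviceConfiguration"

SUPPORTED = {
    COMPLIANCE: {
        "securityBlockJailbrokenDevices",  # Device Health: Rooted devices (Block)
        "osMinimumVersion",                # Device Properties: Minimum OS version
        "osMaximumVersion",                # Device Properties: Maximum OS version
        "storageRequireEncryption",        # System Security: Require encryption
    },
    CONFIGURATION: {"screenCaptureBlocked"},  # General: Block screen capture
}
# Keys that describe the policy object rather than a device setting.
METADATA = {"@odata.type", "id", "displayName", "description", "version",
            "createdDateTime", "lastModifiedDateTime", "roleScopeTagIds",
            "scheduledActionsForRule"}

def _version(text):
    """Turn '10.0.1' into (10, 0, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def lint_policy(body):
    """Return a list of findings; an empty list means nothing was flagged."""
    kind = body.get("@odata.type")
    if kind not in SUPPORTED:
        return [f"not an Android (AOSP) policy type: {kind!r}"]
    findings = []
    for key, value in sorted(body.items()):
        if key in METADATA or key in SUPPORTED[kind]:
            continue
        if value not in (None, False, "", []):  # unset values are ignored
            findings.append(f"unsupported setting configured: {key}={value!r}")
    low, high = body.get("osMinimumVersion"), body.get("osMaximumVersion")
    if low and high and _version(low) > _version(high):
        findings.append(f"osMinimumVersion {low} exceeds osMaximumVersion {high}")
    return findings

# Constructed sample bodies (not exported from a real tenant).
GOOD = {"@odata.type": COMPLIANCE, "displayName": "AOSP - Teams compliance",
        "securityBlockJailbrokenDevices": True, "osMinimumVersion": "10.0",
        "osMaximumVersion": "12.0", "storageRequireEncryption": True}
BAD = dict(GOOD, passwordRequired=True, osMinimumVersion="12.1")

if __name__ == "__main__":
    for name, body in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_policy(body) or "ok")
```

Because the post expects more settings to be supported in future releases, the SUPPORTED table needs updating as that list grows.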
Now that the environment is prepared, the next phase is to wait for the release of AOSP-capable firmware from ODMs for Teams devices. Until then, Device Administrator is still required and is used by Teams devices signing in to Company Portal for Teams.