How to Migrate from Android Device Admin (legacy) to Android Enterprise with Microsoft Intune

A few days ago I wrote a blog on How to Enable Android Enterprise and configure Personal devices with a Work Profile in Microsoft Intune. After posting this blog I got some questions from people who asked me how to migrate their currently enrolled devices to Android Enterprise.

Unfortunately, this process cannot be fully automated. Devices that are currently managed through Android Device Admin need to be re-enrolled before you can manage them via Android Enterprise; there is no in-place conversion. In this blog I will share my best practice on how to migrate from Android Device Admin (DA) to Android Enterprise in 3 easy steps.

Step 1: Create a Pilot security group

The Android Enterprise profiles and policies differ from the current Device Admin (legacy) profiles. Therefore, a completely new policy set needs to be created. And with every new policy set, my advice is to test it first on a select group of pilot users. So the first step is to create an (Azure) AD Security group, if you have not already done so, and make the relevant pilot users a member of it.

Step 2: Configure the Profiles, Apps and Conditional Access

The second step is to create the new Profiles, publish the Managed Google Play apps, and create the App Protection policies and Conditional Access policies, as described step by step in one of my previous blogs. Make sure that you assign everything to the (Azure) AD Security group created in step one.

Step 3: Configuring the Microsoft Intune Enrollment restrictions

If you take a look at the Device enrollment Restrictions within your Microsoft Intune console, you will probably see that Android is Allowed and Android work profile is Blocked in the All Users profile, as in the screenshot below:

If we turn this around (block Android, Allow Android work profile), this would mean that every new Android device that enrolls with Microsoft Intune will automatically be enrolled with an Android Enterprise work profile. Because it’s recommended to test the new Android Enterprise configuration first for a selected group of test users, you can leave this as it is for now.

For the test user group a new restriction profile must be created with a higher priority. To do so, follow the next steps.

Open the Microsoft Azure Portal and navigate to: Microsoft Intune > Device enrollment > Enrollment restrictions and click + Create restriction

Enter a Name and a Description and select Device Type Restriction as Restriction type. Open the Select platforms page and make sure Android is set to Block and Android work profile is set to Allow.

Click OK.

Open the Configure platform page. Here you can change any setting like minimum or maximum OS version. Click OK, then Create.

The final step is to assign this profile to the group with test/pilot users. Click Assignments and select the Android Enterprise Pilot user group created in step 1.

Click Save

Go back to the Enrollment restrictions page. As you can see, the new Restrictions profile is created with Priority 1, so it is evaluated before the All Users default. The following has now been realized:

  • Users who are members of the Pilot / Test group and enroll their Android device with Microsoft Intune get an Android Enterprise work profile.
  • Users who are NOT members of the Pilot / Test group still get the old Device Admin enrollment.
  • Users in the Pilot / Test group whose Android devices are already enrolled with Microsoft Intune via Device Admin first need to un-enroll and re-enroll to get the Android Enterprise work profile. Enrollment restrictions are only evaluated at enrollment time; they do not change devices that are already enrolled.
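To make the three outcomes above concrete, here is an added example (my own illustration, not part of the original post or Intune itself) that models how the prioritized restriction profiles decide the enrollment type a user gets, and then walks a device inventory to find Device Admin enrollments whose owner would now receive a work profile, i.e. the devices that still need to be un-enrolled and re-enrolled. The sample devices, users and group names are constructed. The inventory is shaped like a trimmed Microsoft Graph `managedDevices` response; the assumption that legacy Device Admin devices report `deviceType` `android` and work profile devices `androidForWork`, and that a new enrollment takes the work profile whenever that platform is allowed, are modelling assumptions to check against your own tenant.

```python
from dataclasses import dataclass

# Enrollment types as the Graph managedDevice.deviceType property reports them for Android.
# Assumption: legacy device administrator enrollments show up as 'android' and
# work profile enrollments as 'androidForWork'; verify against your own tenant.
DEVICE_ADMIN = "android"
WORK_PROFILE = "androidForWork"


@dataclass(frozen=True)
class RestrictionProfile:
    """One Intune device type restriction, reduced to the two Android platform switches."""
    name: str
    priority: int                 # lower number wins; the built-in default is evaluated last
    assigned_groups: frozenset    # Azure AD group names; empty means the default (all users)
    android_allowed: bool         # the "Android" (device administrator) platform switch
    work_profile_allowed: bool    # the "Android work profile" platform switch


def effective_profile(user_groups, profiles):
    """Return the restriction profile Intune applies to a user: the lowest
    priority number among profiles assigned to one of the user's groups,
    falling back to the default profile that has no group assignment."""
    for profile in sorted(profiles, key=lambda p: p.priority):
        if not profile.assigned_groups or profile.assigned_groups & user_groups:
            return profile
    raise ValueError("no default restriction profile defined")


def expected_enrollment(profile):
    """Enrollment type a *new* Android enrollment gets under a profile.
    Modelling assumption: work profile is used whenever it is allowed, device
    administrator only when it is the sole allowed platform; None means blocked."""
    if profile.work_profile_allowed:
        return WORK_PROFILE
    if profile.android_allowed:
        return DEVICE_ADMIN
    return None


def devices_needing_reenrollment(devices, memberships, profiles):
    """Legacy device administrator enrollments whose owner would now receive a
    work profile. Restrictions are only evaluated at enrollment time, so these
    devices stay on device administrator until the user un-enrolls and re-enrolls."""
    stale = []
    for device in devices:
        if device["operatingSystem"] != "Android" or device["deviceType"] != DEVICE_ADMIN:
            continue
        groups = memberships.get(device["userPrincipalName"], frozenset())
        if expected_enrollment(effective_profile(groups, profiles)) == WORK_PROFILE:
            stale.append((device["deviceName"], device["userPrincipalName"]))
    return stale


# Restriction profiles as described in the post: a Priority 1 pilot profile that
# blocks Android and allows Android work profile, and the All Users default.
PILOT = RestrictionProfile("Android Enterprise Pilot", 1, frozenset({"AE-Pilot"}), False, True)
DEFAULT_DA = RestrictionProfile("All Users", 99, frozenset(), True, False)   # before cutover
DEFAULT_WP = RestrictionProfile("All Users", 99, frozenset(), False, True)   # after cutover

PILOT_PHASE = [DEFAULT_DA, PILOT]
AFTER_CUTOVER = [DEFAULT_WP]

# Constructed sample inventory, shaped like a trimmed Graph
# GET /deviceManagement/managedDevices response (not real tenant data).
SAMPLE_DEVICES = [
    {"deviceName": "alice-pixel", "userPrincipalName": "alice@contoso.example",
     "operatingSystem": "Android", "deviceType": DEVICE_ADMIN},
    {"deviceName": "bob-galaxy", "userPrincipalName": "bob@contoso.example",
     "operatingSystem": "Android", "deviceType": DEVICE_ADMIN},
    {"deviceName": "carol-pixel", "userPrincipalName": "carol@contoso.example",
     "operatingSystem": "Android", "deviceType": WORK_PROFILE},
    {"deviceName": "dave-iphone", "userPrincipalName": "dave@contoso.example",
     "operatingSystem": "iOS", "deviceType": "iPhone"},
]
# Constructed group memberships: only alice and carol are in the pilot group.
SAMPLE_MEMBERSHIPS = {
    "alice@contoso.example": frozenset({"AE-Pilot"}),
    "carol@contoso.example": frozenset({"AE-Pilot"}),
}

if __name__ == "__main__":
    for phase, profiles in (("pilot phase", PILOT_PHASE), ("after cutover", AFTER_CUTOVER)):
        print(phase, "->", devices_needing_reenrollment(SAMPLE_DEVICES, SAMPLE_MEMBERSHIPS, profiles))
```

During the pilot phase only alice's Device Admin device is flagged: she is in the pilot group, so a fresh enrollment would give her a work profile, while bob keeps Device Admin by design and carol already has a work profile. Once the All Users profile is flipped, bob's device is flagged as well. In a real tenant you would feed the functions with the Graph inventory and the pilot group's members instead of the constructed samples.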

When the Android Enterprise test phase is successful, change the All Users Restrictions profile to block Android and allow Android work profile. You can then delete the Restriction profile created in Step 3 and the Security group created in Step 1.

After that, every new Android device that enrolls or re-enrolls with Microsoft Intune gets the Android work profile. Devices that were enrolled via Device Admin before the change keep that enrollment until their users un-enroll and re-enroll, so plan that communication and track which devices are still on Device Admin.

About Robin Hobo

I work as a Senior Solution Architect with focus on the Modern Workspace. I am specialized in Azure Virtual Desktop (AVD), Windows 365 and Microsoft EM+S (including Microsoft Endpoint Manager - Microsoft Intune).

For my full bio, check the About Me page.
