Android Admin Apps

[Annegret Haldiman]

Withthe release of Android 11.0, the USES_POLICY_RESET_PASSWORDis marked as deprecated when invoked by a device admin and stops functioning.It will throw a SecurityExceptionon apps targeting API level 24 and above.

Android 9.0: Device admin is marked deprecated for enterprise usethrough updates to documentation. Existing functionality continues to workfor applications targeting the API level 28, though its use is discouraged. Allpartners and customers should migrate to work profiles or fully managed devicesbefore the release of Android 10.0.

We recommend partners and customers start to prepare now for this change. Usageof device admin can be identified by a screen (See Figure 1 for an example),when activating management of your device:

We recommend work profiles be used for all personally-owned devices. Migrationfrom legacy device admin to a work profile can be handled with minimaldisruption. This can be handled either by pushing personal devices to install awork profile, or by having new devices enroll with a work profile as existingdevices phase out of the fleet.

We recommend that company-owned devices be set up as fully managed devices.Migrating a device from device admin to managed device requires a factory reset.Since this is more disruptive to users, we suggest a phased adoption, where newdevices are enrolled as fully managed devices but existing devices are left ondevice admin.

Phased adoption: New users and new devices are configured with the newmanagement modes as they are enrolled. Older device admin devices are aged outof the fleet through natural attrition.

When Android 10.0 is released, we expect all devices running it tosupport managed device or work profile modes. Older devices can be migrated asdescribed earlier or managed using device admin until they are replaced.

We recommend that these apps have a mechanism to detect if a device is managedby an EMM and defer to the EMM provider for management. This detection can beachieved via a token exchange through Mobile Configuration Management (MCM).

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

I was assisting a user today with adding his Android device to our MDM system (Microsoft Intune), and he came across the message "Activate Outlook as Device Administrator App," which probably all of us have undoubtedly seen and handled.

Also, it is a legitimate question for the end user to wonder why the Outlook software needs to be added as the device administrator on his own Android smartphone. And why is this required? I was able to convince him of its necessity and significance, which made me wonder: Why not spread the word to everyone so that everyone is aware of what the Device Admin App is and why it is necessary? So, let's get going, then!

Android 2.2 was the first version of Android to support managing mobile devices. Enterprise requirements have changed since then. Devices are being used in a wider range of use cases and accessing more private resources than the original device admin API for Android was intended for. Some examples of these use cases are:

Since Android 5.0 introduced device owner and work profile modes, device administration has been seen as an outdated technique. With the release of Android 9.0, Google has been removing a few policies to make Android Enterprise more secure. Few policies that are deprecated now:

In most cases, a user is denied from accessing corporate resources if their device is evaluated to be non-compliant with the security policies in place. In a nutshell, if a device (for example, a legacy device) does not support all of the stated policies, there is no way to allow the device to connect.

The strictest policy is enforced if a device contains multiple enabled admin apps. There is no way to target a particular admin app. Users must first unregister the app as an administrator to remove an existing device admin app.

In the modern era there is a variety of mobile devices that play a great role in contributing towards organizations success. One of the main challenge with exotechnology is with securing corporate data. An end user accesses corporate data from all type of devices like personal, corporate or kiosks and for each type of device there exists a policy for securing the data.

An EMM deploys a work profile to create an OS-level container that separates a user's personal and work data and programs on their devices. The option to deploy applications utilizing managed Google Play gives businesses greater assurance that data won't be unintentionally or knowingly shared with unapproved applications. Furthermore, if a person leaves the company, IT administrators have the ability to selectively delete enterprise data without affecting their private files.

Lockdown of hardware features, defense against factory reset and unenrollment, administrative remote wipe and reset of the entire device, and customization of programs with support for kiosk or single application deployments are all included in this. The three deployment modes listed below are often administered by organizations utilizing managed device mode, though these can be combined throughout an organization's fleet depending on its needs:

Device Administration is an old way to get Admin access for your App and access features which otherwise is not available, like getting failed login notification, change pin and lock screen. It used to be difficult to uninstall an app on an Android phone with device admin enabled, but with newer Android versions, it's simpler because the user will receive a popup instructing him to turn off the program's admin privileges.

Use the most recent Android Management APIs if you want to make it very tough to uninstall the app. The organization controls the app, and only has the authority to unlock it for uninstallation. This is typically utilized by companies who give their staff mobile devices and have stringent regulations requiring that they install a certain number of apps.

In 2010, Android created a feature known as Device Admin or Device Administrator. The feature was originally launched with Android version 2.2. However, while this feature gives users the ability to change settings on an administrator level, it does not work as an MDM or EMM. Users can use Device Admin with their MDM or EMM to fully take advantage of its management tools.

Device Administration in Android is an API that contains administration features for Android devices. As enterprises expand and require more control over Android devices, Device Admin and its uses have changed.

MDMs or EMMs are then used to make more specifications for the device, including enrolling the device in a company group associated with lists of permissions, pre-downloaded apps, and security procedures that help maintain the safety of company data.

Having password policies on a device is helpful to maintain the security of the device and, therefore, the data that is stored on the device. For companies and those who are storing personal or private data, enforcing the use of secure passwords is paramount.

There is also a policy that requires data storage encryption on supported devices. This feature is great for devices that store sensitive work-related data. This policy is available for devices that run Android versions 3.0 and above.

Another Android Device Admin policy is one that can specify that the camera should be disabled. You may disable the camera based on time, context, and other specifications. This policy is only available for Android versions 4.0 and above.

If you want to enable Device Admin on an Android phone, you only need to follow a few simple steps. You cannot use Device Admin without it enabled through the phone itself. If a user does not enable the app, then Device Admin cannot be used.

There are three different modes which all allow users to make changes to Android devices. These modes are Device Admin, which was introduced in Android 2.2, and Profile Owner and Device Owner modes which are managed device modes. The Profile Owner and Device Owner modes were added in 5.0 in order to better support enterprise environments that use Android devices.

This change is a slow-occurring change that has been planned out over several device updates. Eventually, Device Administrators Android will be a thing of the past for Android users. Instead, they will rely on the Profile Owner and Device Owner modes in order to make similar changes.

Android is phasing out Device Admin by removing functions slowly but surely. For Android version 9.0, some capabilities of Device Admin will no longer be functional, and by the Android 10.0 update, Device Admin will no longer be able to be used.

As an IT admin, you can use an MDM to update the device to operating system 5.0 or higher, depending on your needs. Updating the device to operating system 5.0 or higher will allow the device to have access to Device Admin again.

Keep in mind that Device Admin will no longer be available for Android 9.0 or 10.0. Companies should instead focus on using Profile Owner and Device Owner modes in conjunction with an MDM, such as AirDroid Business.

Hi!

We have drupal site that in bound with discourse forum (sso). Trying to subscribe to our forum from Discourse IOS app (and android too) - add forum in app, proceed to authorize api page, and It can be posible only if we on admin account. New account, moderator account, user with generated API key by admin - just a blank page after login and push Authorize button. Admin account - Discourse app works and authorize normally on IOS and Android.

When I go to my phone's Security Settings > Device Admin Apps, I can remove Bitdefender from the device admin apps. Then, I can uninstall Bitdefender just like any other app. Applock and Anti-Theft are gone. What's the point of using Bitdefender?

3a8082e126