Rediger

Del via

Move Android devices from device administrator to personally owned work profile management

  • Artikel

Important

Microsoft Intune is ending support for Android device administrator management on devices with access to Google Mobile Services (GMS) on December 31, 2024. After that date, device enrollment, technical support, bug fixes, and security fixes will be unavailable. If you currently use device administrator management, we recommend switching to another Android management option in Intune before support ends. For more information, see Ending support for Android device administrator on GMS devices.

You can help users move their Android devices from device administrator to personally owned work profile management by using the compliance setting to Block devices managed with device administrator. This setting lets you make devices noncompliant if they're managed with device administrator.

When users see that they're out of compliance for this reason, they can tap Resolve. They are directed to a checklist that guides them through these steps:

  1. Unenroll from device administrator management.
  2. Enroll into personally owned work profile management.
  3. Resolve any compliance issues.

Prerequisites

Create device compliance policy

  1. In the Microsoft Intune admin center, go to Devices.

  2. Select Compliance > Create Policy.

    Create policy

  3. On the Create a policy page, set Platform to Android device administrator > Create.

  4. On the Basics page, type in the Name and Description > Next.

    Basics page

  5. On the Compliance settings page, in the Device Health section, set Block devices managed with device administrator to Yes > Next.

    Block devices

  6. On the Actions for noncompliance tab, you can configure the available actions for noncompliance to customize the end-user experience for this flow.

    Noncompliance actions

    Some actions to consider include:

    • Mark device noncompliant: By default, this action is set to zero (0) days, marking devices as noncompliant immediately. You can increase the number of days to give users a grace period. During this grace period, they can see the flow to move to work profile management without yet being marked noncompliant. For example, you can set this action to 14 days to give users the time to move from device administrator to work profile management without the risk of losing access to resources.

    • Send push notification to end user: Configure this action to send push notifications to the device administrator devices. When a user selects the notification, the Android Company Portal opens to the Update device settings screen. Users can start the flow from there to set up their work profile.

    • Send email to end user: Use this action to notify users about the move from device administrator to work profile management. In the email, you can include the following URL. When this URL is selected, it launches the Android Company Portal to the Update device settings page. From this page, they can start the flow to move to work profile management.

      • https://portal.manage.microsoft.com/UpdateSettings.aspx.
      • For US government, you can use this link instead: https://portal.manage.microsoft.us/UpdateSettings.aspx.

      Note

      • Of course, you can use user-friendly hyper-text for the links in your communication with users. However, don't use URL-shorteners because the links may not work if changed that way.
      • If the Android Company Portal is open and in the background, when a user taps the link they might go to the last page they had open instead.
      • Users must tap the link on an Android device to open the Intune Company Portal app. If they paste the link in a browser, the app won't open.

  7. Select Next.

  8. On the Scope tags page, select any scope tags you want to include.

  9. On the Assignments page, assign the policy to a group that has devices enrolled with device administrator management > Next.

  10. On the Review + create page, confirm all your settings, and then select Create.

Troubleshooting

The end user flow to move to new device management setup guides users through unenrolling from device administrator management. It also helps users set up work profile management on their personal devices. Users must have Android device administrator enrolled devices with Android Company Portal version 5.0.4720.0 or later.

User sees an error after tapping Resolve

If users see an error after tapping the Resolve button, it's likely because of one of these reasons:

  • Work profile enrollment isn't set up correctly. Either an Android Enterprise account isn't connected or enrollment restrictions are set to block personally owned work profile enrollment.
  • The device is running Android 4.4 or earlier, which doesn't support personally owned work profile enrollment.
  • The device manufacturer doesn't support personally owned work profile enrollment on the device model.

Resolve button doesn't appear on the user's device

The Resolve button won't appear on the user's device if the user enrolls into device administrator management after they are targeted with the device compliance policy explained above.

To get the Resolve button to appear, the user must postpone setup and restart the process from the notification.

To avoid this condition, use enrollment restrictions to block enrollment into device administrator management.

User sees an error after tapping URL to Update device settings page

Users might see an error page in the browser when they tap the URL to the Update device settings page of the Android Company Portal. This error can be caused by one of the following conditions:

  • The device isn't an Android.
  • The Android device doesn't have the Company Portal app.
  • The Android Company Portal version is earlier than 5.0.4720.0.
  • The Android device uses Android 6 or earlier.

Next steps

See the end user flow

Manage Android work profile devices with Intune