Migrating Teams Android Devices to AOSP Device Management from Device Administrator
Important
This article is being published ahead of the firmware update that supports the migration to Android Open Source Project (AOSP) Management. Publishing it early gives organizations time to prepare their environment to migrate from Android Device Administrator to the new mobile device management (MDM) enrollment method created by Intune, called Android Open Source Project (AOSP) Management. A message center post will be sent to your organization when the AOSP Management firmware is available.
This is a preview or early release feature.
This document describes how IT administrators can prepare their Teams Android Device environment for a migration from Android Device Administrator to the new mobile device management (MDM) enrollment method called Android Open Source Project (AOSP) Device Management. This new MDM enrollment method replaces the legacy Device Administrator enrollment method and serves as the basis for new features and functionality that are rolled out. For this migration to be successful, organizational IT administrators must take specific actions, all of which are covered in this article.
This article covers:
- Set up new AOSP Management Enrollment Profiles
- Set up AOSP Management Configuration & Compliance Policies
- Deploy AOSP Management capable device firmware
Step 1 - Set up new AOSP management enrollment profiles
In order for Teams Android Devices to enroll in AOSP Management, an enrollment profile must be created.
Prerequisites
To migrate from Android Device Administrator to Android AOSP management, you must have:
- Teams Android Devices deployed which are enrolled using Device Administrator.
- Teams Android Devices that are supported with AOSP Management. Any devices not listed aren't supported on AOSP Management: Click Here.
- Intune admin permissions in your Microsoft 365 environment.
Important
If your organization doesn't enroll your Teams Android devices in Intune (typically by disabling the Intune license on your resource accounts), there is no need to set up an enrollment profile or create AOSP Management policies. Upgrade your devices to the AOSP Management capable firmware at release to stay on current firmware; no Intune configuration is required.
Set up AOSP management enrollment profiles
These steps are specific to Teams Android devices. If you have non-Teams devices, refer to the Intune guidance for setting up profiles: Set up Android (AOSP) device management in Intune for corporate-owned user-associated devices - Microsoft Intune | Microsoft Learn
When creating an enrollment profile, verify it doesn't conflict with any enrollment profiles that were created before.
- Sign in to the Intune Management Console with an account with Intune administrator permissions: https://intune.microsoft.com/.
- Select Devices > Enrollment, then Android.
- Under Enrollment Profiles, select Corporate-owned, user-associated device.
- Select Create policy.
- Use the following settings for the profile configuration:
  - Name: Give the profile a name like 'AOSP – Teams Devices'.
  - Description: Put in a description so others in the organization know what this enrollment profile is used for. Use something like 'This AOSP Management enrollment profile is to allow Teams Android Devices to enroll in Intune'.
  - Token expiration date: This defaults to 65 years into the future and is best left at 65 years to avoid policy expiration, which would block enrollment.
  - Wi-Fi: Select Not configured.
  - Microsoft Teams devices: Select Enabled.
Important
The enrollment profile defaults to a 65 year token expiration. If you are a customer participating in the private preview of AOSP DM, you need to have a 90 day or shorter expiration configured. Customers waiting for general availability of AOSP DM can use the 65 year expiration. An expired enrollment token doesn't impact existing devices, only new device enrollments and sign-ins.
- Select Next.
- Review the profile and then select Create.
The enrollment profile has been created and is now ready to enroll devices.
Step 2 - Set up AOSP Management Configuration & Compliance Policies
These steps aren't required for your Teams devices. Any Teams Android Devices that are enrolled in AOSP Management support both Intune configuration policies and Intune compliance policies. While the policies aren't required for the devices to function properly, it's likely you want to use them on the Teams devices in your organization because they bring additional features, functionality, and security for your Teams devices.
AOSP management configuration policies
Currently, the only supported configuration policy for Teams Android Devices enrolled with AOSP Management is the Device Restrictions profile and only the “block screen capture” restriction inside of that profile. Support for more configuration policies is planned in the future.
Creating an AOSP Management Configuration Policy
These steps are specific to Teams Android devices. For non-Teams devices or for more information, please refer to the Intune guidance for setting up profiles: Device restriction settings for Android (AOSP) in Microsoft Intune | Microsoft Learn
- Sign in to the Intune Management Console with an account with Intune administrator permissions: https://intune.microsoft.com/.
- Select Devices > Configuration.
- Select Create > New Policy.
- For Platform select Android (AOSP).
- Under Profile type select Device Restrictions, then select Create.
- Provide a name and description for the policy, then select Next.
- Under General set Block screen capture to Yes, then select Next.
- Assign this profile to all devices or an Entra ID group of devices, select Next, then select Create.
AOSP Management Compliance Policies
There's currently a limited set of supported compliance policies for Teams Android Devices enrolled with AOSP Management, but more are planned for future releases:
- Device Health: Rooted devices (Block).
- Device Properties: Minimum OS version.
- Device Properties: Maximum OS version.
- System Security: Require encryption of data storage on device.
Creating an AOSP Management Compliance Policy
These steps are specific to Teams Android devices. For non-Teams devices or for more information, please refer to the Intune guidance for setting up profiles: Android (AOSP) compliance settings in Microsoft Intune | Microsoft Learn
- Sign in to the Intune Management Console with an account with Intune administrator permissions: https://intune.microsoft.com/.
- Select Devices > Compliance, then Create policy.
- Under Platform, select Android (AOSP), then select Create.
- Provide a name and description for the policy.
- Select Next.
- Enable the desired compliance settings from the supported list.
- Select Next, then select Next.
- Assign this profile to all devices or an Entra ID group of devices.
- Select Next, then select Create.
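Before an existing Android (AOSP) policy is assigned to Teams devices, an export of it can be checked against the two supported lists given above (the 'block screen capture' restriction and the four compliance settings). The following Python is an added example, not Microsoft's code: the `@odata.type` strings and property names are assumed to follow the Microsoft Graph beta schema, and the sample policy is constructed.

```python
import json

# Settings this article lists as supported for Teams Android devices under AOSP
# Management. The @odata.type and property names are ASSUMED to follow the
# Microsoft Graph beta schema; verify them against your own export.
SUPPORTED = {
    "#microsoft.graph.aospDeviceOwnerDeviceConfiguration": {
        "screenCaptureBlocked",            # Block screen capture
    },
    "#microsoft.graph.aospDeviceOwnerCompliancePolicy": {
        "securityBlockJailbrokenDevices",  # Device Health: Rooted devices (Block)
        "osMinimumVersion",                # Device Properties: Minimum OS version
        "osMaximumVersion",                # Device Properties: Maximum OS version
        "storageRequireEncryption",        # System Security: Require encryption
    },
}
# Policy metadata rather than device settings (assumed names).
METADATA = {"id", "displayName", "description", "version", "roleScopeTagIds",
            "createdDateTime", "lastModifiedDateTime"}
# Values treated as "not configured" in an export (assumption).
UNSET = (None, False, "", "notConfigured", "deviceDefault")

def audit_policy(policy: dict) -> dict:
    """Split a policy's configured settings into supported and unsupported."""
    kind = policy.get("@odata.type")
    if kind not in SUPPORTED:
        raise ValueError(f"policy type not covered by the article: {kind!r}")
    configured = {k for k, v in policy.items()
                  if not k.startswith("@") and k not in METADATA and v not in UNSET}
    return {"supported": sorted(configured & SUPPORTED[kind]),
            "unsupported": sorted(configured - SUPPORTED[kind])}

# Constructed sample export, not taken from a real tenant.
SAMPLE = json.loads("""{
  "@odata.type": "#microsoft.graph.aospDeviceOwnerCompliancePolicy",
  "displayName": "AOSP - Teams Devices compliance",
  "securityBlockJailbrokenDevices": true,
  "osMinimumVersion": "10.0",
  "osMaximumVersion": null,
  "storageRequireEncryption": true,
  "minAndroidSecurityPatchLevel": "2024-01-01",
  "passwordRequired": true,
  "passwordRequiredType": "deviceDefault"
}""")

if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE), indent=2))
```

Any name reported under `unsupported` is a setting outside the lists in this article, so it should not be counted on as a control for Teams Android devices until support for it is announced.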
Step 3 - Deploy AOSP Management capable device firmware
Important
You might not be able to complete these steps yet, because they depend on whether the AOSP Management firmware is available for your devices. However, you still need to complete the enrollment profile creation before following these steps.
During the second half of 2024, a new Teams Android Device firmware version will be released that supports the migration to AOSP Management both for currently deployed devices and any new Teams devices. This firmware update will be available in the Teams Admin Center as a manual update to allow admins the time needed to slowly migrate their devices over to AOSP.
Updating devices
These steps provide the guidance for how to update your devices through Teams Admin Center:
- Sign in to Microsoft Teams admin center with an account with Teams device administrator permissions: https://admin.teams.microsoft.com/.
- Select Teams then Devices.
- Select the desired device type.
- Select the display name of the device you wish to update.
- Select Update software.
- Open Manual updates.
- Select the new firmware update, then you can choose to update immediately or during a maintenance window.
- Select Update.
- Allow time for your device to update.
Once the device updates, it should automatically sign back in to Teams and function as normal.
Confirming the AOSP Management update is installed
- Log in to Microsoft Teams admin center with an account with Teams device administrator permissions: https://admin.teams.microsoft.com/.
- Select Teams, then select Devices.
- Select the desired device type.
- Select the display name of the device you wish to update.
- Select History.
- Look for a recent Software update action and confirm the status is Successful.
- When it's successful, select the Health tab.
A 'Microsoft Intune App' and 'Authenticator App' should be listed under software type and shown as Up to date. This confirms that the device is now running an AOSP Management capable firmware.