MC988140 – Plan for Change: Moving to Android Management API and web enrollment for Android personally owned work profile (archived)

Product:

Entra, Intune, Microsoft 365 admin center

Platform:

Android, Online, Web, World tenant

Status:

Change type:

User impact, Admin impact

Links:

MC1052156

Details:

Later this year we are making two significant improvements for the management of Android personally owned work profile devices. These include a web-based enrollment process and a new implementation to deliver policies by moving to Google's Android Management API. These updates are designed to modernize device management and improve the user enrollment flow.
For more details, review the blog: New policy implementation and web enrollment for Android personally owned work profile

Change Category:
XXXXXXX ... free basic plan only

Scope:
XXXXXXX ... free basic plan only

Release Phase:

Created:
2025-01-25

updated:
2025-01-25

Task Type

XXXXXXX ... free basic plan only

Docu to Check

XXXXXXX ... free basic plan only

MS How does it affect me

XXXXXXX ... free basic plan only

MS Preperations

XXXXXXX ... free basic plan only

MS Urgency

XXXXXXX ... free basic plan only

MS workload name

XXXXXXX ... free basic plan only

linked item details

XXXXXXX ... free basic plan only

summary for non-techies**

XXXXXXX ... free basic plan only

Direct effects for Operations**

Wi-Fi Access Disruption
Users will lose access to corporate Wi-Fi after migration if using username and password for Wi-Fi policies, requiring them to sign in again.
   - roles: End Users, IT Support
   - references: https://learn.microsoft.com/mem/intune/configuration/wi-fi-settings-android-enterprise#enterprise-personally-owned-work-profile

Policy Configuration Changes
Changes in work profile settings may lead to unexpected behavior if not properly configured, affecting user experience and device functionality.
   - roles: IT Administrators, End Users
   - references: https://learn.microsoft.com/mem/intune/configuration/device-restrictions-android-enterprise-personal#work-profile-password

User Notifications and App Visibility
Users will receive notifications about the installation of the Android Device Policy app, which will be hidden and not accessible, potentially causing confusion.
   - roles: End Users, IT Support
   - references: https://aka.ms/Intune-personal-WP-updates

Configutation Options**

XXXXXXX ... paid membership only

Opportunities**

Enhanced User Enrollment Experience
The introduction of a web-based enrollment process simplifies the onboarding of personally owned devices, making it easier for users to enroll their devices without extensive IT intervention. This can lead to a more positive user experience and increased compliance with enrollment policies.
   - next-steps: Develop a communication plan to inform users about the new enrollment process, including guides and FAQs. Train IT support staff to assist users during the transition to the new enrollment method.
   - roles: IT Support, HR, End Users
   - references: https://learn.microsoft.com/mem/intune/configuration/device-enrollment, https://aka.ms/Intune-personal-WP-updates

Improved Policy Management with Android Management API
Transitioning to the Android Management API allows for more efficient policy management and deployment. This API provides a more streamlined approach to manage settings and configurations, reducing administrative overhead and potential errors.
   - next-steps: Audit existing policies and configurations to ensure compatibility with the Android Management API. Create a migration plan for existing devices and schedule the migration process in phases to minimize disruption.
   - roles: IT Administrators, Compliance Officers
   - references: https://learn.microsoft.com/mem/intune/protect/certificates-configure" target="_blank" rel="nofollow noopener noreferrer">https://learn.microsoft.com/mem/intune/protect/certificates-configure, https://learn.microsoft.com/mem/intune/configuration/device-restrictions-android-enterprise-personal

Enhanced Security with Certificate Authentication
By recommending certificate authentication over username and password for Wi-Fi policies, the organization can enhance security and reduce the risk of unauthorized access. This change also minimizes disruption during the migration process.
   - next-steps: Evaluate current Wi-Fi authentication methods and develop a plan to implement certificate-based authentication. Provide training for IT staff on managing certificates and communicate changes to users to ensure a smooth transition.
   - roles: IT Security, Network Administrators, End Users
   - references: https://learn.microsoft.com/mem/intune/configuration/wi-fi-settings-android-enterprise#enterprise-personally-owned-work-profile, https://learn.microsoft.com/mem/intune/protect/certificates-configure" target="_blank" rel="nofollow noopener noreferrer">https://learn.microsoft.com/mem/intune/protect/certificates-configure

Potentional Risks**

XXXXXXX ... paid membership only

IT Security**

XXXXXXX ... paid membership only

explanation for non-techies**

Later this year, there will be two important updates for managing Android devices that employees use for work. These updates aim to make managing these devices easier and improve how users set them up for work purposes.

First, imagine you’re setting up a new smartphone. In the past, you might have had to follow a series of steps that felt like filling out a paper form with lots of questions. With the new web-based enrollment process, it’s more like filling out a simple online form that guides you through the setup quickly and efficiently. This change means that when new devices are set up, they will automatically use this new, streamlined process without needing any extra work from IT administrators.

The second update involves moving to Google's Android Management API. Think of this like upgrading from a basic car to a more modern vehicle with advanced features. This new system will allow for better management of devices, much like how a modern car offers more control and options than an older model. Existing devices will need to be switched over to this new system, but there will be tools available to help make this transition smooth. If no action is taken, devices will automatically switch over by 2026.

For users, this means they might notice some changes. For example, the Intune app and another app called Android Device Policy will be installed on their devices. However, the Android Device Policy app will be hidden, so users won’t see it or be able to open it. If employees use a username and password to connect to corporate Wi-Fi, they will need to sign in again after their device is updated. To avoid this inconvenience, it’s recommended to use a more secure method like certificate authentication.

Some settings related to work contacts and screen timeouts will also be adjusted. For instance, if you have set rules about displaying work contacts or locking the device after a certain period of inactivity, these settings will be updated to work with the new system.

To prepare for these changes, it’s a good idea to review any current policies you have in place and update your documentation. Let your users or helpdesk know about these changes so they’re not caught off guard. More information and specific timelines will be shared in the coming months to help everyone get ready.