...
Enrolling an Android device on OS version 10+ to Legacy is failing.

While enrolling Android 10+ devices in device administrator (Android Legacy), you might see one of the errors below in Intelligent Hub, depending on the version:

- "Android 10+ enrollments into device administrator are not allowed" (Intelligent Hub 20.10)
- "Because your device is running Android 10 (or a newer version), Android Enterprise is required for enrollment. Please check with your IT admin about enabling Android Enterprise" (Intelligent Hub 20.11+)

In November 2020, the Android Workspace ONE Intelligent Hub and the Workspace ONE UEM Console were updated with the following changes:

Workspace ONE will not allow new device administrator/Android (Legacy) enrollments on devices running Android 10 and above. A new version of Workspace ONE Intelligent Hub (v20.10) for Android in November will block all new enrollments that use device administrator for Android 10 and above only. This change is for all customers. Existing customers will still be able to enroll using device administrator on Android 9 and below using Workspace ONE Intelligent Hub (v20.10).

For new Workspace ONE customers: New customers (new Workspace ONE environments and Organization Groups of type 'Customer') must use Android Enterprise. There will be no option to use Android (Legacy) for new customers. This change will take place in Workspace ONE UEM Console version 2011. If a customer is deploying with VMware for the first time and starts with Workspace ONE UEM Console version 2011, they must use Android Enterprise. There will not be an option for Android Legacy/Device Administrator if the customer begins their Workspace ONE deployment with UEM Console 2011.

For existing customers on Workspace ONE UEM Console version 2010 and earlier: Android Legacy deployments will not be affected on upgrade to Workspace ONE UEM Console version 2011. You can continue to use Android Legacy, and VMware will support Android Legacy until March 31st, 2022, as outlined in the Knowledge Base article Announcing end of support for device administrator (Android Legacy) in Workspace ONE UEM. Note that existing customers will still be subject to the new enrollment restriction in Workspace ONE Intelligent Hub version 20.10 as described above.

For more information about support for legacy Android devices and end of support information, see Announcing end of support for device administrator (Android Legacy) in Workspace ONE UEM.
Device administration will no longer be supported on Android 10+ devices. VMware encourages customers to consider migrating to Android Enterprise.

Migration considerations:

Android Enterprise offers distinct enrollment modes based on the use cases. For an overview of the three enrollment modes, see Understanding Android Device Modes.

Migrating to work managed:

- For Zebra devices running Android 7.0 and above, a migration workflow will soon be available to move devices from device administrator to work managed without a factory reset. We expect this feature to release with Workspace ONE UEM console version 2006 and Intelligent Hub version 20.05.
- For all other devices, the only available option to migrate a device enrolled using device administrator to work managed enrollment is through a factory reset. A workflow can be used in which a device is reset through the UEM Console, and then enrolled using Zero Touch, or Knox Mobile Enrollment for Samsung devices. For more information, see the product documentation.
- Customers are encouraged to use a cap and grow strategy: begin enrolling new devices with Android Enterprise and phase out devices enrolled using device administrator over time.

Migrating to work profile:

- The Workspace ONE UEM console (1907+) includes a migration tool for moving device administrator deployments to the work profile. For more information, see the product documentation.

Migrating to corporate-owned, personally enabled (COPE):

- The only available option to migrate a device enrolled using device administrator to COPE is through a factory reset.
- Customers are encouraged to use a cap and grow strategy: begin enrolling new devices with Android Enterprise and phase out devices enrolled using device administrator over time.
- A workflow can be used in which a device is reset through the UEM Console, and then enrolled using Zero Touch (or Knox Mobile Enrollment for Samsung devices).

For more information, please review Migrating from Android (Legacy) Using Migration Tool.
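The rules above can be applied to a device inventory to see which devices can no longer be enrolled into Android (Legacy), which legacy-enrolled devices stand to lose the four deprecated policies listed in the deprecation section of this page, and which work managed migration path applies. This is an added example, not VMware code; the CSV columns, the sample rows and the helper names are assumptions made for illustration.

```python
import csv
import io
import re

# Constructed sample inventory; the column names are assumptions, not a UEM export schema.
SAMPLE_EXPORT = """serial,manufacturer,os_version,enrollment
A1,Zebra,8.1.0,device_administrator
B2,Samsung,10,device_administrator
C3,Google,Android 11,unenrolled
D4,Samsung,9,unenrolled
E5,Zebra,6.0.1,device_administrator
F6,Google,12,work_profile
"""

# Policies the page lists as no longer usable by device administrators on Android 10.
DEPRECATED_POLICIES = (
    "USES_POLICY_DISABLE_CAMERA",
    "USES_POLICY_DISABLE_KEYGUARD_FEATURES",
    "USES_POLICY_EXPIRE_PASSWORD",
    "USES_POLICY_LIMIT_PASSWORD",
)

def android_major(os_version):
    """Major Android version from strings such as '7.1.1', '10' or 'Android 11'."""
    match = re.search(r"\d+", os_version)
    if match is None:
        raise ValueError(f"unparseable OS version: {os_version!r}")
    return int(match.group())

def triage(row):
    """Apply the page's rules to one inventory row (hypothetical helper)."""
    major = android_major(row["os_version"])
    result = {"serial": row["serial"],
              "legacy_enrollment_blocked": major >= 10,  # Hub 20.10+ refuses these
              "policies_at_risk": [],
              "work_managed_path": None}
    if row["enrollment"] != "device_administrator":
        return result  # not on Android (Legacy): nothing to migrate
    if major >= 10:
        # These stop working once Intelligent Hub targets API level 29.
        result["policies_at_risk"] = list(DEPRECATED_POLICIES)
    zebra = row["manufacturer"].strip().lower() == "zebra"
    # Zebra on Android 7.0+ has a no-reset workflow; every other device needs a reset.
    result["work_managed_path"] = "zebra_in_place" if zebra and major >= 7 else "factory_reset"
    return result

def triage_export(text):
    """Triage every row of a CSV inventory, keyed by serial."""
    return {r["serial"]: triage(r) for r in csv.DictReader(io.StringIO(text))}
```

Devices flagged `factory_reset` are the ones to schedule for a console reset followed by Zero Touch or Knox Mobile Enrollment; work profile migration via the console migration tool is a separate path that this sketch does not model.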
Understanding Device Admin Deprecation on Android 10

In November 2020, VMware Workspace ONE UEM will block all new Android 10 enrollments on Device Administrator.

With the release of Android 10, device administrators are subject to API deprecations and behavioral changes that impact UEM workflows. Device administrators can no longer use the following APIs:

- USES_POLICY_DISABLE_CAMERA
- USES_POLICY_DISABLE_KEYGUARD_FEATURES
- USES_POLICY_EXPIRE_PASSWORD
- USES_POLICY_LIMIT_PASSWORD

Every new version of Android brings new features and security improvements. App developers can only take advantage of these by updating their app's target SDK level when packaging the app for release. The deprecated APIs will only stop working on Android 10 devices when VMware updates the target SDK level for Workspace ONE Intelligent Hub to level 29 (which corresponds to Android 10's SDK level). Currently, VMware's Intelligent Hub is targeting API level 28. Google requires all app developers to update their apps to API level 29 by November 1st, 2020. VMware will delay the SDK level update until the Intelligent Hub release in late September to provide feature continuity for customers that upgrade their device administrator deployments to Android 10.

Additionally, Google has made behavioral changes in Android 10 that make it difficult for a Device Administrator-based UEM app to function. Some of these behavioral changes are in effect even if Intelligent Hub does not target API level 29.

- In Android 10, applications can no longer bring themselves to the foreground from the background.
- Newly enrolling an Android 10 device into Android Legacy may require that the user manually re-open the Intelligent Hub during enrollment, depending on the selected enrollment flow in the environment.
- Hub cannot force the user to set up a passcode by bringing itself to the foreground.
- Android 10 and higher place restrictions on when apps can start activities when the app is running in the background.
- Device administrators can no longer sample IMEI or serial numbers. This limitation could directly impact assignments, access controls, network restrictions, and more.

Useful links to learn more about these behavioral changes:

- Behavior changes for all apps on Android 10.
- Behavior changes for apps targeting SDK level 29.
- Restrictions on starting activities from the background.

Learn more in VMware's Knowledge Base article on "Getting Ready for Android 10".

Documentation

- Migration guidance in VMware Docs
- Network Requirements for Android
- Google Announcement for Device Administrator Deprecation for Android

Video

- Migration to Android Enterprise: VMworld Session Recording
- Android Series: Episode on migration to Android Enterprise
- Getting Started With Android Enterprise - Feature Walk-through

Work Profile Adoption Kit

- Blog post and kit

Podcast

- Android 10 and Device Admin Deprecation

Google Resources

- Migration Bluebook
- Blog and Video: What you need to know about Device Admin Deprecation
- Android Enterprise Employee Adoption Kit
- Device admin deprecation data sheet
- Video: Why you should migrate from Device Admin to Android Enterprise
- Video: Best practices for migrating from Device Admin to Android Enterprise
- Android Enterprise Website
- Android Enterprise Recommended
- Android Enterprise Security White Paper
- Android Security Center
- Android Transparency Report
- Android Enterprise Resources Page

Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on third-party websites. Inclusion of such links does not imply that VMware endorses, recommends, or accepts any responsibility for the content of such sites.