Android (Legacy), also known as Device administrator, is the legacy method of enrolling Android devices with the Workspace ONE UEM console after Android’s Work Managed and Work Profile modes were introduced in Android 5.0. Customers who are enrolled into Workspace ONE UEM using Android (Legacy) deployment can migrate to Android Enterprise to take advantage of device functionality for the enterprise.

This section gives you information and best practices on how to move from the Android (Legacy) deployment to Android Enterprise.

Google deprecated certain device administrator APIs in favor of more up-to-date device functionality because device administrator is not well suited to support current enterprise requirements. Workspace ONE UEM customers can adopt Work Managed (ideal for corporate owned devices), Work Profile (ideal for BYOD deployments), and Corporate Owned Personally Enabled (COPE) modes to manage their Android devices by migrating from Android (Legacy) to Android Enterprise.

Best Practices for Legacy Android Migration

When to migrate to Android Enterprise is at the discretion of your business needs, and the timing of the actual migration depends on your organization's use cases. Here are a few considerations:

  • If your current devices are unlikely to receive Android 10, or the OS updates are controlled by your organization, it is not necessary to migrate these devices. You can deploy Android enterprise for newly purchased devices.

  • BYOD devices are the most vulnerable as end users are likely to update their devices to the latest operating system. A migration from device administrator to work profile can be achieved using the Android Legacy Migration feature in the Workspace ONE UEM console.

How to Migrate Between Device Modes

Migrate from Legacy Android to Android Work Managed Mode Using Zebra Android Devices

Zebra devices running Android 7 and higher and MXMF 7 and higher support a migration from Android (Legacy) to Android Enterprise Work Managed mode. Contact Zebra support to retrieve a certificate for your company, which is required from a security perspective to ensure the integrity of the migration. Certificates typically have a short lifespan (30-90 days). The certificate should be in .pem format.

Zebra may request the following information for the certificate generation:

  • App performing the migration: Zebra MX Service
  • App being migrated to Work Managed: Workspace ONE Intelligent Hub for Android
  • Customer Name

The migration requirements and features from this flow include:

  • VMware Workspace ONE UEM 2006 or later
  • Workspace ONE Intelligent Hub 20.05 for Android and Zebra MX Service 4.8 for Android.
  • If using APF files for enrollment or Hub Upgrade, the Device Administrator (Android (Legacy)), listed as DA, version of the APF file should be used for enrollment, and the Work Managed (Android Enterprise), listed as DO, version should be used for upgrade.
  • The migration is done remotely and silently.
  • Google accounts cannot be present on the device, as it will cause migration to fail. Remove any Google accounts before migrating.
  • Devices do not power off, reboot, or reset during the migration, ensuring app data remains intact.
  • Wi-Fi connectivity is maintained during the migration.
  • Products which do not contain profiles remain installed.
  • Migration to AOSP/Closed Network mode is fully supported.

Android EMM Registration

Set up Android EMM Registration in your environment to enable enrollment and migration of devices into Android Enterprise.

Migration Eligibility

Two new custom attributes, migration.do.eligible and migration.do.ineligibilityReason, are reported to the console. If migration.do.eligible has a value of 'true' then the device is capable of migration. The console will automatically check this attribute prior to sending a migration command to the device. If the value is 'false' then please check migration.do.ineligibilityReason for further guidance.

Migrate to Android Work Profile from Android (Legacy)

The Workspace ONE UEM console provides a seamless process that helps you migrate all devices from Android (Legacy) to a Work Profile for Android Enterprise. The migration features in the UEM console help you to make sure that:

  • Your legacy administration remains intact until migration is complete.
  • Devices not being migrated are never affected.
  • You can monitor which devices are complete, in progress, and assigned.
  • You can create staging or test Smart Groups to make sure that all user devices successfully migrate before migrating your entire device fleet.

Migrate from Android (Legacy) to Android Enterprise with Corporate Owned Devices

You can migrate from Android (Legacy) to Android Enterprise with your corporate owned devices into Work Managed Mode or Corporate Owned Personally Enabled (COPE). The enrollment and migration options vary depending on Android OS, device type, and whether the devices have access to Google Services. This scenario is best for migrating non-Zebra Android devices.

The migration and enrollment options are:

  • Use Fully Managed enrollment for Android 8.0+ devices.
  • Use Knox Mobile Enrollment for Samsung Android 8.0+ devices.
  • Follow the Cap and Grow strategy and continue to use your current Android devices enrolled through Android (Legacy). A Cap and Grow strategy means that any new device rollouts are automatically enrolled into Android Enterprise and managed simultaneously with older deployments (Android (Legacy)) until your organization is ready to move all devices to Android Enterprise.

Migrate from Android (Legacy) to Android Enterprise Without Google Services

If you are currently enrolled into Workspace ONE UEM with Android devices deployed through Android (Legacy) and want to switch to Android Enterprise without Google Services, we offer Closed Network support for corporate owned devices and unmanaged enrollment for BYOD devices.

If you have a device that has no network connectivity, or a device that can connect to a network but has no Google services (a non-GMS certified device), you can enroll these devices into Android Enterprise in Work Managed Mode, push internal applications, and apply policies with Android profiles.

If you have a device that has network connectivity but has restrictions on Google Services, for example devices being in China, you can use Closed Network support for corporate devices. For BYOD devices, you can use SDK-based MAM only mode called Registered Mode to enable unmanaged enrollment for Android devices.

Migrate to Android Enterprise Using Zero Touch Enrollment

Zero-touch enrollment allows Android devices to be configured in bulk with Workspace ONE UEM as your EMM provider right out of the box without having to manually set up each device. Using Zero-touch enrollment with your Android (Legacy) migration allows you to move your devices to Fully Managed mode with ease and ensures the migration is completed securely.

  1. Set up the Workspace ONE UEM console by completing the prerequisites for Android (Legacy) Migration.
  2. Complete Zero-Touch enrollment to get your devices added into the Zero-Touch portal.
  3. Test and make sure the migration flow works for your test devices. Remember a Wi-Fi profile has to be created for the migration to be successful.
  4. Send a "Device Wipe" command to the devices previously managed under Android (Legacy).

Impact on APIs

Google deprecated certain device administrator APIs in favor of more up-to-date device functionality because device administrator is not well suited to support current enterprise requirements. The following APIs available with device administrator no longer function on devices running Android 10 and above. Devices remaining on Android 9.0 and below are not impacted:

  • USES_POLICY_DISABLE_CAMERA
  • USES_POLICY_DISABLE_KEYGUARD_FEATURES
  • USES_POLICY_EXPIRE_PASSWORD
  • USES_POLICY_LIMIT_PASSWORD
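
The following is an added example, not VMware or Google code. It sorts legacy-enrolled devices into planning buckets using the migration.do.eligible and migration.do.ineligibilityReason attributes described under Migration Eligibility, and flags devices on Android 10 and above where the four policies listed above no longer function. The CSV column layout, device names, and reason strings are constructed assumptions, not a Workspace ONE UEM export format.

```python
import csv
import io

# Device administrator policies the page lists as non-functional on Android 10+.
DEAD_ON_10 = ("USES_POLICY_DISABLE_CAMERA", "USES_POLICY_DISABLE_KEYGUARD_FEATURES",
              "USES_POLICY_EXPIRE_PASSWORD", "USES_POLICY_LIMIT_PASSWORD")

# Constructed sample. Column layout, device names and reason strings are
# assumptions for illustration, not a Workspace ONE UEM export format.
SAMPLE_EXPORT = """\
device,os_major,enrollment,migration.do.eligible,migration.do.ineligibilityReason
dev-001,10,legacy,true,
dev-002,11,legacy,false,constructed-reason-google-account
dev-003,8,legacy,false,constructed-reason-mx-version
dev-004,9,legacy,,
dev-005,11,enterprise,,
"""

def triage(export_text):
    """Sort legacy-enrolled devices into migration planning buckets."""
    plan = {"migrate": [], "blocked": [], "unreported": [], "unenforced_policies": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enrollment"].strip().lower() != "legacy":
            continue  # already on Android Enterprise, nothing to migrate
        dev = row["device"]
        eligible = row["migration.do.eligible"].strip().lower()
        if eligible == "true":
            plan["migrate"].append(dev)
        elif eligible == "false":
            reason = row["migration.do.ineligibilityReason"].strip()
            plan["blocked"].append((dev, reason or "no reason reported"))
        else:
            # Attribute missing: treat as unknown, never as eligible.
            plan["unreported"].append(dev)
        if int(row["os_major"]) >= 10:
            # Still under device administrator on Android 10+: the four
            # policies in DEAD_ON_10 are no longer enforced on this device.
            plan["unenforced_policies"].append(dev)
    return plan

if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE_EXPORT).items():
        print(f"{bucket}: {devices}")
    print("policies affected on Android 10+:", ", ".join(DEAD_ON_10))
```

Devices in the unenforced_policies bucket are the ones where camera, keyguard, and password policies are silently not applied, so they are the natural first candidates for migration.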

Frequently Asked Questions for Android (Legacy) Migration

To help you better understand the Android (Legacy) migration, here are some commonly asked questions and best practices to make for a successful migration.

  • When I enable Android enterprise in an organization group, does it affect my existing device administrator enrollments?

    • Current device administrator enrollments will remain enrolled and will receive all assigned profiles and apps. Enabling Android enterprise will affect new enrollments only; when a new Android enterprise-capable device enrolls it will use Android enterprise. If a device is not Android enterprise capable, it will enroll using device administrator.
  • Can device administrator and Android enterprise co-exist in the same UEM console?

    • Device administrator enrollments and Android enterprise enrollments can co-exist in the same organization group. Profile management is separated as Android and Android (Legacy) for Android enterprise and device administrator enrollments respectively.

      Additionally, with UEM console v9.2.0+ it is possible to override Android enterprise enrollments at specific organization groups, or even limit it to specific smart groups.

  • Can I use Product Provisioning with Android enterprise?

    • Product Provisioning is supported on Fully Managed devices.
  • Are OEM-specific management capabilities available on devices enrolled through Android enterprise?

    • OEM-specific management capabilities are possible through OEMConfig. OEMs such as Samsung and Zebra have created public apps that can be added to the Workspace ONE UEM console. These apps provide app configuration key-value pairs that can alter device capabilities.
  • Does Workspace ONE Assist work with Android Enterprise?

    • Workspace ONE Assist is compatible with all Android Enterprise enrollment options.
  • Can new customers use Android (Legacy)?

    • New Workspace ONE UEM customers must set up Android Enterprise to deploy Android devices.

    • Existing customers can disable and re-enable Android (Legacy) as desired.

Now that you understand Android (Legacy) migration, you can proceed to complete the prerequisites to begin migration.
