At the Android Enterprise Summit in London, Google shared more specific detail about the forthcoming changes in Device Admin.
When Android version Q is released some APIs used by Device Admin will be blocked and cause exceptions on the device and applications will stop working.
The same update will be released onto Android P “Pie” at the same time - with an important and useful difference. Those APIs will not be blocked but instead write errors into the device's logs (users will notice nothing.) These logs can be viewed by IT Administrators to make sure that nothing is in use that will fail when Android Q arrives at the device.
Android P and earlier will continue to run, for now, with Device Administrator. At some point in the future it is likely that Google Play Protect will detect and block the Device Admin APIs, again causing loss of access to applications. To be clear this is a potential future change and not something to force any action at this time.
If you have any Android P devices with the capacity to upgrade to Android Q when it is released (in some ways this is hopefully a high proportion of devices), you must enrol them into Android Enterprise before they update the Operating System to avoid loss of service. Whilst this does involve factory resetting the devices, it is better to carry out as a managed process than react after an upgrade.
The least disruptive way of adopting Android Enterprise (above point not withstanding) is to define a cut-off point where existing devices carry on with Android Device Admin but any new device, reset device or switch of handset between users is registered as Android Enterprise.
Some other recommended actions:
- Reach out to your MDM/EMM/UEM provider and seek confirmation that they fully support Android Enterprise along with the ability to help you configure all of your use cases and feature parity.
- Ensure that your MDM is able to support the full range of Android Enterprise deployment options and explain them clearly - there are more acronyms in current use than deployment variations! (BYOD, COPE, Work Profile, Fully Managed, COSU etc.)
Further investigation reveals that with Android Q and Work Profile, Google are enabling privacy by design (no visibility of personal side of device) and Shared Data between personal /business Calendar, Contacts and others. This sharing is being done in a managed way BUT please ensure that you fully understand any risks in relation to your organisation.