Menu

Knox Manage support for deprecated device modes in Android 11

Environment

  • Knox Manage
  • Android Enterprise, Android Legacy
  • Samsung devices

Overview

Google recently deprecated two Android device management modes:

  • Fully managed device with a work profile (FMDWP): was deprecated in Android 11 and replaced with a new work profile on company-owned device
  • Device admin (DA): was already deprecated in Android 10, and now app updates must target Android 10

Read on to learn how these deprecated modes are now supported by Knox Manage and the actions you must take to avoid service disruptions.

Fully managed device with a work profile

As previously mentioned through the Knox Manage release notes — August 27, 2020, Android 11 continues to protect user privacy, by limiting an enterprise's ability to view or manage personal activities on a company device. More specifically, Google has replaced fully managed device with a work profile with a new work profile on company-owned device.

With Android 11:

  • New device enrollments: Knox Manage no longer allows a fully managed device with a work profile, by Google policy.
  • Existing device enrollments: Knox Manage provides these migration options:
    • Work profile on company-owned device: Upon firmware update to Android 11, Knox Manage automatically migrates a fully managed device with a work profile to this new mode by default. A work profile on a corporate device differs from that on a personal device in that additional management policies are allowed at the device level. For details, see work profile on company-owned devices.
    • Fully managed device: Knox Manage provides a Device Command called Switch to Fully Managed (Remove Work Profile) so the IT Admin doesn’t have to conduct a device factory reset. This migration using the Device Command must be done before the upgrade to Android 11.
    • Separated Apps: Once you migrate to a fully managed device, you can then use the Knox Service Plugin to add a Separated Apps folder to contain authorized third-party business apps. For details, see Separated Apps.

Android Legacy

With the shift in deployment mode from Android Legacy to Android Enterprise, most of the major EMM vendors stopped supporting the legacy device admin mode in Android 10. However, Knox Manage kept supporting legacy enrollments for devices with Android 10.

With Android 11:

  • New device enrollments: Knox Manage no longer allows deployments to Android Legacy mode.
  • Existing device enrollments: Upon firmware update to Android 11, Knox Manage continues to support devices already enrolled as Android Legacy in Android 10 and lower.

Since new Knox Manage features and product designs will be focused on Android Enterprise implementations, the support scope for Android Legacy will be limited to bug fixes, and migration to Android Enterprise is highly recommended.

Device admin (DA) deprecation

In Android 10 (Q OS), to encourage migration to Android Enterprise, Google deprecated four key device admin (DA) policies that controlled the device camera, password, keyguard, and Wi-fi. Furthermore, by November 2, 2020, Google requires app updates to target API level 29 or Android 10. So, from this date onwards, app updates will start throwing exceptions if they call the four deprecated DA policies.

The Knox Manage v20.11 release no longer supports the four deprecated DA policies in Android Legacy mode.

  • Android Legacy > System > Camera
    • For a Samsung device, the Android policies will be supported constantly by using equivalent Knox policies.
    • For a non-Samsung device, the policies are no longer available and must be released from the policy set before the v20.11 release.
  • Android Legacy > Security > Device Password
    • For a Samsung device, the Android policies will be supported constantly by using equivalent Knox policies.
    • For a non-Samsung device, these policies are no longer available and must be released from policy set before the v20.11 release.
  • Android Legacy > Security > Device Password > KeyGuard (Block Functions on the Lock Screen)
    • For both Samsung and non-Samsung devices, the policies are no longer available and must be released from the policy set before the v20.11 release.
  • Android Legacy > Interface > Wi-Fi
    • For both Samsung and non-Samsung devices, the policies are no longer available and must be released from the policy set before the v20.11 release.
Share it: