Knox SDK frequently asked questions — Device admin deprecation
In December 2017, Google publicly announced the deprecation of the device admin (DA) mode of mobile device management.
This deprecation is designed to expedite the migration:
- from the legacy device admin API
- to the new Android Management API, which was designed for the Android Enterprise (AE) ecosystem
Android originally introduced device admin in Android 2.2. Since then, the needs of enterprises have evolved. Devices are increasingly accessing more confidential resources and being used in a wider variety of use cases than those for which device admin was intended.
DA has been considered a legacy management approach since the launch of AE and its device owner (DO) and work profile owner (PO) model in Android 5. With DA, an app had access to privileged resources on the device by mere virtue of it being a DA app. Because DA isn’t well suited for today’s enterprise requirements, customers and partners are strongly advised to adopt AE from now on.
To this end, Google has deprecated four essential DA policies that managed passwords, the keyguard (lockscreen), and camera. These deprecated policies:
- were marked as legacy in Android 9 (or Pie, API level 28)
- now throw security exceptions and no longer work when used in Android 10 (or Q, API level 29)
Apps uploaded to the Google Play store now need to target a recent Android API level to ensure that users benefit from significant security and performance improvements. By November 2, 2020, Google requires app updates to target API level 29, which corresponds with Android 10 (Q). So by this date, the deprecated DA policies stop working.
The following Android device admin (DA) policies have been deprecated:
- USES_POLICY_DISABLE_CAMERA
- USES_POLICY_DISABLE_KEYGUARD_FEATURES
- USES_POLICY_EXPIRE_PASSWORD
- USES_POLICY_LIMIT_PASSWORD
All other DA policies including the following consumer-oriented policies are not impacted:
For information about alternative Samsung Knox SDK APIs you can use to manage the deprecated DA policies on Samsung devices, see DA deprecation and Samsung.
The Android platform provides a framework API that apps can use to interact with the underlying Android system. Each framework API version is identified by an API level.
By November 1, 2020, Google requires all apps to update to API level 29, which corresponds with Android 10 (Q). So by this date, the deprecated device admin policies will cease to work.
Samsung Knox SDK APIs that require the caller to be a device admin (DA) will continue to be fully supported. There is no change required from UEM providers, app developers, or Knox customers.
Those using the deprecated Android device policies can use Knox APIs as an alternative workaround until migration to Android Enterprise is complete. For details, see DA deprecation and Samsung.
If you are a UEM provider that is managing devices, we recommend that you plan to migrate to the Android Enterprise Device Owner (DO) and Profile Owner (PO) management modes, to take advantage of all new Android Enterprise features which will be rolled out for the AE DO/PO management mode only.
For details, see Google’s Android Enterprise Migration Bluebook.
If you are a Solution Partner, for example, a Systems Integrator or Independent Software Vendor, you can continue to call APIs in the Samsung Knox SDK. If you are calling Android DevicePolicyManager APIs, however, you will need to work with the UEM app on the device and request delegation.
The following device admin (DA) policies will fail to work when your EMM DPC is upgraded to target the Android Q API level 29:
- USES_POLICY_DISABLE_CAMERA
- USES_POLICY_DISABLE_KEYGUARD_FEATURES
- USES_POLICY_EXPIRE_PASSWORD
- USES_POLICY_LIMIT_PASSWORD
If your DA app relies on any of these, you must migrate your app to an Android Enterprise Device Owner (DO) or Profile Owner (PO), as the above four policies cannot be delegated by a DO/PO to a DA. Only devices that run DPCs targeting Q features are required to migrate if they are still on DA. DPCs targeting an API level below Q:
- will not be impacted, even if the devices are upgraded to Android Q.
- will continue to be installable on devices running Android Q.
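The rules above can be checked before raising an app's target API level. The following is an added example, not Samsung or Google code: it parses a device admin metadata file, finds any of the four deprecated policies, and classifies the app by target API level. The function names, status labels, and sample XML are constructed for illustration, and it assumes the app declares its policies with the standard `<uses-policies>` tags.

```python
import xml.etree.ElementTree as ET

# <uses-policies> tags for the four deprecated DA policies, mapped to the
# policy names listed on this page.
DEPRECATED = {
    "disable-camera": "USES_POLICY_DISABLE_CAMERA",
    "disable-keyguard-features": "USES_POLICY_DISABLE_KEYGUARD_FEATURES",
    "expire-password": "USES_POLICY_EXPIRE_PASSWORD",
    "limit-password": "USES_POLICY_LIMIT_PASSWORD",
}
CUTOFF_API = 29  # Android 10 (Q)

def deprecated_policies(device_admin_xml: str) -> list[str]:
    """Return the deprecated policies declared in a <device-admin> file."""
    root = ET.fromstring(device_admin_xml)
    declared = {el.tag for el in root.iterfind("uses-policies/*")}
    return sorted(DEPRECATED[t] for t in declared if t in DEPRECATED)

def audit(device_admin_xml: str, target_sdk: int) -> dict:
    """Classify a DA app: only apps that target API 29+ and still declare
    a deprecated policy must migrate to DO/PO (hypothetical status labels)."""
    hits = deprecated_policies(device_admin_xml)
    if not hits:
        status = "not-impacted"
    elif target_sdk < CUTOFF_API:
        status = "works-until-retargeted"
    else:
        status = "must-migrate"
    return {"status": status, "deprecated": hits}

# Constructed sample metadata (not taken from a real app).
SAMPLE = """<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies>
    <limit-password />
    <watch-login />
    <force-lock />
    <disable-camera />
    <wipe-data />
  </uses-policies>
</device-admin>"""

if __name__ == "__main__":
    for sdk in (28, 29):
        print(sdk, audit(SAMPLE, sdk))
```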
Apps uploaded to the Google Play store now need to target a recent Android API level to ensure that users benefit from significant security and performance improvements. By November 2, 2020, Google requires apps to target API level 29, which corresponds with Android 10 (Q).
This depends on whether or not you are using the deprecated device admin policies:
- If you are not using the deprecated Android DA policies, you can upgrade at any time without impact.
- If you are using the Samsung Knox SDK to manage the policies, you can upgrade at any time without impact.
- If you are using the deprecated Android DA policies, you should block device firmware updates to Android Q until you have migrated to the Android Enterprise management mode, which must be by November 1, 2020 when Google requires all apps to update to API level 29 (Android Q). On November 1, apps still using the deprecated DA policies will throw an exception error and no longer be able to manage the policies.
Android Q will continue to work on devices that are using the deprecated device admin policies. However, on November 1, 2020, when Google requires all apps to update to API level 29 (Android Q), apps still using the deprecated DA policies will throw an exception error and no longer be able to manage the policies.
A Device Admin (DA) app can coexist with a UEM app running as DO, as long as it:
- targets an API level below Q
- doesn’t invoke any of the four deprecated policies
You will need to work with the UEM to delegate the required permissions if your DA app needs to do either of the following:
- target Android Q or higher
- manage devices via Android APIs
For details, see: DevicePolicyManager.DELEGATION_APP_RESTRICTIONS.
In Android Enterprise, there is only one Device Owner and it optionally delegates to other apps to enforce specific policies in its name. Hence, if multiple apps are applying the same policy, then the policy is set to the last value that was set.
In the case of Knox DA, if both DO and Knox DA set the same policy, then the policy that is enforced is the more restrictive one. For example, if the Knox DA disables Camera, Wi-Fi, etc., the DO will not be able to enable Camera, Wi-Fi, etc.
Knox Configure is not impacted by DA deprecation.
Yes, Knox APIs that require the caller to be a device admin (DA) will continue to be fully supported, so Knox Configure is not impacted.
If, however, your DA app invokes any of the four policies deprecated by Google, then you will need to update your DA app. These changes are independent of Knox Configure.
Yes, Knox Mobile Enrollment will continue to support UEM apps using the DA management mode. With Knox Mobile Enrollment, a device installs its associated UEM app via a direct URL in a UEM server.
However, UEM apps should be updated through Google Play. If Google blocks the update of DA apps through Play, then Knox Mobile Enrollment cannot update UEM apps using DA.
Knox Mobile Enrollment aims to support enrolling into Work Profile only. However, at this point, this is not committed.