Citrix is preparing for upcoming changes to Android Enterprise. Google is deprecating its device administrator mode for managing Android devices. Starting with Android 10, some deprecated device administrator APIs may result in a security exception when invoked, and Google is recommending that customers using device administrator mode migrate to Android Enterprise.
What’s Changing?
To support this transition and strengthen security, Citrix is encouraging customers to transition to Android Enterprise. Citrix will detect if Android Enterprise is already configured. If detected, Citrix Endpoint Management (CEM) will make Android Enterprise the default enrollment mode of all Android devices, newly enrolled or re-enrolled.
Please note, this change will come in a future release of CEM. This blog post is simply to help you prepare.
What Does This Mean?
If you want to manage devices in device administrator mode, you will select the Legacy (device administrator) option.
To create a new or modify an existing Enrollment Profile:
- Select Configure, followed by Enrollment Profiles, then navigate to Android Enterprise.
- Select Enrollment Type.
Once completed, the delivery groups associated with the enrollment profile will enroll in the selected enrollment type.
Please note, with the current release of CEM, customers do not have the option to select this enrollment type under Enrollment Profile.
It is important to note that with this release, Citrix is ONLY enabling the UI portion of this feature. The goal is to give administrators time to configure the appropriate enrollment type for Android Enterprise. The settings change will not take effect until the following release, after the UI change in CEM is deployed.
Customers who don’t have Android Enterprise configured will not need to make any changes until Android Enterprise is enabled in their existing deployment.
We recommend that customers who are in the process of migrating to Android Enterprise and still have devices in legacy Device Administrator mode set the “Legacy (device administrator)” enrollment type for those devices.
Below is a table summarizing our guidance to help you prepare for the upcoming changes. Please note, the CEM release with these changes is not yet available.
Site Details | Default Enrollment Profile | Comments/Recommendation |
New Site | Android Enterprise – Fully Managed/Work Profile | Any new sites will default to Android Enterprise (AE).
Recommendation: Set up AE if not already set up and enroll devices in AE, Device Admin is a legacy mode |
Existing Site with Android Enterprise (AE) setup | Android Enterprise – Fully Managed/Work Profile | Any sites with AE configured will default to Android Enterprise.
Recommendation: a) If the site is AE with no Device Admin enrollments – no change required; b) If the site has Device Admin mode enrollments, make sure to update the Enrollment Profile for those devices to point to Legacy (device administrator) |
Existing Site NOT set up with Android Enterprise | Legacy (device administrator) | Sites without Android Enterprise setup will default to Legacy (device administrator).
Recommendation: Set up Android Enterprise and plan migration |
Changes for On-Premises Environment
Similar changes will be coming to on-premise with the release of 10.12 which is currently available as an Early Access Release.
When upgrading to 10.12, please follow the guidance listed above and make the appropriate changes as needed. It is important to note, Android enterprise as default is enabled on 10.12 release.
Frequently Asked Questions
What’s happening with Android Enterprise as Default in the upcoming release?
You’ll now have the option to set up new and existing enrollment profiles with the Legacy (device administrator) or Fully Managed/Work Profile enrollment types. Please note, this will not take into effect until a future release of CEM is deployed to CEM service customers.
Customers with Android Enterprise configured and existing devices enrolled in Legacy (device administrator) mode should take this time to modify existing or create new enrollment profiles to prepare for the enforcement of this feature.
Setting the enrollment profile as Legacy (device administrator) enrollment type and assigning it to the appropriate delivery group will have no impact on the current setup or enrollment process.
Please note, in an upcoming release, the CEM UI will be updated to indicate Legacy (device administrator). This will emphasize that device administrator is indeed a legacy platform and administrators should start to migrate to Android Enterprise.
What happens once the feature “Android Enterprise as Default” is enforced?
All devices associated to enrollment profiles configured with Legacy (device administrator) will enroll into device administrator.
All devices associated to enrollment profiles configured with Fully Managed/Work Profile will enroll into Android Enterprise.
What happens if I am in the process of migrating to Android Enterprise but I still have some devices managed under device administrator mode? How should I set up CEM to manage my Android devices?
CEM will support enrollment profiles for both device administrator and Android Enterprise.
Administrators must configure their enrollment profiles and delivery group associations accordingly to each enrollment type and continue to migrate to Android Enterprise.
Will I have to make any changes if I have an on-premises environment of CEM?
Yes. This change is made available on the on-premise release starting 10.12.
When should I expect the CEM service to be updated with this change?
Citrix is working to have this change available within the cloud service in the next few weeks.