Managing the Android Enterprise device life cycle

Managing the life cycle of an Android Enterprise device includes the following steps:

Removing Android Enterprise

Provisioning a Work managed device for Android Enterprise

Provisioning is necessary only for work managed devices. You can provision factory reset Android devices using one of these methods:

  • the MobileIron Provisioner app, which uses the NFC bump and QR code method.
  • an afw# token
  • Android Zero Touch
  • Knox Mobile Enrollment (KME)

MobileIron Provisioner (QR code) and Zero Touch can be used to provision Work Profile on Company Owned Devices. Once provisioned, a work managed device or a Work Profile on Company Owned Devices device can register with MobileIron Core.

Provisioning an Android Enterprise device

Registering a Work managed device for Android Enterprise

To register an Android Enterprise-capable device, the user follows the same registration process as for any Android device. The registration process detects if MobileIron Core and the device are Android Enterprise-capable, and performs the correct registration steps automatically.

To register an Android Enterprise-capable device to have an Android Enterprise work profile (as opposed to being registered as a regular Android device), the following must be in place:

  • Core has been set up for Android Enterprise as described in Enabling Android Enterprise. To confirm the setup, go to Services > Google. In the Android enterprise section you should see Account Settings: information with Status: Connected.
  • The Android enterprise setting is applied to an appropriate label.

The user follows the registration process in the Mobile@Work app.

Once registered, to verify that the device is using Android Enterprise:

  • on a device with a work profile, check that the Mobile@Work app appears with the Android Enterprise badge
  • on a work managed device that was provisioned, look for the Google Play store icon, which will show the Work version of the store.

In-app registration for iOS and Android

Migrating devices to Android Enterprise

“Migrating” refers to the actions devices take when they are already registered and running Mobile@Work and an update to MobileIron Core or Mobile@Work takes effect. This section describes migration and what to expect.

Migration does not apply to work managed devices, because such devices are enabled for Android Enterprise after factory reset. Migration applies only to devices that are not yet in work profile mode.

A registered device may migrate to an Android Enterprise profile (assuming Core has Android Enterprise enabled, and the device has the Android Enterprise setting applied to it) when the following occurs:

  • the device becomes Android Enterprise-capable after it receives a firmware update from the carrier
  • Core is newly enabled for Android Enterprise.

In these migration scenarios, the Android devices begin their migration to use work profile automatically.

Preventing automatic migration

When all the conditions required to enable Android Enterprise are met, a device will automatically migrate to use the work profile. If you want to prevent a device from automatically migrating, ensure the device does not have the Android enterprise setting applied.

NOTE: If you applied the Android label to the Android enterprise setting, then all Android devices potentially have the setting, and all Android Enterprise-capable devices will be automatically migrated. If this is not desired, do not use the Android label for this configuration.

Migration effects on a device

The following changes occur on a registered device when it is migrated to work profile:

  1. User is prompted to uninstall all secure apps, in-house apps, and public apps.

    NOTE: The migration will not continue until the user completes this step or there are no secure or in-house apps installed.
  2. All managed configurations are removed, except for Wi-Fi configurations.

    As when a device is retired, no personal certificates are removed.

  3. The Android Enterprise work profile is created.
  4. The Mobile@Work app icon appears with the Android Enterprise badge.
  5. Configuration steps appear as needed.
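
A pre-change impact check built from the migration conditions and effects described above, as an added example (not MobileIron code or a Core API). The inventory is constructed, and the field names, label names and the "regular" mode value are assumptions.

```python
# Constructed inventory; field names are hypothetical, not a MobileIron Core export format.
DEVICES = [
    {"name": "pixel-01", "labels": {"Android", "Sales"}, "ae_capable": True,
     "mode": "regular", "apps": {"in-house": ["crm"], "public": ["maps"]},
     "configs": ["wifi:corp", "vpn:hq", "email:exchange"]},
    {"name": "old-tab-02", "labels": {"Android"}, "ae_capable": False,
     "mode": "regular", "apps": {}, "configs": ["wifi:corp"]},
    {"name": "kiosk-03", "labels": {"Android", "Kiosk"}, "ae_capable": True,
     "mode": "work_managed", "apps": {}, "configs": ["wifi:corp"]},
    {"name": "byod-04", "labels": {"Android", "AE-Pilot"}, "ae_capable": True,
     "mode": "work_profile", "apps": {}, "configs": ["wifi:guest"]},
    {"name": "galaxy-05", "labels": {"Android", "AE-Pilot"}, "ae_capable": True,
     "mode": "regular", "apps": {}, "configs": ["wifi:corp", "vpn:hq"]},
]


def migration_impact(devices, ae_setting_labels, core_ae_enabled=True):
    """Return {device name: impact} for devices that would migrate automatically."""
    impact = {}
    if not core_ae_enabled:
        return impact  # Core is not enabled for Android Enterprise: nothing migrates
    setting_labels = set(ae_setting_labels)
    for d in devices:
        has_setting = bool(d["labels"] & setting_labels)
        # Work managed devices are enabled at factory reset and work profile
        # devices are already migrated, so only "regular" devices qualify.
        if not (has_setting and d["ae_capable"] and d["mode"] == "regular"):
            continue
        apps = d["apps"]
        prompted = sorted(a for k in ("secure", "in-house", "public")
                          for a in apps.get(k, []))
        impact[d["name"]] = {
            # Step 1: the user is prompted to uninstall these apps.
            "prompt_uninstall": prompted,
            # Migration waits while secure or in-house apps remain installed.
            "blocks_migration": any(apps.get(k) for k in ("secure", "in-house")),
            # Step 2: managed configurations are removed, except Wi-Fi.
            "configs_removed": [c for c in d["configs"] if not c.startswith("wifi:")],
            "configs_kept": [c for c in d["configs"] if c.startswith("wifi:")],
        }
    return impact


if __name__ == "__main__":
    for labels in (["Android"], ["AE-Pilot"]):
        print(labels, migration_impact(DEVICES, labels))
```

Running it with the Android label and then with a narrower pilot label shows how many more devices the broad label pulls into automatic migration.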

Quarantine on Android Enterprise devices

When an Android Enterprise device is quarantined (with all configurations removed) due to a compliance violation, the following changes are made on the device:

Table 1. Android Enterprise quarantine behavior

Android Enterprise mode:

  • Work Profile mode
  • Work Managed Device
  • Managed Device with Work Profile (COPE) (Android versions 8-10 only)
  • Work Profile on Company Owned Devices (Android 11 through most recently released version as supported by MobileIron)

"Quarantine app when device is quarantined" field is selected (checked):

  • All the apps in the work profile are hidden, except Google Play, Mobile@Work, and Downloads.
  • Contacts are hidden.
  • The Wi-Fi configurations are kept or removed, based on the quarantine settings.

"Quarantine app when device is quarantined" field is de-selected (not checked):

  • Users will still see the app on the device.

NOTE: The quarantine behavior of individual Android Enterprise apps is controlled by setting the configuration of each Android Enterprise app in the App Catalog.

For more information, see "Adding in-house apps for Android" section or the "Adding an Android Enterprise public app using the app wizard in the Core Admin Portal" section in the MobileIron Apps@Work Guide.

Retiring an Android Enterprise device

When an Android Enterprise device gets the Retire command, the following behavior occurs:

Table 2. Android Enterprise retire behavior

Android Enterprise status: Work Profile

Retire behavior:

  • The work profile is removed.
  • All apps, data, and contacts in the work profile are removed.
  • A user can re-register a retired device by re-enabling Mobile@Work through Google Play.

Android Enterprise status: Work Managed Device, Managed Device with Work Profile (COPE), Work Profile on Company Owned Devices

Retire behavior:

  • The device is reset to factory settings. (Note: Retire and Wipe have the same effect.)
  • The device can be re-provisioned by an administrator.

Removing an Android Enterprise configuration causes device to retire

Wiping an Android Enterprise device

When an Android Enterprise device gets the Wipe command, the following behavior occurs:

Table 3. Android Enterprise wipe behavior

Android Enterprise status: Work Profile

Wipe behavior:

  • The work profile is removed. (No changes are made to any apps or data on the personal profile.)
  • All apps, data, and contacts in the work profile are removed.
  • A user can re-register a wiped device by re-enabling Mobile@Work in Google Play.

Android Enterprise status: Work Managed Device, Managed Device with Work Profile (COPE), Work Profile on Company Owned Devices

Wipe behavior:

  • The device is reset to factory settings. (Note: Retire and Wipe have the same effect.)
  • The device can be re-provisioned by an administrator.

Locking an Android Enterprise device

The Lock command locks the screen of an Android Enterprise device. To lock the device:

  1. Go to Devices & Users > Devices.
  2. Select the device.
  3. Click Actions > Lock.

    For work managed devices, the Lock command locks the entire device. The user must enter the device password to unlock the device.

    For work profile devices, the Lock command locks the work profile if a Work Challenge was set (Android 7.0 and later).

Unlocking an Android Enterprise device

The Unlock command unlocks the screen of an Android Enterprise device. Before unlocking Samsung devices running in Device Administrator mode, the password must be reset using the DevicePolicyManager resetPassword() API. To unlock devices with Knox licenses, administrators must make sure the Knox license is activated (Samsung General Policy in Policies & Configs) and then reset the password. This applies to Android 7 through the latest version as supported by MobileIron.

To unlock the device:

  1. Go to Devices & Users > Devices.
  2. Select the device.
  3. Click Actions > Unlock Device.

The following table shows unlock support on Android Enterprise devices:

Table 4. Support for unlocking the device on Android Enterprise devices

Android Enterprise device: Work Managed Devices, Managed Device with Work Profile (COPE)

  • Prior to Android 7.0: Supported
  • Android 7.0 through the most recently released version as supported by MobileIron: Supported

Android Enterprise device: Work Profile Devices, Work Profile on Company Owned Devices

  • Prior to Android 7.0: Supported
  • Android 7.0 through the most recently released version as supported by MobileIron: Not supported