Managing the Android Enterprise device life cycle

Managing the life cycle of an Android Enterprise device includes the following steps:

Removing Android Enterprise

Provisioning a Work managed device for Android Enterprise

Provisioning is necessary only for work managed devices. You can provision factory reset Android devices using one of these methods:

  • The Provisioner app, which uses the NFC bump and QR code method.
  • An afw# token
  • Android Zero Touch
  • Knox Mobile Enrollment (KME)

Provisioner (QR code) and Zero Touch can be used to provision Work Profile on Company Owned Devices. Once provisioned, a work-managed devices or Work Profile on Company Owned Devices can register with Ivanti EPMM.

Provisioning an Android Enterprise device

Registering a Work managed device for Android Enterprise

To register an Android Enterprise-capable device, the user follows the same registration process as for any Android device. The registration process detects if Ivanti EPMM and the device are Android Enterprise-capable, and performs the correct registration steps automatically.

To register an Android Enterprise-capable device to have an Android Enterprise work profile (as opposed to being registered as a regular Android device), the following must be in place:

  • Ivanti EPMM has been set up for Android Enterprise as described in Enabling Android Enterprise. To confirm the setup, go to Services > Google. In the Android enterprise section you should see Account Settings: information with Status: Connected.

  • The Android enterprise setting is applied to an appropriate label.

The user follows the registration process in the Ivanti Mobile@Work app.

Once registered, to verify that the device is using Android Enterprise:

  • On a device with a work profile, check that the Ivanti Mobile@Work app appears with the Android Enterprise badge

  • On a work managed device that was provisioned, look for the Google Play store icon, which will show the Work version of the store.

In-app registration for Android

Migrating devices to Android Enterprise

“Migrating” refers to the actions devices take when they are already registered and running Ivanti Mobile@Work and an update to Ivanti EPMM or Ivanti Mobile@Work takes effect. This section describes migration and what to expect.

Migration does not apply to work managed devices, because such devices are enabled for Android Enterprise after factory reset. Migration applies only to device that are not in work profile mode, yet.

A registered device may migrate to an Android Enterprise profile (assuming Ivanti EPMM has Android Enterprise enabled, and the device has the Android Enterprise setting applied to it) when the following occurs:

  • The device becomes Android Enterprise-capable after it receives a firmware update from the carrier

  • Ivanti EPMM is newly enabled for Android Enterprise.

In these migration scenarios, the Android devices begin their migration to use work profile automatically.

Preventing automatic migration

When all the conditions required to enable Android Enterprise are met, a device will automatically migrate to use the work profile. If you want to prevent a device from automatically migrating, ensure the device does not have the Android enterprise setting applied.

If you applied the Android label to the Android enterprise setting, then all Android devices potentially have the setting, and all Android Enterprise-capable devices be will be automatically migrated. If this is not desired, do not use the Android label for this configuration.

Migration effects on a device

This section addresses the changes that occur on a registered device when it is migrated to work profile:

Procedure 

  1. User is prompted to uninstall all secure apps, in-house apps, and public apps.

    The migration will not continue until the user completes this step or there are no secure or in-house apps installed.

  2. All managed configurations are removed, except for Wi-Fi configurations.

    As when a device is retired, no personal certificates are removed.

  3. The Android Enterprise work profile is created.

  4. The Ivanti Mobile@Work app icon appears with the Android Enterprise badge.

  5. Configuration steps appear as needed.

Quarantine on Android Enterprise devices

When an Android Enterprise device is quarantined (with all configurations removed) due to a compliance violation, the following changes are made on the device:

Table 8.   Android Enterprise quarantine behavior

Android Enterprise mode

"Quarantine app when device is quarantined" field is selected (checked)

"Quarantine app when device is quarantined" field is de-selected (not checked)

Work Profile

Work Managed Device

Managed Device with Work Profile (COPE) (Android versions 8-10 only)

Work Profile on Company Owned Devices (Android 11 or supported newer versions)

  • All the apps in the work profile are hidden, except:
    • Google Play
    • Ivanti Mobile@Work
    • Downloads
  • Contacts are hidden.

  • The Wi-Fi configurations are kept or removed, based on the quarantine settings.

Users will still see the app on the device.

The quarantine behavior of individual Android Enterprise apps is controlled by setting the configuration of each Android Enterprise app in the App Catalog.

For more information, see "Adding in-house apps for Android" section or the "Adding an Android Enterprise public app using the app wizard in the Ivanti EPMM Admin Portal" section in the Ivanti EPMM Apps@Work Guide.

Retiring an Android Enterprise device

When an Android Enterprise device gets the Retire command, the following behavior occurs:

Table 9.   Android Enterprise retire behavior

Android Enterprise status

Retire behavior

Work Profile

  • The work profile is removed.

  • All apps, data, and contacts in the work profile are removed.

  • A user can re-register a retired device by re-enabling Ivanti Mobile@Work through Google Play.

Work Managed Device

The device is reset to factory settings.

The device can be re-provisioned by an administrator.

Managed Device with Work Profile (COPE)

Work Profile on Company Owned Devices

  • The work profile is removed.

Removing an Android Enterprise configuration causes device to retire

Wiping an Android Enterprise device

When an Android Enterprise device gets the Wipe command, the following behavior occurs:

Table 10.   Android Enterprise wipe behavior

Android Enterprise status

Wipe behavior

Work Profile

  • The work profile is removed. (No changes are made to any apps or data on the personal profile.)

  • All apps, data, and contacts in the work profile are removed.

  • A user can re-register a wiped device by re-enabling Ivanti Mobile@Work in Google Play.

  • Work Managed Device

  • Managed Device with Work Profile (COPE)

  • Work Profile on Company Owned Devices

The device is reset to factory settings.

The device can be re-provisioned by an administrator.

Locking an Android Enterprise device

The Lock command locks the screen of an Android Enterprise device. To lock the device:

  1. Go to Devices & Users > Devices.

  2. Select the device.

  3. Select Actions > Lock.

    For work managed devices, the Lock command locks the entire device. The user must enter the device password to unlock the device.

    For work profile devices, the Lock command locks the work profile if a Work Challenge was set (Android 7.0 through etc).

Unlocking an Android Enterprise device

The Unlock command unlocks the screen of an Android Enterprise device. Before unlocking Samsung devices running in Device Administrator mode, the password must be reset in the DevicePolicyManager resetpassword() API. For unlocking devices with Knox licenses, administrators will need to make sure the Knox license is activated (Samsung General Policy in Policies & Configs) and then reset the password. This is applicable to Android 7 or supported newer versions.

To unlock the device:

  1. Go to Devices & Users > Devices.

  2. Select the device.

  3. Select Actions > Unlock Device.

The following table shows unlock support on Android Enterprise devices:

Table 11.  Support for unlocking the device on Android Enterprise devices

Android Enterprise device

Prior to Android 7.0

Android 7.0 or supported newer versions

  • Work Managed Devices

  • Managed Device with Work Profile (COPE)

Supported

Supported

  • Work Profile Devices

  • Work Profile on Company Owned Devices

Supported

Not supported

Setting the unlock PIN for a specific device

For Android Enterprises, the device user can, in the Self Service User portal, reset the PIN using the Unlock option. For this reason, and because employees can leave an organization without sharing the device's PIN, administrators can use the default setting of 0000 or create a custom 6-8 digit unlock PIN for specific devices.

Ivanti recommends using six numbers only, as the alphanumeric method can cause problems with different keyboards in different languages.

The Custom Unlock PIN feature is supported in direct boot mode.

If this setting is used, "Unlock Device with Custom Pin <Pin Value>" will display in the audit logs. You can also view the custom PIN in Devices & Users > Devices.

  • Select the "View Logs for Device" link.

  • If you need to, search on "Extended filters."

Procedure 

  1. Go to Devices & Users > Devices.

  2. Select the Android device.

  3. Select Actions > Unlock Device.

  4. In Enter minimum six digit unlock PIN, enter a 6-8 digit passcode. Alphanumeric characters are supported but not recommended.

  5. Select Unlock Device.