A few weeks ago in September 2020, Google released Android 11. While major operating system updates of this type have always had a certain impact on enterprise customers in recent years, the leap to Android 11 is very large in certain use cases. Less from the user side, more about the way the devices are managed and, in a positive sense, the privacy of the users. In the following entry I will touch on a few topics, a comprehensive update would take up too much space at this point and require significantly more time:
- Android 11 – focus on privacy
- Android Enterprise COPE – a new approach
- Android Device Admin – setting the mode
- Android 10 and Device Admin – Attention!
- Additional information
1. Android 11 – focus on privacy
For years, Google has been following a very clear path on Android to steadily improve user privacy. Often these are changes that primarily have an impact on private users, e.g. new restrictions in Android 11 in the area of location tracking. With regard to Android Enterprise, there is also a big change in the latest Google release. The Android Enterprise COPE (Corporate Owned, Personally Enabled) mode, which was introduced with Android 8 and will also remain for Android 8 – Android 10, disappears in the form as it is known and is replaced by the Enhanced Work Profile.
What does this mean in detail? The graphic above shows on the left how Google has lived the Android Enterprise approach, and on the right is the new approach. In the first case it can be seen that device ownership is the decision criterion as to which management mode a device receives. In the second case it can be seen that this decision is now made taking into account the question of whether or not the focus is on privacy for the user. In practice, this means that the classic COPE mode will be replaced by the new Enhanced Work Profile mode on Android 11.
The migration is transparent for the user; if a device is updated from Android 10 to Android 11, no significant changes with regard to enterprise use are visible. Under the hood, however, the Agent Workspace ONE Intelligent Hub was deprived of the right to control many interfaces on the private (= work managed) side. A complete list can be found in the VMware Knowledge Base at entry 79915. Companies for which the options in the Enhanced Work Profile for controlling the device do not go far enough must switch to Work Managed (Device Owner) mode. A direct migration path is not possible with Workspace ONE, the device must be reset and re-enrolled.
An alternative or supplementary solution is being planned by individual Android OEMs in order to enable a kind of app separation in the future, as is the case with classic COPE.
2. Android Enterprise COPE – a new approach
Various, sometimes very complex preparations have been made on the Workspace ONE side to support the new mode. The following framework conditions must exist before (!) An update of the device to Android 11 – if this is not the case, the device can no longer be managed properly and must also be re-rolled:
- Workspace ONE UEM 126.96.36.199 or Workspace ONE UEM 20.08 as Backend
- Workspace ONE Intelligent Hub 20.08 or newer
- COPE 1.5 Mode enabled via Custom XML (please review: KB 79915)
The COPE 1.5 mode needs some explanation: In order to support the migration from Android 10 COPE to Android 11 Enhanced Work Profile, the COPE mode practically has to be upgraded. The following applies:
- Devices with Hub 20.08 (without Custom XML) are in COPE 1.0 mode.
- If the custom XML is assigned, the device is updated to COPE 1.5. Alternatively, it is planned to activate the COPE 1.5 mode in the 20.10 Hub by default
and to activate the mode automatically and remotely in the coming weeks for devices with a 20.09 hub via a Firebase Remote Config.[Update: COPE 1.5 is not activated automatically via a Firebase Remote Config for the time being. Updates for further planning will follow.] Caution, a notification may appear on the device – see KB 80582
- Following KB 79915, the custom XML shall used for testing purposes only at this time.
- The custom XML shall be used for migration purposes only. Auto Assignment is not recommended considering new enrollments.
- If the device is updated to Android 11 and migration prerequisites are met, it is in COPE 2.0 mode.
In the Workspace ONE console, the COPE status can be checked in the Device Details > Custom Attributes.
All Android devices in COPE management mode will be migrated to COPE 1.5, even devices that will never receive Android 11 as a system update, so that a consistent management approach is given. If you have any questions, it is advisable to open a support request or, if available, to contact your TAM / CSM / SAM / SE on VMware side.
3. Android Device Admin – retiring legacy management
Another change that is related to the changes around Android 11 but has no direct technical dependency is the retirement of the Android Device Admin Management approach. This will be implemented by VMware on March 31, 2022 – see also KB 80791. This step is necessary because Google requires a higher API level in the Workspace ONE Intelligent Hub. With the Intelligent Hub 20.09 in Device Admin mode, API Level 29 has been implemented for the first time, which means that the following APIs can no longer be controlled under Android 10:
Google announced these changes more than a year ago in the context of the Android 10 updates, so this step shouldn’t be too surprising.
4. Android 10 and Device Admin – attention!
Another change includes the point that enrollments with Hub 20.10 will no longer be possible under Android 10 – since clean management is no longer possible due to the missing interfaces, new enrollments will be blocked. Devices lower than the Android 10 release are not affected and can continue to be managed as usual until March 31, 2022. Workspace ONE UEM will no longer support Android Legacy mode in newly provisioned SaaS environments later in 2020 as part of a new release. Customers are encouraged to only use Android Enterprise. As a result, there is no influence on existing devices; new device admin enrollments will continue to be managed as usual until March 31, 2022, provided they have been enrolled in accordance with the general parameters listed.
5. Further information
Android 11 has other important changes on board. Developers should, for example, get used to the subject of scoped storage immediately, if not already done. However, there are also important changes in the area of notifications, screen recording, gesture control, smart home or privacy control. VMware is preparing customers for the upcoming innovations with the following KB entries:
Getting Ready for Android 11 (78104)
[URGENT] Changes to Corporate Owned Personally Enabled (COPE) in Android 11 (79915)
Announcing end of support for device administrator (Android Legacy) in Workspace ONE UEM (80971)
Users of Corporate-Owned Personally Enabled (COPE) devices may be prompted to remove Internal Apps after upgrading Intelligent Hub to 20.08+ (80582)
In general, in case of doubt, please contact your respective VMware contact.