Android Device Admin and Device Owner explained
Many organizations are facing the transition from Android Device Admin to newer Android device management implementations like Device Owner and Profile Owner. Here’s how to understand the transition from Device Admin to Device Owner, and what the differences between the two are in practice.
Android Device Admin vs Device Owner: What’s the difference?
Device Owner is an enterprise feature supported by Google as part of the Android operating system. Android Device Admin is a now-deprecated device control framework that enterprises sometimes used to control Android devices. The shortest way to think of the difference between the two is that Device Owner replaces Android Device Admin and makes it obsolete. Device Owner is more secure, more extensible, and continues to be developed by Google.
Device Owner offers greater control for things like locking devices to kiosk mode and securely distributing enterprise apps than the old Android Device Admin framework. Device Owner also resolves many potentially insecure scenarios presented when using the older Android Device Admin framework. For example, Android Device Admin allows any end user of a device to grant installed applications potentially dangerous permissions. Similarly, they can also deny those permissions — potentially breaking critical enterprise app functionality.
The most important distinction between the two for enterprises is in device and application deployment. Android Device Admin requires a lot of manual work and is highly error-prone in the field as a result. Device Owner makes device and application deployment far more robust and repeatable.
For more about the differences between Device Admin and Device Owner and why the transition occurred, the official Android Enterprise resource on Device Admin EOL is a good place to learn.
Why is Android Device Admin going away?
First, let’s establish a historical timeline for Android Device Admin and Device Owner.
- In 2010, Android launched a feature called “Device Admin” as part of Android 2.2 (API level 8). It was never truly intended to function as an enterprise device management solution, though Google did encourage its use.
- In 2014, Google launched “Device Owner,” the replacement for Device Admin, in Android 5.0 Lollipop. Device Owner provided more features, much better security, and paved the way to a true enterprise device provisioning system.
- In 2018, Android 9.0 (API level 28) launched — this was the last version of Android to support Device Admin.
- In 2019, Android 10.0 (API level 29) launched — this was the first version of Android without Device Admin support.
- In 2022 (and beyond!), Device Admin has been unsupported by Google for 4+ years. Device Owner was introduced to replace Device Admin way back in 2014, but Android supported both until Android 10.0 launched in 2019. Confused yet? Good!
So, Device Admin actually “went away” a long time ago. Google removed Device Admin from Android as a feature in Android 10.0 back in 2019. However, Device Admin continues to be technically available on many older devices, even some available for purchase as new!
While Android 10.0 was the first version to fully deprecate Device Admin, Google technically continued to allow new Android 9.0 devices onto the market until around the end of 2021 (Google stopped approving new Android 9.0 devices long before that, but there’s a long grace period from GMS certification approval to device or software launch).
This is all a very long way of saying: Android 9.0 devices that use Device Admin are still being sold today, and that means there remains a demand for tools to manage them — especially in organizations with fleets that include much older Android hardware.
However, most EMM and MDM solutions have started dropping Device Admin support, as the number of new devices launching with Device Admin onboard has been at zero since the end of 2021 (at the very latest). Enrolling devices using Android Device Admin is also a cumbersome, insecure, and easily botched process. It’s far more secure and convenient to use the modern Android Device Owner paradigm.
Finally, Google stopped certifying new Android MDM and EMM Device Admin plugin apps in September 2020 as part of its moving API level requirements, meaning that no new Device Admin compatible solutions could be distributed on the Google Play Store after that date. All of this really put Device Admin at the end of the road, so to speak (though Google has continued to allow updates to Device Admin apps for existing Android MDM and EMM partners as a grandfathering solution).
Why would you use Android Device Admin?
For organizations that demanded a single device enrollment process across the entire device fleet, Device Admin was frequently the lowest common denominator — all the way from 2011 to, in some cases, today.
So, why didn’t enterprises and organizations switch to Device Owner sooner, given it launched with Android 5.0 eight years ago? Creating a brand new device enrollment flow (and migrating your fleet to Device Owner, if that was even possible) and implementing a brand new device control agent designed for the Device Owner mode had little appeal to MDM / EMM providers, and even less appeal to their cost-conscious customers. The associated time cost would be significant, and most users may have found the somewhat nebulous process streamlining or security improvements difficult to justify given the complexity of migration.
However, Device Admin is quickly approaching untenability as a solution, and has long posed significant device security and reliability risks. If your organization still uses Android Device Admin as part of your provisioning process, you need to stop! You’re headed for a majorly painful transition if you haven’t accounted for the switch to Device Owner-based provisioning.
Can you switch from Android Device Admin to Device Owner?
Switching from Device Admin to Device Owner is possible, but is it practical? The answer depends heavily on your particular device and deployment scenario. Specifically:
- Devices running Android 4.4 (KitKat) or lower cannot use Device Owner, because they do not have it.
- Devices running Android 5.0 to Android 9.0 can use Device Owner, so switching may be possible.
- Devices running Android 10 and newer already use Device Owner and do not support Device Admin at all.
If you do have devices currently using Device Admin, there are other considerations to make before deciding if a transition to Device Owner actually makes sense. Here is a checklist you can use to determine whether a transition is practical.
- What version of Android are your devices running?
  - This is crucial, as much older versions of Android (i.e., Android 5.0, 6.0, 7.0, 8.0) are simply not very secure in the first place. These devices don’t have up-to-date security patches, so a more secure enrollment and provisioning process is just “securing” an already insecure device.
- When do you plan to EOL or retire your devices?
  - If your devices are approaching retirement, replacing your older Android Device Admin-enrolled hardware may be much easier than architecting a Device Owner transition plan. Each device will need to be unenrolled from Device Admin, factory reset, and re-enrolled with the Device Owner process. This is a long, tedious, and costly project to manage.
- Why do you want Device Owner?
  - What features of Device Owner are you trying to leverage in your deployment that Device Admin doesn’t support? Are you sure your devices support that feature? Have you tested Device Owner to validate that hypothesis?
These questions should give you pause, and they’re meant to: migrating devices from Device Admin to Device Owner is rarely advisable. Phasing out your hardware and replacing it is almost always the better option. There are some situations, however, where this can make sense.
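The version rules and checklist above can be run over a fleet inventory to see how many devices fall into each bucket. The following is an added example, not code from the original article or from Esper; the CSV column names, the sample rows, and the two 365-day thresholds are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# API-level boundaries taken from the article's version list.
LOLLIPOP_API = 21      # Android 5.0: first release with Device Owner
PIE_API = 28           # Android 9.0: last release with Device Admin
# Assumed thresholds, not from the article; tune to your own policy.
MAX_PATCH_AGE_DAYS = 365
MIN_REMAINING_DAYS = 365

# Constructed sample inventory (hypothetical export format).
SAMPLE_INVENTORY = """serial,api_level,enrollment,security_patch,retire_on
A1,19,device_admin,2017-10-01,2024-01-01
B2,26,device_admin,2019-03-05,2023-02-01
C3,28,device_admin,2022-06-05,2025-06-30
D4,28,device_owner,2022-06-05,2025-06-30
E5,30,device_owner,2022-08-05,2026-01-01
F6,,device_admin,2018-01-01,2023-01-01
"""

def triage(row, today):
    """Return (action, reason) for one inventory row."""
    try:
        api = int(row["api_level"])
        patch = date.fromisoformat(row["security_patch"])
        retire = date.fromisoformat(row["retire_on"])
    except (KeyError, ValueError, TypeError):
        return ("inspect", "missing or malformed inventory data")
    if api > PIE_API or row["enrollment"] == "device_owner":
        return ("none", "already on Device Owner")
    if api < LOLLIPOP_API:
        return ("replace", "Android 4.4 or lower has no Device Owner")
    # Android 5.0 to 9.0 on Device Admin: apply the checklist questions.
    if (today - patch).days > MAX_PATCH_AGE_DAYS:
        return ("replace", "security patch level too old to be worth re-enrolling")
    if (retire - today).days < MIN_REMAINING_DAYS:
        return ("replace", "retirement is closer than a migration would pay back")
    return ("migrate", "unenroll, factory reset, re-enroll as Device Owner")

def triage_fleet(csv_text, today):
    """Map each serial in the CSV text to its (action, reason) pair."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["serial"]: triage(row, today) for row in reader}

if __name__ == "__main__":
    for serial, (action, reason) in triage_fleet(SAMPLE_INVENTORY, date(2022, 9, 1)).items():
        print(f"{serial}: {action:8} {reason}")
```

Rows that come back as `inspect` are worth checking by hand, since a device with no recorded API level or patch date cannot be placed in any of the three version bands.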
If you are planning to slowly phase out older Android devices that currently enroll via Device Admin, you may already be enrolling newer devices using Device Owner as a provisioning method. If you still need to regularly enroll those older devices, your new Device Owner provisioning method could be adapted to streamline that process.
In general, though, switching is not a good idea.
Ready to retire Device Admin?
If you’re facing a major Device Admin “migrate or replace” decision, come talk to us at Esper. We’ve worked with customers navigating large fleet deployment scenarios that require careful consideration of any change in process. We can also show you how to massively streamline device provisioning with tools like Esper Seamless Provisioning. Go beyond basic MDM and automate your device enrollment.