Google has already announced the deprecation of Android enrollment using device administrator. For more information, please refer to https://developers.google.com/android/work/device-admin-deprecation. You are highly encouraged to use Android Enterprise for devices where GMS is available.
There is still a need to fall back to device admin in countries where GMS is not available, such as mainland China. If GMS services are not available, the device cannot be managed by Microsoft Endpoint Manager using the work profile. I recently did a blog post on this; for more information, please refer to https://systemcenterdudes.com/endpoint-manager-android-china/
In this blog post, we will see how to move Android users from device administrator to work profile (enterprise enrollment).
If you have created enrollment restrictions for users (due to other reasons, such as no GMS) to use Android device administrator, please remove the users from the enrollment group.
You can verify that from the enrollment restrictions policy.
Once you have validated the enrollment restrictions, we will verify the number of devices/users that are enrolled using device admin.
You can also do a quick filter based on Android (device administrator).
We will now configure the Android compliance policy to move Android devices from device administrator to work profile management with the setting Block devices managed with device administrator.
When we configure this setting, it makes the Android device non-compliant; the user then clicks on the non-compliant device and selects Resolve. This process guides them to remove the device admin management and enroll using the work profile. (When this process happens, make sure the user is not a member of the device admin enrollment group.) If a user is a member of both the device admin enrollment group and the enterprise enrollment group, the enterprise enrollment profile takes precedence.
We will now go to the Android compliance policy and edit the existing policy (if you have one) or create a new policy with platform: Android device administrator.
Go to the Android device compliance policies at https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesAndroidMenu/compliancePolicies and edit/create the policy.
Click on the Android device admin policy. On the Compliance settings page, in the Device Health section, set Block devices managed with device administrator, then save the policy.
Click Review and save.
You can also customise the Actions for noncompliance, such as sending an email to the user, sending a push notification, etc.
Once the configuration is done, assign the policy to the group of users who have devices enrolled with device admin.
Once you save the changes, the device will be marked as non-compliant in the Endpoint portal.
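The two portal steps above (counting the devices still on device admin, and turning on Block devices managed with device administrator in the compliance policy) can also be done against the Microsoft Graph API. The script below is an added example and not part of the original post; it assumes the Microsoft.Graph.Authentication PowerShell module, an Intune admin account, a placeholder policy id that you replace with your own, and that device admin enrollments report managementAgent 'mdm' while work profile enrollments report 'googleCloudDevicePolicyController' (an assumption to verify in your tenant).

```powershell
# Added example (not the post's own code). Requires: Install-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All', 'DeviceManagementConfiguration.ReadWrite.All'

# --- 1. Inventory: which Android devices are still enrolled with device administrator? ---
$uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$select=deviceName,userPrincipalName,operatingSystem,managementAgent,complianceState"
$all = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $all += $page.value
    $uri  = $page.'@odata.nextLink'      # follow paging until the last page
} while ($uri)

# Filter client-side rather than relying on server-side $filter support for these properties.
$android     = $all | Where-Object { $_.operatingSystem -like 'Android*' }
# Assumption: 'mdm' = device administrator, 'googleCloudDevicePolicyController' = work profile.
$deviceAdmin = $android | Where-Object { $_.managementAgent -eq 'mdm' }
$workProfile = $android | Where-Object { $_.managementAgent -eq 'googleCloudDevicePolicyController' }

"Android devices: $($android.Count) total, $($deviceAdmin.Count) on device admin, $($workProfile.Count) on work profile"
$deviceAdmin | Select-Object deviceName, userPrincipalName, complianceState | Format-Table -AutoSize

# --- 2. Compliance policy: block devices managed with device administrator ---
# Placeholder: replace with the id of your Android device administrator compliance policy.
# List candidates with:
#   Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies'
$policyId = '<your-android-device-admin-compliance-policy-id>'

$body = @{
    '@odata.type' = '#microsoft.graph.androidCompliancePolicy'
    # This is the "Block devices managed with device administrator" setting under Device Health.
    securityBlockDeviceAdministratorManagedDevices = $true
} | ConvertTo-Json

Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$policyId" `
    -Body $body -ContentType 'application/json'

# Re-read the policy to confirm the setting took effect before assigning it to the device admin user group.
$policy = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$policyId"
"securityBlockDeviceAdministratorManagedDevices is now: $($policy.securityBlockDeviceAdministratorManagedDevices)"
```

Run the inventory part first on its own and compare the counts with the portal's Android (device administrator) filter before patching the policy, so the assumption about managementAgent values is confirmed for your tenant.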
End-User Experience:
Moving the device from device admin to work profile is straightforward, and the end user can do it.
Based on the actions for non-compliance, the user gets notified and can launch the Company Portal, click on the Devices tab, select the Android device, and click on Resolve.
The process involves the following steps:
1. Remove current management
2. Create work profile
3. Activate work profile
4. Update device settings
After the enrollment is completed, the device will appear in the Endpoint portal with OS as ‘Android work profile’.
The old device admin entry still appears; it gets removed as part of the device cleanup (if you have configured it), or you can perform the cleanup using a script.
For troubleshooting, please refer to https://docs.microsoft.com/en-us/mem/intune/enrollment/android-move-device-admin-work-profile#troubleshooting