Historically, Google releases a new Android version every year in late Q3/early Q4, and mandates that by mid-Q4, apps uploaded to the Play Store “target,” or are optimized to run on, the previous year’s API version. Android 13 has officially been released by Google. Our Microsoft Endpoint Manager app protection policies (APP) and mobile device management (MDM) teams have been working hard to make sure Microsoft Intune customers are supported on the new OS release. In this post, we’ll share some of what we’ve found from testing the latest Android beta builds and highlight other noteworthy changes that you should be aware of.
Most APP and MDM scenarios will continue to be fully compatible with Android 13. However, Google has made some significant changes in this release that affect management capabilities available to Intune, particularly for management via device administrator mode. Google has been decreasing management support for device administrator since the release of Android 10 in 2019. As a result, customers should not use device administrator for devices that can be managed by Android Enterprise and/or app protection policies. For more resources on moving from device administrator to Android Enterprise, see the additional information in Decreasing support for Android device administrator.
We’ll update this blog post with new items we discover during our continued testing. We also encourage you to read through Google’s Android 13 change documentation, Behavior Changes for Apps Targeting Android 13, and Behavior Changes for Apps Targeting Android 12 to identify other changes that may be relevant to your organization. Keep us posted on what APP and MDM learnings you find from your testing too!
Versioning vs targeting
When we say “Day Zero support” on Android, we are typically referring to two things: OS version and API targeting.
OS version is the version of Android that a device is running. New versions of Android are released every year or so, first on Google Pixel devices and later by various OEMs as they build out support. This year, the OS version is Android 13.
Date of release: Android 13 was officially released August 15th.
API targeting is set within Intune client apps. Google mandates that apps must target the two most recent versions to be approved in the Play Store. This year, we’re targeting Android 12 (API 31).
Date of targeting going into effect: November 1, 2022
Throughout this doc, you may see changes attributed to either Android 13 readiness or API 31 targeting readiness. It is important to note their differing release dates.
Changes for MDM scenarios
Starting with the release of Android 13, there will be a new runtime permission for sending notifications from an app. Users enrolling an Android 13 device into management will need to allow the permission for Intune client apps to enable the best user experience with notifications.
What to expect:
On device administrator and personally-owned work profile scenarios, we recommend guiding your users to allow permission so they receive important notifications on device compliance.
On corporate-owned devices with a work profile and on fully managed devices, the Microsoft Intune app will display the permission prompt. If the user swipes away the prompt, the notifications permission state will not change. For example, if it's not allowed by default, as will be the case on Android 13 devices, the permission will remain disabled. Note that the prompt will only display for profiles that are enrolling into management on Android 13 devices. Devices already enrolled that are upgrading to Android 13 will continue to follow the current notification permissions on the device.
Changes to device administrator
On API 31, apps that the user hasn’t interacted with for eight or more days may be placed in the “restricted” bucket. This allows the OS to prioritize saving battery life over performing important background tasks on the device. If your users don’t open the Company Portal app very frequently, the Company Portal may not be able to run correctly.
What to expect:
For new Android 13 enrollments to device administrator, we recommend guiding your users to disable battery optimization for the Company Portal to ensure Company Portal will run on the device.
Company Portal will notify the user that they need to disable battery optimization for the app. This notification cannot be dismissed. Tapping on the notification will guide them through the process.
If you have developed an OEMConfig app or other management app for your organization, we recommend checking with the developers to ensure that the app can continue to run as normal.
Changes to personally-owned work profile
When Company Portal targets API 31 (November 1), Google is deprecating the ability to set a required password type and minimum password length for device configuration and compliance profiles. According to Google, overly complex passwords are difficult for users to remember. Brute force attempts to remember the password cause security and performance issues. You can read Google’s full statement on the deprecation in their DevicePolicyManager document.
What to expect:
Before November 1, admins will be able to configure the following password complexity requirements in their device configuration and device compliance policies:
None: No password required.
Low: No Pattern or PIN with repeating (4444) or ordered (1234, 4321, 2468) sequences.
Medium: PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences, length at least 4. Or alphabetic, length at least 4. Or alphanumeric, length at least 4.
High: PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences, length at least 8. Or alphabetic, length at least 6. Or alphanumeric, length at least 6.
We recommend that admins with current required password type and minimum password length configurations update to using the password complexity setting once it’s released for devices running Android 12 or higher.
If you continue to use the required password type and minimum password length settings without configuring the password complexity setting, new devices running Android 12 or higher will default to password complexity High.
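To see which existing PINs and passwords would stop being acceptable when a device defaults to High, the sketch below sorts sample credentials into the buckets listed above. It is an added example, not Intune or Android code, and it makes two assumptions: a "repeating or ordered" sequence is a run of four or more digits with a constant step, and Low is the floor for any non-empty credential that does not reach Medium.

```python
# Added illustration: approximates the complexity buckets listed in this post.
# Assumptions (not from the post): a "sequence" is 4+ consecutive digits with a
# constant step (step 0 = repeating, 2468 = step 2); Low is the floor for any
# non-empty credential that does not reach Medium.

MAX_RUN = 3  # assumed threshold: longer constant-step runs count as sequences


def longest_digit_run(pin: str) -> int:
    """Length of the longest run of digits whose neighbours differ by a constant."""
    if len(pin) < 2:
        return len(pin)
    best, run, step = 1, 1, None
    for a, b in zip(pin, pin[1:]):
        diff = int(b) - int(a)
        run = run + 1 if diff == step else 2
        step = diff
        best = max(best, run)
    return best


def classify(credential: str) -> str:
    """Return None, Low, Medium or High for a PIN or password."""
    if not credential:
        return "None"
    if credential.isascii() and credential.isdigit():
        # PIN: must avoid repeating/ordered sequences; High needs length 8.
        acceptable = longest_digit_run(credential) <= MAX_RUN
        high_len = 8
    else:
        # Alphabetic or alphanumeric password: High needs length 6.
        acceptable, high_len = True, 6
    if acceptable and len(credential) >= high_len:
        return "High"
    if acceptable and len(credential) >= 4:
        return "Medium"
    return "Low"


def fails_default_high(credentials):
    """Credentials that would not satisfy a policy that defaults to High."""
    return [c for c in credentials if classify(c) != "High"]


# Constructed sample credentials, for illustration only.
SAMPLES = ["1234", "4444", "2468", "1937", "193746", "19374625",
           "12345678", "abcd", "tr4ins"]

if __name__ == "__main__":
    for cred in SAMPLES:
        print(f"{cred:>10}  {classify(cred)}")
```

A six-digit PIN without sequences lands in Medium, so users with that kind of PIN are the ones who would be asked to change it on devices that default to High.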
Changes for APP scenarios
Similar to MDM scenarios, Android 13 devices will have notifications disabled by default. Users with APP-protected apps will need to allow a new runtime permission to enable notifications.
What to expect:
APP-protected apps will prompt the user to “allow” or “not allow” the post notifications runtime permission. If the user selects “not allow,” the app will not be able to send notifications. If you have developed an OEMConfig app or other management app for your organization, we recommend checking with the developers to ensure that the app can continue to run as normal.
Other ways to prepare for Android 13
Update apps: Encourage your users to update to the latest version of the Company Portal, Intune, Edge, and other APP-supported apps. The latest version will provide the best experience with devices running Android 13.
Check compatibility for other managed apps: As with previous major Android OS updates, check mobile app compatibility with your app providers to confirm your users' apps work with Android 13. You’ll see a “What’s New for the app” notice in the Google Play app store, in-app details, or updates on an application’s website. Some apps provide Day Zero support, while others update over time.
How can you reach us?
Keep us posted on your Android 13 experience through comments on this blog post, through Twitter @IntuneSuppTeam, and request any new features on our Intune Feedback Portal. We will update this post with any additional information we learn as testing continues, and when Android 13 releases.