This week is all about a very recent new introduced feature for Android Enterprise corporate-owned devices. That feature is the ability to freeze the install of system updates for a period of time. Freezing system updates on Android Enterprise corporate-owned devices enables organizations to stick to a specific version of Android for the specified period of time. That can be usefull to get the right support of the vendor of an app, or to make sure that a specific app works with the latest verison of Android. That level of control makes Android more and more enterprise ready, without the need of additional management tooling (OEMConfig). This post will start with a quick introduction to the freeze period for system updates, followed with the steps to configure that period. This post will end with a brief look at the user experience.
Important: The setting provided in this post requires Android 9.0 and later together with Android Enterprise.
Introducing the freeze period(s) for system updates
With the latest service release of Microsoft Intune (2203) a new device restriction setting became available for devices running Android 9.0 and later. That setting is Freeze periods for system updates and that setting relies on the FreezePeriod setting in the Android Management API. Using that setting makes it possible to configure freeze periods for system updates. A period during which no system updates can install. It’s possible to configure multiple periods, of up to 90 days, each year, as freeze period. Between every freeze period, there must be a minimum of 60 days during which system updates are allowed to install. A freeze period can be defined by specifying a start and an end date in the format of MM/DD. When multiple freeze periods are required during the year, a CSV-file can be created that contains the different start and end dates. The CSV-file is constructed of a line per freeze period that contains the start and end date in the format of MM/DD,MM/DD. An example of such a CSV-file is shown below in Figure 1. This CSV-file was created by simply exporting an existing configuration.
Configuring the freeze period(s) with device restrictions
When looking at the configuration of freeze periods, that can be achieved by using device configuration profiles for corporate-owned Android Enterprise devices. The following eight steps walk through the minimum configurations to create a device configuration profile that contains at least the configuration of the freeze period.
- Open the Microsoft Endpoint Manager admin center portal navigate to Devices > Android > Configuration profiles
- On the Android | Configuration profiles blade, select Create profile
- On the Create a profile page, provide the following information and click Create
- Platform: Select Android Enterprise as value
- Profile type: Select Fully Managed, Dedicated, and Corporate-Owned Work Profile > Device restrictions as value
- On the Basics page, provide a unique Name to distinguish the profile from other restriction profiles and click Next
- On the Configuration settings page, configure at least the following setting in the General section (as shown below in Figure 2) and click Next
- Freeze periods for system updates: Either use Import to import a CSV-file with the different start and end dates, or manually specify different lines with Start date and End date
Note: This example contains a freeze period that already started. That makes it possible to show the user experience. Besides that, this configuration is also similar to the CSV-file shown in Figure 1.
- On the Scope tags page, configure the applicable scope tags and click Next
- On the Assignments page, configure the assignment by selecting the required group of users or devices and click Next
- On the Review + create page, review the configuration and click Create
User experience
Once the configuration is applied, it’s interesting to have a look at the user experience. The reason why it’s interesting, is because the user hardly notices that the configuration is applied. Only when the user is trying to manually update the Android device, with the latest available system update, the user will notice that a configuration is in place. That experience is shown below in Figure 3. Besides that, the Android Device Policy can be used to literally verify if the configuration is applied. That information is shown below in Figure 4.
Note: As long as the freeze period is applicable, the user won’t be able to manually install a new system update and the device won’t be able to automatically install a new system update.
More information
For more information about freezing system updates on Android devices, refer to the following docs.
- Android Enterprise device settings in Microsoft Intune | Microsoft Docs
- REST Resource: enterprises.policies | Android Management API | Google Developers
Discover more from All about Microsoft Intune
Subscribe to get the latest posts sent to your email.
Hello
Nice one! How to generate the info shown in Figure 4?
Zak
Hi Zak,
You can enable debug information as shown here: https://petervanderwoude.nl/post/android-enterprise-and-microsoft-intune-and-android-device-policy/
Regards, Peter
Hi Peter,
So far i see there is only an option to delay the Android system updates.
Have you ever tried to make 2 policies so it delays the Android system updates all year round, if so does it work?
Hi Emre,
To my knowledge, you can only provide a period of 90 days to freeze the updates. After that a period of 60 days is required to allow updates.
Regards, Peter