Android Open Source Project (AOSP) Migration: A Critical Security Upgrade for Teams Android Devices
- bsapsford6
- Jul 21

In today’s security-conscious enterprise landscape, outdated device management models are more than a limitation—they are a vulnerability. For organizations using Microsoft Teams Android Devices, including Teams Rooms, Panels, and Phones, the transition from Android Device Administrator to Android Open Source Project (AOSP) Device Management is not optional. It is essential.
This shift enables stronger compliance, modern policy enforcement, and integration with Microsoft Intune. Delaying this migration could lead to device sign-outs, failed enrollments, and non-compliance with organizational security requirements.
This article outlines why AOSP is the secure choice and how to implement the migration successfully.
Why Security Requires AOSP
1. Device Administrator Is Obsolete
The legacy Device Administrator model does not support modern security and compliance features. It cannot enforce conditional access or apply current security standards required by Microsoft 365 environments.
2. AOSP Delivers Enterprise-Grade Protection
AOSP Device Management enables organizations to:
- Block rooted or non-compliant devices
- Enforce device encryption
- Control device enrollment through secure Intune profiles
- Integrate with Microsoft Conditional Access policies
- Monitor compliance from a central dashboard
These capabilities are not available under Device Administrator and are essential for organizations with security-first policies.
3. Greater Control with Fewer Dependencies
AOSP removes the requirement for Google Mobile Services (GMS), allowing organizations to manage Android devices independently. This is particularly relevant for environments that restrict third-party services or operate in regulated industries.
What You Need to Begin
Before you start, ensure the following:
- Teams Android Devices are licensed for Microsoft Intune
- Devices are currently enrolled via Device Administrator
- Devices are supported by AOSP (see Microsoft’s official list)
- Your team has Intune and Teams administrative access
If your organization uses Teams Rooms Basic licenses without Intune, you only need to upgrade to AOSP-capable firmware when available.
Step-by-Step Guide to a Secure AOSP Migration
Step 1: Create an AOSP Enrollment Profile
- Sign in to the Intune Admin Console
- Go to Devices > Enrollment > Android
- Under Android Open Source Project (AOSP), select Corporate-owned, user-associated devices
- Select Create Policy
- Use the following settings:
  - Name: AOSP – Teams Devices
  - Description: Clarify its use for Teams Android Devices
  - Token Expiration: Leave at 65 years
  - For Microsoft Teams Devices: Enabled
  - Wi-Fi: Not configured
- Review and create the profile
Note: Only one Teams-specific AOSP profile can exist per tenant. Expired tokens prevent enrollment.
Step 2: Create an AOSP Compliance Policy
If your environment uses Conditional Access, compliance policies are required.
- In Intune, go to Devices > Compliance > Create Policy
- Select Android (AOSP) as the platform
- Set policy conditions such as:
  - Block rooted devices
  - Specify minimum and maximum OS versions
  - Require encrypted storage
- Assign the policy to all AOSP devices or relevant groups
- Review and create the policy
Without this step, devices may be marked non-compliant after migration and could be signed out automatically.
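An added example, not part of the original article or of Microsoft's tooling: a pre-migration check that audits an exported AOSP compliance policy against the Step 2 conditions and lists devices whose OS version would fall outside the policy range. The JSON and device names are constructed, and the property names are assumed to follow the Microsoft Graph beta aospDeviceOwnerCompliancePolicy type.

```python
import json

# Constructed sample export. Property names are assumed to follow the Graph
# beta aospDeviceOwnerCompliancePolicy type; confirm against your own export.
POLICY_JSON = """
{
  "@odata.type": "#microsoft.graph.aospDeviceOwnerCompliancePolicy",
  "displayName": "AOSP - Teams Devices compliance",
  "securityBlockJailbrokenDevices": true,
  "storageRequireEncryption": false,
  "osMinimumVersion": "10",
  "osMaximumVersion": "12",
  "assignments": []
}
"""

def version_key(v):
    """Turn '12.1' into (12, 1) so versions compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))

def audit_policy(policy):
    """Return a list of findings for the Step 2 conditions; empty means OK."""
    findings = []
    if "aospDeviceOwnerCompliancePolicy" not in policy.get("@odata.type", ""):
        findings.append("policy platform is not Android (AOSP)")
    if not policy.get("securityBlockJailbrokenDevices"):
        findings.append("rooted devices are not blocked")
    if not policy.get("storageRequireEncryption"):
        findings.append("encrypted storage is not required")
    lo, hi = policy.get("osMinimumVersion"), policy.get("osMaximumVersion")
    if not lo or not hi:
        findings.append("minimum/maximum OS version not both set")
    elif version_key(lo) > version_key(hi):
        findings.append("minimum OS version is above maximum")
    if not policy.get("assignments"):
        findings.append("policy is not assigned to any group")
    return findings

def out_of_range(policy, device_versions):
    """Names of devices whose OS version falls outside the policy range."""
    lo = version_key(policy["osMinimumVersion"])
    hi = version_key(policy["osMaximumVersion"])
    return sorted(n for n, v in device_versions.items()
                  if not lo <= version_key(v) <= hi)

if __name__ == "__main__":
    policy = json.loads(POLICY_JSON)
    print(audit_policy(policy))
    print(out_of_range(policy, {"panel-01": "9", "room-02": "12"}))
```

Devices returned by `out_of_range` are the ones likely to be marked non-compliant, and signed out, once the policy applies after migration.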
Step 3: Review Migration Requirements
Before deploying AOSP firmware:
- Remove any Device Enrollment Manager (DEM) accounts
- Ensure that users can complete MFA directly on the device (device code flow is no longer supported)
- Confirm the organization’s Conditional Access does not prevent successful sign-in post-migration
There will be no visual change for end users after the migration, but security configurations will be enforced silently.
Step 4: Install AOSP-Capable Firmware
When available:
- Sign in to the Teams Admin Center
- Navigate to Teams > Devices
- Select the device type and choose a specific device
- Select Update Software > Manual Updates
- Choose the firmware labeled AOSP and schedule or apply the update
Devices must be on the latest non-AOSP firmware before the AOSP firmware option becomes visible.
Step 5: Verify Migration Success
To confirm that migration is complete:
- In Teams Admin Center, go to the device history
- Look for a recent firmware update marked Successful
- Open the Health tab
- Verify that Microsoft Intune App and Authenticator App appear in the software list
This confirms that the device is now managed under AOSP and compliant with Intune policies.
Migrating to AOSP is more than a technical upgrade. It is a foundational security move. This transition ensures compliance with modern access controls, enables device-level security enforcement, and integrates fully with Microsoft’s cloud-first management ecosystem.
Organizations that act now will reduce risk, maintain service continuity, and gain a future-ready Android platform for Teams deployments. Those that delay risk losing device access, compliance status, and administrative control.
Begin your migration today and put security first.