
Android Open Source Project (AOSP) Migration: A Critical Security Upgrade for Teams Android Devices

Updated: 3 days ago


In today’s security-conscious enterprise landscape, outdated device management models are more than a limitation—they are a vulnerability. For organizations using Microsoft Teams Android Devices, including Teams Rooms, Panels, and Phones, the transition from Android Device Administrator to Android Open Source Project (AOSP) Device Management is not optional. It is essential.

This shift enables stronger compliance, modern policy enforcement, and integration with Microsoft Intune. Delaying this migration could lead to device sign-outs, failed enrollments, and non-compliance with organizational security requirements.

This article outlines why AOSP is the secure choice and how to implement the migration successfully.

Why Security Requires AOSP

1. Device Administrator Is Obsolete

The legacy Device Administrator model does not support modern security and compliance features. It cannot enforce conditional access or apply current security standards required by Microsoft 365 environments.

2. AOSP Delivers Enterprise-Grade Protection

AOSP Device Management enables organizations to:

  • Block rooted or non-compliant devices

  • Enforce device encryption

  • Control device enrollment through secure Intune profiles

  • Integrate with Microsoft Conditional Access policies

  • Monitor compliance from a central dashboard

These capabilities are not available under Device Administrator and are essential for organizations with security-first policies.

3. Greater Control with Fewer Dependencies

AOSP removes the requirement for Google Mobile Services (GMS), allowing organizations to manage Android devices independently. This is particularly relevant for environments that restrict third-party services or operate in regulated industries.

What You Need to Begin

Before you start, ensure the following:

  • Teams Android Devices are licensed for Microsoft Intune

  • Devices are currently enrolled via Device Administrator

  • Devices are supported by AOSP (see Microsoft’s official list)

  • Your team has Intune and Teams administrative access

If your organization uses Teams Rooms Basic licenses without Intune, you only need to upgrade to AOSP-capable firmware when available.

Step-by-Step Guide to a Secure AOSP Migration

Step 1: Create an AOSP Enrollment Profile

  1. Sign in to the Intune Admin Console

  2. Go to Devices > Enrollment > Android

  3. Under Android Open Source Project (AOSP), select Corporate-owned, user-associated devices

  4. Select Create Policy

  5. Use the following settings:

    • Name: AOSP – Teams Devices

    • Description: Clarify its use for Teams Android Devices

    • Token Expiration: Leave at 65 years

    • For Microsoft Teams Devices: Enabled

    • Wi-Fi: Not configured

  6. Review and create the profile

Note: Only one Teams-specific AOSP profile can exist per tenant. Expired tokens prevent enrollment.

Step 2: Create an AOSP Compliance Policy

If your environment uses Conditional Access, compliance policies are required.

  1. In Intune, go to Devices > Compliance > Create Policy

  2. Select Android (AOSP) as the platform

  3. Set policy conditions such as:

    • Block rooted devices

    • Specify minimum and maximum OS versions

    • Require encrypted storage

  4. Assign the policy to all AOSP devices or relevant groups

  5. Review and create the policy

Without this step, devices may be marked non-compliant after migration and could be signed out automatically.

Step 3: Review Migration Requirements

Before deploying AOSP firmware:

  • Remove any Device Enrollment Manager (DEM) accounts

  • Ensure that users can complete MFA directly on the device (device code flow is no longer supported)

  • Confirm the organization’s Conditional Access does not prevent successful sign-in post-migration

There will be no visual change for end users after the migration, but security configurations will be enforced silently.

Step 4: Install AOSP-Capable Firmware

When available:

  1. Sign in to the Teams Admin Center

  2. Navigate to Teams > Devices

  3. Select the device type and choose a specific device

  4. Select Update Software > Manual Updates

  5. Choose the firmware labeled AOSP and schedule or apply the update

Devices must be on the latest non-AOSP firmware before the AOSP firmware option becomes visible.
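
The prerequisites and Steps 1 to 4 above can be expressed as a per-device gate that runs before AOSP firmware is scheduled. This is an added example, not Microsoft tooling or code from the original article; every field name and the sample inventory are constructed assumptions to be mapped onto your own export.

```python
from datetime import date

# Field names and sample records are hypothetical; map them to your own export.
def migration_blockers(device, tenant, today):
    """Return the reasons this device should not receive AOSP firmware yet."""
    blockers = []
    if not device["intune_licensed"]:
        blockers.append("no Intune license")
    if device["enrollment"] != "device_administrator":
        blockers.append("not enrolled via Device Administrator")
    latest = tenant["latest_non_aosp_firmware"]  # keyed by AOSP-supported model
    if device["model"] not in latest:
        blockers.append("model not on the AOSP supported list")
    elif device["firmware"] != latest[device["model"]]:
        blockers.append("not on latest non-AOSP firmware")
    if device["account_is_dem"]:
        blockers.append("signed in with a DEM account")
    if not device["mfa_on_device"]:
        blockers.append("account cannot complete MFA on the device")
    profile = tenant.get("teams_aosp_profile")  # only one allowed per tenant
    if profile is None:
        blockers.append("no Teams AOSP enrollment profile")
    elif profile["token_expires"] <= today:
        blockers.append("enrollment token expired")
    # With Conditional Access, a device lacking the policy may be signed out.
    if (tenant["conditional_access_in_use"]
            and device["group"] not in tenant["aosp_compliance_policy_groups"]):
        blockers.append("no AOSP compliance policy assigned")
    return blockers

def readiness(devices, tenant, today):
    """Map each device name to its list of blockers (empty list = ready)."""
    return {d["name"]: migration_blockers(d, tenant, today) for d in devices}

# Constructed sample data, not taken from any real tenant.
TENANT = {
    "latest_non_aosp_firmware": {"ExamplePanel-A": "2.4.1", "ExamplePhone-B": "1.9.0"},
    "teams_aosp_profile": {"token_expires": date(2090, 1, 1)},
    "conditional_access_in_use": True,
    "aosp_compliance_policy_groups": {"teams-panels"},
}
BASE = {"intune_licensed": True, "enrollment": "device_administrator",
        "account_is_dem": False, "mfa_on_device": True}
DEVICES = [
    {**BASE, "name": "panel-01", "model": "ExamplePanel-A", "firmware": "2.4.1",
     "group": "teams-panels"},
    {**BASE, "name": "phone-07", "model": "ExamplePhone-B", "firmware": "1.8.2",
     "group": "teams-phones", "account_is_dem": True},
]
```

Calling readiness(DEVICES, TENANT, date.today()) returns an empty list for panel-01 and three blockers for phone-07; only devices with an empty list should be scheduled for the firmware update.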

Step 5: Verify Migration Success

To confirm that migration is complete:

  1. In Teams Admin Center, go to the device history

  2. Look for a recent firmware update marked Successful

  3. Open the Health tab

  4. Verify that Microsoft Intune App and Authenticator App appear in the software list

This confirms that the device is now managed under AOSP and compliant with Intune policies.

Migrating to AOSP is more than a technical upgrade. It is a foundational security move. This transition ensures compliance with modern access controls, enables device-level security enforcement, and integrates fully with Microsoft’s cloud-first management ecosystem.

Organizations that act now will reduce risk, maintain service continuity, and gain a future-ready Android platform for Teams deployments. Those that delay risk losing device access, compliance status, and administrative control.

Begin your migration today and put security first.
