We have a number of Samsung Galaxy A20 handsets in the field that are stuck on Android 9.

The handsets are entitled to OS updates through to Android 11 based on standard support and date of purchase etc. etc.

They are enrolled in Maas360 as Device Owner and use Android for Work.

The policy System Update is configured to "Install Immediately".

On the handsets themselves there is no option available to manually apply the OS update within Settings, anywhere (not as a separate Software Update section, not as an update link from About Phone etc.).

This seems ... sub-optimal for a management system that should be keeping things up to date.

I know that if we remove control from the devices and do a quick and dirty non-MDM setup we can get to the OS update and bring them forwards, then re-enrol them. However, that means swapping out nearly 40 handsets for existing users which is both time consuming and expensive.

Have I missed something in a configuration option somewhere, or is this working as designed?

------------------------------
Pete Croft
------------------------------

Hi Pete
A few points to note: 
- General controls over Android OS updates are light on the Google side, and are left to individual hardware manufacturers. 
This means that you don't have control over when your hardware manufacturer (such as Samsung) releases the system update for a specific make and model - in addition the telecoms network (mobile) operator can also have some control here meaning you could end up with 2 same model devices on different networks which can have upgrades only up to different levels. 
- MaaS360 has done what Google have allowed us to do, which is to specify time frames around updates when these are available. Assuming that you've already migrated to Android Enterprise - if not see below - the policy settings are described on this page: https://www.ibm.com/docs/en/maas360?topic=device-system-update-settings
- Samsung do have their own solution called e-FOTA ONE which can be set up on the Samsung platform to 'call' the MaaS360 platform and send specific updates to specific devices. This is a paid solution which you can contract directly with Samsung - you have a 90 day free trial to start. For more information:
https://www.samsungknox.com/en/solutions/it-solutions/samsung_e-fota
https://docs.samsungknox.com/admin/efota-one/before-you-start-ibm.htm
Please note that as this makes a 'web call' from the Samsung platform, you need to set up a REST API Web Services call key on the MaaS360 platform, in order to 'receive the call' from Samsung. Details here: 
https://www.ibm.com/docs/en/maas360?topic=web-services
*********
Regarding Android Enterprise, our team has delivered a number of webinars which are recorded and can be found on this page: 
https://community.ibm.com/community/user/security/blogs/ciaran-darcy/2022/05/12/android-enterprise-webinars

------------------------------
Eamonn O'Mahony
Technical Client Success Manager
IBM Security
Dublin, Ireland
------------------------------

Original Message:
Sent: Thu January 12, 2023 11:13 AM
From: Pete Croft
Subject: Android handsets stuck on old OS

We have a number of Samsung Galaxy A20 handsets in the field that are stuck on Android 9.

The handsets are entitled to OS updates through to Android 11 based on standard support and date of purchase etc. etc.

They are enrolled in Maas360 as Device Owner and use Android for Work.

The policy System Update is configured to "Install Immediately".

On the handsets themselves there is no option available to manually apply the OS update within Settings, anywhere (not as a separate Software Update section, not as an update link from About Phone etc.).

This seems ... sub-optimal for a management system that should be keeping things up to date.

I know that if we remove control from the devices and do a quick and dirty non-MDM setup we can get to the OS update and bring them forwards, then re-enrol them. However, that means swapping out nearly 40 handsets for existing users which is both time consuming and expensive.

Have I missed something in a configuration option somewhere, or is this working as designed?

------------------------------
Pete Croft
------------------------------

Hi Eamonn,

Thank you for the reply.

I'm aware that we're at the mercy of the manufacturer in general, and also of E-FOTA which the client doesn't want to subscribe to at this point.

I suppose the main issue I have is that there are a number of handsets that are elligible for the OS updates, but for whatever reason cannot access them whilst enrolled. If we remove control, do a quick setup on the device as a standalone handset, we can go through the software update process and bring the OS up to the maximum supported.

I don't understand why we can't apply that self-same OS update to the self-same handset whilst it's under MDM via Maas360 and Android for Enterprise.

I guess I'm going to have to accept that we can't, and therefore we're going to have to go through a significant handset replacement programme; it just seems an odd limitation.

------------------------------
Pete Croft
------------------------------

Original Message:
Sent: Fri January 13, 2023 04:49 AM
From: Eamonn O'Mahony
Subject: Android handsets stuck on old OS

Hi Pete
A few points to note: 
- General controls over Android OS updates are light on the Google side, and are left to individual hardware manufacturers. 
This means that you don't have control over when your hardware manufacturer (such as Samsung) releases the system update for a specific make and model - in addition the telecoms network (mobile) operator can also have some control here meaning you could end up with 2 same model devices on different networks which can have upgrades only up to different levels. 
- MaaS360 has done what Google have allowed us to do, which is to specify time frames around updates when these are available. Assuming that you've already migrated to Android Enterprise - if not see below - the policy settings are described on this page: https://www.ibm.com/docs/en/maas360?topic=device-system-update-settings
- Samsung do have their own solution called e-FOTA ONE which can be set up on the Samsung platform to 'call' the MaaS360 platform and send specific updates to specific devices. This is a paid solution which you can contract directly with Samsung - you have a 90 day free trial to start. For more information:
https://www.samsungknox.com/en/solutions/it-solutions/samsung_e-fota
https://docs.samsungknox.com/admin/efota-one/before-you-start-ibm.htm
Please note that as this makes a 'web call' from the Samsung platform, you need to set up a REST API Web Services call key on the MaaS360 platform, in order to 'receive the call' from Samsung. Details here: 
https://www.ibm.com/docs/en/maas360?topic=web-services
*********
Regarding Android Enterprise, our team has delivered a number of webinars which are recorded and can be found on this page: 
https://community.ibm.com/community/user/security/blogs/ciaran-darcy/2022/05/12/android-enterprise-webinars

------------------------------
Eamonn O'Mahony
Technical Client Success Manager
IBM Security
Dublin, Ireland

Original Message:
Sent: Thu January 12, 2023 11:13 AM
From: Pete Croft
Subject: Android handsets stuck on old OS

We have a number of Samsung Galaxy A20 handsets in the field that are stuck on Android 9.

The handsets are entitled to OS updates through to Android 11 based on standard support and date of purchase etc. etc.

They are enrolled in Maas360 as Device Owner and use Android for Work.

The policy System Update is configured to "Install Immediately".

On the handsets themselves there is no option available to manually apply the OS update within Settings, anywhere (not as a separate Software Update section, not as an update link from About Phone etc.).

This seems ... sub-optimal for a management system that should be keeping things up to date.

I know that if we remove control from the devices and do a quick and dirty non-MDM setup we can get to the OS update and bring them forwards, then re-enrol them. However, that means swapping out nearly 40 handsets for existing users which is both time consuming and expensive.

Have I missed something in a configuration option somewhere, or is this working as designed?

------------------------------
Pete Croft
------------------------------

Hi Pete
Thanks for clarification. 
I think if you configure policy settings so that System Updates happen automatically during a certain period, this should happen on the device irrespective of whether it is in kiosk mode and whether a user is using it. Ideally scheduled outside of operational hours to avoid device performance reductions. 
Please ask customer to test using this and see when they know there are updates pending, whether it does the job as expected. 
Am interested to hear the result. 
Best

------------------------------
Eamonn O'Mahony
Technical Client Success Manager
IBM Security
Dublin, Ireland
------------------------------

Original Message:
Sent: Fri January 13, 2023 09:41 AM
From: Pete Croft
Subject: Android handsets stuck on old OS

Hi Eamonn,

Thank you for the reply.

I'm aware that we're at the mercy of the manufacturer in general, and also of E-FOTA which the client doesn't want to subscribe to at this point.

I suppose the main issue I have is that there are a number of handsets that are elligible for the OS updates, but for whatever reason cannot access them whilst enrolled. If we remove control, do a quick setup on the device as a standalone handset, we can go through the software update process and bring the OS up to the maximum supported.

I don't understand why we can't apply that self-same OS update to the self-same handset whilst it's under MDM via Maas360 and Android for Enterprise.

I guess I'm going to have to accept that we can't, and therefore we're going to have to go through a significant handset replacement programme; it just seems an odd limitation.

------------------------------
Pete Croft

Original Message:
Sent: Fri January 13, 2023 04:49 AM
From: Eamonn O'Mahony
Subject: Android handsets stuck on old OS

Hi Pete
A few points to note: 
- General controls over Android OS updates are light on the Google side, and are left to individual hardware manufacturers. 
This means that you don't have control over when your hardware manufacturer (such as Samsung) releases the system update for a specific make and model - in addition the telecoms network (mobile) operator can also have some control here meaning you could end up with 2 same model devices on different networks which can have upgrades only up to different levels. 
- MaaS360 has done what Google have allowed us to do, which is to specify time frames around updates when these are available. Assuming that you've already migrated to Android Enterprise - if not see below - the policy settings are described on this page: https://www.ibm.com/docs/en/maas360?topic=device-system-update-settings
- Samsung do have their own solution called e-FOTA ONE which can be set up on the Samsung platform to 'call' the MaaS360 platform and send specific updates to specific devices. This is a paid solution which you can contract directly with Samsung - you have a 90 day free trial to start. For more information:
https://www.samsungknox.com/en/solutions/it-solutions/samsung_e-fota
https://docs.samsungknox.com/admin/efota-one/before-you-start-ibm.htm
Please note that as this makes a 'web call' from the Samsung platform, you need to set up a REST API Web Services call key on the MaaS360 platform, in order to 'receive the call' from Samsung. Details here: 
https://www.ibm.com/docs/en/maas360?topic=web-services
*********
Regarding Android Enterprise, our team has delivered a number of webinars which are recorded and can be found on this page: 
https://community.ibm.com/community/user/security/blogs/ciaran-darcy/2022/05/12/android-enterprise-webinars

------------------------------
Eamonn O'Mahony
Technical Client Success Manager
IBM Security
Dublin, Ireland

Original Message:
Sent: Thu January 12, 2023 11:13 AM
From: Pete Croft
Subject: Android handsets stuck on old OS

We have a number of Samsung Galaxy A20 handsets in the field that are stuck on Android 9.

The handsets are entitled to OS updates through to Android 11 based on standard support and date of purchase etc. etc.

They are enrolled in Maas360 as Device Owner and use Android for Work.

The policy System Update is configured to "Install Immediately".

On the handsets themselves there is no option available to manually apply the OS update within Settings, anywhere (not as a separate Software Update section, not as an update link from About Phone etc.).

This seems ... sub-optimal for a management system that should be keeping things up to date.

I know that if we remove control from the devices and do a quick and dirty non-MDM setup we can get to the OS update and bring them forwards, then re-enrol them. However, that means swapping out nearly 40 handsets for existing users which is both time consuming and expensive.

Have I missed something in a configuration option somewhere, or is this working as designed?

------------------------------
Pete Croft
------------------------------

Hi Eamonn,

That's the thing, these particular handsets just do not update.

The policy they are under is configured for "Install Immediately" for system updates, as we can't rely on the phones being on during the maintenance window (although i do understand that in theory after a period of elapsed time the update should be forced on regardless if the maintenance window is used).

Despite updates being configured for immediate install in the policy, they simply never go on. And the option within the phone's Settings to manually check for or apply updates is not present.

The system policy isn't in kiosk/COSU mode, simply configured under Android Enterprise with various app restrictions etc.although none that I can see that should impact OS updates.

------------------------------
Pete Croft
------------------------------

Original Message:
Sent: Fri January 13, 2023 09:59 AM
From: Eamonn O'Mahony
Subject: Android handsets stuck on old OS

Hi Pete
Thanks for clarification. 
I think if you configure policy settings so that System Updates happen automatically during a certain period, this should happen on the device irrespective of whether it is in kiosk mode and whether a user is using it. Ideally scheduled outside of operational hours to avoid device performance reductions. 
Please ask customer to test using this and see when they know there are updates pending, whether it does the job as expected. 
Am interested to hear the result. 
Best

------------------------------
Eamonn O'Mahony
Technical Client Success Manager
IBM Security
Dublin, Ireland

Original Message:
Sent: Fri January 13, 2023 09:41 AM
From: Pete Croft
Subject: Android handsets stuck on old OS

Hi Eamonn,

Thank you for the reply.

I'm aware that we're at the mercy of the manufacturer in general, and also of E-FOTA which the client doesn't want to subscribe to at this point.

I suppose the main issue I have is that there are a number of handsets that are elligible for the OS updates, but for whatever reason cannot access them whilst enrolled. If we remove control, do a quick setup on the device as a standalone handset, we can go through the software update process and bring the OS up to the maximum supported.

I don't understand why we can't apply that self-same OS update to the self-same handset whilst it's under MDM via Maas360 and Android for Enterprise.

I guess I'm going to have to accept that we can't, and therefore we're going to have to go through a significant handset replacement programme; it just seems an odd limitation.

------------------------------
Pete Croft

Original Message:
Sent: Fri January 13, 2023 04:49 AM
From: Eamonn O'Mahony
Subject: Android handsets stuck on old OS

Hi Pete
A few points to note: 
- General controls over Android OS updates are light on the Google side, and are left to individual hardware manufacturers. 
This means that you don't have control over when your hardware manufacturer (such as Samsung) releases the system update for a specific make and model - in addition the telecoms network (mobile) operator can also have some control here meaning you could end up with 2 same model devices on different networks which can have upgrades only up to different levels. 
- MaaS360 has done what Google have allowed us to do, which is to specify time frames around updates when these are available. Assuming that you've already migrated to Android Enterprise - if not see below - the policy settings are described on this page: https://www.ibm.com/docs/en/maas360?topic=device-system-update-settings
- Samsung do have their own solution called e-FOTA ONE which can be set up on the Samsung platform to 'call' the MaaS360 platform and send specific updates to specific devices. This is a paid solution which you can contract directly with Samsung - you have a 90 day free trial to start. For more information:
https://www.samsungknox.com/en/solutions/it-solutions/samsung_e-fota
https://docs.samsungknox.com/admin/efota-one/before-you-start-ibm.htm
Please note that as this makes a 'web call' from the Samsung platform, you need to set up a REST API Web Services call key on the MaaS360 platform, in order to 'receive the call' from Samsung. Details here: 
https://www.ibm.com/docs/en/maas360?topic=web-services
*********
Regarding Android Enterprise, our team has delivered a number of webinars which are recorded and can be found on this page: 
https://community.ibm.com/community/user/security/blogs/ciaran-darcy/2022/05/12/android-enterprise-webinars

------------------------------
Eamonn O'Mahony
Technical Client Success Manager
IBM Security
Dublin, Ireland

Original Message:
Sent: Thu January 12, 2023 11:13 AM
From: Pete Croft
Subject: Android handsets stuck on old OS

We have a number of Samsung Galaxy A20 handsets in the field that are stuck on Android 9.

The handsets are entitled to OS updates through to Android 11 based on standard support and date of purchase etc. etc.

They are enrolled in Maas360 as Device Owner and use Android for Work.

The policy System Update is configured to "Install Immediately".

On the handsets themselves there is no option available to manually apply the OS update within Settings, anywhere (not as a separate Software Update section, not as an update link from About Phone etc.).

This seems ... sub-optimal for a management system that should be keeping things up to date.

I know that if we remove control from the devices and do a quick and dirty non-MDM setup we can get to the OS update and bring them forwards, then re-enrol them. However, that means swapping out nearly 40 handsets for existing users which is both time consuming and expensive.

Have I missed something in a configuration option somewhere, or is this working as designed?

------------------------------
Pete Croft
------------------------------

Hi Pete
I think you are referring to the fact that when you are expecting system updates they don't come, or do you mean that you have verified that updates are available for specific models and via specific network operators and still don't come? 
If the former it may be just a question of checking wtih manufacturer and network operator to see which specific updates are avaiable for a given make and model. 
If the latter then there would appear to be an issue but I just want to confirm that you are 100% sure based on confirmation, that updates are available. 
This is effectively a guessing game without confirmation - except for where you contract eFOTA with Samsung. 
Please let me know your thoughts. 
Best

------------------------------
Eamonn O'Mahony
Technical Client Success Manager
IBM Security
Dublin, Ireland
------------------------------

Original Message:
Sent: Fri January 13, 2023 11:03 AM
From: Pete Croft
Subject: Android handsets stuck on old OS

Hi Eamonn,

That's the thing, these particular handsets just do not update.

The policy they are under is configured for "Install Immediately" for system updates, as we can't rely on the phones being on during the maintenance window (although i do understand that in theory after a period of elapsed time the update should be forced on regardless if the maintenance window is used).

Despite updates being configured for immediate install in the policy, they simply never go on. And the option within the phone's Settings to manually check for or apply updates is not present.

The system policy isn't in kiosk/COSU mode, simply configured under Android Enterprise with various app restrictions etc.although none that I can see that should impact OS updates.

------------------------------
Pete Croft

Original Message:
Sent: Fri January 13, 2023 09:59 AM
From: Eamonn O'Mahony
Subject: Android handsets stuck on old OS

Hi Pete
Thanks for clarification. 
I think if you configure policy settings so that System Updates happen automatically during a certain period, this should happen on the device irrespective of whether it is in kiosk mode and whether a user is using it. Ideally scheduled outside of operational hours to avoid device performance reductions. 
Please ask customer to test using this and see when they know there are updates pending, whether it does the job as expected. 
Am interested to hear the result. 
Best

------------------------------
Eamonn O'Mahony
Technical Client Success Manager
IBM Security
Dublin, Ireland

Original Message:
Sent: Fri January 13, 2023 09:41 AM
From: Pete Croft
Subject: Android handsets stuck on old OS

Hi Eamonn,

Thank you for the reply.

I'm aware that we're at the mercy of the manufacturer in general, and also of E-FOTA which the client doesn't want to subscribe to at this point.

I suppose the main issue I have is that there are a number of handsets that are elligible for the OS updates, but for whatever reason cannot access them whilst enrolled. If we remove control, do a quick setup on the device as a standalone handset, we can go through the software update process and bring the OS up to the maximum supported.

I don't understand why we can't apply that self-same OS update to the self-same handset whilst it's under MDM via Maas360 and Android for Enterprise.

I guess I'm going to have to accept that we can't, and therefore we're going to have to go through a significant handset replacement programme; it just seems an odd limitation.

------------------------------
Pete Croft

Original Message:
Sent: Fri January 13, 2023 04:49 AM
From: Eamonn O'Mahony
Subject: Android handsets stuck on old OS

Hi Pete
A few points to note: 
- General controls over Android OS updates are light on the Google side, and are left to individual hardware manufacturers. 
This means that you don't have control over when your hardware manufacturer (such as Samsung) releases the system update for a specific make and model - in addition the telecoms network (mobile) operator can also have some control here meaning you could end up with 2 same model devices on different networks which can have upgrades only up to different levels. 
- MaaS360 has done what Google have allowed us to do, which is to specify time frames around updates when these are available. Assuming that you've already migrated to Android Enterprise - if not see below - the policy settings are described on this page: https://www.ibm.com/docs/en/maas360?topic=device-system-update-settings
- Samsung do have their own solution called e-FOTA ONE which can be set up on the Samsung platform to 'call' the MaaS360 platform and send specific updates to specific devices. This is a paid solution which you can contract directly with Samsung - you have a 90 day free trial to start. For more information:
https://www.samsungknox.com/en/solutions/it-solutions/samsung_e-fota
https://docs.samsungknox.com/admin/efota-one/before-you-start-ibm.htm
Please note that as this makes a 'web call' from the Samsung platform, you need to set up a REST API Web Services call key on the MaaS360 platform, in order to 'receive the call' from Samsung. Details here: 
https://www.ibm.com/docs/en/maas360?topic=web-services
*********
Regarding Android Enterprise, our team has delivered a number of webinars which are recorded and can be found on this page: 
https://community.ibm.com/community/user/security/blogs/ciaran-darcy/2022/05/12/android-enterprise-webinars

------------------------------
Eamonn O'Mahony
Technical Client Success Manager
IBM Security
Dublin, Ireland

Original Message:
Sent: Thu January 12, 2023 11:13 AM
From: Pete Croft
Subject: Android handsets stuck on old OS

We have a number of Samsung Galaxy A20 handsets in the field that are stuck on Android 9.

The handsets are entitled to OS updates through to Android 11 based on standard support and date of purchase etc. etc.

They are enrolled in Maas360 as Device Owner and use Android for Work.

The policy System Update is configured to "Install Immediately".

On the handsets themselves there is no option available to manually apply the OS update within Settings, anywhere (not as a separate Software Update section, not as an update link from About Phone etc.).

This seems ... sub-optimal for a management system that should be keeping things up to date.

I know that if we remove control from the devices and do a quick and dirty non-MDM setup we can get to the OS update and bring them forwards, then re-enrol them. However, that means swapping out nearly 40 handsets for existing users which is both time consuming and expensive.

Have I missed something in a configuration option somewhere, or is this working as designed?

------------------------------
Pete Croft
------------------------------

Hi Eamonn,

Apologies for the delay, there's been quite a lot going on this end.

Sorry for the confusion, I thought I'd been clear in the OP and since, but the problem is the latter:

• the handsets are known to be elligible for OS updates
• they are enrolled in Maas as DO devices using Android Enterprise policies
• they are not in Kiosk or COSU mode
• the security policy they are under is configured to allow instant OS updates
• whilst they are under MDM
  • those OS updates do not get applied
  • there is no mechanism for the end user to force the update
  • there is no mechanism for us as admins to force the update
• as a result we have a number of Samsung Galaxy A20 models that are stuck on Android 9

For further clarity, let's say we have a handset called A20-1 and it's under MDM and is on Android 9. If I get the user to send me that handset back, and I then remove control (and reset protection) so that the handset resets ready for fresh setup. I configure the handset without enrolling it in Maas, and in Settings on the handset I can check for OS updates and apply updates all the way to Android 11.

If I then reset the handset again and enrol it in Maas, it goes in happily and obviously remainds on Android 11.

So I know for a stone cold fact that the handset is elligible for the OS update. But unless it is completely removed from Maas and configured stand-alone, then wiped and re-enrolled in Maas, I cannot shift it off Android 9.

Which is about to give me a 30 handset headache for security compliance ...

------------------------------
Pete Croft
------------------------------

Original Message:
Sent: Wed January 18, 2023 08:31 AM
From: Eamonn O'Mahony
Subject: Android handsets stuck on old OS

Hi Pete
I think you are referring to the fact that when you are expecting system updates they don't come, or do you mean that you have verified that updates are available for specific models and via specific network operators and still don't come? 
If the former it may be just a question of checking wtih manufacturer and network operator to see which specific updates are avaiable for a given make and model. 
If the latter then there would appear to be an issue but I just want to confirm that you are 100% sure based on confirmation, that updates are available. 
This is effectively a guessing game without confirmation - except for where you contract eFOTA with Samsung. 
Please let me know your thoughts. 
Best

------------------------------
Eamonn O'Mahony
Technical Client Success Manager
IBM Security
Dublin, Ireland

Original Message:
Sent: Fri January 13, 2023 11:03 AM
From: Pete Croft
Subject: Android handsets stuck on old OS

Hi Eamonn,

That's the thing, these particular handsets just do not update.

The policy they are under is configured for "Install Immediately" for system updates, as we can't rely on the phones being on during the maintenance window (although i do understand that in theory after a period of elapsed time the update should be forced on regardless if the maintenance window is used).

Despite updates being configured for immediate install in the policy, they simply never go on. And the option within the phone's Settings to manually check for or apply updates is not present.

The system policy isn't in kiosk/COSU mode, simply configured under Android Enterprise with various app restrictions etc.although none that I can see that should impact OS updates.

------------------------------
Pete Croft

Original Message:
Sent: Fri January 13, 2023 09:59 AM
From: Eamonn O'Mahony
Subject: Android handsets stuck on old OS

Hi Pete
Thanks for clarification. 
I think if you configure policy settings so that System Updates happen automatically during a certain period, this should happen on the device irrespective of whether it is in kiosk mode and whether a user is using it. Ideally scheduled outside of operational hours to avoid device performance reductions. 
Please ask customer to test using this and see when they know there are updates pending, whether it does the job as expected. 
Am interested to hear the result. 
Best

------------------------------
Eamonn O'Mahony
Technical Client Success Manager
IBM Security
Dublin, Ireland

Original Message:
Sent: Fri January 13, 2023 09:41 AM
From: Pete Croft
Subject: Android handsets stuck on old OS

Hi Eamonn,

Thank you for the reply.

I'm aware that we're at the mercy of the manufacturer in general, and also of E-FOTA which the client doesn't want to subscribe to at this point.

I suppose the main issue I have is that there are a number of handsets that are elligible for the OS updates, but for whatever reason cannot access them whilst enrolled. If we remove control, do a quick setup on the device as a standalone handset, we can go through the software update process and bring the OS up to the maximum supported.

I don't understand why we can't apply that self-same OS update to the self-same handset whilst it's under MDM via Maas360 and Android for Enterprise.

I guess I'm going to have to accept that we can't, and therefore we're going to have to go through a significant handset replacement programme; it just seems an odd limitation.

------------------------------
Pete Croft

Original Message:
Sent: Fri January 13, 2023 04:49 AM
From: Eamonn O'Mahony
Subject: Android handsets stuck on old OS

Hi Pete
A few points to note: 
- General controls over Android OS updates are light on the Google side, and are left to individual hardware manufacturers. 
This means that you don't have control over when your hardware manufacturer (such as Samsung) releases the system update for a specific make and model - in addition the telecoms network (mobile) operator can also have some control here meaning you could end up with 2 same model devices on different networks which can have upgrades only up to different levels. 
- MaaS360 has done what Google have allowed us to do, which is to specify time frames around updates when these are available. Assuming that you've already migrated to Android Enterprise - if not see below - the policy settings are described on this page: https://www.ibm.com/docs/en/maas360?topic=device-system-update-settings
- Samsung do have their own solution called e-FOTA ONE which can be set up on the Samsung platform to 'call' the MaaS360 platform and send specific updates to specific devices. This is a paid solution which you can contract directly with Samsung - you have a 90 day free trial to start. For more information:
https://www.samsungknox.com/en/solutions/it-solutions/samsung_e-fota
https://docs.samsungknox.com/admin/efota-one/before-you-start-ibm.htm
Please note that as this makes a 'web call' from the Samsung platform, you need to set up a REST API Web Services call key on the MaaS360 platform, in order to 'receive the call' from Samsung. Details here: 
https://www.ibm.com/docs/en/maas360?topic=web-services
*********
Regarding Android Enterprise, our team has delivered a number of webinars which are recorded and can be found on this page: 
https://community.ibm.com/community/user/security/blogs/ciaran-darcy/2022/05/12/android-enterprise-webinars

------------------------------
Eamonn O'Mahony
Technical Client Success Manager
IBM Security
Dublin, Ireland

Original Message:
Sent: Thu January 12, 2023 11:13 AM
From: Pete Croft
Subject: Android handsets stuck on old OS

We have a number of Samsung Galaxy A20 handsets in the field that are stuck on Android 9.

The handsets are entitled to OS updates through to Android 11 based on standard support and date of purchase etc. etc.

They are enrolled in Maas360 as Device Owner and use Android for Work.

The policy System Update is configured to "Install Immediately".

On the handsets themselves there is no option available to manually apply the OS update within Settings, anywhere (not as a separate Software Update section, not as an update link from About Phone etc.).

This seems ... sub-optimal for a management system that should be keeping things up to date.

I know that if we remove control from the devices and do a quick and dirty non-MDM setup we can get to the OS update and bring them forwards, then re-enrol them. However, that means swapping out nearly 40 handsets for existing users which is both time consuming and expensive.

Have I missed something in a configuration option somewhere, or is this working as designed?

------------------------------
Pete Croft
------------------------------

Hi Pete
It's reasonably clear to me that there may be some interaction between our product and the OS updates, as you have evidenced. Our Support team will be able to bring this further, if you raise a ticket. If you summarise the information above this should help, please provide sample device/usernames and if possible a Bug Report log from device as well as MaaS360 app logs, instructions below. The reason for so much detail is that as the issue could be found either at MaaS360 app level or Android OS level we need to examine both. 
Thanks for your patience and if you want to message me individually on my profile with the case number I'll ensure it gets given priority. 
Regards
https://www.ibm.com/support/pages/collect-and-share-android-bug-report
https://www.ibm.com/support/pages/how-collect-android-logs

------------------------------
Eamonn O'Mahony
Technical Client Success Manager
IBM Security
Dublin, Ireland
------------------------------

Original Message:
Sent: Tue January 24, 2023 10:39 AM
From: Pete Croft
Subject: Android handsets stuck on old OS

Hi Eamonn,

Apologies for the delay, there's been quite a lot going on this end.

Sorry for the confusion, I thought I'd been clear in the OP and since, but the problem is the latter:

• the handsets are known to be elligible for OS updates
• they are enrolled in Maas as DO devices using Android Enterprise policies
• they are not in Kiosk or COSU mode
• the security policy they are under is configured to allow instant OS updates
• whilst they are under MDM
  • those OS updates do not get applied
  • there is no mechanism for the end user to force the update
  • there is no mechanism for us as admins to force the update
• as a result we have a number of Samsung Galaxy A20 models that are stuck on Android 9

For further clarity, let's say we have a handset called A20-1 and it's under MDM and is on Android 9. If I get the user to send me that handset back, and I then remove control (and reset protection) so that the handset resets ready for fresh setup. I configure the handset without enrolling it in Maas, and in Settings on the handset I can check for OS updates and apply updates all the way to Android 11.

If I then reset the handset again and enrol it in Maas, it goes in happily and obviously remainds on Android 11.

So I know for a stone cold fact that the handset is elligible for the OS update. But unless it is completely removed from Maas and configured stand-alone, then wiped and re-enrolled in Maas, I cannot shift it off Android 9.

Which is about to give me a 30 handset headache for security compliance ...

------------------------------
Pete Croft

Original Message:
Sent: Wed January 18, 2023 08:31 AM
From: Eamonn O'Mahony
Subject: Android handsets stuck on old OS

Hi Pete
I think you are referring to the fact that when you are expecting system updates they don't come, or do you mean that you have verified that updates are available for specific models and via specific network operators and still don't come? 
If the former it may be just a question of checking wtih manufacturer and network operator to see which specific updates are avaiable for a given make and model. 
If the latter then there would appear to be an issue but I just want to confirm that you are 100% sure based on confirmation, that updates are available. 
This is effectively a guessing game without confirmation - except for where you contract eFOTA with Samsung. 
Please let me know your thoughts. 
Best

------------------------------
Eamonn O'Mahony
Technical Client Success Manager
IBM Security
Dublin, Ireland

Original Message:
Sent: Fri January 13, 2023 11:03 AM
From: Pete Croft
Subject: Android handsets stuck on old OS

Hi Eamonn,

That's the thing, these particular handsets just do not update.

The policy they are under is configured for "Install Immediately" for system updates, as we can't rely on the phones being on during the maintenance window (although i do understand that in theory after a period of elapsed time the update should be forced on regardless if the maintenance window is used).

Despite updates being configured for immediate install in the policy, they simply never go on. And the option within the phone's Settings to manually check for or apply updates is not present.

The system policy isn't in kiosk/COSU mode, simply configured under Android Enterprise with various app restrictions etc.although none that I can see that should impact OS updates.

------------------------------
Pete Croft

Original Message:
Sent: Fri January 13, 2023 09:59 AM
From: Eamonn O'Mahony
Subject: Android handsets stuck on old OS

Hi Pete
Thanks for clarification. 
I think if you configure policy settings so that System Updates happen automatically during a certain period, this should happen on the device irrespective of whether it is in kiosk mode and whether a user is using it. Ideally scheduled outside of operational hours to avoid device performance reductions. 
Please ask customer to test using this and see when they know there are updates pending, whether it does the job as expected. 
Am interested to hear the result. 
Best

------------------------------
Eamonn O'Mahony
Technical Client Success Manager
IBM Security
Dublin, Ireland

Original Message:
Sent: Fri January 13, 2023 09:41 AM
From: Pete Croft
Subject: Android handsets stuck on old OS

Hi Eamonn,

Thank you for the reply.

I'm aware that we're at the mercy of the manufacturer in general, and also of E-FOTA which the client doesn't want to subscribe to at this point.

I suppose the main issue I have is that there are a number of handsets that are elligible for the OS updates, but for whatever reason cannot access them whilst enrolled. If we remove control, do a quick setup on the device as a standalone handset, we can go through the software update process and bring the OS up to the maximum supported.

I don't understand why we can't apply that self-same OS update to the self-same handset whilst it's under MDM via Maas360 and Android for Enterprise.

I guess I'm going to have to accept that we can't, and therefore we're going to have to go through a significant handset replacement programme; it just seems an odd limitation.

------------------------------
Pete Croft

Original Message:
Sent: Fri January 13, 2023 04:49 AM
From: Eamonn O'Mahony
Subject: Android handsets stuck on old OS

Hi Pete
A few points to note: 
- General controls over Android OS updates are light on the Google side, and are left to individual hardware manufacturers. 
This means that you don't have control over when your hardware manufacturer (such as Samsung) releases the system update for a specific make and model - in addition the telecoms network (mobile) operator can also have some control here meaning you could end up with 2 same model devices on different networks which can have upgrades only up to different levels. 
- MaaS360 has done what Google have allowed us to do, which is to specify time frames around updates when these are available. Assuming that you've already migrated to Android Enterprise - if not see below - the policy settings are described on this page: https://www.ibm.com/docs/en/maas360?topic=device-system-update-settings
- Samsung do have their own solution called e-FOTA ONE which can be set up on the Samsung platform to 'call' the MaaS360 platform and send specific updates to specific devices. This is a paid solution which you can contract directly with Samsung - you have a 90 day free trial to start. For more information:
https://www.samsungknox.com/en/solutions/it-solutions/samsung_e-fota
https://docs.samsungknox.com/admin/efota-one/before-you-start-ibm.htm
Please note that as this makes a 'web call' from the Samsung platform, you need to set up a REST API Web Services call key on the MaaS360 platform, in order to 'receive the call' from Samsung. Details here: 
https://www.ibm.com/docs/en/maas360?topic=web-services
*********
Regarding Android Enterprise, our team has delivered a number of webinars which are recorded and can be found on this page: 
https://community.ibm.com/community/user/security/blogs/ciaran-darcy/2022/05/12/android-enterprise-webinars

------------------------------
Eamonn O'Mahony
Technical Client Success Manager
IBM Security
Dublin, Ireland

Original Message:
Sent: Thu January 12, 2023 11:13 AM
From: Pete Croft
Subject: Android handsets stuck on old OS

We have a number of Samsung Galaxy A20 handsets in the field that are stuck on Android 9.

The handsets are entitled to OS updates through to Android 11 based on standard support and date of purchase etc. etc.

They are enrolled in Maas360 as Device Owner and use Android for Work.

The policy System Update is configured to "Install Immediately".

On the handsets themselves there is no option available to manually apply the OS update within Settings, anywhere (not as a separate Software Update section, not as an update link from About Phone etc.).

This seems ... sub-optimal for a management system that should be keeping things up to date.

I know that if we remove control from the devices and do a quick and dirty non-MDM setup we can get to the OS update and bring them forwards, then re-enrol them. However, that means swapping out nearly 40 handsets for existing users which is both time consuming and expensive.

Have I missed something in a configuration option somewhere, or is this working as designed?

------------------------------
Pete Croft
------------------------------

Thansk Eamonn, I genuinely appreciate that. Unfortunately we are constrained by time at our end, so we're having to just go with sending out new handsets to affected users, and getting theirs back in to be removed, updated, and re-enrolled. We have a deadline to hit for a security compliance certification, so waiting to do it elegantly will see the client in a troublesome area.

Hopefully it's a one-off that relates to some issue in Android 9 and won't hit us again, but if I spot it happening with devices on e.g. Android 10 I'll re-visit this in a more timely fashion so that we can address it properly.

------------------------------
Pete Croft
------------------------------

Original Message:
Sent: Wed January 25, 2023 06:17 AM
From: Eamonn O'Mahony
Subject: Android handsets stuck on old OS

Hi Pete
It's reasonably clear to me that there may be some interaction between our product and the OS updates, as you have evidenced. Our Support team will be able to bring this further, if you raise a ticket. If you summarise the information above this should help, please provide sample device/usernames and if possible a Bug Report log from device as well as MaaS360 app logs, instructions below. The reason for so much detail is that as the issue could be found either at MaaS360 app level or Android OS level we need to examine both. 
Thanks for your patience and if you want to message me individually on my profile with the case number I'll ensure it gets given priority. 
Regards
https://www.ibm.com/support/pages/collect-and-share-android-bug-report
https://www.ibm.com/support/pages/how-collect-android-logs

------------------------------
Eamonn O'Mahony
Technical Client Success Manager
IBM Security
Dublin, Ireland

Original Message:
Sent: Tue January 24, 2023 10:39 AM
From: Pete Croft
Subject: Android handsets stuck on old OS

Hi Eamonn,

Apologies for the delay, there's been quite a lot going on this end.

Sorry for the confusion, I thought I'd been clear in the OP and since, but the problem is the latter:

• the handsets are known to be elligible for OS updates
• they are enrolled in Maas as DO devices using Android Enterprise policies
• they are not in Kiosk or COSU mode
• the security policy they are under is configured to allow instant OS updates
• whilst they are under MDM
  • those OS updates do not get applied
  • there is no mechanism for the end user to force the update
  • there is no mechanism for us as admins to force the update
• as a result we have a number of Samsung Galaxy A20 models that are stuck on Android 9

For further clarity, let's say we have a handset called A20-1 and it's under MDM and is on Android 9. If I get the user to send me that handset back, and I then remove control (and reset protection) so that the handset resets ready for fresh setup. I configure the handset without enrolling it in Maas, and in Settings on the handset I can check for OS updates and apply updates all the way to Android 11.

If I then reset the handset again and enrol it in Maas, it goes in happily and obviously remainds on Android 11.

So I know for a stone cold fact that the handset is elligible for the OS update. But unless it is completely removed from Maas and configured stand-alone, then wiped and re-enrolled in Maas, I cannot shift it off Android 9.

Which is about to give me a 30 handset headache for security compliance ...

------------------------------
Pete Croft

Original Message:
Sent: Wed January 18, 2023 08:31 AM
From: Eamonn O'Mahony
Subject: Android handsets stuck on old OS

Hi Pete
I think you are referring to the fact that when you are expecting system updates they don't come, or do you mean that you have verified that updates are available for specific models and via specific network operators and still don't come? 
If the former it may be just a question of checking wtih manufacturer and network operator to see which specific updates are avaiable for a given make and model. 
If the latter then there would appear to be an issue but I just want to confirm that you are 100% sure based on confirmation, that updates are available. 
This is effectively a guessing game without confirmation - except for where you contract eFOTA with Samsung. 
Please let me know your thoughts. 
Best

------------------------------
Eamonn O'Mahony
Technical Client Success Manager
IBM Security
Dublin, Ireland

Original Message:
Sent: Fri January 13, 2023 11:03 AM
From: Pete Croft
Subject: Android handsets stuck on old OS

Hi Eamonn,

That's the thing, these particular handsets just do not update.

The policy they are under is configured for "Install Immediately" for system updates, as we can't rely on the phones being on during the maintenance window (although i do understand that in theory after a period of elapsed time the update should be forced on regardless if the maintenance window is used).

Despite updates being configured for immediate install in the policy, they simply never go on. And the option within the phone's Settings to manually check for or apply updates is not present.

The system policy isn't in kiosk/COSU mode, simply configured under Android Enterprise with various app restrictions etc.although none that I can see that should impact OS updates.

------------------------------
Pete Croft

Original Message:
Sent: Fri January 13, 2023 09:59 AM
From: Eamonn O'Mahony
Subject: Android handsets stuck on old OS

Hi Pete
Thanks for clarification. 
I think if you configure policy settings so that System Updates happen automatically during a certain period, this should happen on the device irrespective of whether it is in kiosk mode and whether a user is using it. Ideally scheduled outside of operational hours to avoid device performance reductions. 
Please ask customer to test using this and see when they know there are updates pending, whether it does the job as expected. 
Am interested to hear the result. 
Best

------------------------------
Eamonn O'Mahony
Technical Client Success Manager
IBM Security
Dublin, Ireland

Original Message:
Sent: Fri January 13, 2023 09:41 AM
From: Pete Croft
Subject: Android handsets stuck on old OS

Hi Eamonn,

Thank you for the reply.

I'm aware that we're at the mercy of the manufacturer in general, and also of E-FOTA which the client doesn't want to subscribe to at this point.

I suppose the main issue I have is that there are a number of handsets that are elligible for the OS updates, but for whatever reason cannot access them whilst enrolled. If we remove control, do a quick setup on the device as a standalone handset, we can go through the software update process and bring the OS up to the maximum supported.

I don't understand why we can't apply that self-same OS update to the self-same handset whilst it's under MDM via Maas360 and Android for Enterprise.

I guess I'm going to have to accept that we can't, and therefore we're going to have to go through a significant handset replacement programme; it just seems an odd limitation.

------------------------------
Pete Croft

Original Message:
Sent: Fri January 13, 2023 04:49 AM
From: Eamonn O'Mahony
Subject: Android handsets stuck on old OS

Hi Pete
A few points to note: 
- General controls over Android OS updates are light on the Google side, and are left to individual hardware manufacturers. 
This means that you don't have control over when your hardware manufacturer (such as Samsung) releases the system update for a specific make and model - in addition the telecoms network (mobile) operator can also have some control here meaning you could end up with 2 same model devices on different networks which can have upgrades only up to different levels. 
- MaaS360 has done what Google have allowed us to do, which is to specify time frames around updates when these are available. Assuming that you've already migrated to Android Enterprise - if not see below - the policy settings are described on this page: https://www.ibm.com/docs/en/maas360?topic=device-system-update-settings
- Samsung do have their own solution called e-FOTA ONE which can be set up on the Samsung platform to 'call' the MaaS360 platform and send specific updates to specific devices. This is a paid solution which you can contract directly with Samsung - you have a 90 day free trial to start. For more information:
https://www.samsungknox.com/en/solutions/it-solutions/samsung_e-fota
https://docs.samsungknox.com/admin/efota-one/before-you-start-ibm.htm
Please note that as this makes a 'web call' from the Samsung platform, you need to set up a REST API Web Services call key on the MaaS360 platform, in order to 'receive the call' from Samsung. Details here: 
https://www.ibm.com/docs/en/maas360?topic=web-services
*********
Regarding Android Enterprise, our team has delivered a number of webinars which are recorded and can be found on this page: 
https://community.ibm.com/community/user/security/blogs/ciaran-darcy/2022/05/12/android-enterprise-webinars

------------------------------
Eamonn O'Mahony
Technical Client Success Manager
IBM Security
Dublin, Ireland

Original Message:
Sent: Thu January 12, 2023 11:13 AM
From: Pete Croft
Subject: Android handsets stuck on old OS

We have a number of Samsung Galaxy A20 handsets in the field that are stuck on Android 9.

The handsets are entitled to OS updates through to Android 11 based on standard support and date of purchase etc. etc.

They are enrolled in Maas360 as Device Owner and use Android for Work.

The policy System Update is configured to "Install Immediately".

On the handsets themselves there is no option available to manually apply the OS update within Settings, anywhere (not as a separate Software Update section, not as an update link from About Phone etc.).

This seems ... sub-optimal for a management system that should be keeping things up to date.

I know that if we remove control from the devices and do a quick and dirty non-MDM setup we can get to the OS update and bring them forwards, then re-enrol them. However, that means swapping out nearly 40 handsets for existing users which is both time consuming and expensive.

Have I missed something in a configuration option somewhere, or is this working as designed?

------------------------------
Pete Croft
------------------------------