Target API Level Policy Changes & Its Impact on Enterprises

Overview

With the service release 2211 of Intune, password complexity settings for Android Enterprise 12+ devices have been changed. This brings a major change in Password complexity settings for Android Enterprise.

The reason for the new password complexity settings is the latest Android OS – Android 13 & API levels! With the release of the new OS, Google has mandated that all apps published to the Play Store must “target” or be “optimized” to work with the previous year’s API version. Google Play has updated its requirements for Android’s Target API Levels to increase app security.

In particular, an app must declare an “API level” released within two years of the most recent major version of Android if it is to be installed by users on the most current version of the Android OS.

Alright, but how this is related to password complexity and how it could impact you as an organization?

It’s a bit complicated and with this post I will try to explain the reasoning behind it and how it affects your organization.

Android versions & Target API levels

Whenever a new Android version is released, a unique “name” and a unique integer identifier, called “API level” is given to it. For eg:

The Android version, such as Android 12.0
A code (or dessert) name, such as Snow Cone
A corresponding API level, such as API level 31

An Android code name may correspond to multiple versions and API levels but each Android version corresponds to exactly one API level.

Each Android device runs at exactly one API level – this API level is guaranteed to be unique per Android platform version. The API level precisely identifies the version of the API set that your app can call into; it identifies the combination of manifest elements, permissions, etc. Android’s system of API levels helps Android determine whether an application is compatible with an Android system image prior to installing the application on a device.

When an application is built, it contains the following API level information:

The target API level of Android that the app is built to run on.
The minimum Android API level that an Android device must have to run your app.

These settings are used to ensure that the functionality needed to run the app correctly is available on the Android device at installation time. If not, the app is blocked from running on that device. For example, if the API level of an Android device is lower than the minimum API level that you specify for your app, the Android device will prevent the user from installing your app.

The framework API is updated to give new or alternative capabilities with each new iteration of Android. With a few rare exceptions, older Android versions’ API functionality is preserved unchanged in later Android versions. As a result, if your app works on one version of the Android API, it should work without any changes on a later version.

If you also want your app to work on older Android versions then some APIs may be unavailable to your app at runtime and your app may still work on older devices, albeit with limited functionality.

Because the Intune company portal is also available on Google Play, Microsoft must also adhere to the new target API level in order to keep the app compliant with Google’s new privacy policies.

What does that imply?

From January 31, 2023, if an application targets API level 29 or lower, it will no longer be discoverable or installable through Google Play for new users with devices running Android 11 or higher, and thus distributing an application with a lower targetSDK will simply never appear on new devices. What this actually means for enterprise & public store applications?

Existing devices remain unaffected.
New devices enrolled running Android 10 or lower will receive the application without issue.
New devices enrolled running Android 11 or later will not receive the application and will not see it within managed Google Play either.

The earlier deadline was November 2022 but now Google has extend till Jan’2023 with an extension request also available.

How this will affect your organization:

In the API level 31, there are series of changes and updates which impact enterprise apps and devices (work-profile). Few of them are listed below:

The password complexity feature sets device-wide password requirements in predefined complexity buckets (High, Medium, Low, and None). If required, strict password requirements can instead be placed on the work profile security challenge.

Onboarding for the work profile security challenge has been eased. Now that setup considers whether the device passcode satisfies admin requirements, it is simple for the user to decide whether to strengthen their device passcode or utilize the security challenges associated with their work profile.

A factory reset won’t affect an enrollment-specific ID, which offers a distinct ID that identifies the work profile enrollment in a specific organisation. In Android 12, access to the device’s hardware identifiers (IMEI, MEID, serial number) is disabled for personal devices with a work profile.

Company-owned devices, with and without work profiles, can adopt the features listed in the preceding list items, but are not required to adopt them in Android 12.

setPasswordQuality() and getPasswordQuality() are deprecated for setting device-wide passcode on work profile devices that are personal devices rather than company-owned

What to do to comply for your enterprise apps?

The requirements are quite simple and straightforward:

When you publish a new app, make sure to target API 31 or above.
If your existing app’s target API level is 30 or above, then your app is compliant with this policy.
Suppose your existing app’s target is below API 30. In that case, it will stop being discoverable to all Google Play users whose devices run Android OS versions newer than your apps’ target API levels, as your app wasn’t built to meet the safety and quality standards that these users expect from newer Android OS versions.
If you plan to update this app to target API level 31 or above, you can submit an extension request to continue getting distributed to all users on Google Play until May 1, 2023. Impacted apps will receive an extension request form link in their Play Console Inbox message.

What you need to do to prepare for Android Enterprise devices:

There is no impact for existing devices where Required password type or Minimum password length settings are configured.

If you are using these settings and do not configure the new Password complexity setting, devices running Android 12 or higher will default to Password complexity High in the following scenarios:

When a new Android 12 or higher device is enrolled and is targeted with the existing policy.
When a device updates to Android 12 or higher and the existing policy is edited.
When a new work profile password policy is assigned to Android 12 or higher.

Users will receive a prompt to update their password if they do not meet the password requirements.

However, it is recommended that you update the policies in Intune for Required password type and Minimum password length configurations with the Password complexity setting for devices running Android 12 or higher.

Conclusion

I believe I was able to explain to you why these password policy changes are being enforced and how you can prepare yourself to accommodate them in your Intune tenant.

References:

https://aka.ms/Intune/Android13/?WT.mc_id=EM-MVP-5004955

Target API level requirements for Google Play apps – Play Console Help

https://learn.microsoft.com/en-us/xamarin/android/app-fundamentals/android-api-levels?tabs=windows/?WT.mc_id=EM-MVP-5004955