Forum Discussion

mhfaruk
Level 2.0: Eclair
8 days ago
Solved

How to Set Device Owner on Company-Owned Android Device Without Factory Reset

Hello community, I’m facing a situation where we need to set Device Owner (DO) mode on several company-owned Android devices that are already in use and have a Google account logged in. Constraints...
  • mattdermody
    6 days ago

    It is not possible to do what you are asking to do and that is due to the fundamental nature of the design of the Android Enterprise Device Owner system.


    When AE was established as the next generation of management to replace legacy Device Administrator-based management, a decision was made to fork the management concepts into Fully Managed and Work Profile use cases. The naming convention has evolved and changed over time, but effectively the split was between Device Owner and Profile Owner. This distinction was intentional as it solved one of the core issues of Device Administrator, which is the fact that it could be abused as an elevated privilege by any app on the Play Store. A malicious actor could disguise an innocuous-looking app like a flashlight, calculator, or game and request the Device Admin privilege. Google realized that many end users were not reading the permission-granting prompts fully, or at least not understanding the level of privilege (full device control) that they were granting to an app that they thought was just a flashlight. Device Administrator was fundamentally flawed in this way, since it was a permission that could be granted at any time to any app. There was also the issue of the possibility of multiple DAs running on the same device.

    In order to correct for these fundamental flaws in the DA system, Google made a series of strategic decisions around the newly formed DO and PO concepts. Relative to your issue, they designed the system such that in order for a DPC to be granted Device Owner privileges, it would need to be granted while the device was in a factory-reset, out-of-box state. This way there would be no way for the permission to be accidentally granted by an unknowing end user to a malicious app, since there had to be intention behind the enrollment and DO permission granting during the initial device setup process. Since your devices have already been set up and have broken their out-of-box seal of sorts, they can never be assigned the Device Owner privilege without first being factory reset.


    These are fundamental principles of Android Enterprise device management that have existed for many years. These principles apply across all Android Enterprise device management environments, regardless of what MDM, EMM, UEM, or other tools you are using. These are very much core concepts that should have been understood and considered PRIOR to any initial device configuration work.
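Before deciding which devices have to be wiped, an administrator usually wants an inventory of which ones already carry a Device Owner, a Profile Owner, or neither. The script below is an added illustration, not part of the thread or of any EMM product: it classifies a device from the text of `adb shell dumpsys device_policy`. The two sample outputs are constructed for the example and only approximate the real layout, so the line patterns it matches (`Device Owner:`, `Profile Owner`, `admin=ComponentInfo{...}`) are assumptions to confirm against your own devices' output.

```shell
#!/bin/sh
# Classify a device's management state from `dumpsys device_policy` text.
# Constructed sample output (layout assumed; verify against a real device).
SAMPLE_MANAGED='Current Device Policy Manager state:
  Device Owner:
    admin=ComponentInfo{com.example.dpc/com.example.dpc.AdminReceiver}
    package=com.example.dpc
    User ID: 0'

# Constructed sample for a device that was set up normally with a Google
# account and never provisioned by a DPC (the situation in the question).
SAMPLE_UNMANAGED='Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    (none)'

# Print "device-owner", "profile-owner" or "none" for one dumpsys dump.
owner_state() {
  if printf '%s\n' "$1" | grep -q '^ *Device Owner:'; then
    echo device-owner
  elif printf '%s\n' "$1" | grep -q '^ *Profile Owner'; then
    echo profile-owner
  else
    echo none
  fi
}

# Print the package name of the admin component, or "-" when there is none.
owner_package() {
  pkg=$(printf '%s\n' "$1" | grep -o 'admin=ComponentInfo{[^/]*' | head -n 1 | sed 's/.*{//')
  [ -n "$pkg" ] && echo "$pkg" || echo -
}

# The rule the thread explains: Device Owner can only be granted on an
# out-of-box device, so anything not already in DO mode needs a factory
# reset before a DPC can take Device Owner.
needs_reset_for_do() {
  case "$(owner_state "$1")" in
    device-owner) echo no ;;
    *) echo yes ;;
  esac
}

# Stand-alone run over the constructed samples. Against real hardware you
# would feed it "$(adb -s SERIAL shell dumpsys device_policy)" per device.
for dump in "$SAMPLE_MANAGED" "$SAMPLE_UNMANAGED"; do
  printf 'state=%s owner=%s needs_reset=%s\n' \
    "$(owner_state "$dump")" "$(owner_package "$dump")" "$(needs_reset_for_do "$dump")"
done
```

Looping this over `adb devices -l` output gives a quick list of which units are already in DO mode and which will have to go back through out-of-box provisioning.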