So we just migrated our email (actually a couple months ago, but besides the point) from being hosted on Google to a new platform, on Office365.
For various reasons, we have about 90 company owned devices (mostly Android phones) setup through Systems Manager, all of which are still authenticating with the Google domain.
We want to change that ASAP so that all devices authenticate to Azure AD or our local AD, and after several tests I believe we know fairly well what needs to be done to achieve this. However, one big question remains: What happens to all the authenticated devices the moment we Unenroll Systems Manager from the Google domain? (Organization - MDM settings - Android Enterprise)
Are the devices still able to access email and apps? Will they just go blank? Will they just try to authenticate until able to?
Most (95%) of the devices are scattered through Mexico (the country, not the city), so I can't just ask people to come in and wait here for the process to finish.
I also think that after unenrollment and setting up as Meraki managed and setting a new User authentication setting the devices will probably ask to authenticate again. After doing so, will SM just reload everything? Or is it just a matter of confirming credentials and after that its business as usual?
If anyone has experience with this kind of migrations, any insight into this process will be welcome.
Are the devices Android 8.0+? And purchased via a reseller?
The answer here might be to look in to Android Zero Touch that Meraki now support. Then the end result is asking the end-user to factory reset the device and then it will pick up all the settings and put then in to a manageable state for you to work forward from.
When you log in to your account there should be (at the top right) a drop down for cases. Or if you are not the main account holder, it may be the main account holder has hidden this from your login (branding) view.
Do you have a (second account/organisation) to be able to test this one? Having a test organisation or network is something I would highly advise when working with Meraki SM. This is especially important when Apple/Google could break something at the back-end without a moments notice. Meraki SM calls these API's.
I would be very interest in what the Meraki support team come back with here.
First, my understanding is that enrollment/authentication are actually two different stages. The enrollment is about setting up the secure connection (private/public key pairing) between the Android back-end Google API/SM and the device. If you unenroll you will lose remote control of the device as the system will forget the public key.
(This is briefly mentioned as a configuration step; here.)
Authentication is about which emm-managed account is using the device. See here.
For you, you want to change the authentication but keep the enrollment. In the above link, these settings are found under "System Manager -> General", NOT "Organization - MDM settings - Android Enterprise". Do not unenroll. I suspect (but cannot confirm) by changing the authentication settings, the device will be unable to retrieve its profile settings (due to there no longer being a valid authentication key connection) and strip the device back (removing all profile installed Apps and settings) as a safety measure. This would be same behaviour if you want in to the device page on Meraki SM and remove/blank the user.
Without knowing how Meraki interacts with the Google API over Authentication, or how a device handles its authentication over time, and without a deeper understanding of the Google API works when it comes to authentication I doubt forum members will able to assist here. I imagine the support desk would need to confer with the engineers in the US and they would need to take some time investigating this. However, by replicating your environment you can answer this much quicker.