Operating System policy - Android 15

KevinSiddique
Level 1

In my Global Policy, I have an Operating system setting:

Allow Android devices:
Encourage users to update if less than the latest.
Encourage to update: after 30 days.
Block versions: if less than the latest.
Block: after 60 days.

The problem I'm having is that my users started getting Version Restricted blocked today if they were running Android 14. My question is: What does Duo consider the release date for Android 15? What is 30/60 days after that? 60 days before today was August 17, 2024, which doesn't sound right for Android 15.

Accepted Solutions

KevinSiddique
Level 1

Quick response from Support. Posting it here in case anyone else is searching the forums...

Hi Kevin,

Thanks for reaching out to Duo Security Support. I understand that you have set up your Android OS policy such that users are blocked after 60 days if not running the latest Android OS. However, Android 15 was released yesterday, and users on lower versions are already being blocked. I can absolutely assist with this!

I brought this information up to our product team, and we discovered a mistake in the policy logic that was resulting in a much earlier release date being used when determining allowed Android OS versions. We have now corrected this, such that October 15th is considered the Android 15 release date. This change should have kicked in already, but may take up to an hour to fully propagate through our systems.

Thank you for sharing your experience with us and helping us to identify this issue! Let me know if I can clarify or expand upon any of the above information.

Best regards,
Blake
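
A small model of the grace-period arithmetic discussed in this thread, added here as an example; it is not Duo's code and not part of the original posts. It assumes the 30/60-day windows are counted in calendar days from the release date with the boundary day inclusive, and that the dates fall in 2024; the function names and the August 1 release date are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class OsPolicy:
    """Grace periods from the policy in the question (days after release)."""
    encourage_after_days: int = 30
    block_after_days: int = 60


def evaluate(device_major: int, latest_major: int, latest_released: date,
             today: date, policy: OsPolicy = OsPolicy()) -> str:
    """Return 'allow', 'encourage' or 'block' for one authentication."""
    if device_major >= latest_major:
        return "allow"
    age = (today - latest_released).days
    if age >= policy.block_after_days:      # assumption: boundary inclusive
        return "block"
    if age >= policy.encourage_after_days:
        return "encourage"
    return "allow"                          # still inside the grace period


def enforcement_dates(latest_released: date, policy: OsPolicy = OsPolicy()):
    """First day of the encourage window and first day of the block window."""
    return (latest_released + timedelta(days=policy.encourage_after_days),
            latest_released + timedelta(days=policy.block_after_days))


def release_implied_by_block(today: date, policy: OsPolicy = OsPolicy()) -> date:
    """Latest release date the service could be using if it blocks today."""
    return today - timedelta(days=policy.block_after_days)


if __name__ == "__main__":
    today = date(2024, 10, 16)              # day the blocks were reported
    corrected = date(2024, 10, 15)          # release date per Support's reply
    too_early = date(2024, 8, 1)            # constructed wrong release date
    print("corrected date :", evaluate(14, 15, corrected, today))
    print("too-early date :", evaluate(14, 15, too_early, today))
    print("encourage/block:", enforcement_dates(corrected))
    print("block today implies release on or before",
          release_implied_by_block(today))
```

A block seen before the second date returned by `enforcement_dates` indicates the service is using a different release date than expected, which is the check the original question performed by hand.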

jvalciuk
Cisco Employee

Samsung delayed update of Android 15 till 2025. DUO is failing OS version check up. Are Android users stuck for 2 months? Some internal tools are limiting my access already.

If an organization's Android user base is not able to update to Android 15 yet then the recommendation would be to not block Android versions below 15 or below "the latest" in the operating systems policy configuration.

The choice is left up to the organization. If your organization (which I belatedly noticed is "our" organization) decides they want to block Android 14 and below, then the org should make sure that affected users have another method of authentication available to them.

Are you certain you are getting a block screen that won't let you proceed, vs. a screen that encourages you to update but still allows access (the "Encourage users to update" option in our policy)? I'm still using a Pixel 5 (waiting for Black Friday upgrade deals), so I'm still on 14, and I haven't been blocked from anything yet. However, I also have a Yubikey for OTP and WebAuthn registered in our internal Duo, as well as my Mac's Touch ID as another WebAuthn authenticator, so Duo Mobile is actually one of the authentication methods I use least.

You can go to the "DuoMFAforCiscoWorkforce" site in SharePoint for information about how to order and use a Yubikey, or enrolling a platform authenticator like Touch ID or Windows Hello for internal use. At the very least you can go to HelpZone and open a case so that Cisco IT is aware that your otherwise current device won't receive Android 15 for a while, and they can consider if/how they might want to adjust our policies as a result.

Duo, not DUO.