Android Enterprise feature list

This page provides the complete list of Android Enterprise features. To pass product review, your Android EMM solution must support all the required features (star) of at least one solution set (work profile, fully managed device, dedicated device, mobile application management (MAM)).


Key

star: required feature
star_border: optional feature
remove_circle_outline: not applicable

1. Device provisioning

1.1. DPC-first work profile provisioning

Android version | Work profile | Fully managed device | Dedicated device | MAM
5.1+ | star | remove_circle_outline | remove_circle_outline | star

End users can provision a work profile after downloading Android Device Policy from Google Play.

1.1.1. The EMM provides an IT admin with a QR code or enrollment token to support this provisioning method (see enrolling and provisioning a device).

1.2. DPC-identifier device provisioning

Android version | Work profile | Fully managed device | Dedicated device | MAM
6.0+ | remove_circle_outline | star | star | remove_circle_outline

End users can provision a fully managed or dedicated device by entering "afw#" in the device's setup wizard.

1.2.1. The EMM provides an IT admin with a QR code or enrollment token to support this provisioning method (see enrolling and provisioning a device).

1.3. NFC device provisioning

Android version | Work profile | Fully managed device | Dedicated device | MAM
5.0+ | remove_circle_outline | star_border | star_border | remove_circle_outline

IT admins can "bump" new or factory-reset devices with the EMM's NFC provisioning app to provision a device, according to the implementation guidelines defined in the Android Management API developer documentation.

1.3.1. The NFC provisioning app must be published to Google Play, and must use provisioning extras to pass all non-sensitive registration details (e.g. server IDs, enrollment IDs) to a device. Registration details shouldn't include sensitive information, such as passwords or certificates.

1.4. QR code device provisioning

Android version | Work profile | Fully managed device | Dedicated device | MAM
7.0+ | remove_circle_outline | star_border | star_border | remove_circle_outline

IT admins can use a new or factory-reset device to scan a QR code generated by the EMM's console to provision the device, according to the implementation guidelines defined in the Android Management API developer documentation.

1.4.1. The QR code must use provisioning extras to pass all non-sensitive registration details (e.g. server IDs, enrollment IDs) to a device. Registration details must not include sensitive information, such as passwords or certificates.

1.5. Zero-touch enrollment

Android version | Work profile | Fully managed device | Dedicated device | MAM
8.0+ (Pixel 7.1+) | remove_circle_outline | star_border | star_border | remove_circle_outline

IT admins can preconfigure devices purchased from authorized resellers and manage them using your EMM console.

1.5.1. IT admins can provision company-owned devices using the zero-touch enrollment method, outlined in Zero-touch enrollment for IT admins.

1.5.2. When a device is first turned on, the device is automatically forced into the settings configured by the IT admin.

1.6. Advanced zero-touch provisioning

The Android Management API doesn't currently support this feature.

1.7. Google Account work profile provisioning

Android version | Work profile | Fully managed device | Dedicated device | MAM
6.0+ | star_border | remove_circle_outline | remove_circle_outline | star_border

The Android Management API doesn't support this feature.

1.8. Google Account device provisioning

Android version | Work profile | Fully managed device | Dedicated device | MAM
6.0+ | remove_circle_outline | star_border | remove_circle_outline | remove_circle_outline

The Android Management API doesn't support this feature.


2. Device security

2.1. Device security challenge

Android version | Work profile | Fully managed device | Dedicated device | MAM
5.0+ | star | star | star | remove_circle_outline

IT admins can set and enforce a device security challenge (e.g. PIN/pattern/password) of a certain type and complexity on managed devices.

2.1.1. Device security challenge settings must be enforced via policy (parentProfilePasswordRequirements for work profile, passwordRequirements for fully managed and dedicated devices).

2.2. Work security challenge

Android version | Work profile | Fully managed device | Dedicated device | MAM
7.0+ | star | remove_circle_outline | remove_circle_outline | remove_circle_outline

IT admins can set and enforce a security challenge for apps and data in the work profile that is separate and has different requirements from the device security challenge (2.1.).

2.2.1. The work profile security challenge must be enforced via policy.

2.3. Advanced passcode management

Android version | Work profile | Fully managed device | Dedicated device | MAM
5.0+ | star_border | star_border | star_border | star_border

IT admins can configure advanced password settings on devices.

2.3.1. The following password quality types can be set for each lock screen available on a device:

    1. Unspecified: Sets no password requirement.
    2. Something: Requires a password but doesn't set a type restriction.
    3. Weak biometric: Allows low-security biometric unlock methods, such as face recognition.
    4. Numeric: Requires a password that includes numeric characters.
    5. Numeric complex: Requires a password that includes numeric characters and has no repeating (for example, 4444) or ordered sequences (for example, 1234).
    6. Alphabetic: Requires a password that includes alphabetic or other symbol characters.
    7. Alphanumeric: Requires a password that includes both numeric and alphabetic (or other symbol) characters.
    8. Complex: Requires a password that includes a numeric, alphabetic, and special character.

2.3.2. The following password length and complexity requirements can be set for each lock screen available on a device:

    1. Minimum length required for a valid password.
    2. Minimum number of numeric characters required for a valid password.
    3. Minimum number of non-letter characters required for a valid password.
    4. Minimum number of letters required for a valid password.
    5. Minimum number of lowercase letters required for a valid password.
    6. Minimum number of uppercase letters required for a valid password.
    7. Minimum number of symbols required for a valid password.

2.3.3. The following password lifecycle settings can be set for each lock screen available on a device:

    1. Password expiration timeout: Coupled with the compliance enforcement feature, this forces the user to periodically update their password according to the admin-specified timeout. IT admins must be able to disable this feature.
    2. Password history length: Specifies the length of time before a user can re-use any given password. IT admins must be able to disable this feature.
    3. Maximum failed passwords for wipe: Specifies the number of times the user can enter an incorrect password before corporate data is wiped from the device. IT admins must be able to disable this feature.

2.4. Smart lock management

Android version | Work profile | Fully managed device | Dedicated device | MAM
6.0+ | star_border | star_border | star_border | remove_circle_outline

The Android Management API doesn't currently support this feature.

2.5. Wipe and lock

Android version | Work profile | Fully managed device | Dedicated device | MAM
5.0+ | star | star | star | star

IT admins can use the EMM's console to remotely lock and wipe work data from a managed device.

2.5.1. Devices must be locked using the Android Management API.

2.5.2. Devices must be wiped using the Android Management API.

2.6. Compliance enforcement

Android version | Work profile | Fully managed device | Dedicated device | MAM
5.0+ | star | star | star | star

If a device is not compliant with security policies, compliance rules put in place by the Android Management API automatically restrict access to work data.

2.6.1. At minimum, the security policies enforced on a device must include password policy.

2.7. Default security policies

Android version | Work profile | Fully managed device | Dedicated device | MAM
5.0+ | star | star | star | star

EMMs must enforce the specified security policies on devices by default, without requiring IT admins to configure or customize any settings in the EMM's console. EMMs are encouraged (but not required) to not allow IT admins to change the default state of these security features.

2.7.1. Installing apps from unknown sources must be blocked. This subfeature is supported by default.

2.7.2. Access to debugging features must be blocked. This subfeature is supported by default.

2.8. Security policies for dedicated devices

Android version | Work profile | Fully managed device | Dedicated device | MAM
6.0+ | remove_circle_outline | remove_circle_outline | star | remove_circle_outline

Users can't escape a locked down dedicated device to enable other actions.

2.8.1. Booting into safe mode must be disabled by default via policy (see safeBootDisabled).

2.9. SafetyNet Support

Android version | Work profile | Fully managed device | Dedicated device | MAM
remove_circle_outline | star_border | star_border | star_border | star_border

SafetyNet is enabled by default. No additional implementation is required.

2.10. Verify Apps enforcement

Android version | Work profile | Fully managed device | Dedicated device | MAM
5.0+ | star_border | star_border | star_border | star_border

IT admins can enable Verify Apps on devices. Verify Apps scans apps installed on Android devices for malware before and after they're installed, helping to ensure that corporate data can't be compromised by malicious apps.

2.10.1. Verify Apps must be enabled by default via policy (see ensureVerifyAppsEnabled).
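
An added example (not Google's or any EMM's code): a pre-publish check an EMM console could run over a policy document before sending it to the Android Management API, covering subfeatures 2.1.1, 2.6.1, 2.7.1, 2.7.2, 2.8.1 and 2.10.1. The fields safeBootDisabled, ensureVerifyAppsEnabled, passwordRequirements and parentProfilePasswordRequirements are named on this page; installUnknownSourcesAllowed, debuggingFeaturesAllowed, passwordQuality and its enum values are assumed here to be the matching policy fields, and both sample policies are constructed.

```python
import json

# Solution sets handled by this sketch (MAM is left out).
MODES = ("work_profile", "fully_managed", "dedicated")

# 2.1.1: which password field carries the device security challenge.
PASSWORD_FIELD = {
    "work_profile": "parentProfilePasswordRequirements",
    "fully_managed": "passwordRequirements",
    "dedicated": "passwordRequirements",
}

UNSPECIFIED = "PASSWORD_QUALITY_UNSPECIFIED"  # assumed enum value


def audit_policy(policy, mode):
    """Return a list of (subfeature, message) findings; an empty list passes."""
    if mode not in MODES:
        raise ValueError(f"unknown solution set: {mode!r}")
    findings = []

    # 2.1.1 / 2.6.1: the enforced policy must include a password policy.
    field = PASSWORD_FIELD[mode]
    pw = policy.get(field)
    if not isinstance(pw, dict):
        findings.append(("2.6.1", f"{field} is missing"))
    elif pw.get("passwordQuality", UNSPECIFIED) == UNSPECIFIED:
        findings.append(("2.6.1", f"{field}.passwordQuality sets no requirement"))

    # 2.7.1 / 2.7.2: the page says both are supported by default, so this
    # sketch flags only an explicit opt-in (field names are assumptions).
    if policy.get("installUnknownSourcesAllowed") is True:
        findings.append(("2.7.1", "installs from unknown sources are allowed"))
    if policy.get("debuggingFeaturesAllowed") is True:
        findings.append(("2.7.2", "debugging features are allowed"))

    # 2.8.1: safe mode is an escape route from a locked-down dedicated device.
    if mode == "dedicated" and policy.get("safeBootDisabled") is not True:
        findings.append(("2.8.1", "safeBootDisabled is not true"))

    # 2.10.1: Verify Apps must be switched on by the policy itself.
    if policy.get("ensureVerifyAppsEnabled") is not True:
        findings.append(("2.10.1", "ensureVerifyAppsEnabled is not true"))

    return findings


def finding_ids(policy_json, mode):
    """Parse JSON text and return only the subfeature ids that failed."""
    return [sub for sub, _ in audit_policy(json.loads(policy_json), mode)]


# Constructed sample policies (not taken from any real deployment).
WEAK_POLICY = """
{
  "passwordRequirements": {"passwordQuality": "PASSWORD_QUALITY_UNSPECIFIED"},
  "installUnknownSourcesAllowed": true,
  "debuggingFeaturesAllowed": true,
  "ensureVerifyAppsEnabled": false
}
"""

HARDENED_POLICY = """
{
  "passwordRequirements": {"passwordQuality": "NUMERIC_COMPLEX"},
  "safeBootDisabled": true,
  "ensureVerifyAppsEnabled": true
}
"""

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        for sub, msg in audit_policy(json.loads(doc), "dedicated"):
            print(f"{name}: {sub}: {msg}")
```

The hardened sample passes for a dedicated device but fails 2.6.1 when audited as a work profile, because the device security challenge there lives in parentProfilePasswordRequirements.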

2.11. Direct Boot support

Android version | Work profile | Fully managed device | Dedicated device | MAM
7.0+ | star_border | star_border | star_border | star_border

The Android Management API supports this feature by default. No additional implementation is required.

2.12. Hardware security management

Android version | Work profile | Fully managed device | Dedicated device | MAM
5.1+ | remove_circle_outline | star_border | star_border | remove_circle_outline

IT admins can lock down hardware elements of a device to ensure data-loss prevention.

2.12.1. IT admins can block users from mounting physical external media via policy (see mountPhysicalMediaDisabled).

2.12.2. IT admins can block users from sharing data from their device using NFC beam via policy (see outgoingBeamDisabled).

2.12.3. IT admins can block users from transferring files over USB via policy (see usbFileTransferDisabled).

2.12.4. IT admins can toggle whether USB storage is enabled or disabled via policy (see usbMassStorageEnabled).

2.13. Enterprise security logging

Android version | Work profile | Fully managed device | Dedicated device | MAM
7.0+ | remove_circle_outline | star_border | star_border | remove_circle_outline

The Android Management API doesn't currently support this feature.


3. Account and app management

3.1. Managed Google Play accounts enterprise enrollment

Android version | Work profile | Fully managed device | Dedicated device | MAM
remove_circle_outline | star | star | star | star

IT admins can create a managed Google Play Accounts enterprise—an entity that allows managed Google Play to distribute apps to devices. The following enrollment stages must be integrated into the EMM's console:

3.1.1. Enroll a managed Google Play Accounts enterprise using the Android Management API.

3.2. Managed Google Play account provisioning

Android version | Work profile | Fully managed device | Dedicated device | MAM
5.0+ | star | star | remove_circle_outline | star

The EMM can silently provision enterprise user accounts, called managed Google Play accounts. These accounts identify managed users and enable unique, per-user app distribution rules.

3.2.1. Managed Google Play accounts (user accounts) are automatically created when devices are provisioned.

The Android Management API supports this feature by default. No additional implementation is required.

3.3. Managed Google Play device account provisioning

Android version | Work profile | Fully managed device | Dedicated device | MAM
5.0+ | remove_circle_outline | remove_circle_outline | star | remove_circle_outline

The EMM can create and provision managed Google Play device accounts. Device accounts support silently installing apps from the managed Google Play store, and are not tied to a single user. Instead, a device account is used to identify a single device to support per-device app distribution rules in dedicated device scenarios.

3.3.1. Managed Google Play accounts are automatically created when devices are provisioned.

The Android Management API supports this feature by default. No additional implementation is required.

3.4. Managed Google Play account provisioning for legacy devices

Android version | Work profile | Fully managed device | Dedicated device | MAM
5.0 and below | remove_circle_outline | remove_circle_outline | remove_circle_outline | star

The Android Management API doesn't support this feature.

3.5. Silent app distribution

Android version | Work profile | Fully managed device | Dedicated device | MAM
remove_circle_outline | star | star | star | star

IT admins can silently distribute work apps on users' devices without any user interaction.

3.5.1. The EMM's console must use the Android Management API to allow IT admins to install work apps on managed devices.

3.5.2. The EMM's console must use the Android Management API to allow IT admins to update work apps on managed devices.

3.5.3. The EMM's console must use the Android Management API to allow IT admins to uninstall apps on managed devices.

3.6. Managed configuration management

Android version | Work profile | Fully managed device | Dedicated device | MAM
5.0+ | star | star | star | star

IT admins can view and silently set managed configurations for any app that supports managed configurations.

3.6.1. The EMM's console must be able to retrieve and display the managed configuration settings of any Play app.

3.6.2. The EMM's console must allow IT admins to set any configuration type (as defined by the Android framework) for any Play app using the Android Management API.

3.6.3. The EMM's console must allow IT admins to set wildcards (e.g. $username$ or %emailAddress%) so that a single configuration for an app such as Gmail can be applied to multiple users.

3.7. App catalog management

Android version | Work profile | Fully managed device | Dedicated device | MAM
remove_circle_outline | star | star | star | star

This feature is not applicable to the Android Management API.

3.8. Programmatic app approval

Android version | Work profile | Fully managed device | Dedicated device | MAM
remove_circle_outline | star_border | star_border | star_border | star_border

The EMM's console uses the managed Google Play iframe to support Google Play's app discovery and approval capabilities. IT admins can search for apps, approve apps, and approve new app permissions without leaving the EMM's console.

3.8.1. IT admins can search for apps and approve them within the EMM's console using the managed Google Play iframe.

3.9. Basic store layout management

Android version | Work profile | Fully managed device | Dedicated device | MAM
remove_circle_outline | star | star | remove_circle_outline | star

End users can use the managed Google Play store app on their device to install and update work apps. By default, the managed Google Play store displays all apps approved for a user in a single list. This layout is referred to as basic store layout.

3.9.1. The EMM's console should allow IT admins to manage the apps visible in an end user's basic store layout.

3.10. Advanced store layout configuration

Android version | Work profile | Fully managed device | Dedicated device | MAM
remove_circle_outline | star_border | star_border | remove_circle_outline | star_border

The Android Management API doesn't currently support this feature.

3.11. App license management

Android version | Work profile | Fully managed device | Dedicated device | MAM
remove_circle_outline | star_border | star_border | star_border | star_border

The Android Management API doesn't currently support this feature.

3.12. Google-hosted private app management

Android version | Work profile | Fully managed device | Dedicated device | MAM
remove_circle_outline | star_border | star_border | star_border | star_border

IT admins can update Google-hosted private apps through the EMM console instead of through the Google Play console.

3.12.1. IT admins can upload new versions of apps that are already published privately to the enterprise using the Google Play Developer Publishing API.

3.13. Self-hosted private app management

Android version | Work profile | Fully managed device | Dedicated device | MAM
remove_circle_outline | star_border | star_border | star_border | star_border

IT admins can configure and publish self-hosted private apps. Unlike Google-hosted private apps, the APKs are not hosted by Google Play. Instead, the EMM helps IT admins host APKs themselves, and helps protect self-hosted apps by ensuring they can only be installed when authorized by managed Google Play.

3.13.1. The EMM's console must help IT admins host the app APK, by offering both of the following options:

  • Hosting the APK on the EMM's server. The server can be on-premise or cloud-based.
  • Hosting the APK outside of the EMM's server, at the discretion of the customer. The enterprise customer must specify in the EMM console where the APK is hosted.

3.13.2. The EMM's console must generate an appropriate APK definition file using the provided APK and must guide IT admins through the publishing process.

3.13.3. IT admins can update self-hosted private apps, and the EMM's console can silently publish updated APK definition files using the Google Play Developer Publishing API.

3.13.4. The EMM's server only serves download requests for the self-hosted APK that contain a valid JWT within the request's cookie, as verified by the private app's public key.

  • To facilitate this, the EMM's server must guide IT admins to download the self-hosted app's license public key from the Play Developer Console, and upload this to the EMM console.

3.14. EMM pull notifications

Android version | Work profile | Fully managed device | Dedicated device | MAM
remove_circle_outline | star_border | star_border | star_border | star_border

This feature is not applicable to the Android Management API.

3.15. API usage requirements

Android version | Work profile | Fully managed device | Dedicated device | MAM
remove_circle_outline | star | star | star | star

The EMM implements Android Management APIs at scale, avoiding traffic patterns that could negatively impact customers' ability to manage apps in production environments.

3.15.1. The EMM must adhere to the Android Management API usage limits. Failure to correct behavior that exceeds these guidelines may result in suspended API access, at Google's discretion.

3.15.2. The EMM should distribute traffic from different customers throughout the day, rather than consolidating all customers' traffic at specific or similar times. Behavior that fits this traffic pattern, such as scheduled batch operations for all enrolled customers, may result in suspended API access, at Google's discretion.

3.15.3. The EMM should not make consistent, incomplete or deliberately incorrect requests that make no attempt to retrieve or manage actual customer data. Behavior that fits this traffic pattern may result in suspended API access, at Google's discretion.


4. Device management

4.1. Runtime permission policy management

Android version | Work profile | Fully managed device | Dedicated device | MAM
6.0+ | star | star | star | star

IT admins can silently set a default response to all runtime permission requests made by work apps.

4.1.1. IT admins must be able to choose from the following options when setting a default runtime permission policy for their organization:

  • prompt (allows users to choose)
  • allow
  • deny

The EMM should enforce these settings via policy.

4.2. Runtime permission grant state management

Android version | Work profile | Fully managed device | Dedicated device | MAM
6.0+ | star | star | star | star

After setting a default runtime permission policy (see 4.1.), IT admins can silently set responses for specific permissions from any work app built on API 23 or above.

4.2.1. IT admins must be able to set the grant state (default, grant, or deny) of any permission requested by any work app built on API 23 or above. The EMM should enforce these settings via policy.

4.3. WiFi configuration management

Android version | Work profile | Fully managed device | Dedicated device | MAM
6.0+ | star_border | star_border | star_border | star_border

IT admins can silently provision enterprise WiFi configurations on managed devices, including:

4.3.1. SSID, via policy.

4.3.2. Password, via policy.

4.4. WiFi security management

Android version | Work profile | Fully managed device | Dedicated device | MAM
6.0+ | star_border | star_border | star_border | star_border

IT admins can provision enterprise WiFi configurations on devices that include the following advanced security features:

4.4.1. Identity

4.4.2. Certificates for client authorization

4.4.3. CA certificates

4.5. Advanced WiFi management

Android version | Work profile | Fully managed device | Dedicated device | MAM
6.0+ | remove_circle_outline | star_border | star_border | remove_circle_outline

IT admins can lock down WiFi configurations on managed devices, to prevent users from creating new configurations or modifying corporate configurations.

4.5.1. IT admins can lock down corporate WiFi configurations via policy in either of the following configurations:

  • Users cannot modify any WiFi configurations provisioned by the EMM (see wifiConfigsLockdownEnabled), but may add and modify their own user-configurable networks (for instance personal networks).
  • Users cannot add or modify any WiFi network on the device (see wifiConfigDisabled), limiting WiFi connectivity to just those networks provisioned by the EMM.

4.6. Account management

Android version | Work profile | Fully managed device | Dedicated device | MAM
5.0+ | star_border | star_border | star_border | remove_circle_outline

IT admins can ensure that only authorized corporate accounts can interact with corporate data, for services such as SaaS storage and productivity apps, or email. Without this feature, users can add personal accounts to those corporate apps that also support consumer accounts, enabling them to share corporate data with those personal accounts.

4.6.1. IT admins can prevent users from adding or modifying accounts (see modifyAccountsDisabled).

  • When enforcing this policy on a device, EMMs must set this restriction before provisioning is complete, to ensure users cannot circumvent this policy by adding accounts before the policy is enacted.

4.7. G Suite account management

Android version | Work profile | Fully managed device | Dedicated device | MAM
5.0+ | star_border | star_border | remove_circle_outline | remove_circle_outline

The Android Management API doesn't support this feature.

4.8. Certificate management

Android version | Work profile | Fully managed device | Dedicated device | MAM
5.0+ | star_border | star_border | star_border | remove_circle_outline

Allows IT admins to deploy identity certificates and certificate authorities to devices in order to enable access to corporate resources.

4.8.1. IT admins can install user identity certs generated by their PKI on a per-user basis. The EMM's console must integrate with at least one PKI and distribute certificates generated from that infrastructure.

4.8.2. IT admins can install certificate authorities (see caCerts) in the managed keystore.

4.9. Advanced certificate management

Android version | Work profile | Fully managed device | Dedicated device | MAM
7.0+ | star_border | star_border | star_border | remove_circle_outline

Allows IT admins to silently select the certificates that should be used by specific managed apps. This feature also grants IT admins the ability to remove CAs and identity certs from active devices, and prevent users from modifying credentials stored in the managed keystore.

4.9.1. For any app distributed to devices, IT admins can specify a certificate that the app will be silently granted access to during runtime. (This subfeature is not currently supported)

  • Certificate selection must be generic enough to enable a single configuration that applies to all users, each of which may have a user-specific identity certificate.

4.9.2. IT admins can silently remove certificates from the managed keystore.

4.9.3. IT admins can silently uninstall a CA certificate. (This subfeature is not currently supported)

4.9.4. IT admins can prevent users from configuring credentials (see credentialsConfigDisabled) in the managed keystore.

4.10. Delegated certificate management

Android version | Work profile | Fully managed device | Dedicated device | MAM
6.0+ | star_border | star_border | star_border | remove_circle_outline

IT admins can distribute a third-party certificate management app to devices and grant that app privileged access to install certificates into the managed keystore.

4.10.1. IT admins can specify a certificate management package (see delegatedCertInstallerPackage) to be set as the delegated certificate management app.

  • The EMM's console may optionally suggest known certificate management packages, but must allow enterprise admins to choose from the list of all apps available for install, for applicable users.

4.11. Advanced VPN management

Android version | Work profile | Fully managed device | Dedicated device | MAM
7.0+ | star_border | star_border | star_border | remove_circle_outline

Allows IT admins to specify an Always On VPN to ensure that data from specified managed apps will always go through a configured VPN. Note: this feature requires deploying a VPN client that supports both Always On and per-app VPN features.

4.11.1. IT admins can specify an arbitrary VPN package to be set as an Always On VPN.

  • The EMM's console may optionally suggest known VPN packages that support Always On VPN, but can't restrict the VPNs available for Always On configuration to any arbitrary list.

4.11.2. IT admins can use managed configurations to specify the VPN settings for an app.

4.12. IME management

Android version | Work profile | Fully managed device | Dedicated device | MAM
5.0+ | star_border | remove_circle_outline | remove_circle_outline | remove_circle_outline

IT admins can control what input methods (IMEs) users can configure for their devices. Since the IME is shared across both work and personal profiles, blocking access to IMEs will prevent users from enabling those IMEs for personal use as well. IT admins may not, however, block access to system IMEs on work profiles (see advanced IME management for more details).

4.12.1. IT admins can configure an IME whitelist (see permitted_input_methods) of arbitrary length (including an empty list, which blocks all non-system IMEs), which may contain any arbitrary IME packages.

  • The EMM's console may optionally suggest known or recommended IMEs for whitelisting, but must allow IT admins to choose from the list of all apps available for install, for applicable users.

4.12.2. The EMM must inform IT admins that system IMEs are excluded from management on devices with work profiles.

4.13. Advanced IME management

Android version | Work profile | Fully managed device | Dedicated device | MAM
5.0+ | remove_circle_outline | star_border | star_border | remove_circle_outline

IT admins can control what input methods (IMEs) users can configure for their device. Advanced IME management extends the basic feature by enabling IT admins to manage access to system IMEs as well, which are typically provided by the OEM or carrier of the device.

4.13.1. Enterprise admins can configure an IME whitelist (see permitted_input_methods) of arbitrary length (excluding an empty list, which blocks all IMEs including system IMEs), which may contain any arbitrary IME packages.

  • The EMM's console may optionally suggest known or recommended IMEs for whitelisting, but must allow IT admins to choose from the list of all apps available for install, for applicable users.

4.13.2. The EMM must prevent IT admins from configuring an empty whitelist, as this will block all IMEs including system IMEs from being configured on the device.

4.13.3. The EMM must ensure that, if an IME whitelist does not contain system IMEs, the third-party IMEs are silently installed before the whitelist is applied on the device.

4.14. Accessibility services management

Android version | Work profile | Fully managed device | Dedicated device | MAM
5.0+ | star_border | star_border | star_border | remove_circle_outline

IT admins can control what accessibility services can be enabled on users' devices. While accessibility services are powerful tools for users who have disabilities or are temporarily unable to fully interact with their device, they may interact with corporate data in ways that are non-compliant with corporate policy. This feature allows admins to disable any non-system accessibility service.

4.14.1. IT admins can configure an accessibility service whitelist (see permittedAccessibilityServices) of arbitrary length (including an empty list, which blocks all non-system accessibility services), which may contain any arbitrary accessibility service package.

  • The EMM's console may optionally suggest known or recommended accessibility services for whitelisting, but must allow enterprise admins to choose from the list of all apps available for install, for applicable users.

4.15. Location sharing management

Android version | Work profile | Fully managed device | Dedicated device | MAM
5.0+ | star_border | remove_circle_outline | remove_circle_outline | remove_circle_outline

IT admins can prevent users from sharing location data with apps in the work profile. Otherwise, the work profile location setting is user configurable in Settings.

4.15.1. IT admins can disable location services (see shareLocationDisabled) within the work profile.

4.16. Advanced location sharing management

Android version | Work profile | Fully managed device | Dedicated device | MAM
5.0+ | remove_circle_outline | star_border | star_border | remove_circle_outline

IT admins can enforce a given location sharing setting on a managed device. This feature can ensure, for example, that corporate apps always have access to high accuracy location data, or that users don't consume extra battery by restricting location settings to battery saving mode.

4.16.1. IT admins can set the device location services to each of the following modes:

  • High accuracy.
  • Sensors only, for instance GPS, but not including network-provided location.
  • Battery saving, which limits the update frequency.
  • Off.

4.17. Factory reset protection management

Android version | Work profile | Fully managed device | Dedicated device | MAM
5.1+ | remove_circle_outline | star_border | star_border | remove_circle_outline

Enables IT admins to protect company-owned devices from theft by ensuring only authorized users can factory reset devices. Admins can also disable factory reset protection entirely, if it introduces operational complexities when devices are returned to IT.

4.17.1. IT admins can prevent users from factory resetting (see factoryResetDisabled) their device from Settings.

4.17.2. IT admins can specify corporate unlock account(s) authorized to provision devices (see frpAdminEmails) after a factory reset.

  • This account can be tied to an individual, or used by the entire enterprise to unlock devices.

4.17.3. IT admins can disable factory reset protection (see factoryResetDisabled) for specified devices.

4.17.4. IT admins can initiate a remote device wipe that optionally wipes reset protection data, thereby removing factory reset protection on the reset device.

4.18. Advanced app control

Android version | Work profile | Fully managed device | Dedicated device | MAM
5.0+ | remove_circle_outline | star_border | star_border | remove_circle_outline

IT admins can prevent the user from uninstalling or otherwise modifying managed apps through Settings, for instance force closing the app or clearing an app's data cache.

4.18.1. IT admins can block uninstall of any arbitrary managed apps, or all managed apps (see uninstallAppsDisabled).

4.18.2. IT admins can prevent users from modifying application data (see appsControlDisabled) from Settings.

4.19. Screen capture management

Android version | Work profile | Fully managed device | Dedicated device | MAM
5.0+ | star_border | star_border | star_border | remove_circle_outline

IT admins can block users from taking screenshots when using managed apps. This includes blocking screen-sharing apps and similar apps (such as Google Assistant) that leverage the system screenshot capabilities.

4.19.1. IT admins can prevent users from capturing screenshots (see screenCaptureDisabled).

4.20. Disable cameras

Android version | Work profile | Fully managed device | Dedicated device | MAM
5.0+ | remove_circle_outline | star_border | star_border | remove_circle_outline

IT admins can disable use of device cameras by managed apps.

4.20.1. IT admins can disable use of device cameras (see cameraDisabled) by managed apps.

4.21. Network statistics collection

Android version | Work profile | Fully managed device | Dedicated device | MAM
6.0+ | star_border | remove_circle_outline | remove_circle_outline | remove_circle_outline

The Android Management API doesn't currently support this feature.

4.22. Advanced network statistics collection

Android version | Work profile | Fully managed device | Dedicated device | MAM
6.0+ | remove_circle_outline | star_border | star_border | remove_circle_outline

The Android Management API doesn't currently support this feature.

4.23. Reboot device

Android version | Work profile | Fully managed device | Dedicated device | MAM
7.0+ | remove_circle_outline | star_border | star_border | remove_circle_outline

IT admins can remotely reboot managed devices.

4.23.1. IT admins can remotely reboot a managed device.

4.24. System radio management

Android version | Work profile | Fully managed device | Dedicated device | MAM
7.0+ | remove_circle_outline | star_border | star_border | remove_circle_outline

Provides IT admins with granular control over system network radios and associated usage policies via policy.

4.24.1. IT admins can disable cell broadcasts sent by service providers (see cellBroadcastsDisabled).

4.24.2. IT admins can prevent users from modifying mobile network settings in Settings (see mobileNetworksConfigDisabled).

4.24.3. IT admins can prevent users from resetting all network settings in Settings. (The Android Management API doesn't support this subfeature.)

4.24.4. IT admins can configure if the device permits cellular data while roaming (see dataRoamingDisabled).

4.24.5. IT admins can configure whether the device can make outgoing phone calls, excluding emergency calls (see outgoingCallsDisabled).

4.24.6. IT admins can configure whether the device can send and receive SMS messages (see smsDisabled).

4.24.7. IT admins can prevent users from using their device as a portable hotspot by tethering (see tetheringConfigDisabled).

4.24.8. IT admins can set the Wi-Fi timeout to default, only while plugged in, or never. (The Android Management API doesn't support this subfeature.)

4.24.9. IT admins can prevent users from configuring or modifying existing Bluetooth connections (see bluetoothConfigDisabled).

4.25. System audio management

Android version | Work profile | Fully managed device | Dedicated device | MAM
5.0+ | remove_circle_outline | star_border | star_border | remove_circle_outline

IT admins can silently control device audio features, including muting the device, preventing users from adjusting volume settings, and preventing users from unmuting the device microphone.

4.25.1. IT admins can silently mute managed devices (see masterVolumeMuted).

4.25.2. IT admins can prevent users from modifying device volume settings (see adjustVolumeDisabled).

4.25.3. IT admins can prevent users from unmuting the device microphone (see unmuteMicrophoneDisabled).

4.26. System clock management

Android version | Work profile | Fully managed device | Dedicated device | MAM
5.0+ | remove_circle_outline | star_border | star_border | remove_circle_outline

IT admins can control device clock and timezone settings, and prevent users from modifying automatic device settings.

4.26.1. IT admins can enforce system auto time (see autoTimeRequired), preventing the user from setting the date and time of the device.

4.26.2. IT admins can silently toggle both auto time and auto time zone. (The Android Management API doesn't support this subfeature.)

4.27. Advanced dedicated device features

Android version | Work profile | Fully managed device | Dedicated device | MAM
6.0+ | remove_circle_outline | remove_circle_outline | star_border | remove_circle_outline

For dedicated devices, IT admins can control the following features via policy to support a variety of kiosk use cases.

4.27.1. IT admins can disable the device keyguard (see keyguardDisabled).

4.27.2. IT admins can disable the device status bar, blocking notifications and quick settings (see statusBarDisabled).

4.27.3. IT admins can force the device screen to remain on while the device is plugged in (see stayOnPluggedModes).

4.27.4. IT admins can prevent the following system UIs from being displayed (see createWindowsDisabled):

  • Toasts
  • Phone activities (e.g. incoming calls) and priority phone activities (e.g. ongoing calls)
  • System alerts, system errors, and system overlays.

4.27.5. IT admins can enable the system recommendation for apps to skip their user tutorial and other introductory hints on first start-up (see skip_first_use_hints).


5. Device usability

5.1. Managed provisioning customization

Android version | Work profile | Fully managed device | Dedicated device | MAM
7.0+ | star_border | star_border | star_border | star_border

IT admins can modify the default managed provisioning flow UX to include enterprise-specific features. Optionally, admins can display EMM-provided branding during provisioning.

5.1.1. IT admins can customize the provisioning process by specifying the following enterprise-specific details: enterprise color (see primaryColor), enterprise logo (see logo), enterprise terms of service and other disclaimers (see termsAndConditions).

5.1.2. IT admins can deploy a non-configurable, EMM-specific customization that includes the following details: EMM color (see primaryColor), EMM logo (see logo), EMM terms of service and other disclaimers (see termsAndConditions).

  • EMMs may set their non-configurable, EMM-specific customization as the default for all deployments, but must allow admins to configure their own customization.

5.2. Enterprise customization

Android version | Work profile | Fully managed device | Dedicated device | MAM
7.0+ | star_border | remove_circle_outline | remove_circle_outline | remove_circle_outline

The Android Management API doesn't support this feature.

5.3. Advanced enterprise customization

Android version | Work profile | Fully managed device | Dedicated device | MAM
7.0+ | remove_circle_outline | star_border | remove_circle_outline | remove_circle_outline

The Android Management API doesn't support this feature.

5.4. Lock screen messages

Android version | Work profile | Fully managed device | Dedicated device | MAM
7.0+ | remove_circle_outline | star_border | star_border | remove_circle_outline

IT admins can set a custom message that's always displayed on the device lock screen, and does not require device unlock to be viewed.

5.4.1. IT admins can set a custom lock screen message (see deviceOwnerLockScreenInfo).

5.5. Policy transparency management

The Android Management API doesn't support this feature.

5.6. Cross-profile contact management

Android version | Work profile | Fully managed device | Dedicated device | MAM
7.0+ | star_border | remove_circle_outline | remove_circle_outline | remove_circle_outline

IT admins can control what contact data can leave the work profile. Both telephony and messaging (SMS) apps must run in the personal profile, and require access to work profile contact data to offer functionality for work contacts, but admins may choose to disable these features to protect work data.

5.6.1. IT admins can disable cross-profile contact search (see crossProfileContactsSearchDisabled) for personal apps that use the system contacts provider.

5.6.2. IT admins can disable cross-profile caller ID lookup (see crossProfileCallerIdDisabled) for personal dialer apps that use the system contacts provider.

5.6.3. IT admins can disable Bluetooth contact sharing with Bluetooth devices (see bluetoothContactSharingDisabled) that use the system contacts provider, for instance hands-free calling in cars or headsets.

5.7. Cross-profile data management

Android version | Work profile | Fully managed device | Dedicated device | MAM
7.0+ | star_border | remove_circle_outline | remove_circle_outline | remove_circle_outline

The Android Management API doesn't support this feature.

5.8. System update policy

Android version | Work profile | Fully managed device | Dedicated device | MAM
6.0+ | remove_circle_outline | star_border | star | remove_circle_outline

IT admins can configure and apply over-the-air (OTA) system updates for devices.

5.8.1. The EMM's console allows IT admins to set the following OTA configurations:

  • Automatic: Devices receive OTA updates as soon as they become available.
  • Postpone: IT admins must be able to postpone OTA updates for up to 30 days.
  • Windowed: IT admins must be able to schedule OTA updates within a daily maintenance window.

5.8.2. OTA configurations are applied to devices via policy.
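
A pre-deployment check for the three OTA configurations in 5.8.1, as an added example (not Google's or any EMM's code). It assumes the Android Management API Policy resource's `systemUpdate` block with `type`, `startMinutes` and `endMinutes`, names that do not appear on this page; the sample policy is constructed.

```python
from datetime import datetime

# Assumed field and enum names from the Android Management API Policy
# resource (systemUpdate.type / startMinutes / endMinutes); not on this page.
OTA_TYPES = {"AUTOMATIC", "POSTPONE", "WINDOWED"}
MINUTES_PER_DAY = 24 * 60


def validate_system_update(policy):
    """Return a list of findings for the policy's OTA configuration."""
    su = policy.get("systemUpdate")
    if not su:
        return ["systemUpdate missing: no OTA configuration from 5.8.1 is selected"]
    kind = su.get("type")
    if kind not in OTA_TYPES:
        return [f"systemUpdate.type {kind!r} is not one of {sorted(OTA_TYPES)}"]
    findings = []
    if kind == "POSTPONE":
        findings.append("POSTPONE: OTA updates can be held back for up to 30 days")
    if kind == "WINDOWED":
        for key in ("startMinutes", "endMinutes"):
            value = su.get(key)
            # bool is a subclass of int in Python, so reject it explicitly.
            if type(value) is not int or not 0 <= value < MINUTES_PER_DAY:
                findings.append(f"WINDOWED: {key}={value!r} is not a minute of the day (0-1439)")
    return findings


def in_maintenance_window(su, local_time):
    """True if device-local time falls in the configured daily window.

    An end earlier than the start means the window wraps past midnight.
    """
    now = local_time.hour * 60 + local_time.minute
    start, end = su["startMinutes"], su["endMinutes"]
    if start <= end:
        return start <= now < end
    return now >= start or now < end


# Constructed sample: a kiosk fleet patched nightly between 22:00 and 02:00.
KIOSK_POLICY = {"systemUpdate": {"type": "WINDOWED", "startMinutes": 1320, "endMinutes": 120}}

if __name__ == "__main__":
    print(validate_system_update(KIOSK_POLICY))
    su = KIOSK_POLICY["systemUpdate"]
    for hhmm in ("23:30", "01:59", "02:00", "12:00"):
        print(hhmm, in_maintenance_window(su, datetime.strptime(hhmm, "%H:%M")))
```

Running the validator in the console before a policy is pushed catches a window that was entered in hours instead of minutes, and makes a POSTPONE choice visible to whoever tracks patch latency.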

5.9. Lock task mode management

Android version | Work profile | Fully managed device | Dedicated device | MAM
6.0+ | remove_circle_outline | remove_circle_outline | star | remove_circle_outline

IT admins can lock an app or set of apps to the screen, and ensure that users can't exit the app.

5.9.1. The EMM's console allows IT admins to silently enable an arbitrary set of apps to install and lock to a device. Lock task mode is enabled via policy.

5.10. Persistent preferred activity management

Android version | Work profile | Fully managed device | Dedicated device | MAM
5.0+ | star_border | star_border | star_border | remove_circle_outline

Allows admins to set an app as the default intent handler for intents that match a certain intent filter. For example, this would allow admins to choose which browser app automatically opens all web links, or which launcher app is used when the user hits the home button.

5.10.1. IT admins can set any package as the default intent handler for any arbitrary intent filter.

  • The EMM's console may optionally suggest known or recommended intents for configuration, but cannot restrict intents to any arbitrary list.
  • The EMM's console must allow IT admins to choose from the list of all apps that are available to install for applicable users.

5.11. Keyguard feature management

Android version | Work profile | Fully managed device | Dedicated device | MAM
7.0+ | star_border | remove_circle_outline | remove_circle_outline | remove_circle_outline

IT admins can control the features available to users before unlocking the device keyguard (lock screen) and the work challenge keyguard (lock screen).

5.11.1. The following device keyguard features can be disabled via policy:

  • trust agents
  • fingerprint unlock
  • unredacted notifications

5.11.2. The following work profile keyguard features can be disabled via policy:

  • trust agents
  • fingerprint unlock

5.12. Advanced keyguard feature management

Android version | Work profile | Fully managed device | Dedicated device | MAM
5.0+ | remove_circle_outline | star_border | star_border | remove_circle_outline

IT admins can control advanced device keyguard (lock screen) features.

5.12.1. IT admins can disable the following device keyguard features via policy:

  • Secure camera
  • All notifications
  • Unredacted notifications
  • Trust agents
  • Fingerprint unlock
  • All keyguard features

5.13. Remote debugging

The Android Management API doesn't currently support this feature.

5.14. MAC address retrieval

Android version | Work profile | Fully managed device | Dedicated device | MAM
7.0+ | remove_circle_outline | star_border | star_border | remove_circle_outline

EMMs can silently fetch a device's MAC address, to be used to identify devices in other parts of the enterprise infrastructure (for example when identifying devices for network access control).

5.14.1. The EMM can silently retrieve a device's MAC address and can associate it with the device in the EMM's console.
