Fully managed device

The fully managed device solution set is intended for company-owned devices. Fully managed features give IT admins management of an extended range of device settings and extra policy controls not available in the work profile solution set.

Feature list

required optional advanced not supported


1. Device provisioning

1.2. DPC identifier device provisioning Android 6.0+
You can provision a fully managed device using a DPC identifier ("afw#").
1.3. NFC device provisioning Android 6.0+
IT admins can "bump" new or factory-reset devices with the EMMs NFC provisioning app to provision a device.
1.4. QR code device provisioning Android 7.0+
IT admins can use new or factory-reset device to scan a QR code generated by the EMM's console to provision the device.
1.5. Zero-touch enrollment Android 8.0+ (Pixel 7.1+)
IT admins can preconfigure devices purchased from authorized resellers and manage them using your EMM console.
1.6. Advanced zero-touch provisioning Android 7.0+
IT admins can automate much of the device enrollment process by deploying DPC registration details through zero-touch enrollment.
1.8 Google Account device provisioning Android 5.0+
For enterprises using Workspace, this feature guides users through the installation of their EMM's DPC after entering corporate Workspace credentials during device setup.
1.9. Direct zero-touch configuration Android 7.0+
IT admins can use the EMM’s console to set up zero-touch devices using the zero-touch iframe.

2. Device security

2.1. Device security challenge Android 5.0+
IT admins can set and enforce a device security challenge (such as PIN/pattern/password) of a certain type and complexity on managed devices.
2.3. Advanced passcode management Android 5.0+
IT admins can set up advanced password settings on devices.
2.4. Smart Lock management Android 6.0+
IT admins can manage what trust agents in Android's Smart Lock feature are permitted to unlock devices.
2.5. Wipe and lock Android 5.0+
IT admins can use the EMM’s console to remotely lock and wipe work data from a managed device.
2.6. Compliance enforcement Android 5.0+
The EMM restricts access to work data and apps on devices that aren't in compliance with security policies.
2.7. Default security policies Android 5.0+
EMMs must enforce the specified security policies on devices by default, without requiring IT admins to set up or customize any settings in the EMM's console.
2.9. SafetyNet support N/A
The EMM uses the SafetyNet Attestation API to ensure devices are valid Android devices.
2.10. Verify Apps enforcement Android 5.0+
IT admins can turn on Verify Apps on devices.
2.11. Direct Boot support Android 7.0+
Direct Boot support ensures that the EMM's DPC is active and able to enforce policy, even if an Android 7.0+ device has not been unlocked.
2.12. Hardware security management Android 5.1+
IT admins can lock down hardware elements of a device to ensure data-loss prevention.
2.13. Enterprise security logging Android 7.0+
IT admins can gather usage data from devices that can be parsed and programmatically evaluated for malicious or risky behavior.

3. Account and app management

3.1. Managed Google Play Accounts enterprise enrollment N/A
IT admins can create a managed Google Play Accounts enterprise—an entity that allows managed Google Play to distribute apps to devices.
3.2. Managed Google Play Account provisioning Android 5.0+
The EMM can silently provision enterprise user accounts, called managed Google Play Accounts.
3.5. Silent app distribution N/A
IT admins can silently distribute work apps to devices without any user interaction.
3.6. Managed configuration management Android 5.0+
IT admins can view and silently set managed configurations for any app that supports managed configurations.
3.7. App catalog management N/A
IT admins can import a list of the apps approved for their enterprise from managed Google Play (play.google.com/work).
3.8. Programmatic app approval N/A
The EMM's console uses the managed Google Play iframe to support Google Play's app discovery and approval capabilities
3.9. Basic store layout management N/A
The managed Google Play Store app can be used on devices to install and update work apps.
3.10. Advanced store layout configuration N/A
IT admins can customize the store layout seen in the managed Google Play Store app on devices.
3.11. App license management N/A
IT admins can view and manage app licenses purchased in the managed Google Play from the EMM's console.
3.12. Google-hosted private app management N/A
IT admins can update Google-hosted private apps through the EMM console instead of through the Google Play Console.
3.13. Self-hosted private app management N/A
IT admins can set up and publish self-hosted private apps.
3.14. EMM pull notifications N/A
This requirement is not applicable to the Android Management API.
3.15. API usage requirements N/A
The EMM implements Google's APIs at scale, avoiding traffic patterns that could negatively impact enterprises' ability to manage apps in production environments.
3.16. Advanced managed configuration management Android 5.0+
The EMM supports managed configurations with up to four levels of nested settings and can retrieve and display any feedback sent from a Play app.
3.17. Web app management N/A
IT admins can create and distribute web apps in the EMM console.
3.18. Managed Google Play Account lifecycle management Android 5.0+
The EMM can create, update, and delete managed Google Play Accounts on behalf of IT admins.
3.19. Application track management Android 5.0+
IT Admins can configure a set of development tracks for particular applications.

4. Device management

4.1. Runtime permission policy management Android 6.0+
IT admins can silently set a default response to runtime permission requests made by work apps.
4.2. Runtime permission grant state management Android 6.0+
After setting a default runtime permission policy, IT admins can silently set responses for specific permissions from any work app built on API 23 or above.
4.3. Wi-Fi configuration management Android 6.0+
IT admins can silently provision enterprise Wi-Fi configurations on managed devices.
4.4. Wi-Fi security management Android 6.0+
IT admins can provision enterprise Wi-Fi configurations on managed devices.
4.5. Advanced Wi-Fi management Android 6.0+
IT admins can lock down Wi-Fi configurations on managed devices, to prevent users from creating new configurations or modifying corporate configurations.
4.6. Account management Android 5.0+
IT admins can ensure that unauthorized corporate accounts can't interact with corporate data for services such as SaaS storage and productivity apps, or email.
4.7. Workspace account management Android 5.0+
IT admins can ensure that unauthorized Workspace accounts can't interact with corporate data.
4.8. Certificate management Android 5.0+
Allows IT admins to deploy identity certificates and certificate authorities to devices to allow access to corporate resources.
4.9. Advanced certificate management Android 7.0+
Allows IT admins to silently select the certificates that specific managed apps should use
4.10. Delegated certificate management Android 6.0+
IT admins can distribute a third-party certificate management app to devices and grant that app privileged access to install certificates into the managed keystore.
4.11. Advanced VPN management Android 7.0+
Allows IT admins to specify an Always On VPN to ensure that data from specified managed apps will go through a set-up VPN.
4.13. Advanced IME management Android 5.0+
IT admins can manage what input methods (IMEs) are allowed on devices.
4.14. Accessibility services management Android 5.0+
IT admins can manage what accessibility services are allowed on devices.
4.16. Advanced Location Sharing management Android 5.0+
IT admins can enforce a given Location Sharing setting on a managed device.
4.17. Factory reset protection management Android 5.1+
Allows IT admins to protect company-owned devices from theft by ensuring unauthorized individuals can't factory reset devices.
4.18. Advanced app control Android 5.0+
IT admins can prevent the user from uninstalling or otherwise modifying managed apps through Settings.
4.19. Screen capture management Android 5.0+
IT admins can block users from taking screenshots when using managed apps.
4.20. Disable cameras Android 5.0+
IT admins can turn off use of device cameras by managed apps.
4.22. Advanced network statistics collection Android 6.0+
IT admins can query network usage statistics for an entire managed device.
4.23. Reboot device Android 7.0+
IT admins can remotely restart managed devices.
4.24. System radio management Android 7.0+
Enables IT admins granular management of system network radios and associated usage policies.
4.25. System audio management Android 5.0+
IT admins can silently manage device audio features.
4.26. System clock management Android 5.0+
IT admins can manage device clock and time zone settings, and prevent modifying automatic device settings..

5. Device usability

5.1. Managed provisioning customization Android 7.0+
IT admins can modify the default managed provisioning flow UX to include enterprise-specific features.
5.3. Advanced enterprise customization Android 7.0+
IT admins can customize managed devices with corporate branding.
5.4. Lock screen messages Android 7.0+
IT admins can set a custom message that's displayed on the device lock screen, and does not require device unlock to be viewed.
5.5. Policy transparency management Android 7.0+
IT admins can customize the help text provided to users when they attempt to modify managed settings on their device, or deploy an EMM-supplied generic support message.
5.8. System update policy Android 6.0+
IT admins can set up and apply over-the-air (OTA) system updates for devices.
5.10. Persistent preferred activity management Android 5.0+
Allows IT admins to set an app as the default intent handler for intents that match a certain intent filter.
5.12. Advanced keyguard feature management Android 5.0+
IT admins can control advanced device keyguard (lock screen) features.
5.13. Remote debugging Android 7.0+
IT admins can retrieve debugging resources from devices without requiring extra steps.
5.14. MAC address retrieval Android 7.0+
EMMs can silently fetch a device's MAC address, to be used to identify devices in other parts of the enterprise infrastructure.

6. Device admin deprecation

6. Device admin deprecation Android 5.0+
EMMs are required to post a plan by the end of 2021 ending support for Device Admin on GMS devices by the end of 2022.