1. Device provisioning |
1.2. DPC identifier device provisioning |
Android 6.0+ |
star |
You can provision a fully managed device using a DPC identifier
("afw#"). |
1.3. NFC device provisioning |
Android 6.0+ |
star_border |
IT admins can "bump" new or factory-reset devices with the EMMs NFC
provisioning app to provision a device. |
1.4. QR code device provisioning |
Android 7.0+ |
star |
IT admins can use new or factory-reset device to scan a QR code generated
by the EMM's console to provision the device. |
1.5. Zero-touch enrollment |
Android 8.0+ (Pixel 7.1+) |
star_border |
IT admins can preconfigure devices purchased from authorized resellers
and manage them using your EMM console. |
1.6. Advanced zero-touch provisioning |
Android 7.0+ |
remove_circle_outline |
IT admins can automate much of the device enrollment process by
deploying DPC registration details through zero-touch enrollment. |
1.8 Google Account device provisioning |
Android 5.0+ |
remove_circle_outline |
For enterprises using Workspace, this feature guides users through the
installation of their EMM's DPC after entering corporate Workspace
credentials during device setup. |
1.9. Direct zero-touch configuration |
Android 7.0+ |
star |
IT admins can use the EMM’s console to set up zero-touch devices using the zero-touch iframe. |
2. Device security |
2.1. Device security challenge |
Android 5.0+ |
star |
IT admins can set and enforce a device security challenge
(such as PIN/pattern/password) of a certain type and complexity on managed
devices. |
2.3. Advanced passcode management |
Android 5.0+ |
star |
IT admins can set up advanced password settings on devices. |
2.4. Smart Lock management |
Android 6.0+ |
remove_circle_outline |
IT admins can manage what trust agents in Android's Smart Lock feature are permitted to unlock devices. |
2.5. Wipe and lock |
Android 5.0+ |
star |
IT admins can use the EMM’s console to remotely lock and
wipe work data from a managed device. |
2.6. Compliance enforcement |
Android 5.0+ |
star |
The EMM restricts access to work data and apps on devices that aren't in compliance with security policies. |
2.7. Default security policies |
Android 5.0+ |
star |
EMMs must enforce the specified security policies on
devices by default, without requiring IT admins to set up or customize
any settings in the EMM's console. |
2.9. SafetyNet support |
N/A |
star |
The EMM uses the SafetyNet Attestation API to ensure devices are valid Android devices. |
2.10. Verify Apps enforcement |
Android 5.0+ |
star |
IT admins can turn on Verify Apps on devices. |
2.11. Direct Boot support |
Android 7.0+ |
star |
Direct Boot support ensures that the EMM's DPC is active and able
to enforce policy, even if an Android 7.0+ device has not been unlocked. |
2.12. Hardware
security management |
Android 5.1+ |
star |
IT admins can lock down hardware elements of a device to ensure
data-loss prevention. |
2.13. Enterprise security logging |
Android 7.0+ |
remove_circle_outline |
IT admins can gather usage data from devices that can be parsed and
programmatically evaluated for malicious or risky behavior. |
3. Account and app management |
3.1. Managed Google Play Accounts enterprise enrollment |
N/A |
star |
IT admins can create a managed Google Play Accounts enterprise—an
entity that allows managed Google Play to distribute apps to devices. |
3.2. Managed Google Play Account provisioning |
Android 5.0+ |
star |
The EMM can silently provision enterprise user accounts, called
managed Google Play Accounts. |
3.5. Silent app distribution |
N/A |
star |
IT admins can silently distribute work apps to devices without
any user interaction. |
3.6. Managed configuration management |
Android 5.0+ |
star |
IT admins can view and silently set managed configurations for any app
that supports managed configurations. |
3.7. App catalog management |
N/A |
remove_circle_outline |
IT admins can import a list of the apps approved for their
enterprise from managed Google Play (play.google.com/work). |
3.8. Programmatic app approval |
N/A |
star |
The EMM's console uses the managed Google Play iframe to support Google
Play's app discovery and approval capabilities |
3.9. Basic store layout management |
N/A |
star |
The managed Google Play Store app can be used on devices to
install and update work apps. |
3.10. Advanced store layout configuration |
N/A |
remove_circle_outline |
IT admins can customize the store layout seen in the managed
Google Play Store app on devices. |
3.11. App license management |
N/A |
remove_circle_outline |
IT admins can view and manage app licenses purchased in the managed
Google Play from the EMM's console. |
3.12. Google-hosted private app management |
N/A |
star |
IT admins can update Google-hosted private apps through the EMM console
instead of through the Google Play Console. |
3.13. Self-hosted private app management |
N/A |
star_border |
IT admins can set up and publish self-hosted private apps. |
3.14. EMM pull notifications |
N/A |
remove_circle_outline |
This requirement is not applicable to the Android Management API. |
3.15. API usage requirements |
N/A |
star |
The EMM implements Google's APIs at scale, avoiding traffic patterns
that could negatively impact enterprises' ability to manage apps in
production environments. |
3.16. Advanced managed configuration management |
Android 5.0+ |
star |
The EMM supports managed configurations with up to four levels of nested
settings and can retrieve and display any feedback sent from a Play
app. |
3.17. Web app management |
N/A |
star |
IT admins can create and distribute web apps in the EMM console. |
3.18. Managed Google Play Account lifecycle management |
Android 5.0+ |
star |
The EMM can create, update, and delete managed Google Play Accounts on behalf of IT admins. |
3.19. Application track management |
Android 5.0+ |
star |
IT Admins can configure a set of development tracks for particular applications. |
3.20. Advanced application update management |
Android 5.0+ |
star |
IT Admins can allow apps to be updated immediately or postpone them from being updated for 90 days. |
4. Device management |
4.1. Runtime permission policy management |
Android 6.0+ |
star |
IT admins can silently set a default response to runtime permission
requests made by work apps. |
4.2. Runtime permission grant state management |
Android 6.0+ |
star |
After setting a default runtime permission policy, IT admins can
silently set responses for specific permissions from any work app built on
API 23 or above. |
4.3. Wi-Fi configuration management |
Android 6.0+ |
star |
IT admins can silently provision enterprise Wi-Fi configurations on managed devices. |
4.4. Wi-Fi security management |
Android 6.0+ |
star |
IT admins can provision enterprise Wi-Fi configurations on managed devices. |
4.5. Advanced Wi-Fi management |
Android 6.0+ |
star_border |
IT admins can lock down Wi-Fi configurations on managed devices, to
prevent users from creating new configurations or modifying corporate
configurations. |
4.6. Account management |
Android 5.0+ |
star |
IT admins can ensure that unauthorized corporate accounts can't
interact with corporate data for services such as SaaS storage and
productivity apps, or email. |
4.7. Workspace account management |
Android 5.0+ |
remove_circle_outline |
IT admins can ensure that unauthorized Workspace accounts can't interact
with corporate data. |
4.8. Certificate management |
Android 5.0+ |
star |
Allows IT admins to deploy identity certificates and certificate
authorities to devices to allow access to corporate resources. |
4.9. Advanced certificate management |
Android 7.0+ |
star |
Allows IT admins to silently select the certificates that specific
managed apps should use |
4.10. Delegated certificate management |
Android 6.0+ |
star_border |
IT admins can distribute a third-party certificate management app to
devices and grant that app privileged access to install certificates into
the managed keystore. |
4.11. Advanced VPN management |
Android 7.0+ |
star |
Allows IT admins to specify an Always On VPN to ensure that data from
specified managed apps will go through a set-up VPN. |
4.13. Advanced IME management |
Android 5.0+ |
star_border |
IT admins can manage what input methods (IMEs) are allowed on devices. |
4.14. Accessibility services management |
Android 5.0+ |
star_border |
IT admins can manage what accessibility services are allowed on devices. |
4.16. Advanced Location Sharing management |
Android 5.0+ |
star_border |
IT admins can enforce a given Location Sharing setting on a managed device. |
4.17. Factory reset protection management |
Android 5.1+ |
star |
Allows IT admins to protect company-owned devices from theft by
ensuring unauthorized individuals can't factory reset devices. |
4.18. Advanced app control |
Android 5.0+ |
star_border |
IT admins can prevent the user from uninstalling or otherwise modifying
managed apps through Settings. |
4.19. Screen capture management |
Android 5.0+ |
star_border |
IT admins can block users from taking screenshots when using managed apps. |
4.20. Disable cameras |
Android 5.0+ |
star_border |
IT admins can turn off use of device cameras by managed apps. |
4.22. Advanced network statistics collection |
Android 6.0+ |
remove_circle_outline |
IT admins can query network usage statistics for an entire managed
device. |
4.23. Reboot device |
Android 7.0+ |
star_border |
IT admins can remotely restart managed devices. |
4.24. System radio management |
Android 7.0+ |
star_border |
Enables IT admins granular management of system network radios and
associated usage policies. |
4.25. System audio management |
Android 5.0+ |
star_border |
IT admins can silently manage device audio features. |
4.26. System clock management |
Android 5.0+ |
star_border |
IT admins can manage device clock and time zone settings, and prevent
modifying automatic device settings.. |
4.28. Delegated scope management |
Android 8.0+ |
star |
IT admins are able to delegate extra privileges to individual packages. |
5. Device usability |
5.1. Managed provisioning customization |
Android 7.0+ |
star_border |
IT admins can modify the default managed provisioning flow UX to include enterprise-specific features. |
5.3. Advanced enterprise customization |
Android 7.0+ |
remove_circle_outline |
IT admins can customize managed devices with corporate branding. |
5.4. Lock screen messages |
Android 7.0+ |
star_border |
IT admins can set a custom message that's displayed on the device
lock screen, and does not require device unlock to be viewed. |
5.5. Policy transparency management |
Android 7.0+ |
star |
IT admins can customize the help text provided to users when they
attempt to modify managed settings on their device, or deploy an
EMM-supplied generic support message. |
5.8. System update policy |
Android 6.0+ |
star |
IT admins can set up and apply over-the-air (OTA) system updates for
devices. |
5.10. Persistent preferred activity management |
Android 5.0+ |
star_border |
Allows IT admins to set an app as the default intent handler for intents that match a certain intent filter. |
5.12. Advanced keyguard feature management |
Android 5.0+ |
star |
IT admins can control advanced device keyguard (lock screen)
features. |
5.13. Remote debugging |
Android 7.0+ |
remove_circle_outline |
IT admins can retrieve debugging resources from devices without
requiring extra steps. |
5.14. MAC address retrieval |
Android 7.0+ |
star_border |
EMMs can silently fetch a device's MAC address, to be used to identify
devices in other parts of the enterprise infrastructure. |
6. Device admin deprecation |
6. Device admin deprecation |
Android 5.0+ |
star |
EMMs are required to post a plan by the end of 2021 ending customer support for Device Admin on GMS devices by the end of 2022. |