لیست ویژگی های Android Enterprise

این صفحه مجموعه کاملی از ویژگی‌های Android Enterprise را فهرست می‌کند.

اگر قصد دارید بیش از 500 دستگاه را مدیریت کنید، راه حل EMM شما باید از تمام ویژگی های استاندارد ( ) حداقل یک مجموعه راه حل قبل از اینکه به صورت تجاری در دسترس باشد، پشتیبانی کند. راه‌حل‌های EMM که تأیید ویژگی استاندارد را تأیید می‌کنند، در فهرست راه‌حل‌های سازمانی Android به‌عنوان مجموعه مدیریت استاندارد فهرست‌شده هستند.

یک مجموعه اضافی از ویژگی های پیشرفته برای هر مجموعه راه حل موجود است. این ویژگی ها در هر صفحه مجموعه راه حل مشخص می شوند: نمایه کاری ، دستگاه کاملاً مدیریت شده و دستگاه اختصاصی . راه‌حل‌های EMM که تأیید ویژگی‌های پیشرفته را انجام می‌دهند، در فهرست راه‌حل‌های سازمانی Android به‌عنوان مجموعه مدیریت پیشرفته فهرست‌شده هستند.

توجه: استفاده از Android Management API تابع خط مشی استفاده مجاز است.

کلید

ویژگی استاندارد ویژگی اختیاری قابل اجرا نیست

1. تهیه دستگاه

1.1. ارائه پروفایل کار DPC-First

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
دستگاه اختصاصی
5.1+

پس از بارگیری خط مشی دستگاه Android از Google Play ، کاربران می توانند نمایه کار را ارائه دهند.

1.1.1. EMM برای پشتیبانی از این روش تهیه ، یک کد QR یا کد فعال سازی را در اختیار شما قرار می دهد (به ثبت نام و تهیه دستگاه بروید).

1.2. تهیه دستگاه شناسایی کننده DPC

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
دستگاه اختصاصی
6.0+

وارد کردن "AFW#" در جادوگر تنظیم دستگاه یک دستگاه کاملاً مدیریت شده یا اختصاصی است.

1.2.1. EMM برای پشتیبانی از این روش تهیه ، یک کد QR یا کد فعال سازی را در اختیار شما قرار می دهد (به ثبت نام و تهیه دستگاه بروید).

1.3. تهیه دستگاه NFC

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
دستگاه اختصاصی
6.0+

براساس دستورالعملهای اجرای تعریف شده در اسناد توسعه دهنده نمایشنامه EMM API ، می توان از برچسب های NFC توسط مدیر IT برای تهیه دستگاه های جدید یا کارخانه ای استفاده کرد.

1.3.1. EMMS باید از برچسب های NFC Type 2 با حداقل 888 بایت حافظه استفاده کند. تهیه برای انتقال جزئیات ثبت نام غیر حساس مانند شناسه سرور و شناسه های ثبت نام به دستگاه باید از مواد اضافی استفاده کند. جزئیات ثبت نام نباید شامل اطلاعات حساس مانند رمزهای عبور یا گواهینامه باشد.

1.3.2. ما استفاده از برچسب های NFC را برای اندروید 10 به بعد به دلیل استهلاک پرتو NFC (همچنین به عنوان Bump NFC نیز شناخته می شود) توصیه می کنیم.

1.4. تأمین دستگاه QR

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
دستگاه اختصاصی
7.0+

کنسول EMM می تواند یک کد QR ایجاد کند که با توجه به دستورالعمل های اجرای تعریف شده در مستندات توسعه دهنده API مدیریت اندرویدی ، می تواند یک دستگاه کاملاً مدیریت شده یا اختصاصی را اسکن کند.

1.4.1. کد QR باید برای انتقال جزئیات ثبت نام غیر حساس (مانند شناسه سرور ، شناسه های ثبت نام) به یک دستگاه از مواد اضافی استفاده کند. جزئیات ثبت نام نباید شامل اطلاعات حساس مانند رمزهای عبور یا گواهینامه باشد.

1.5. ثبت نام پستال صفر

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
دستگاه اختصاصی
8.0+ (پیکسل 7.1+)

Admins می تواند دستگاه های پیش تنظیم شده از فروشندگان مجاز را از پیش تنظیم کرده و آنها را با استفاده از کنسول EMM خود مدیریت کند.

1.5.1. Admins می تواند دستگاه های متعلق به شرکت را با استفاده از روش ثبت نام با ارسال صفر ، که در ثبت نام با ارسال صفر برای Admins IT مشخص شده است ، تهیه کنند.

1.5.2. هنگامی که یک دستگاه برای اولین بار روشن می شود ، دستگاه به طور خودکار در تنظیمات تعریف شده توسط مدیر IT مجبور می شود.

1.6. تأمین پیشرفته صفر صفر

Admins می تواند بخش اعظم فرآیند ثبت نام دستگاه را با ثبت نام در محل کار به صورت خودکار انجام دهد. همراه با URL های ورود به سیستم ، Admins می تواند با توجه به گزینه های پیکربندی ارائه شده توسط EMM ، ثبت نام را به حساب ها یا دامنه های خاص محدود کند.

1.6.1. Admins می تواند یک دستگاه متعلق به شرکت را با استفاده از روش ثبت نام با ارسال صفر تهیه کند.

1.6.2. این نیاز مستهلک می شود.

1.6.3. با استفاده از URL ورود به سیستم ، EMM باید اطمینان حاصل کند که کاربران غیرمجاز نمی توانند با فعال سازی اقدام کنند. حداقل ، فعال سازی باید برای کاربران یک شرکت خاص قفل شود.

1.6.4. با استفاده از URL ورود به سیستم ، EMM باید این امکان را فراهم کند که Admins بتواند جزئیات ثبت نام قبل از جمع آوری (به عنوان مثال شناسه های سرور ، شناسه های ثبت نام) را جدا از اطلاعات کاربر یا دستگاه منحصر به فرد (به عنوان مثال نام کاربری/رمز عبور ، نشانه فعال سازی) ، بنابراین ، بنابراین که کاربران هنگام فعال کردن دستگاه مجبور نیستند جزئیات را وارد کنند.

 • EMMS نباید شامل اطلاعات حساس مانند رمزهای عبور یا گواهینامه ها در پیکربندی ثبت نام با پست صفر باشد.

1.7. ارائه پروفایل کار حساب Google

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
دستگاه اختصاصی
5.0+

API مدیریت Android از این ویژگی پشتیبانی نمی کند.

1.8 تهیه دستگاه حساب Google

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
دستگاه اختصاصی
5.0+

API مدیریت Android از این ویژگی پشتیبانی نمی کند.

1.9. پیکربندی مستقیم لمسی صفر

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
دستگاه اختصاصی
8.0+

Admins می تواند از کنسول EMM برای تنظیم دستگاه های لمسی صفر با استفاده از Iframe با لمس صفر استفاده کند.

1.10. پروفایل های کار در دستگاه های متعلق به شرکت

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
دستگاه اختصاصی
8.0+

EMMS می تواند دستگاه های متعلق به شرکت را که دارای مشخصات کار هستند با تنظیم AllowsersonalUsage ثبت نام کنند.

1.10.1. Admins می تواند دستگاهی را به عنوان مشخصات کار در یک دستگاه متعلق به شرکت با استفاده از کد QR یا ثبت نام با ارسال صفر تهیه کند.

1.10.2. سرپرستان می توانند اقدامات انطباق را برای پروفایل های کاری در دستگاه های متعلق به شرکت از طریق شخصی سازی های شخصی انجام دهند.

1.10.3. سرپرستان می توانند دوربین را در مشخصات کار یا کل دستگاه از طریق شخصی سازی های شخصی غیرفعال کنند.

1.10.4. سرپرستان می توانند ضبط صفحه را در مشخصات کار یا کل دستگاه از طریق شخصی سازی های شخصی غیرفعال کنند.

1.10.5. Admins می تواند یک لیست Allowlist یا Blocklist از برنامه هایی را تنظیم کند که از طریق PersonalApplicationPolicy قابل نصب یا نمی توان در پروفایل شخصی نصب کرد.

1.10.6. Admins می تواند با از بین بردن مشخصات کار یا پاک کردن کل دستگاه ، از مدیریت یک دستگاه متعلق به شرکت خودداری کند.


2. امنیت دستگاه

2.1. چالش امنیت دستگاه

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
دستگاه اختصاصی
5.0+

Admins می تواند یک چالش امنیتی دستگاه (پین/الگوی/رمز عبور) را از یک انتخاب از پیش تعریف شده از 3 سطح پیچیدگی در دستگاه های مدیریت شده تنظیم و اجرا کند.

2.1.1 خط مشی باید تنظیمات مدیریت چالش های امنیتی دستگاه را اجرا کند (ParentProfilePasswordRequirequirements برای مشخصات کار ، رمز عبور برای دستگاه های کاملاً مدیریت شده و اختصاصی).

2.1.2. پیچیدگی رمز عبور باید به پیچیدگی های رمز عبور زیر نقشه برداری کند:

 1. رمز عبور_ complexity_low - الگوی یا پین با توالی تکرار (4444) یا سفارش (1234 ، 4321 ، 2468).
 2. رمز عبور_ complexity_medium - پین بدون تکرار (4444) یا سفارش (1234 ، 4321 ، 2468) ، رمز عبور الفبایی یا الفبایی با طول حداقل 4
 3. رمز عبور_ complexity_high - پین بدون تکرار (4444) یا سفارش (1234 ، 4321 ، 2468) و طول حداقل 8 یا حروف الفبا یا الفبایی با طول حداقل 6

2.1.3. محدودیت های اضافی رمز عبور نیز به عنوان تنظیمات میراث در دستگاه های متعلق به شرکت قابل اجرا است.

2.2 چالش امنیتی کار

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
دستگاه اختصاصی
7.0+

Admins می تواند یک چالش امنیتی را برای برنامه ها و داده های موجود در نمایه کار که جداگانه است تنظیم و اجرا کند و نیازهای متفاوتی از چالش امنیت دستگاه (2.1) داشته باشد.

2.2.1. سیاست باید چالش امنیتی را برای مشخصات کار اجرا کند.

 1. به طور پیش فرض ، در صورت عدم مشخص شدن دامنه ، سرپرست ها فقط برای مشخصات کار محدود می شوند
 2. Admins می تواند با مشخص کردن دامنه ، این دستگاه را به طور گسترده تنظیم کند (به نیاز 2.1 مراجعه کنید)

2.2.2. پیچیدگی رمز عبور باید به پیچیدگی های رمز عبور از پیش تعریف شده زیر نقشه برداری کند:

 1. رمز عبور_ complexity_low - الگوی یا پین با توالی تکرار (4444) یا سفارش (1234 ، 4321 ، 2468).
 2. رمز عبور_ complexity_medium - پین بدون تکرار (4444) یا سفارش (1234 ، 4321 ، 2468) ، رمز عبور الفبایی یا الفبایی با طول حداقل 4
 3. رمز عبور_ complexity_high - پین بدون تکرار (4444) یا سفارش (1234 ، 4321 ، 2468) و طول حداقل 8 یا حروف الفبا یا الفبایی با طول حداقل 6

2.2.3. محدودیت های اضافی رمز عبور نیز به عنوان تنظیمات میراث قابل اجرا است

2.3. مدیریت پیشرفته رمز عبور

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
دستگاه اختصاصی
5.0+

Admins می تواند تنظیمات پیشرفته رمز عبور را در دستگاه ها تنظیم کند.

2.3.1. [عمداً خالی]

2.3.2. [عمداً خالی]

2.3.3. تنظیمات چرخه چرخه رمز عبور زیر را می توان برای هر صفحه قفل موجود در یک دستگاه تنظیم کرد:

 1. [عمداً خالی]
 2. [عمداً خالی]
 3. حداکثر گذرواژه های ناموفق برای پاک کردن: تعداد دفعاتی را که کاربران می توانند یک رمز عبور نادرست را قبل از پاک کردن داده های شرکت از دستگاه وارد کنند ، مشخص می کند. مدیر باید بتواند این ویژگی را خاموش کند.

2.3.4. . پس از دوره زمانی ، روش های احراز هویت غیر قوی (مانند اثر انگشت ، باز کردن قفل صورت) خاموش می شوند تا اینکه دستگاه با یک رمز عبور احراز هویت قوی باز شود.

2.4. مدیریت قفل هوشمند

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
دستگاه اختصاصی
6.0+

IT admins can manage whether trust agents in Android's Smart Lock feature are permitted to extend device unlock up to four hours.

2.4.1. IT admins can disable trust agents on the device.

2.5. Wipe and lock

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device
5.0+

IT admins can use the EMM's console to remotely lock and wipe work data from a managed device.

2.5.1. Devices must be locked using the Android Management API .

2.5.2. Devices must be wiped using the Android Management API .

2.6. Compliance enforcement

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device
5.0+

If a device is not compliant with security policies, compliance rules put in place by the Android Management API automatically restrict use of work data.

2.6.1. At minimum, the security policies enforced on a device must include password policy.

2.7. Default security policies

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device
5.0+

EMMs must enforce the specified security policies on devices by default , without requiring IT admins to set up or customize any settings in the EMM's console. EMMs are encouraged (but not required) to not allow IT admins to change the default state of these security features.

2.7.1. Installing apps from unknown sources must be blocked, including apps installed on the personal side of any Android 8.0+ device with a work profile. This subfeature is supported by default .

2.7.2. Debugging features must be blocked. This subfeature is supported by default.

2.8. Security policies for dedicated devices

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device
6.0+

No other actions are allowed for a locked down dedicated device.

2.8.1. Booting into safe mode must be turned off by default via policy (Go to safeBootDisabled ).

2.9. Play Integrity Support

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device

Play Integrity checks are made by default. No extra implementation is required.

2.9.1. Deliberately blank.

2.9.2. Deliberately blank.

2.9.3. IT admins can set up different policy responses based on the value of the device's SecurityRisk , including blocking provisioning, wiping corporate data, and allowing enrollment to proceed.

 • The EMM service will enforce this policy response for the result of each integrity check.

2.10. Verify Apps enforcement

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device
5.0+

IT admins can turn on Verify Apps on devices. Verify Apps scans apps installed on Android devices for harmful software before and after they're installed, helping to ensure that malicious apps can't compromise corporate data.

2.10.1. Verify Apps must be turned on by default via policy (Go to ensureVerifyAppsEnabled ).

2.11. Direct Boot support

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device
7.0+

The Android Management API supports this feature by default. No extra implementation is required.

2.12. Hardware security management

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device
5.1+

IT admins can lock down hardware elements of a company-owned device to ensure data-loss prevention.

2.12.1. IT admins can block users from mounting physical external media via policy (go to mountPhysicalMediaDisabled ).

2.12.2. IT admins can block users from sharing data from their device using NFC beam via policy (go to outgoingBeamDisabled ). This subfeature is optional since NFC beam function is no longer supported in Android 10 and higher.

2.12.3. IT admins can block users from transferring files over USB via policy (go to usbFileTransferDisabled ).

2.13. Enterprise security logging

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device
7.0+

The Android Management API doesn't currently support this feature.


3. Account and app management

3.1. Managed Google Play Accounts enterprise enrollment

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device

IT admins can create a managed Google Play Accounts enterprise —an entity that allows managed Google Play to distribute apps to devices. The following enrollment stages must be integrated into the EMM's console:

3.1.1. Enroll a managed Google Play Accounts enterprise using the Android Management API .

3.2. Managed Google Play Account provisioning

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device
5.0+

The EMM can silently provision enterprise user accounts, called managed Google Play accounts. These accounts identify managed users and allow unique, per-user app distribution rules.

3.2.1. Managed Google Play Accounts (user accounts) are automatically created when devices are provisioned.

The Android Management API supports this feature by default. No extra implementation is required.

3.3. Managed Google Play device account provisioning

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device
5.0+

The EMM can create and provision managed Google Play device accounts. Device accounts support silently installing apps from the managed Google Play Store, and are not tied to a single user. Instead, a device account is used to identify a single device to support app distribution rules per device in dedicated device scenarios.

3.3.1. Managed Google Play Accounts are automatically created when devices are provisioned.

The Android Management API supports this feature by default. No extra implementation is required.

3.4. Managed Google Play Account provisioning for legacy devices

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device

This feature is deprecated.

3.5. Silent app distribution

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device

IT admins can silently distribute work apps on devices without any user interaction.

3.5.1. The EMM's console must use the Android Management API to allow IT admins to install work apps on managed devices.

3.5.2. The EMM's console must use the Android Management API to allow IT admins to update work apps on managed devices.

3.5.3. The EMM's console must use the Android Management API to allow IT admins to uninstall apps on managed devices.

3.6. Managed configuration management

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device
5.0+

IT admins can view and silently set managed configurations for any app that supports managed configurations.

3.6.1. The EMM's console must be able to retrieve and display the managed configuration settings of any Play app.

3.6.2. The EMM's console must allow IT admins to set any configuration type (as defined by the Android Enterprise framework) for any Play app using the Android Management API .

3.6.3. The EMM's console must allow IT admins to set wildcards (such as $username$ or %emailAddress%) so that a single configuration for an app such as Gmail can be applied to multiple users.

3.7. App catalog management

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device

The Android Management API supports this feature by default. No additional implementation is required.

3.8. Programmatic app approval

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device

The EMM's console uses the managed Google Play iframe to support Google Play's app discovery and approval capabilities. IT admins can search for apps, approve apps, and approve new app permissions without leaving the EMM's console.

3.8.1. IT admins can search for apps and approve them within the EMM's console using the managed Google Play iframe .

3.9. Basic store layout management

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device

The managed Google Play Store app can be used to install and update work apps. By default, the managed Google Play Store displays apps approved for a user in a single list. This layout is referred to as basic store layout .

3.9.1. The EMM's console should allow IT admins to manage the apps visible in an end user's basic store layout.

3.10. Advanced store layout configuration

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device

3.10.1. IT admins can customize the store layout seen in the managed Google Play Store app.

3.11. App license management

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device

This feature is deprecated.

3.12. Google-hosted private app management

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device

IT admins can update Google-hosted private apps through the EMM console instead of through the Google Play Console.

3.12.1. IT admins can upload new versions of apps that are already published privately to the enterprise using:

3.13. Self-hosted private app management

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device

IT admins can set up and publish self-hosted private apps. Unlike Google-hosted private apps, Google Play does not host the APKs. Instead, the EMM helps IT admins host APKs themselves, and helps protect self-hosted apps by ensuring they can only be installed when authorized by managed Google Play.

3.13.1. The EMM's console must help IT admins host the app APK, by offering both of the following options:

 • Hosting the APK on the EMM's server. The server can be on-premise or cloud-based.
 • Hosting the APK outside of the EMM's server, at the discretion of the enterprise. The IT admin must specify in the EMM console where the APK is hosted.

3.13.2. The EMM's console must generate an appropriate APK definition file using the provided APK and must guide IT admins through the publishing process.

3.13.3. IT admins can update self-hosted private apps, and the EMM's console can silently publish updated APK definition files using the Google Play Developer Publishing API .

3.13.4. The EMM's server serves download requests for the self-hosted APK that contains a valid JWT within the request's cookie, as verified by the private app's public key.

 • To facilitate this process, the EMM's server must guide IT admins to download the self-hosted app's license public key from the Play Google Developers Console, and upload this key to the EMM console.

3.14. EMM pull notifications

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device

This feature is not applicable to the Android Management API. Set up Pub/Sub notifications instead.

3.15. API usage requirements

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device

The EMM implements Android Management APIs at scale, avoiding traffic patterns that could negatively impact enterprises' ability to manage apps in production environments.

3.15.1. The EMM must adhere to the Android Management API usage limits. Not correcting behavior that exceeds these guidelines may result in suspension of API use, at Google's discretion.

3.15.2. The EMM should distribute traffic from different enterprises throughout the day, rather than consolidating enterprise traffic at specific or similar times. Behavior that fits this traffic pattern, such as scheduled batch operations for each device enrolled, may result in suspending API use, at Google's discretion.

3.15.3. The EMM should not make consistent, incomplete, or deliberately incorrect requests that make no attempt to retrieve or manage actual enterprise data. Behavior that fits this traffic pattern may result in suspended API use, at Google's discretion.

3.16. Advanced managed configuration management

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device
5.0+

The EMM supports the following advanced managed configuration management features:

3.16.1. The EMM's console must be able to retrieve and display the up to four levels of nested managed configuration settings of any Play app, using:

3.16.2. The EMM's console must be able to retrieve and display any feedback returned by an app's feedback channel , when set up by an IT admin.

 • The EMM's console must allow IT admins to associate a specific feedback item with the device and app it originated from.
 • The EMM's console must allow IT admins to subscribe to alerts or reports of specific message types (such as error messages).

3.16.3. The EMM's console must only send values that either have a default value or are manually set by the admin using:

 • The managed configurations iframe, or
 • A custom UI.

3.17. Web app management

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device

IT admins can create and distribute web apps in the EMM console.

3.17.1. The EMM console allows IT admins to distribute shortcuts to web apps using:

3.18. Managed Google Play Account lifecycle management

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device
5.0+

The EMM can create, update, and delete managed Google Play Accounts on behalf of IT admins, and automatically recover from account expiration.

This feature is supported by default. No extra EMM implementation is required.

3.19. Application track management

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device
5.0+

3.19.1. IT Admins can pull a list of track IDs set by a developer for a particular app

3.19.2. IT Admins can set devices to use a particular development track for an application.

3.20. Advanced application update management

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device
5.0+

IT admins can allow apps to be updated immediately or postpone them from being updated for 90 days.

3.20.1. IT admins can allow apps to use high-priority app updates to be updated when an update is ready. 3.20.2. IT admins can allow apps to have their app updates postponed for 90 days.

3.21. Provisioning methods management

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device
مامان

The EMM can generate provisioning configurations and present these to the IT admin in a form ready for distribution to end users (such as QR code, zero-touch configuration, Play Store URL).


4. Device management

4.1. Runtime permission policy management

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device
6.0+

IT admins can silently set a default response to runtime permission requests made by work apps.

4.1.1. IT admins must be able to choose from the following options when setting a default runtime permission policy for their organization:

 • prompt (allows users to choose)
 • اجازه
 • انکار

The EMM should enforce these settings via policy .

4.2. Runtime permission grant state management

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device
6.0+

After setting a default runtime permission policy (go to 4.1.), IT admins can silently set responses for specific permissions from any work app built on API 23 or above.

4.2.1. IT admins must be able to set the grant state (default, grant, or deny) of any permission requested by any work app built on API 23 or above. The EMM should enforce these settings via policy .

4.3. Wi-Fi configuration management

نسخه اندروید
Work profile
دستگاه کاملاً مدیریت شده
Dedicated device
6.0+

IT admins can silently provision enterprise Wi-Fi configurations on managed devices, including:

4.3.1. SSID, via policy .

4.3.2. Password, via policy .

4.4. Wi-Fi security management

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device
6.0+

IT admins can provision enterprise Wi-Fi configurations on devices that include the following advanced security features:

4.4.1. هویت

4.4.2. Certificates for client authorization

4.4.3. گواهینامه های CA

4.5. Advanced Wi-Fi management

نسخه اندروید
نمایه کاری
دستگاه کاملاً مدیریت شده
Dedicated device
6.0+

IT admins can lock down Wi-Fi configurations on managed devices, to prevent users from creating configurations or modifying corporate configurations.

4.5.1. IT admins can lock down corporate Wi-Fi configurations via policy in either of the following configurations:

 • Users cannot modify any Wi-Fi configurations provisioned by the EMM (go to wifiConfigsLockdownEnabled ), but may add and modify their own user-configurable networks (for instance personal networks).
 • Users cannot add or modify any Wi-Fi network on the device (go to wifiConfigDisabled ), limiting Wi-Fi connectivity to just those networks provisioned by the EMM.

4.6. مدیریت حساب

نسخه اندروید
نمایه کاری
Fully managed device
Dedicated device
5.0+

IT admins can ensure that only authorized corporate accounts can interact with corporate data, for services such as SaaS storage and productivity apps, or email. Without this feature, users can add personal accounts to those corporate apps that also support consumer accounts, enabling them to share corporate data with those personal accounts.

4.6.1. IT admins can prevent users from adding or modifying accounts (see modifyAccountsDisabled ).

 • When enforcing this policy on a device, EMMs must set this restriction before provisioning is complete, to ensure users cannot circumvent this policy by adding accounts before the policy is enacted.

4.7. Workspace account management

Android version
Work profile
دستگاه کاملاً مدیریت شده
Dedicated device
5.0+

The Android Management API doesn't support this feature.

4.8. مدیریت گواهی

Android version
Work profile
Fully managed device
Dedicated device
5.0+

Allows IT admins to deploy identity certificates and certificate authorities to devices to allow use of corporate resources.

4.8.1. IT admins can install user identity certs generated by their PKI on a per-user basis. The EMM's console must integrate with at least one PKI and distribute certificates generated from that infrastructure.

4.8.2. IT admins can install certificate authorities (see caCerts ) in the managed keystore. However, this subfeature is currently unsupported.

4.9. Advanced certificate management

Android version
Work profile
Fully managed device
Dedicated device
7.0+

Allows IT admins to silently select the certificates that specific managed apps should use. This feature also grants IT admins the ability to remove CAs and identity certs from active devices, and prevent users from modifying credentials stored in the managed keystore.

4.9.1. For any app distributed to devices, IT admins can specify a certificate the app will be silently granted access during runtime. (This subfeature is not currently supported)

 • Certificate selection must be generic enough to allow a single configuration that applies to all users, each of which may have a user-specific identity certificate.

4.9.2. IT admins can silently remove certificates from the managed keystore.

4.9.3. IT admins can silently uninstall a CA certificate. (This subfeature is not currently supported)

4.9.4. IT admins can prevent users from configuring credentials (go to credentialsConfigDisabled ) in the managed keystore.

4.9.5. IT admins can pre-grant certificates for work apps using ChoosePrivateKeyRule .

4.10. Delegated certificate management

Android version
Work profile
Fully managed device
Dedicated device
6.0+

IT admins can distribute a third-party certificate management app to devices and grant that app privileged access to install certificates into the managed keystore.

4.10.1. IT admins can specify a certificate management package (go to delegatedCertInstallerPackage ) to be set as the delegated certificate management app.

 • The EMM's may optionally suggest known certificate management packages, but must allow the IT admin to choose from the list of apps available for install, for applicable users.

4.11. Advanced VPN management

Android version
Work profile
Fully managed device
Dedicated device
7.0+

Allows IT admins to specify an Always On VPN to ensure that the data from specified managed apps will always go through a set-up Virtual Private Network (VPN). Note: this feature requires deploying a VPN client that supports both Always On and per-app VPN features.

4.11.1. IT admins can specify an arbitrary VPN package to be set as an Always On VPN.

 • The EMM's console may optionally suggest known VPN packages that support Always On VPN, but can't restrict the VPNs available for Always On configuration to any arbitrary list.

4.11.2. IT admins can use managed configurations to specify the VPN settings for an app.

4.12. IME management

Android version
Work profile
دستگاه کاملاً مدیریت شده
Dedicated device
5.0+

IT admins can manage what input methods (IMEs) can be set up for devices. Since the IME is shared across both work and personal profiles, blocking use of IMEs will prevent users from allowing those IMEs for personal use as well. IT admins may not, however, block use of system IMEs on work profiles (go to advanced IME management for more details).

4.12.1. IT admins can set up an IME allowlist (Go to permitted_input_methods ) of arbitrary length (including an empty list, which blocks non-system IMEs), which may contain any arbitrary IME packages.

 • The EMM's console may optionally suggest known or recommended IMEs to include in the allowlist, but must allow IT admins to choose from the list of apps available for install, for applicable users.

4.12.2. The EMM must inform IT admins that system IMEs are excluded from management on devices with work profiles.

4.13. Advanced IME management

Android version
Work profile
Fully managed device
Dedicated device
5.0+

IT admins can manage what input methods (IMEs) users can set up on a device. Advanced IME management extends the basic feature by allowing IT admins to manage the use of system IMEs as well, which device manufacturer or carrier of the device typically provide.

4.13.1. IT admins can set up an IME allowlist (go to permitted_input_methods ) of arbitrary length (excluding an empty list, which blocks all IMEs including system IMEs), which may contain any arbitrary IME packages.

 • The EMM's console may optionally suggest known or recommended IMEs to include in the allowlist, but must allow IT admins to choose from the list of apps available for install, for applicable users.

4.13.2. EMM must prevent IT admins from setting up an empty allowlist, as this setting will block all IMEs including system IMEs from being set up on the device.

4.13.3. EMM must ensure that if an IME allowlist does not contain system IMEs, the third-party IMEs are silently installed before the allowlist is applied on the device.

4.14. Accessibility services management

Android version
نمایه کاری
Fully managed device
Dedicated device
5.0+

IT admins can manage what accessibility services users can allow on devices. Accessibility services are powerful tools for users with disabilities or those that are temporarily unable to fully interact with a device. However, they may interact with corporate data in ways that are non-compliant with corporate policy. This feature allows IT admins to turn off any non-system accessibility service.

4.14.1. IT admins can set up an accessibility service allowlist (go to permittedAccessibilityServices ) of arbitrary length (including an empty list, which blocks non-system accessibility services), which may contain any arbitrary accessibility service package. When applied to a work profile, this affects both the personal profile and the work profile.

 • Console may optionally suggest known or recommended accessibility services to include in the allowlist, but must allow IT admin to choose from the list of apps available for install, for applicable users.

4.15. Location Sharing management

Android version
Work profile
Fully managed device
Dedicated device
5.0+

IT admins can prevent users from sharing location data with apps in the work profile. Otherwise, the location setting in the work profile is configurable in Settings.

4.15.1. IT admins can disable location services (go to shareLocationDisabled ) within the work profile.

4.16. Advanced Location Sharing management

Android version
Work profile
Fully managed device
Dedicated device
5.0+

IT admins can enforce a given Location Sharing setting on a managed device. This feature can ensure that corporate apps always have high accuracy location data. This feature can also ensure that extra battery is not consumed by restricting location settings to battery saving mode.

4.16.1. IT admins can set the device location services to each of the following modes:

 • دقت بالا.
 • Sensors only, for instance GPS, but not including network-provided location.
 • Battery saving, which limits the update frequency.
 • خاموش

4.17. Factory reset protection management

Android version
Work profile
Fully managed device
Dedicated device
5.1+

Allows IT admins to protect company-owned devices from theft by ensuring unauthorized users can't factory reset devices. If factory reset protection introduces operational complexities when devices are returned to IT, IT admins can turn off factory reset protection entirely.

4.17.1. IT admins can prevent users from factory resetting (go to factoryResetDisabled ) their device from Settings.

4.17.2. IT admins can specify corporate unlock account(s) authorized to provision devices (go to frpAdminEmails ) after a factory reset.

 • This account can be tied to an individual, or used by the entire enterprise to unlock devices.

4.17.3. IT admins can disable factory reset protection (go to0 factoryResetDisabled ) for specified devices.

4.17.4. IT admins can start a remote device wipe that optionally wipes reset protection data, thus removing factory reset protection on the reset device.

4.18. Advanced app control

Android version
Work profile
Fully managed device
Dedicated device
5.0+

IT admins can prevent the user from uninstalling or otherwise modifying managed apps through Settings. For instance, preventing force closing the app or clearing an app's data cache.

4.18.1. IT admins can block uninstall of any arbitrary managed apps, or all managed apps (go to uninstallAppsDisabled ).

4.18.2. IT admins can prevent users from modifying application data from Settings. (The Android Management API doesn't support this subfeature)

4.19. Screen capture management

Android version
Work profile
دستگاه کاملاً مدیریت شده
Dedicated device
5.0+

IT admins can block users from taking screenshots when using managed apps. This setting includes blocking screen sharing apps and similar apps (such as Google Assistant) that leverage the system screenshot capabilities.

4.19.1. IT admins can prevent users from capturing screenshots (go to screenCaptureDisabled ).

4.20. Disable cameras

Android version
Work profile
Fully managed device
Dedicated device
وابسته
8.0+
5.0+
5.0+

IT admins can turn off use of device cameras by managed apps.

4.20.1. IT admins can disable use of device cameras (go to cameraDisabled ) by managed apps.

4.21. Network statistics collection

Android version
Work profile
Fully managed device
Dedicated device
6.0+

The Android Management API doesn't currently support this feature.

4.22. Advanced network statistics collection

Android version
نمایه کاری
Fully managed device
Dedicated device
6.0+

The Android Management API doesn't currently support this feature.

4.23. دستگاه را مجددا راه اندازی کنید

Android version
Work profile
Fully managed device
Dedicated device
7.0+

IT admins can remotely restart managed devices.

4.23.1. IT admins can remotely reboot a managed device.

4.24. System radio management

Android version
Work profile
Fully managed device
Dedicated device
7.0+

Provides IT admins with granular management over system network radios and associated use policies via policy .

4.24.1. IT admins can turn off cell broadcasts sent by service providers (go to cellBroadcastsConfigDisabled ).

4.24.2. IT admins can prevent users from modifying mobile network settings in Settings (go to mobileNetworksConfigDisabled ).

4.24.3. IT admins can prevent users from resetting all network settings in Settings. (go to networkResetDisabled ).

4.24.4. IT admins can set up whether the device permits mobile data while roaming (go to dataRoamingDisabled ).

4.24.5. IT admins can set up whether the device can make outgoing phone calls, excluding emergency calls (go to outGoingCallsDisabled ).

4.24.6. IT admins can set up whether the device can send and receive text messages (go to smsDisabled ).

4.24.7. IT admins can prevent users from using their device as a portable hotspot by tethering (go to tetheringConfigDisabled ).

4.24.8. IT admins can set the Wi-Fi timeout to default, while plugged in, or never. (The Android Management API doesn't support this subfeature)

4.24.9. IT admins can prevent users from setting up or modifying existing Bluetooth connections (go to bluetoothConfigDisabled ).

4.25. System audio management

Android version
Work profile
Fully managed device
Dedicated device
5.0+

IT admins can silently control device audio features , including muting the device, preventing users from modifying volume settings, and preventing users from unmuting the device microphone.

4.25.1. IT admins can silently mute managed devices. (The Android Management API doesn't support this subfeature)

4.25.2. IT admins can prevent users from modifying device volume settings (go to adjustVolumeDisabled ). This also mutes the devices.

4.25.3. IT admins can prevent users from unmuting the device microphone (go to unmuteMicrophoneDisabled ).

4.26. System clock management

Android version
Work profile
Fully managed device
Dedicated device
وابسته
8.0+
5.0+
5.0+

IT admins can manage device clock and time zone settings, and prevent users from modifying automatic device settings.

4.26.1. IT admins can enforce system auto time and auto time zone , preventing the user from setting the date, time, and time zone of the device.

4.27. Advanced dedicated device features

Android version
Work profile
Fully managed device
Dedicated device
6.0+

For dedicated devices, IT admins can manage the following features via policy to support various kiosk use cases.

4.27.1. IT admins can turn off the device keyguard (go to keyguardDisabled ).

4.27.2. IT admins can turn off the device status bar, blocking notifications and quick settings (go to statusBarDisabled ).

4.27.3. IT admins can force the device screen to remain on while the device is plugged in (go to stayOnPluggedModes ).

4.27.4. IT admins can prevent the following system UIs from being displayed (go to createWindowsDisabled ):

 • نان تست
 • Application overlays.

4.27.5. IT admins can allow the system recommendation for apps to skip their user tutorial and other introductory hints on first start-up (go to skip_first_use_hints ).

4.28. Delegated scope management

Android version
Work profile
Fully managed device
Dedicated device
8.0+

IT admins are able to delegate extra privileges to individual packages.

4.28.1. IT admins can manage the following scopes :

 • Certificate installation and management
 • Managed configurations management
 • Network logging
 • Security logging

4.29. Enrollment-specific ID Support

Android version
Work profile
Fully managed device
Dedicated device
12.0+

Starting in Android 12, work profiles will no longer have access to hardware-specific identifiers. IT admins can follow the lifecycle of a device with a work profile through the enrollment-specific ID, which will persist through factory resets

4.29.1. IT admins can obtain an enrollment-specific ID

4.29.2. This enrollment-specific ID must persist through a factory reset


5. Device usability

5.1. Managed provisioning customization

Android version
Work profile
Fully managed device
Dedicated device
7.0+

IT admins can modify the default setup flow UX to include enterprise-specific features. Optionally, IT admins can display EMM-provided branding during provisioning.

5.1.1. IT admins can customize the provisioning process by specifying enterprise-specific Terms of Service and other disclaimers (go to termsAndConditions ).

5.1.2. IT admins can deploy non-configurable, EMM-specific Terms of Service and other disclaimers (go to termsAndConditions ).

 • EMMs may set their non-configurable, EMM-specific customization as the default for deployments, but must allow IT admins to set up their own customization.

5.1.3 primaryColor has been deprecated for the enterprise resource on Android 10 and above.

5.2. Enterprise customization

Android version
Work profile
Fully managed device
Dedicated device
7.0+

The Android Management API doesn't support this feature.

5.3. Advanced enterprise customization

Android version
Work profile
Fully managed device
Dedicated device
7.0+

The Android Management API doesn't support this feature.

5.4. Lock screen messages

Android version
Work profile
Fully managed device
Dedicated device
7.0+

IT admins can set a custom message that's always displayed on the device lock screen, and does not require device unlock to be viewed.

5.4.1. IT admins can set a custom lock screen message (go to deviceOwnerLockScreenInfo ).

5.5. Policy transparency management

Android version
Work profile
Fully managed device
Dedicated device
مامان
7.0+

IT admins can customize the help text provided to users when they attempt to modify managed settings on their device, or deploy an EMM-supplied generic support message. Both short and long support messages can be customized, and are displayed in instances such as attempting to uninstall a managed app for which an IT admin has already blocked uninstallation.

5.5.1. IT admins can customize short and long user-facing support messages .

5.5.2. IT admins can deploy non-configurable, EMM-specific, short and long support messages (go to shortSupportMessage and longSupportMessage in policies ).

 • EMM may set their non-configurable, EMM-specific support messages as the default for deployments, but must allow IT admins to set up their own messages.

5.6. Cross-profile contact management

Android version
Work profile
Fully managed device
Dedicated device
7.0+

5.6.1. IT admins can disable displaying work contacts in personal profile contact searches and incoming calls .

5.6.2. IT admins can disable bluetooth contact sharing of work contacts, for instance hands-free calling in cars or headsets.

5.7. Cross-profile data management

Android version
نمایه کاری
Fully managed device
Dedicated device
7.0+

Allows IT admins to manage the types of data that can be shared between the work and personal profiles, allowing admins to balance usability and data security according to their requirements.

5.7.1. IT admins can configure cross-profile data sharing policy so that personal apps can resolve intents from the work profile, such as sharing intents or web links.

5.7.2. IT admins can allow applications from the work profile to create and display widgets on the home screen of the personal profile. This functionality is turned off by default, but can be set to allowed using workProfileWidgets and workProfileWidgetsDefault fields.

5.7.3. IT admins can control the ability to copy/paste between the work and personal profiles .

5.8. System update policy

Android version
Work profile
Fully managed device
Dedicated device
6.0+

IT admins can set up and apply over-the-air (OTA) system updates devices.

5.8.1. The EMM's console allows IT admins to set the following OTA configurations:

 • Automatic: Devices install OTA updates when they become available.
 • Postpone: IT admins must be able to postpone OTA update for up to 30 days. This policy does not affect security updates (eg monthly security patches).
 • Windowed: IT admins must be able to schedule OTA updates within a daily maintenance window.

5.8.2. OTA configurations are applied to devices via policy .

5.9. Lock task mode management

Android version
Work profile
Fully managed device
Dedicated device
6.0+

IT admins can lock an app or set of apps to the screen, and ensure that users can't exit the app.

5.9.1. The EMM's console allows IT admins to silently allow an arbitrary set of apps to install and lock to a device. Policy allows setting up dedicated devices.

5.10. Persistent preferred activity management

Android version
Work profile
Fully managed device
Dedicated device
5.0+

Allows IT admins to set an app as the default intent handler for intents that match a certain intent filter. For example, this feature would allow IT admins to choose which browser app automatically opens web links. This feature can manage which launcher app is used when tapping the home button.

5.10.1. IT admins can set any package as the default intent handler for any arbitrary intent filter.

 • The EMM's console may optionally suggest known or recommended intents for configuration, but cannot restrict intents to any arbitrary list.
 • The EMM's console must allow IT admins to choose from the list of apps that are available to install for applicable users.

5.11. Keyguard feature management

Android version
Work profile
Fully managed device
Dedicated device
7.0+

IT admins can manage the features available to users before unlocking the device keyguard (lock screen) and the work challenge keyguard (lock screen).

5.11.1. Policy can turn off the following device keyguard features:

 • trust agents
 • باز کردن قفل اثر انگشت
 • unredacted notifications

5.11.2. The following keyguard features of the work profile can be turned off via policy :

 • trust agents
 • باز کردن قفل اثر انگشت

5.12. Advanced keyguard feature management

Android version
Work profile
Fully managed device
Dedicated device
5.0+
IT admins can manage advanced device keyguard (lock screen) features on company-owned devices. 5.12.1. IT admins can turn off the following device keyguard features via policy :
 • Secure camera
 • All notifications
 • Unredacted
 • Trust agents
 • Fingerprint unlock
 • All keyguard features

5.13. Remote debugging

The Android Management API doesn't currently support this feature.

5.14. MAC address retrieval

Android version
Work profile
Fully managed device
Dedicated device
7.0+

EMMs can silently fetch a device's MAC address, to be used to identify devices in other parts of the enterprise infrastructure (for example when identifying devices for network access control).

5.14.1. The EMM can silently retrieve a device's MAC address and can associate it with the device in the EMM's console.

5.15. Advanced lock task mode management

Android version
Work profile
Fully managed device
Dedicated device
9.0+

With a dedicated device, IT admins can use the EMM's console to perform the following tasks:

5.15.1. Silently allow a single app to install and lock to a device .

5.15.2. Turn on or off the following System UI features:

5.15.3. Turn off System error dialogs .

5.16. Advanced system update policy

Android version
Work profile
Fully managed device
Dedicated device
9.0+

IT admins can set a specified freeze period for blocking system updates on a device.

5.16.1. The EMM's console must allow IT admins to block over-the-air (OTA) system updates for a specified freeze period .

5.17. Work profile policy transparency management

Android version
Work profile
Fully managed device
Dedicated device
9.0+

IT admins can customize the message displayed to users when removing the work profile from a device.

5.17.1. IT admins can provide custom text to display (go to wipeReasonMessage ) when a work profile is wiped.

5.18. Connected app support

Android version
Work profile
Fully managed device
Dedicated device
11.0+

IT admins can set a list of packages that can communicate across the work profile boundary by setting ConnectedWorkAndPersonalApp .

5.19. Manual system update

Android version
Work profile
Fully managed device
Dedicated device
11.0+

The Android Management API doesn't support this feature.

6. Device Admin Deprecation

6. Device Admin Deprecation

Android version
Work profile
Fully managed device
Dedicated device
مامان
5.0+

EMMs are required to post a plan by the end of 2022 ending customer support for Device Admin on GMS devices by the end of Q1 2023.