Provisioning for Device Management

This page describes the process for deploying devices to corporate users using NFC or cloud services (for a complete list of requirements, see Implementing Device Management).

To get started, download the NfcProvisioning APK and Android-DeviceOwner APK.

Caution: If provisioning has already started, affected devices must be factory reset first.

Managed provisioning

Managed provisioning is a framework UI flow that ensures users are adequately informed of the implications of setting a device owner or managed profile. It is designed to act as a setup wizard for managed profiles.

Note: The device owner can be set only from an unprovisioned device. If Settings.Secure.USER_SETUP_COMPLETE has ever been set, the device is considered provisioned and the device owner cannot be set.

Devices that enable default encryption offer a considerably simpler and quicker device management provisioning flow. The managed provisioning component:

  • Encrypts the device
  • Creates the managed profile
  • Disables non-required applications
  • Sets the enterprise mobility management (EMM) app as profile owner

In turn, the EMM app:

  • Adds user accounts
  • Enforces device compliance
  • Enables any additional system applications

In this flow, managed provisioning triggers device encryption. The framework copies the EMM app into the managed profile as part of managed provisioning. The instance of the EMM app inside of the managed profile gets a callback from the framework when provisioning is done. The EMM can then add accounts and enforce policies; it then calls setProfileEnabled(), which makes the launcher icons visible.
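The callback step described above, as an added example (not code from the original page or from AOSP): a DPC receiver that applies policy inside the new managed profile before calling setProfileEnabled(), so launcher icons only appear once the lockdowns are in place. The class name ExampleDpcReceiver, the chosen policies and their values, and the profile name are assumptions for illustration.

```java
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.UserManager;

/** Hypothetical DPC receiver; name and policy values are illustrative assumptions. */
public class ExampleDpcReceiver extends DeviceAdminReceiver {

    @Override
    public void onProfileProvisioningComplete(Context context, Intent intent) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = getWho(context);

        // The framework delivers this callback to the DPC copy that lives inside
        // the managed profile. Do nothing if this instance is not the profile owner.
        if (!dpm.isProfileOwnerApp(context.getPackageName())) {
            return;
        }

        // Enforce compliance first, while the profile is still disabled.
        // (setPasswordQuality is deprecated from API 31 in favour of
        // setRequiredPasswordComplexity; it is used here for older releases.)
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_COMPLEX);
        dpm.setPasswordMinimumLength(admin, 8);   // assumed value

        // Lockdowns: block screenshots and copy/paste out of the managed profile.
        dpm.setScreenCaptureDisabled(admin, true);
        dpm.addUserRestriction(admin, UserManager.DISALLOW_CROSS_PROFILE_COPY_PASTE);

        // Only now make the profile usable; this is what makes the badged
        // launcher icons visible to the user.
        dpm.setProfileName(admin, "My Organisation");
        dpm.setProfileEnabled(admin);
    }
}
```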

Profile owner provisioning

Profile owner provisioning enables the user to have both a work profile (managed profile) and a personal profile on a device. To enable profile owner provisioning, you must send an intent with appropriate extras. For an example, install the TestDPC app (download from Google Play or build from GitHub) on the device, launch the app from the launcher, then follow the app instructions. Provisioning is complete when badged icons appear in the launcher drawer.

Mobile Device Management (MDM) apps trigger the creation of the managed profile by sending an intent with the DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE action. The following command is a sample intent that triggers the creation of the managed profile and sets the DeviceAdminSample as the profile owner:

adb shell am start \
  -a android.app.action.PROVISION_MANAGED_PROFILE \
  -c android.intent.category.DEFAULT \
  -e wifiSsid $(printf '%q' \"WifiSSID\") \
  -e deviceAdminPackage "" \
  -e $(printf '%q'.DeviceAdminSample\$DeviceAdminSampleReceiver) \
  -e "My Organisation"

Device owner provisioning

Use one of the following methods to set up device owner (DO) provisioning.

Provisioning using cloud services

Device owner provisioning using cloud services is another method through which a device can be provisioned in device owner mode during out-of-box setup. The device can collect credentials (or tokens) and use them to perform a lookup to a cloud service, which can then be used to initiate the device owner provisioning process.

Provisioning using NFC

DO provisioning using NFC is similar to other device owner provisioning methods (such as provisioning using cloud services or a QR code) but requires more bootstrapping. To use this method, NFC bump the device during the initial setup step (first page of the setup wizard). This low-touch flow configures Wi-Fi, installs the DPC, and sets the DPC as device owner.

A typical NFC bundle includes the following:


Devices must have NFC configured to accept the managed provisioning mimetype from the setup experience. To configure, ensure /packages/apps/Nfc/res/values/provisioning.xml contains the following lines:

<bool name="enable_nfc_provisioning">true</bool>

EMM benefits

An enterprise mobility management (EMM) app can help by conducting the following tasks:

  • Provision managed profile
  • Apply security policies
    • Set password complexity
    • Lockdowns: disable screenshots, sharing from managed profile, etc.
  • Configure enterprise connectivity
    • Use WifiEnterpriseConfig to configure corporate Wi-Fi
    • Configure VPN on the device
    • Use DPM.setApplicationRestrictions() to configure corporate VPN
  • Enable corporate app Single Sign-On (SSO)
    • Install desired corporate apps
    • Use DPM.installKeyPair() to silently install corp client certs
    • Use DPM.setApplicationRestrictions() to configure hostnames, cert aliases of corporate apps

Managed provisioning is just one part of the EMM end-to-end workflow, with the end goal of making corporate data accessible to apps in the managed profile. For testing guidance, see Setting up Device Testing.

Automated provisioning testing

To automate the testing of enterprise provisioning processes, use the Android Enterprise Test Harness. For details, see Testing Device Provisioning.