Provisioning for Device Management

IT admins can deploy devices to corporate users using cloud services, QR code, or Near Field Communication (NFC) provisioning. To get started, download the NfcProvisioning APK and the Android-DeviceOwner APK. For a complete list of requirements, see Implementing Device Management.

Android 12 updates

  • ACTION_PROVISION_MANAGED_DEVICE is deprecated.

  • ACTION_PROVISION_MANAGED_PROFILE is supported only for DPC-first work profile provisioning, in which end users can provision a work profile after downloading the DPC.

  • DPC developers that want to support QR code or other provisioning methods must implement handlers for the DevicePolicyManager#ACTION_GET_PROVISIONING_MODE and DevicePolicyManager#ACTION_ADMIN_POLICY_COMPLIANCE intent actions. If the DPC doesn't implement these handlers, provisioning will fail.

  • The intent delivered to the DPC's ACTION_GET_PROVISIONING_MODE handler includes a new EXTRA_PROVISIONING_ALLOWED_PROVISIONING_MODES extra. The DPC must set the EXTRA_PROVISIONING_MODE extra in its result intent to a value that belongs to that list. If the DPC returns a value that isn't on that list, provisioning will fail.

  • To further increase the stability, maintainability, and simplicity of flows that happen during the setup wizard, DPC setup can't be started after the end of the setup wizard. DPCs that use the android.intent.category.PROVISIONING_FINALIZATION category with the ADMIN_POLICY_COMPLIANCE intent action to explicitly request being set up prior to the end of the setup wizard can remove that category, as this is now done by default.
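A sketch of the ACTION_GET_PROVISIONING_MODE handler described in the list above, as an added example that is not code from the original page or from a real DPC. The class name, the preference order, and the treatment of a missing allowed-modes extra are assumptions.

```java
import android.app.Activity;
import android.app.admin.DevicePolicyManager;
import android.content.Intent;
import android.os.Bundle;
import java.util.List;

// Added example: GetProvisioningModeActivity and PREFERRED_MODES are hypothetical names.
// Register the activity in the DPC manifest with an intent filter for
// android.app.action.GET_PROVISIONING_MODE.
public class GetProvisioningModeActivity extends Activity {
    // Assumed DPC preference order: fully managed first, then work profile.
    private static final int[] PREFERRED_MODES = {
        DevicePolicyManager.PROVISIONING_MODE_FULLY_MANAGED_DEVICE,
        DevicePolicyManager.PROVISIONING_MODE_MANAGED_PROFILE,
    };
    private static final int NO_MODE = -1;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent request = getIntent();
        if (!DevicePolicyManager.ACTION_GET_PROVISIONING_MODE.equals(request.getAction())) {
            cancel();
            return;
        }
        // Null when the platform did not send the extra (assumed: before Android 12).
        List<Integer> allowed = request.getIntegerArrayListExtra(
                DevicePolicyManager.EXTRA_PROVISIONING_ALLOWED_PROVISIONING_MODES);
        int mode = chooseMode(allowed);
        if (mode == NO_MODE) {
            cancel();
            return;
        }
        setResult(RESULT_OK,
                new Intent().putExtra(DevicePolicyManager.EXTRA_PROVISIONING_MODE, mode));
        finish();
    }

    // Returns the first preferred mode the platform allows, or NO_MODE.
    static int chooseMode(List<Integer> allowed) {
        for (int mode : PREFERRED_MODES) {
            if (allowed == null || allowed.contains(mode)) {
                return mode;
            }
        }
        return NO_MODE;
    }

    private void cancel() {
        setResult(RESULT_CANCELED);
        finish();
    }
}
```

Returning RESULT_CANCELED when no preferred mode is allowed makes the mismatch explicit instead of handing back a mode outside the list, which the page says fails provisioning anyway.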

Managed provisioning

Managed provisioning is a framework UI flow that ensures users are adequately informed of the implications of setting a device owner or managed profile. Devices that enable default encryption offer a considerably simpler and quicker device management provisioning flow.

During managed provisioning, the managed provisioning component performs the following activities:

  • Encrypts the device.
  • Creates the managed profile.
  • Disables non-required apps.
  • Sets the enterprise mobility management (EMM) app as profile or device owner.

In turn, the enterprise mobility management (EMM) app performs the following activities:

  • Adds user accounts.
  • Enforces device compliance.
  • Enables any additional system apps.

During managed provisioning, the framework copies the EMM app into the managed profile. After provisioning completes, the EMM app's ADMIN_POLICY_COMPLIANCE intent handler is called in the work profile user (for work profile provisioning) or in the device owner user (for device owner provisioning). The EMM then adds accounts and enforces policies, after which it calls setProfileEnabled() to make the launcher icons visible.

Profile owner provisioning

Profile owner provisioning enables the user to have both a work profile (managed profile) and a personal profile on a device. To enable profile owner provisioning, you must send an intent with appropriate extras. For an example, install the TestDPC app (download from Google Play or build from GitHub) on the device, launch the app from the launcher, then follow the app instructions. Provisioning is complete when badged icons appear in the launcher drawer.

The EMM DPC app triggers the creation of the managed profile by sending an intent with the DevicePolicyManager.ACTION_PROVISION_MANAGED_PROFILE action. The following command is a sample intent that triggers the creation of the managed profile and sets the DeviceAdminSample as the profile owner:

adb shell am start \
  -a android.app.action.PROVISION_MANAGED_PROFILE \
  -c android.intent.category.DEFAULT \
  -e wifiSsid $(printf '%q' \"WifiSSID\") \
  -e deviceAdminPackage "com.google.android.deviceadminsample" \
  -e android.app.extra.deviceAdminPackageName $(printf '%q' .DeviceAdminSample\$DeviceAdminSampleReceiver) \
  -e android.app.extra.DEFAULT_MANAGED_PROFILE_NAME "My Organisation"

Device owner provisioning with NFC

You can use NFC or cloud services to set up device owner (DO) provisioning during the out-of-box setup process for a device.

When using NFC, you provision devices in DO mode using an NFC bump during the initial device setup step. This method requires more bootstrapping, but is low-touch and handles configuring Wi-Fi, installing the DPC, and setting the DPC as device owner.

A typical NFC bundle includes the following:

EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_LOCATION
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
EXTRA_PROVISIONING_WIFI_SSID
EXTRA_PROVISIONING_WIFI_SECURITY_TYPE

Devices must have NFC configured to accept the managed provisioning mimetype from the setup experience. To configure, ensure /packages/apps/Nfc/res/values/provisioning.xml contains the following lines:

<bool name="enable_nfc_provisioning">true</bool>
<item>application/com.android.managedprovisioning</item>

Provisioning using cloud services

You can provision devices with a device owner or profile owner (work profile) using cloud services. The device collects and uses credentials (or tokens) to perform a lookup to a cloud service, which can then be used to initiate the provisioning process.

Enterprise mobility management benefits

An enterprise mobility management (EMM) app can help by conducting the following tasks:

  • Provisioning managed profile.
  • Applying security policies.
    • Set password complexity.
    • Lockdowns: disable screenshots, sharing from managed profile, etc.
  • Configuring enterprise connectivity.
    • Use WifiEnterpriseConfig to configure corporate Wi-Fi.
    • Configure VPN on the device.
    • Use DPM.setApplicationRestrictions() to configure corporate VPN.
  • Enabling corporate app Single Sign-On (SSO).
    • Install desired corporate apps.
    • Use DPM.installKeyPair() to silently install corp client certs.
    • Use DPM.setApplicationRestrictions() to configure hostnames and cert aliases of corporate apps.

Managed provisioning is just one part of the EMM end-to-end workflow, with the end goal of making corporate data accessible to apps in the managed profile or managed device. For testing guidance, see Setting up Device Testing.