Device management overview

Devices running Android 5.0 or higher support device management modes, enabling enterprise IT admins to set device policies on enrolled managed devices. The device policies available to a device management app might depend on the type of management mode used for enrollment. While a few device management APIs (see DevicePolicyManager for a full set of API elements) might have applications beyond enterprise use, most are designed for use in corporate environments to be deployed with Android Enterprise solutions.

How Android Enterprise works

Android Enterprise uses the device policy controller (DPC) app to enforce device management policies. An enterprise mobility management (EMM) solutions provider supplies customers with device management solutions, which typically include an on-device device policy app (DPC app) and a cloud-based EMM console. Enterprise customers can enroll devices and apply management policies to the devices they enrolled using the EMM console.

A DPC app can run in profile owner mode on personal and corporate-owned devices, or in device owner mode on corporate-owned devices.

Android Enterprise device management modes

Android Enterprise uses these device management modes:

  • Fully managed device (also referred to as device owner mode): A DPC app is set as a device owner during setup and it manages an entire device. This type of device management can be used only on organization-owned (company-owned) devices that are used for work.

  • Work profile (also referred to as managed profile mode): A DPC app is set as a profile owner and it manages only the work profile on a device, which can also have a personal profile. This type of device management can be used on a personal device or an organization-owned device.

Fully managed device provisioning (device owner provisioning)

Android comes with a broad set of management features that allow organizations to configure devices for everything from corporate employee use, to factory or industrial environments, to customer-facing signage and kiosk purposes. With device owner provisioning (fully managed devices), organizations can enforce Android's full range of management policies, including device-level policies that are unavailable to work profiles.

A fully managed device:

  • Contains only work apps and data.
  • Is visible to the organization.
  • Is managed by the organization.

Device owner provisioning can be performed only during the out-of-box setup (or on a factory-reset device) and should be provisioned only on devices that are owned by an enterprise. This is typically achieved by verifying unique device identifiers (such as an IMEI or a serial number), or by using a dedicated set of corporate accounts that are authorized for device enrollment. After device owner provisioning completes successfully, the DPC app is set as the device owner app.
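
The identifier check described above could look like the following on the EMM server side. This is an added example, not code from Android or from any EMM product: the inventory values, the function names, and the fallback to a work profile for unlisted devices are assumptions made for illustration.

```python
from typing import Optional

# Constructed sample inventory of organization-owned devices (not real assets).
CORPORATE_IMEIS = {"490154203237518"}
CORPORATE_SERIALS = {"R58M123ABCD"}


def normalize_imei(raw: str) -> Optional[str]:
    """Return the 15-digit IMEI if its Luhn check digit is valid, else None."""
    cleaned = raw.replace("-", "").replace(" ", "")
    if len(cleaned) != 15 or not (cleaned.isascii() and cleaned.isdigit()):
        return None
    total = 0
    for index, ch in enumerate(cleaned):
        value = int(ch)
        if index % 2 == 1:  # Luhn: every second digit is doubled
            value = value * 2 - 9 if value > 4 else value * 2
        total += value
    return cleaned if total % 10 == 0 else None


def allowed_mode(imei: Optional[str] = None, serial: Optional[str] = None) -> str:
    """Return the strongest management mode the device may be enrolled in.

    Every identifier that is supplied must match the inventory; a malformed
    or unknown value next to a valid one is treated as a failed check.
    """
    checks = []
    if imei is not None:
        checks.append(normalize_imei(imei) in CORPORATE_IMEIS)
    if serial is not None:
        checks.append(serial.strip().upper() in CORPORATE_SERIALS)
    if checks and all(checks):
        return "device_owner"  # fully managed device
    return "work_profile"      # assumed fallback: the org permits BYOD work profiles


if __name__ == "__main__":
    print(allowed_mode(imei="49-015420-323751-8"))
    print(allowed_mode(imei="490154203237519", serial="R58M123ABCD"))
```

Requiring every supplied identifier to match means a request that pairs a listed serial number with a corrupted or unknown IMEI is not granted device owner enrollment.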

Fully managed devices are particularly well suited for dedicated device use cases where a device is typically locked to a single app or set of apps, such as check-in kiosks or digital signage. Android supports several device owner enrollment methods such as QR code-based enrollment, NFC-based enrollment, corporate accounts, or cloud-based enrollment. EMM solutions developers can refer to Key provisioning differences across Android versions for details.

Work profile provisioning (profile owner provisioning)

Profile owner provisioning enables the user to have both a work profile (managed profile) and a personal profile on a device. This type of device management can be used on an organization-owned device or a personal device. Profile owner provisioning can be performed during the out-of-box setup (used for organization-owned devices) or initiated after out-of-box setup on a device with a primary profile (bring-your-own-device type enrollment), depending on the type of device and enrollment method supported by the organization. In devices provisioned with a work profile, the DPC has control only over the work profile (work apps and data) and not the personal profile. Device policies are enforced only on the work profile with some exceptions, such as enforcing the lock screen, which is applicable across the device.

During profile owner provisioning, the framework copies the DPC app into the managed profile and calls the ADMIN_POLICY_COMPLIANCE intent handler on the work profile user. When work profile provisioning is complete, work-badged app icons appear in the launcher. After profile owner provisioning completes successfully, the DPC app is set as the profile owner app. Android supports various work profile enrollment methods such as QR code-based enrollment, NFC-based enrollment, accounts, or cloud-based enrollment. EMM solutions developers can refer to Key provisioning differences across Android versions for details.

Resources