Dedicated device

The dedicated device solution set is designed for company-owned devices that fulfill a single use case such as digital signage, ticket printing, or inventory management. This solution set allows IT admins to further lock down the usage of a device to a single app or small set of apps. IT admins can prevent other apps from starting and prevent other actions performed on the device.

Feature list

required optional advanced not supported


1. Device provisioning
1.2. DPC identifier device provisioning Android 6.0+
You can provision a fully managed device using a DPC identifier ("afw#").
1.3. NFC device provisioning Android 6.0+
IT admins can "bump" new or factory-reset devices with the EMMs NFC provisioning app to provision a device.
1.4. QR code device provisioning Android 7.0+
IT admins can use a new or factory-reset device to scan a QR code generated by the EMM's console to provision the device.
1.5. Zero-touch enrollment Android 8.0+ (Pixel: Android 7.1+)
IT admins can preconfigure devices purchased from authorized resellers and manage them using your EMM console.
1.6. Advanced zero-touch provisioning Android 8.0+ (Pixel: Android 7.1+)
IT admins can automate much of the device enrollment process by deploying DPC registration details through zero-touch enrollment.
1.9. Direct zero-touch configuration Android 7.0+
IT admins can use the EMM's console to set up zero-touch devices using the zero-touch iframe.
1.11. Dedicated device provisioning Android 8.0+
EMMs can enroll dedicated devices without the user being prompted to authenticate with a Google Account.

2. Device security
2.1. Device security challenge Android 5.0+
IT admins can set and enforce a device security challenge (such as PIN/pattern/password) of a certain type and complexity on managed devices.
2.3. Advanced passcode management Android 5.0+
IT admins can set up advanced password settings on devices.
2.4. Smart Lock management Android 6.0+
IT admins can manage what trust agents in Android's Smart Lock feature are permitted to unlock devices.
2.5. Wipe and lock Android 5.0+
IT admins can use the EMM's console to remotely lock and wipe work data from a managed device.
2.6. Compliance enforcement Android 5.0+
The EMM restricts access to work data and apps on devices that aren't in compliance with security policies.
2.7. Default security policies Android 5.0+
EMMs must enforce the specified security policies on devices by default, without requiring IT admins to set up or customize any settings in the EMM's console.
2.8. Security policies for dedicated devices Android 6.0+
Users cannot escape a locked down dedicated device to allow other actions.
2.9. SafetyNet support N/A
The EMM uses the SafetyNet Attestation API to ensure devices are valid Android devices.
2.10. Verify Apps enforcement Android 5.0+
IT admins can turn on Verify Apps on devices.
2.11. Direct Boot support Android 7.0+
Direct Boot support ensures that the EMM's DPC is active and able to enforce policy, even if an Android 7.0+ device has not been unlocked.
2.12. Hardware security management Android 5.1+
IT admins can lock down hardware elements of a device to ensure data-loss prevention.
2.13. Enterprise security logging Android 7.0+
IT admins can gather usage data from devices that can be parsed and programmatically evaluated for malicious or risky behavior.

3. Account and app management
3.1. Enterprise binding N/A
IT admins can bind the EMM to their organization, allowing the EMM to use managed Google Play to distribute apps to devices.
3.3. Managed Google Play device account provisioning Android 5.0+
The EMM can create and provision managed Google Play device accounts.
3.5. Silent app distribution N/A
IT admins can silently distribute work apps to devices without any user interaction.
3.6. Managed configuration management Android 5.0+
IT admins can view and silently set managed configurations for any app that supports managed configurations.
3.7. App catalog management N/A
IT admins can import a list of the apps approved for their enterprise from managed Google Play (play.google.com/work).
3.8. Programmatic app approval N/A
The EMM's console uses the managed Google Play iframe to support Google Play's app discovery and approval capabilities
3.11. App license management N/A
IT admins can view and manage app licenses purchased in the managed Google Play from the EMM's console.
3.12. Google-hosted private app management N/A
IT admins can update Google-hosted private apps through the EMM console instead of through the Google Play Console.
3.13. Self-hosted private app management N/A
IT admins can set up and publish self-hosted private apps.
3.14. EMM pull notifications N/A
This requirement is not applicable to the Android Management API.
3.15. API usage requirements N/A
The EMM implements Google's APIs at scale, avoiding traffic patterns that could negatively impact enterprises' ability to manage apps in production environments.
3.16. Advanced managed configuration management Android 5.0+
The EMM supports managed configurations with up to four levels of nested settings and can retrieve and display any feedback sent from a Play app.
3.17. Web app management N/A
IT admins can create and distribute web apps in the EMM console.
3.18. Managed Google Play Account lifecycle management Android 5.0+
The EMM can create, update, and delete managed Google Play Accounts on behalf of IT admins.
3.19. Application track management Android 5.0+
IT Admins can set up a set of development tracks for particular applications.
3.20. Advanced application update management Android 5.0+
IT Admins can allow apps to be updated immediately or postpone them from being updated for 90 days.

4. Device management
4.1. Runtime permission policy management Android 6.0+
IT admins can silently set a default response to runtime permission requests made by work apps.
4.2. Runtime permission grant state management Android 6.0+
After setting a default runtime permission policy, IT admins can silently set responses for specific permissions from any work app built on API 23 or higher.
4.3. Wi-Fi configuration management Android 6.0+
IT admins can silently provision enterprise Wi-Fi configurations on managed devices.
4.4. Wi-Fi security management Android 6.0+
IT admins can provision enterprise Wi-Fi configurations on managed devices.
4.5. Advanced Wi-Fi management Android 6.0+
IT admins can lock down Wi-Fi configurations on managed devices, to prevent users from creating new configurations or modifying corporate configurations.
4.6. Account management Android 5.0+
IT admins can ensure that unauthorized corporate accounts can't interact with corporate data for services such as SaaS storage and productivity apps, or email.
4.8. Certificate management Android 5.0+
Allows IT admins to deploy identity certificates and certificate authorities to devices to allow access to corporate resources.
4.9. Advanced certificate management Android 7.0+
Allows IT admins to silently select the certificates that specific managed apps should use.
4.10. Delegated certificate management Android 6.0+
IT admins can distribute a third-party certificate management app to devices and grant that app privileged access to install certificates into the managed keystore.
4.11. Advanced VPN management Android 7.0+
Allows IT admins to specify an Always On VPN to ensure that data from specified managed apps will go through a set-up VPN.
4.13. Advanced IME management Android 5.0+
IT admins can manage what accessibility services are allowed on devices.
4.14. Accessibility services management Android 5.0+
IT admins can manage what accessibility services are allowed on devices.
4.16. Advanced Location Sharing management Android 5.0+
IT admins can enforce a given Location Sharing setting on a managed device.
4.17. Factory reset protection management Android 5.1+
Allows IT admins to protect company-owned devices from theft by ensuring unauthorized individuals can't factory reset devices.
4.18. Advanced app control Android 5.0+
IT admins can prevent the user from uninstalling or otherwise modifying managed apps through Settings.
4.19. Screen capture management Android 5.0+
IT admins can block users from taking screenshots when using managed apps.
4.20. Disable cameras Android 5.0+
IT admins can turn off use of device cameras by managed apps.
4.22. Advanced network statistics collection Android 6.0+
IT admins can query network usage statistics for an entire managed device.
4.23. Reboot device Android 7.0+
IT admins can remotely restart managed devices.
4.24. System radio management Android 7.0+
Gives IT admins granular management of system network radios and associated usage policies.
4.25. System audio management Android 5.0+
IT admins can silently manage device audio features.
4.26. System clock management Android 5.0+
IT admins can manage device clock and time zone settings, and prevent modifying automatic device settings.
4.27. Advanced dedicated device features Android 6.0+
Provides IT admins with the ability to manage more granular features of dedicated devices to support various kiosk use cases.
4.28. Delegated scope management Android 8.0+
IT admins are able to delegate extra privileges to individual packages.

5. Device usability
5.1. Managed provisioning customization Android 7.0+
IT admins can modify the default managed provisioning flow UX to include enterprise-specific features.
5.4. Lock screen messages Android 7.0+
IT admins can set a custom message that's displayed on the device lock screen, and does not require device unlock to be viewed.
5.5. Policy transparency management Android 7.0+
IT admins can customize the help text provided to users when they attempt to modify managed settings on their device, or deploy an EMM-supplied generic support message.
5.8. System update policy Android 6.0+
IT admins can set up and apply over-the-air (OTA) system updates for devices.
5.9. Lock task mode management Android 6.0+
IT admins can lock an app or set of apps to the screen, and ensure that the app can't be exited.
5.10. Persistent preferred activity management Android 5.0+
Allows IT admins to set an app as the default intent handler for intents that match a certain intent filter.
5.12. Advanced keyguard feature management Android 5.0+
IT admins can manage advanced device keyguard (lock screen) features.
5.13. Remote debugging Android 7.0+
IT admins can retrieve debugging resources from devices without requiring extra steps.
5.14. MAC address retrieval Android 7.0+
EMMs can silently fetch a device's MAC address, to be used to identify devices in other parts of the enterprise infrastructure.
5.15. Advanced lock task mode management Android 9.0+
With a dedicated device, IT admins can use the EMM's console to turn on and turn off the home button, notifications, and other features.
5.16. Advanced system update policy Android 9.0+
IT admins can block system updates on a device for a specified freeze period.
5.19. Manual system update Android 11.0+
The Android Management API doesn't support this feature.

6. Device admin deprecation
6.1. Device admin deprecation Android 5.0+
EMMs are required to post a plan by the end of 2022 ending customer support for Device Admin on GMS devices by the end of Q1 2023.

7. API usage
7.1. Standard policy controller for new bindings Android 5.0+
By default devices must be managed using Android Device Policy for any new bindings. EMMs may provide the option to manage devices using a custom DPC in a settings area under a heading 'Advanced' or similar terminology. New customers must not be exposed to an arbitrary choice between technology stacks during any onboarding or setup workflows.
7.2. Standard policy controller for new devices Android 5.0+
By default devices must be managed using Android Device Policy for all new device enrollments, for both existing and new bindings. EMMs may provide the option to manage devices using a custom DPC in a settings area under a heading 'Advanced' or similar terminology.