The fully managed device solution set is intended for company-owned devices. Fully managed features give IT admins management of an extended range of device settings and extra policy controls not available in the work profile on personally owned devices.
1. Device provisioning |
|||
1.2. DPC identifier device provisioning | Android 6.0+ | You can provision a fully managed device using a DPC identifier ("afw#"). | |
1.3. NFC device provisioning | Android 6.0+ | IT admins can "bump" new or factory-reset devices with the EMM's NFC provisioning app to provision a device. | |
1.4. QR code device provisioning | Android 7.0+ | IT admins can use a new or factory-reset device to scan a QR code generated by the EMM's console to provision the device. | |
1.5. Zero-touch enrollment | Android 8.0+ (Pixel: Android 7.1+) | IT admins can preconfigure devices purchased from authorized resellers and manage them using your EMM console. | |
1.6. Advanced zero-touch provisioning | Android 8.0+ (Pixel: Android 7.1+) | IT admins can automate much of the device enrollment process by deploying DPC registration details through zero-touch enrollment. | |
1.8. Google Account device provisioning | Android 5.0+ | For enterprises using Workspace, this feature guides users through the installation of their EMM's DPC after entering corporate Workspace credentials during device setup. | |
1.9. Direct zero-touch configuration | Android 7.0+ | IT admins can use the EMM's console to set up zero-touch devices using the zero-touch iframe. | |
2. Device security |
|||
2.1. Device security challenge | Android 5.0+ | IT admins can set and enforce a device security challenge (such as PIN/pattern/password) of a certain type and complexity on managed devices. | |
2.3. Advanced passcode management | Android 5.0+ | IT admins can set up advanced password settings on devices. | |
2.4. Smart Lock management | Android 6.0+ | IT admins can manage what trust agents in Android's Smart Lock feature are permitted to unlock devices. | |
2.5. Wipe and lock | Android 5.0+ | IT admins can use the EMM's console to remotely lock and wipe work data from a managed device. | |
2.6. Compliance enforcement | Android 5.0+ | The EMM restricts access to work data and apps on devices that aren't in compliance with security policies. | |
2.7. Default security policies | Android 5.0+ | EMMs must enforce the specified security policies on devices by default, without requiring IT admins to set up or customize any settings in the EMM's console. | |
2.9. SafetyNet support | N/A | The EMM uses the SafetyNet Attestation API to ensure devices are valid Android devices. | |
2.10. Verify Apps enforcement | Android 5.0+ | IT admins can turn on Verify Apps on devices. | |
2.11. Direct Boot support | Android 7.0+ | Direct Boot support ensures that the EMM's DPC is active and able to enforce policy, even if an Android 7.0+ device has not been unlocked. | |
2.12. Hardware security management | Android 5.1+ | IT admins can lock down hardware elements of a device to ensure data-loss prevention. | |
2.13. Enterprise security logging | Android 7.0+ | IT admins can gather usage data from devices that can be parsed and programmatically evaluated for malicious or risky behavior. | |
3. Account and app management |
|||
3.1. Enterprise binding | N/A | IT admins can bind the EMM to their organization, allowing the EMM to use managed Google Play to distribute apps to devices. | |
3.2. Managed Google Play Account provisioning | Android 5.0+ | The EMM can silently provision enterprise user accounts, called managed Google Play Accounts. | |
3.5. Silent app distribution | N/A | IT admins can silently distribute work apps to devices without any user interaction. | |
3.6. Managed configuration management | Android 5.0+ | IT admins can view and silently set managed configurations for any app that supports managed configurations. | |
3.7. App catalog management | N/A | IT admins can import a list of the apps approved for their enterprise from managed Google Play (play.google.com/work). | |
3.8. Programmatic app approval | N/A | The EMM's console uses the managed Google Play iframe to support Google Play's app discovery and approval capabilities. | |
3.9. Basic store layout management | N/A | The managed Google Play Store app can be used on devices to install and update work apps. | |
3.10. Advanced store layout configuration | N/A | IT admins can customize the store layout seen in the managed Google Play Store app on devices. | |
3.11. App license management | N/A | IT admins can view and manage app licenses purchased in the managed Google Play from the EMM's console. | |
3.12. Google-hosted private app management | N/A | IT admins can update Google-hosted private apps through the EMM console instead of through the Google Play Console. | |
3.13. Self-hosted private app management | N/A | IT admins can set up and publish self-hosted private apps. | |
3.14. EMM pull notifications | N/A | This requirement is not applicable to the Android Management API. | |
3.15. API usage requirements | N/A | The EMM implements Google's APIs at scale, avoiding traffic patterns that could negatively impact enterprises' ability to manage apps in production environments. | |
3.16. Advanced managed configuration management | Android 5.0+ | The EMM supports managed configurations with up to four levels of nested settings and can retrieve and display any feedback sent from a Play app. | |
3.17. Web app management | N/A | IT admins can create and distribute web apps in the EMM console. | |
3.18. Managed Google Play Account lifecycle management | Android 5.0+ | The EMM can create, update, and delete managed Google Play Accounts on behalf of IT admins. | |
3.19. Application track management | Android 5.0+ | IT admins can configure a set of development tracks for particular applications. | |
3.20. Advanced application update management | Android 5.0+ | IT admins can allow apps to be updated immediately or postpone them from being updated for 90 days. | |
3.21. Provisioning methods management | N/A | The EMM can generate provisioning configurations and present these to the IT admin in a form ready for distribution to end users (such as QR code, zero-touch configuration, Play Store URL). | |
4. Device management |
|||
4.1. Runtime permission policy management | Android 6.0+ | IT admins can silently set a default response to runtime permission requests made by work apps. | |
4.2. Runtime permission grant state management | Android 6.0+ | After setting a default runtime permission policy, IT admins can silently set responses for specific permissions from any work app built on API 23 or higher. | |
4.3. Wi-Fi configuration management | Android 6.0+ | IT admins can silently provision enterprise Wi-Fi configurations on managed devices. | |
4.4. Wi-Fi security management | Android 6.0+ | IT admins can provision enterprise Wi-Fi configurations on managed devices. | |
4.5. Advanced Wi-Fi management | Android 6.0+ | IT admins can lock down Wi-Fi configurations on managed devices, to prevent users from creating new configurations or modifying corporate configurations. | |
4.6. Account management | Android 5.0+ | IT admins can ensure that unauthorized corporate accounts can't interact with corporate data for services such as SaaS storage and productivity apps, or email. | |
4.7. Workspace account management | Android 5.0+ | IT admins can ensure that unauthorized Workspace accounts can't interact with corporate data. | |
4.8. Certificate management | Android 5.0+ | Allows IT admins to deploy identity certificates and certificate authorities to devices to allow access to corporate resources. | |
4.9. Advanced certificate management | Android 7.0+ | Allows IT admins to silently select the certificates that specific managed apps should use. | |
4.10. Delegated certificate management | Android 6.0+ | IT admins can distribute a third-party certificate management app to devices and grant that app privileged access to install certificates into the managed keystore. | |
4.11. Advanced VPN management | Android 7.0+ | Allows IT admins to specify an Always On VPN to ensure that data from specified managed apps will go through a set-up VPN. | |
4.13. Advanced IME management | Android 5.0+ | IT admins can manage what input methods (IMEs) are allowed on devices. | |
4.14. Accessibility services management | Android 5.0+ | IT admins can manage what accessibility services are allowed on devices. | |
4.16. Advanced Location Sharing management | Android 5.0+ | IT admins can enforce a given Location Sharing setting on a managed device. | |
4.17. Factory reset protection management | Android 5.1+ | Allows IT admins to protect company-owned devices from theft by ensuring unauthorized individuals can't factory reset devices. | |
4.18. Advanced app control | Android 5.0+ | IT admins can prevent the user from uninstalling or otherwise modifying managed apps through Settings. | |
4.19. Screen capture management | Android 5.0+ | IT admins can block users from taking screenshots when using managed apps. | |
4.20. Disable cameras | Android 5.0+ | IT admins can turn off use of device cameras by managed apps. | |
4.22. Advanced network statistics collection | Android 6.0+ | IT admins can query network usage statistics for an entire managed device. | |
4.23. Reboot device | Android 7.0+ | IT admins can remotely restart managed devices. | |
4.24. System radio management | Android 7.0+ | Gives IT admins granular management of system network radios and associated usage policies. | |
4.25. System audio management | Android 5.0+ | IT admins can silently manage device audio features. | |
4.26. System clock management | Android 5.0+ | IT admins can manage device clock and time zone settings, and prevent modifying automatic device settings. | |
4.28. Delegated scope management | Android 8.0+ | IT admins are able to delegate extra privileges to individual packages. | |
5. Device usability |
|||
5.1. Managed provisioning customization | Android 7.0+ | IT admins can modify the default managed provisioning flow UX to include enterprise-specific features. | |
5.3. Advanced enterprise customization | Android 7.0+ | IT admins can customize managed devices with corporate branding. | |
5.4. Lock screen messages | Android 7.0+ | IT admins can set a custom message that's displayed on the device lock screen, and does not require device unlock to be viewed. | |
5.5. Policy transparency management | Android 7.0+ | IT admins can customize the help text provided to users when they attempt to modify managed settings on their device, or deploy an EMM-supplied generic support message. | |
5.8. System update policy | Android 6.0+ | IT admins can set up and apply over-the-air (OTA) system updates for devices. | |
5.10. Persistent preferred activity management | Android 5.0+ | Allows IT admins to set an app as the default intent handler for intents that match a certain intent filter. | |
5.12. Advanced keyguard feature management | Android 5.0+ | IT admins can control advanced device keyguard (lock screen) features. | |
5.13. Remote debugging | Android 7.0+ | IT admins can retrieve debugging resources from devices without requiring extra steps. | |
5.14. MAC address retrieval | Android 7.0+ | EMMs can silently fetch a device's MAC address, to be used to identify devices in other parts of the enterprise infrastructure. | |
6. Device admin deprecation |
|||
6.1. Device admin deprecation | Android 5.0+ | EMMs are required to post a plan by the end of 2021 ending customer support for Device Admin on GMS devices by the end of 2022. | |
7. API usage |
|||
7.1. Standard policy controller for new bindings | Android 5.0+ | By default devices must be managed using Android Device Policy for any new bindings. EMMs may provide the option to manage devices using a custom DPC in a settings area under a heading 'Advanced' or similar terminology. New customers must not be exposed to an arbitrary choice between technology stacks during any onboarding or setup workflows. | |
7.2. Standard policy controller for new devices | Android 5.0+ | By default devices must be managed using Android Device Policy for all new device enrollments, for both existing and new bindings. EMMs may provide the option to manage devices using a custom DPC in a settings area under a heading 'Advanced' or similar terminology. |