1. Device provisioning |
| 1.1. DPC-first work profile provisioning |
Android 5.1+ |
remove_circle_outline |
You can provision a work profile after downloading
the EMM's DPC from Google Play. |
| 1.2. DPC-identifier device provisioning |
Android 12.0+ |
star |
IT admins cad provision a fully managed or dedicated device using a DPC
identifier ("afw"), according to the implementation guidelines defined in the
Play EMM API developer documentation. |
| 1.3. NFC device provisioning |
Android 12.0+ |
star_border |
NFC tags can be used by IT admins to provision new or factory-reset
devices according to the implementation guidelines defined in the Play EMM API developer documentation. |
| 1.4. QR code device provisioning |
Android 7.0+ |
star |
IT admins can use a new or factory-reset device to scan a QR code
generated by the EMM's console to provision the device, according to
implementation guidelines defined in the
Play EMM API developer documentation. |
| 1.5. Zero-touch enrollment |
Android 8.0+ (Pixel: Android 7.1+) |
star |
IT admins can preconfigure devices purchased from authorized resellers
and manage them using your EMM console. |
| 1.6. Advanced zero-touch provisioning |
Android 8.0+ (Pixel: Android 7.1+) |
star |
IT admins can automate much of the device enrollment process by
deploying DPC registration details through zero-touch enrollment. |
| 1.7. Google Account work profile provisioning |
Android 5.0+ |
remove_circle_outline |
Enterprises using Google Accounts or cloud Identity can set up a work
profile with their corporate accounts. |
| 1.8. Google Account device provisioning |
Android 5.0+ |
star_border |
For enterprises that use Workspace, this feature guides users through the
installation of their EMM's DPC after they enter their corporate Workspace
credentials during initial device setup. Once installed, the DPC completes
the setup of a company-owned device. |
| 1.9. Direct zero-touch configuration |
Android 7.0+ |
star |
IT admins can use the EMM's console to set up zero-touch devices using
the zero-touch iframe. |
| 1.10. Work profiles on company-owned devices |
Android 8.0+ |
star |
EMMs can enroll company-owned devices that have a work profile. |
2. Device security |
| 2.1. Device security challenge |
Android 5.0+ |
star |
IT admins can set and enforce a device security challenge
(such as PIN/pattern/password) of a certain type and complexity on managed
devices. |
| 2.2. Work security challenge |
Android 7.0+ |
star |
IT admins can set and enforce a security challenge for
apps and data in the work profile that is separate and has different
requirements from the device security challenge. |
| 2.3. Advanced passcode management |
Android 5.0+ |
star |
IT admins can set up advanced password settings on devices. |
| 2.4. Smart Lock management |
Android 6.0+ |
star_border |
IT admins can manage what trust agents in Android's Smart Lock feature
are permitted to unlock devices. |
| 2.5. Wipe and lock |
Android 5.0+ |
star |
IT admins can use the EMM's console to remotely lock and
wipe work data from a managed device. |
| 2.6. Compliance enforcement |
Android 5.0+ |
star |
The EMM restricts use of work data and apps on devices that aren't in
compliance with security policies. |
| 2.7. Default security policies |
Android 5.0+ |
star |
EMMs must enforce the specified security policies on
devices by default, without requiring IT admins to set up or customize
any settings in the EMM's console. |
| 2.9. SafetyNet support |
N/A |
star |
The EMM uses the SafetyNet Attestation API to ensure devices are valid Android devices. |
| 2.10. Verify Apps enforcement |
Android 5.0+ |
star |
IT admins can turn on Verify Apps on devices. |
| 2.11. Direct Boot support |
Android 7.0+ |
star |
Direct Boot support ensures that the EMM's DPC is active and able
to enforce policy, even if an Android 7.0+ device has not been unlocked. |
| 2.12. Hardware
security management |
Android 5.1+ |
star |
IT admins can lock down hardware elements of a company-owned device to ensure
data-loss prevention. |
3. Account and app management |
| 3.1. Enterprise binding |
N/A |
star |
IT admins can bind the EMM to their organization, allowing the EMM to
use managed Google Play to distribute apps to devices. |
| 3.2. Managed Google Play Account provisioning |
Android 5.0+ |
star |
The EMM can silently provision enterprise user accounts, called
Managed Google Play accounts. |
| 3.5. Silent app distribution |
N/A |
star |
IT admins can silently distribute work apps to devices without
any user interaction. |
| 3.6. Managed configuration management |
Android 5.0+ |
star |
IT admins can view and silently set managed configurations for any app
that supports managed configurations. |
| 3.7. App catalog management |
N/A |
remove_circle_outline |
IT admins can import a list of the apps approved for their
enterprise from managed Google Play (play.google.com/work). |
| 3.8. Programmatic app approval |
N/A |
star |
The EMM's console uses the managed Google Play iframe to support Google
Play's app discovery and approval capabilities |
| 3.9. Basic store layout management |
N/A |
star |
The managed Google Play Store app can be used on devices to install
and update work apps. |
| 3.10. Advanced store layout configuration |
N/A |
star_border |
IT admins can customize the store layout seen in the managed
Google Play Store app on devices. |
| 3.11. App license management |
N/A |
star_border |
IT admins can view and manage app licenses purchased in the managed
Google Play from the EMM's console. |
| 3.12. Google-hosted private app management |
N/A |
star |
IT admins can update Google-hosted private apps through the EMM console
instead of through the Google Play Console. |
| 3.13. Self-hosted private app management |
N/A |
star_border |
IT admins can set up and publish self-hosted private apps. |
| 3.14. EMM pull notifications |
N/A |
star_border |
The EMM uses pull notifications to receive Play event notifications
in real-time |
| 3.15. API usage requirements |
N/A |
star |
The EMM implements Google's APIs at scale, avoiding traffic patterns
that could negatively impact enterprises' ability to manage apps in
production environments. |
| 3.16. Advanced managed configuration management |
Android 5.0+ |
star |
The EMM supports managed configurations with up to four levels of nested
settings and can retrieve and display any feedback sent from a Play
app. |
| 3.17. Web app management |
N/A |
star |
IT admins can create and distribute web apps in the EMM console. |
| 3.18. Managed Google Play Account lifecycle management |
Android 5.0+ |
star |
The EMM can create, update, and delete managed Google Play Accounts on behalf of IT admins. |
| 3.19. Application track management |
Android 5.0+ |
star |
IT Admins can set up a set of development tracks for particular applications. |
| 3.20. Advanced application update management |
Android 5.0+ |
star |
IT Admins can allow apps to be updated immediately or postpone them from being updated for 90 days. |
| 3.21. Provisioning methods management |
N/A |
star |
The EMM can generate provisioning configurations and present these to
the IT admin in a form ready for distribution to end users (such as QR code,
zero-touch configuration, Play Store URL). |
4. Device management |
| 4.1. Runtime permission policy management |
Android 6.0+ |
star |
IT admins can silently set a default response to runtime permission
requests made by work apps. |
| 4.2. Runtime permission grant state management |
Android 6.0+ |
star |
After setting a default runtime permission policy, IT admins can
silently set responses for specific permissions from any work app built on
API 23 or higher. |
| 4.3. Wi-Fi configuration management |
Android 6.0+ |
star |
IT admins can silently provision enterprise Wi-Fi configurations on
managed devices. |
| 4.4. Wi-Fi security management |
Android 6.0+ |
star |
IT admins can provision enterprise Wi-Fi configurations on managed devices. |
| 4.6. Account management |
Android 5.0+ |
star |
IT admins can ensure that unauthorized corporate accounts can't
interact with corporate data for services such as SaaS storage and
productivity apps, or email. |
| 4.7. Workspace account management |
Android 5.0+ |
star_border |
IT admins can ensure that unauthorized Workspace accounts can't interact
with corporate data. |
| 4.8. Certificate management |
Android 5.0+ |
star |
Allows IT admins to deploy identity certificates and certificate
authorities to devices to allow access to corporate resources. |
| 4.9. Advanced certificate management |
Android 7.0+ |
star |
Allows IT admins to silently select the certificates that specific
managed apps should use. |
| 4.10. Delegated certificate management |
Android 6.0+ |
star_border |
IT admins can distribute a third-party certificate management app to
devices and grant that app privileged access to install certificates into
the managed keystore. |
| 4.11. Advanced VPN management |
Android 7.0+ |
star |
Allows IT admins to specify an Always On VPN to ensure that data from
specified managed apps will go through a set-up VPN. |
| 4.12. IME management |
Android 5.0+ |
star_border |
IT admins can manage what input methods (IMEs) are allowed on devices. |
| 4.14. Accessibility services management |
Android 5.0+ |
star_border |
IT admins can manage what accessibility services are allowed on devices. |
| 4.15. Location Sharing management |
Android 5.0+ |
star_border |
IT admins can prevent sharing location data with apps in the work profile. |
| 4.17. Factory reset protection management |
Android 5.1+ |
star |
Allows IT admins to protect company-owned devices from theft by
ensuring unauthorized individuals can't factory reset devices. |
| 4.19. Screen capture management |
Android 5.0+ |
star_border |
IT admins can block users from taking screenshots when using managed apps. |
| 4.20. Disable cameras |
Android 5.0+ |
star_border |
IT admins can turn off use of device cameras by managed apps. |
| 4.21. Network statistics collection |
Android 6.0+ |
star_border |
IT admins can query network usage statistics from a device's work
profile. |
| 4.24. System radio management |
Android 7.0+ |
star_border |
Allows IT granular management over system network radios and associated
use policies. |
| 4.28. Delegated scope management |
Android 8.0+ |
star |
IT admins are able to delegate extra privileges to individual packages. |
| 4.29. Enrollment-specific ID support |
Android 12.0+ |
star |
IT admins can set an enrollment-specific ID that persists through
factory resets for a work profile. |
5. Device usability |
| 5.1. Managed provisioning customization |
Android 7.0+ |
star_border |
IT admins can modify the default setup flow UX to include
enterprise-specific features. |
| 5.2. Enterprise customization |
Android 7.0+ |
star_border |
IT admins can customize aspects of the work profile with corporate
branding, for example by setting the work profile user icon to the
corporate logo, or setting up the background color of the work
challenge. |
| 5.4. Lock screen messages |
Android 7.0+ |
star_border |
IT admins can set a custom message that is always displayed on the
device lock screen, and does not require device unlock to be viewed. |
| 5.5. Policy transparency management |
Android 7.0+ |
star |
IT admins can customize the help text provided to users when they modify
managed settings on their device, or deploy an EMM-supplied generic support
message. Both short and long support messages can be customized. These
messages are displayed in instances such as attempting to uninstall a
managed app for which an IT admin has already blocked uninstallation. |
| 5.6. Cross-profile contact management |
Android 7.0+ |
star_border |
IT admins can manage what contact data can leave the work profile. |
| 5.7. Cross-profile data management |
Android 6.0+ |
star_border |
Grants IT admins control over what data can leave the work profile, beyond the default security features of the work profile. |
| 5.8. System update policy |
Android 6.0+ |
star |
IT admins can set up and apply over-the-air (OTA) system updates for
devices. |
| 5.10. Persistent preferred activity management |
Android 5.0+ |
star_border |
Allows IT admins to set an app as the default intent handler for intents
that match a certain intent filter. |
| 5.11. Keyguard feature management |
Android 7.0+ |
star |
IT admins can manage the features available before unlocking
the device keyguard (lock screen) and the work challenge keyguard
(lock screen). |
| 5.12. Advanced keyguard feature management |
Android 5.0+ |
star |
IT admins can manage advanced device keyguard (lock screen)
features. |
| 5.14. MAC address retrieval |
Android 7.0+ |
star_border |
EMMs can silently fetch a device's MAC address. The MAC address can be
used to identify devices in other parts of the enterprise infrastructure
(for example when identifying devices for network access control). |
| 5.17. Work profile policy transparency management |
Android 9.0+ |
star |
IT admins can customize the message displayed when removing the
work profile from a device. |
| 5.18. Connected app support |
Android 9.0+ |
star |
IT admins can set a list of packages that can communicate across the
work profile boundary. |
6. Device admin deprecation |
| 6.1. Device admin deprecation |
Android 5.0+ |
remove_circle_outline |
EMMs are required to post a plan by the end of 2022 ending customer
support for Device Admin
on GMS devices by the end of Q1 2023. |
7. API usage |
| 7.1. Standard policy controller for new bindings |
Android 5.0+ |
star |
By default devices must be managed using Android Device Policy for any
new bindings. EMMs may provide the option to manage devices using a custom
DPC in a settings area under a heading 'Advanced' or similar terminology.
New customers must not be exposed to an arbitrary choice between technology
stacks during any onboarding or setup workflows. |
| 7.2. Standard policy controller for new devices |
Android 5.0+ |
star_border |
By default devices must be managed using Android Device Policy for all
new device enrollments, for both existing and new bindings. EMMs may provide
the option to manage devices using a custom DPC in a settings area under a
heading 'Advanced' or similar terminology. |