AI-generated Key Takeaways
-
Dedicated device solutions are designed for company-owned devices used for a single purpose and allow IT admins to restrict device usage to a limited set of apps.
-
Key features include various methods for device provisioning such as NFC, QR code, and zero-touch enrollment, as well as robust device security management including security challenges, remote wipe and lock, and compliance enforcement.
-
Account and app management capabilities are provided, including silent app distribution, managed configuration management, and managing private and web apps.
-
The solution offers comprehensive device management features like controlling runtime permissions, configuring Wi-Fi and certificates, and managing factory reset protection.
-
Device usability features encompass customizing provisioning flows, setting lock screen messages, managing system updates, and controlling device features in lock task mode.
The dedicated device solution set is designed for company-owned devices that fulfill a single use case such as digital signage, ticket printing, or inventory management. This solution set allows IT admins to further lock down the usage of a device to a single app or small set of apps. IT admins can prevent other apps from starting and prevent other actions performed on the device.
Feature list
| required | optional | advanced | not supported |
1. Device provisioning |
|||
| 1.2. DPC identifier device provisioning | Android 6.0+ | You can provision a fully managed device using a DPC identifier ("afw#"). | |
| 1.3. NFC device provisioning | Android 6.0+ | IT admins can "bump" new or factory-reset devices with the EMMs NFC provisioning app to provision a device. | |
| 1.4. QR code device provisioning | Android 7.0+ | IT admins can use a new or factory-reset device to scan a QR code generated by the EMM's console to provision the device. | |
| 1.5. Zero-touch enrollment | Android 8.0+ (Pixel: Android 7.1+) | IT admins can preconfigure devices purchased from authorized resellers and manage them using your EMM console. | |
| 1.6. Advanced zero-touch provisioning | Android 8.0+ (Pixel: Android 7.1+) | IT admins can automate much of the device enrollment process by deploying DPC registration details through zero-touch enrollment. | |
| 1.9. Direct zero-touch configuration | Android 7.0+ | IT admins can use the EMM's console to set up zero-touch devices using the zero-touch iframe. | |
| 1.11. Dedicated device provisioning | Android 8.0+ | IT admins can enroll dedicated devices without the user being prompted to authenticate with a Google Account. | |
2. Device security |
|||
| 2.1. Device security challenge | Android 5.0+ | IT admins can set and enforce a device security challenge (such as PIN/pattern/password) of a certain type and complexity on managed devices. | |
| 2.3. Advanced passcode management | Android 5.0+ | IT admins can set up advanced password settings on devices. | |
| 2.4. Smart Lock management | Android 6.0+ | IT admins can manage what trust agents in Android's Smart Lock feature are permitted to unlock devices. | |
| 2.5. Wipe and lock | Android 5.0+ | IT admins can use the EMM's console to remotely lock and wipe work data from a managed device. | |
| 2.6. Compliance enforcement | Android 5.0+ | The EMM restricts access to work data and apps on devices that aren't in compliance with security policies. | |
| 2.7. Default security policies | Android 5.0+ | EMMs must enforce the specified security policies on devices by default, without requiring IT admins to set up or customize any settings in the EMM's console. | |
| 2.8. Security policies for dedicated devices | Android 6.0+ | Users cannot escape a locked down dedicated device to allow other actions. | |
| 2.9. SafetyNet support | N/A | The EMM uses the SafetyNet Attestation API to ensure devices are valid Android devices. | |
| 2.10. Verify Apps enforcement | Android 5.0+ | IT admins can turn on Verify Apps on devices. | |
| 2.11. Direct Boot support | Android 7.0+ | Direct Boot support ensures that the EMM's DPC is active and able to enforce policy, even if an Android 7.0+ device has not been unlocked. | |
| 2.12. Hardware security management | Android 5.1+ | IT admins can lock down hardware elements of a device to ensure data-loss prevention. | |
| 2.13. Enterprise security logging | Android 7.0+ | IT admins can gather usage data from devices that can be parsed and programmatically evaluated for malicious or risky behavior. | |
3. Account and app management |
|||
| 3.1. Enterprise binding | N/A | IT admins can bind the EMM to their organization, allowing the EMM to use managed Google Play to distribute apps to devices. | |
| 3.3. Managed Google Play device account provisioning | Android 5.0+ | The EMM can create and provision managed Google Play device accounts. | |
| 3.5. Silent app distribution | N/A | IT admins can silently distribute work apps to devices without any user interaction. | |
| 3.6. Managed configuration management | Android 5.0+ | IT admins can view and silently set managed configurations for any app that supports managed configurations. | |
| 3.7. App catalog management | N/A | IT admins can import a list of the apps approved for their enterprise from managed Google Play (play.google.com/work). | |
| 3.8. Programmatic app approval | N/A | The EMM's console uses the managed Google Play iframe to support Google Play's app discovery and approval capabilities | |
| 3.11. App license management | N/A | IT admins can view and manage app licenses purchased in the managed Google Play from the EMM's console. | |
| 3.12. Google-hosted private app management | N/A | IT admins can update Google-hosted private apps through the EMM console instead of through the Google Play Console. | |
| 3.13. Self-hosted private app management | N/A | IT admins can set up and publish self-hosted private apps. | |
| 3.14. EMM pull notifications | N/A | This requirement is not applicable to the Android Management API. | |
| 3.15. API usage requirements | N/A | The EMM implements Google's APIs at scale, avoiding traffic patterns that could negatively impact enterprises' ability to manage apps in production environments. | |
| 3.16. Advanced managed configuration management | Android 5.0+ | The EMM supports managed configurations with up to four levels of nested settings and can retrieve and display any feedback sent from a Play app. | |
| 3.17. Web app management | N/A | IT admins can create and distribute web apps in the EMM console. | |
| 3.18. Managed Google Play Account lifecycle management | Android 5.0+ | The EMM can create, update, and delete managed Google Play Accounts on behalf of IT admins. | |
| 3.19. Application track management | Android 5.0+ | IT Admins can set up a set of development tracks for particular applications. | |
| 3.20. Advanced application update management | Android 5.0+ | IT Admins can allow apps to be updated immediately or postpone them from being updated for 90 days. | |
| 3.21. Provisioning methods management | N/A | The EMM can generate provisioning configurations and present these to the IT admin in a form ready for distribution to end users (such as QR code, zero-touch configuration, Play Store URL). | |
| 3.22. Upgrade Enterprise binding | N/A | IT admins can upgrade the enterprise binding type to a managed Google domain enterprise, allowing the organization to access Google Account services and features on enrolled devices. | |
| 3.24. Managed Google Play Account upgrade | N/A | IT admins can upgrade the user account type to a managed Google Account, allowing the device to access Google Account services and features on enrolled devices. | |
4. Device management |
|||
| 4.1. Runtime permission policy management | Android 6.0+ | IT admins can silently set a default response to runtime permission requests made by work apps. | |
| 4.2. Runtime permission grant state management | Android 6.0+ | After setting a default runtime permission policy, IT admins can silently set responses for specific permissions from any work app built on API 23 or higher. | |
| 4.3. Wi-Fi configuration management | Android 6.0+ | IT admins can silently provision enterprise Wi-Fi configurations on managed devices. | |
| 4.4. Wi-Fi security management | Android 6.0+ | IT admins can provision enterprise Wi-Fi configurations on managed devices. | |
| 4.5. Advanced Wi-Fi management | Android 6.0+ | IT admins can lock down Wi-Fi configurations on managed devices, to prevent users from creating new configurations or modifying corporate configurations. | |
| 4.6. Account management | Android 5.0+ | IT admins can ensure that unauthorized corporate accounts can't interact with corporate data for services such as SaaS storage and productivity apps, or email. | |
| 4.8. Certificate management | Android 5.0+ | Allows IT admins to deploy identity certificates and certificate authorities to devices to allow access to corporate resources. | |
| 4.9. Advanced certificate management | Android 7.0+ | Allows IT admins to silently select the certificates that specific managed apps should use. | |
| 4.10. Delegated certificate management | Android 6.0+ | IT admins can distribute a third-party certificate management app to devices and grant that app privileged access to install certificates into the managed keystore. | |
| 4.11. Advanced VPN management | Android 7.0+ | Allows IT admins to specify an Always On VPN to ensure that data from specified managed apps will go through a set-up VPN. | |
| 4.13. Advanced IME management | Android 5.0+ | IT admins can manage what accessibility services are allowed on devices. | |
| 4.14. Accessibility services management | Android 5.0+ | IT admins can manage what accessibility services are allowed on devices. | |
| 4.16. Advanced Location Sharing management | Android 5.0+ | IT admins can enforce a given Location Sharing setting on a managed device. | |
| 4.17. Factory reset protection management | Android 5.1+ | Allows IT admins to protect company-owned devices from theft by ensuring unauthorized individuals can't factory reset devices. | |
| 4.18. Advanced app control | Android 5.0+ | IT admins can prevent the user from uninstalling or otherwise modifying managed apps through Settings. | |
| 4.19. Screen capture management | Android 5.0+ | IT admins can block users from taking screenshots when using managed apps. | |
| 4.20. Disable cameras | Android 5.0+ | IT admins can turn off use of device cameras by managed apps. | |
| 4.22. Advanced network statistics collection | Android 6.0+ | IT admins can query network usage statistics for an entire managed device. | |
| 4.23. Reboot device | Android 7.0+ | IT admins can remotely restart managed devices. | |
| 4.24. System radio management | Android 7.0+ | Gives IT admins granular management of system network radios and associated usage policies. | |
| 4.25. System audio management | Android 5.0+ | IT admins can silently manage device audio features. | |
| 4.26. System clock management | Android 5.0+ | IT admins can manage device clock and time zone settings, and prevent modifying automatic device settings. | |
| 4.27. Advanced dedicated device features | Android 6.0+ | Provides IT admins with the ability to manage more granular features of dedicated devices to support various kiosk use cases. | |
| 4.28. Delegated scope management | Android 8.0+ | IT admins are able to delegate extra privileges to individual packages. | |
| 4.30. Credential manager policy | Android 14.0+ | IT admins can manage which credential manager applications are allowed or blocked using the credential provider policy default or the credential provider policy. | |
| 4.31. Basic eSIM management | Android 15.0+ | Allows IT admins to provision a device with an eSIM profile and manage its lifecycle on the device. | |
5. Device usability |
|||
| 5.1. Managed provisioning customization | Android 7.0+ | IT admins can modify the default managed provisioning flow UX to include enterprise-specific features. | |
| 5.4. Lock screen messages | Android 7.0+ | IT admins can set a custom message that's displayed on the device lock screen, and does not require device unlock to be viewed. | |
| 5.5. Policy transparency management | Android 7.0+ | IT admins can customize the help text provided to users when they attempt to modify managed settings on their device, or deploy an EMM-supplied generic support message. | |
| 5.8. System update policy | Android 6.0+ | IT admins can set up and apply over-the-air (OTA) system updates for devices. | |
| 5.9. Lock task mode management | Android 6.0+ | IT admins can lock an app or set of apps to the screen, and ensure that the app can't be exited. | |
| 5.10. Persistent preferred activity management | Android 5.0+ | Allows IT admins to set an app as the default intent handler for intents that match a certain intent filter. | |
| 5.12. Advanced keyguard feature management | Android 5.0+ | IT admins can manage advanced device keyguard (lock screen) features. | |
| 5.13. Remote debugging | Android 7.0+ | IT admins can retrieve debugging resources from devices without requiring extra steps. | |
| 5.14. MAC address retrieval | Android 7.0+ | EMMs can silently fetch a device's MAC address, to be used to identify devices in other parts of the enterprise infrastructure. | |
| 5.15. Advanced lock task mode management | Android 9.0+ | With a dedicated device, IT admins can use the EMM's console to turn on and turn off the home button, notifications, and other features. | |
| 5.16. Advanced system update policy | Android 9.0+ | IT admins can block system updates on a device for a specified freeze period. | |
| 5.19. Manual system update | Android 11.0+ | The Android Management API doesn't support this feature. | |
6. Device admin deprecation |
|||
| 6.1. Device admin deprecation | Android 5.0+ | EMMs are required to post a plan by the end of 2022 ending customer support for Device Admin on GMS devices by the end of Q1 2023. | |
7. API usage |
|||
| 7.1. Standard policy controller for new bindings | Android 5.0+ | By default devices must be managed using Android Device Policy for any new bindings. EMMs may provide the option to manage devices using a custom DPC in a settings area under a heading 'Advanced' or similar terminology. New customers must not be exposed to an arbitrary choice between technology stacks during any onboarding or setup workflows. | |
| 7.2. Standard policy controller for new devices | Android 5.0+ | By default devices must be managed using Android Device Policy for all new device enrollments, for both existing and new bindings. EMMs may provide the option to manage devices using a custom DPC in a settings area under a heading 'Advanced' or similar terminology. |