Introduction to Android EMM
Android EMM (also known as Android for Work) contains a wide range of management technologies for Android devices. It lets device management separate business apps and data from personal ones, which supports the Bring Your Own Device (BYOD) model.
For an introduction to Android for Work, see:
- Android at work – https://www.android.com/work/
- EMM Developer's Overview – https://developers.google.com/android/work/overview
In this article, we look at how Android EMM is configured with the EMM service.
Solution sets
Android includes a wide variety of EMM features, which are grouped as overlapping solution sets. Each set includes the features to solve a particular use case in enterprise mobility.
The EMM client app aims to support the following solution sets:
Work Profile
The Work Profile solution set has features to separate applications and their data between a personal and a work profile.
Work Managed Device
The Work Managed Device set is aimed at Company-Owned Business Only (COBO) devices.
The two solution sets are described in detail below. They are supported on most Android 6.0+ devices. Support depends on the Android operating system implementation. Some manufacturers may limit which solution sets are possible.
Work Profile
The Work Profile is intended for Bring Your Own Device (BYOD) environments, where the work profile and the personal profile are kept separate. The whole device is not managed, only the contained work profile. Work apps and data are kept in the work profile, and access between the two profiles is restricted. An app can run in both profiles at the same time, but it has access to different files in each.
For detailed requirements, see Work profile in the Android EMM Developer's Overview.
Server-Side Setup
A device profile must be set up for work profile devices. The platform should be Android.
It is highly recommended that only managed Google Play accounts are used with work profiles. This enables remote app management (install, uninstall, managed configurations), which is the primary management use case with work profiles.
TODO list of supported policies
Provisioning
See Provisioning Android Devices.
Management
The Work Profile restricts which management tasks are possible. A device with a work profile is nevertheless a personally owned device, so the device cannot be wiped remotely and its password cannot be changed by force. Applications can only be installed through the Play Store. Application management (install, uninstall, managed configuration) is possible only through the managed Google Play account, if one is set up.
Ending Management
As the device is personally owned, the user can delete the work profile at any time directly from the device. An organisation manager can remove device management from the EMM service, which will delete the work profile.
To re-create the work profile, the user must first enable the EMM client app in the Play Store.
Work Managed Device (Device Owner Mode)
The work managed device solution set is intended for corporate-owned devices that are used exclusively for work purposes. Additional device management policies are available. An alternative name for this solution set is Device Owner Mode; this technical term refers to the EMM client app being installed as the "device owner" of the device.
See Work managed device in the Android EMM Developer's Overview for detailed feature requirements.
Server-Side Setup
The device profile is configured with the Android platform.
The following policies require that the client is installed as the device owner (or in some cases profile owner):
- User restriction policy
- App restriction policy
- Application policy (see below)
- Device policy:
  - System update policy
  - Dynamic permission policy
  - Screen capture disabled
  - Master volume muted
  - Auto time required
  - Always-on VPN package
  - Always-on VPN lockdown
  - 3rd party certificate installer package
  - Account management disabled
- Kiosk policy
- Managed Google Play policy
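As an added illustration, not the EMM client's own code, the following Android Java snippet shows how a client app would gate the policies above on its ownership mode using the platform DevicePolicyManager API: policies the platform allows for both owners are applied in work profile and work managed modes, the rest only when the app is device owner. The EmmAdminReceiver component, the VPN package name and the certificate installer package name are assumptions.

```java
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.app.admin.SystemUpdatePolicy;
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.UserManager;
import android.util.Log;

/** Applies the listed policies only in the ownership mode that permits them. */
public final class OwnershipGatedPolicies {
    private static final String TAG = "EmmPolicies";

    /** Assumed admin component of the EMM client app (hypothetical name). */
    public static final class EmmAdminReceiver extends DeviceAdminReceiver {}

    public static void apply(Context ctx, String vpnPackage, String certInstallerPackage) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = new ComponentName(ctx, EmmAdminReceiver.class);
        String pkg = ctx.getPackageName();
        boolean deviceOwner = dpm.isDeviceOwnerApp(pkg);   // work managed device
        boolean profileOwner = dpm.isProfileOwnerApp(pkg); // work profile

        if (!deviceOwner && !profileOwner) {
            // Legacy device admin only: none of these policies can be applied.
            Log.w(TAG, "client is neither device owner nor profile owner; skipping");
            return;
        }

        // Allowed for both owners; in profile owner mode they affect the work profile only.
        dpm.setScreenCaptureDisabled(admin, true);
        dpm.addUserRestriction(admin, UserManager.DISALLOW_MODIFY_ACCOUNTS); // account management disabled
        dpm.setCertInstallerPackage(admin, certInstallerPackage);          // 3rd party certificate installer
        try {
            // Always-on VPN with lockdown: traffic outside the tunnel is blocked.
            dpm.setAlwaysOnVpnPackage(admin, vpnPackage, true);
        } catch (PackageManager.NameNotFoundException | UnsupportedOperationException e) {
            Log.e(TAG, "cannot enforce always-on VPN for " + vpnPackage, e);
        }

        if (!deviceOwner) {
            return; // the remaining policies are device owner only
        }
        dpm.setMasterVolumeMuted(admin, true);
        dpm.setAutoTimeRequired(admin, true);
        dpm.setSystemUpdatePolicy(admin, SystemUpdatePolicy.createAutomaticInstallPolicy());
        dpm.setLockTaskPackages(admin, new String[] {pkg}); // kiosk: only the client may pin itself
    }
}
```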
Enabling Built-In Applications
By default, all built-in apps on work managed devices are hidden except for the few most essential ones. Less essential apps, such as Calendar, Clock, Camera, Photos and Play Books, are hidden and must be made visible in the device settings, typically in a device template.
See Enabling Hidden Applications in Android for instructions for enabling them.
Provisioning devices
See Provisioning Android Devices.
Management
TODO
Ending Management
The device must be wiped to remove management. This can be done remotely, or from the device itself unless user access to device reset/wipe is restricted.
Google Play
The Google Play EMM API and managed Google Play accounts simplify the management of apps and app configurations. In practice, the user sees an automatically generated managed Google account on their device and can use this account in the Play Store app to browse, install and uninstall only the apps approved by the admin. The admin can configure which apps are available, how they are organised in the Play Store app, and some configuration options in any apps that support managed configuration.
Users with similar app management needs are grouped into a Google Play Enterprise, and all Google Play configurations are made for a specific Enterprise.
An enterprise belongs to a specific administrator's Google account. One administrative Google account can manage only one enterprise.
Requirements
A supervisor must first enable the Google Play EMM API by installing the API key. After that, managers and vendors can see main menu options for managing Google Play enterprises. The first task is to create a new Enterprise.
Managing Google Play Enterprises and Apps
See Google Play for more information.
- See Enterprises for enrolling organisations in Google Play