Android Enterprise is a Google-led initiative to enable the use of Androiddevices and apps in the workplace. The program offers APIs and other tools fordevelopers to integrate support for Android into their enterprise mobilitymanagement (EMM) solutions. This site provides developers with an overview ofthe program and the background information required to start building an AndroidEnterprise solution.
Android devices: management use cases
This section describes the management options available in Android to supportmanaged deployments. You can use Android Enterprise's tools and services tosupport any or all of the following options in your EMM solution.
Work profile for employee-owned devices (BYOD)
BYOD devices can be set up with a work profile—a featurebuilt into Android 5.1+ that allows work apps and data to be stored in aseparate, self-contained space within a device. An employee can continue to usetheir device as normal; all their personal apps and data remain on the device'sprimary profile.
An employee's organization has full management control of the apps, data, andsettings in their device's work profile, but has no visibility or access to thedevice's personal profile. This distinct separation gives organizations controlover corporate data and security without compromising employee privacy.
Work profile for mixed-used company-owned devices
Work profiles can also be used to enable mixed work and personal use on company-owned devices. Like with a personally-owned device, organizations have full management control of the apps, data, and settings in a work profile. With a device that's company-owned, organizations can also enforce many device-wide policies (e.g configure Wi-Fi settings, block USB file transfers) and restrictions that apply to a device's personal profile (e.g. disallow certain apps).
These additional management capabilities allow organizations to keep company-owned devices compliant with IT policies while maintaining employee privacy—the personal profile of a company-owned device, including its apps, data, and usage, aren't visible or accessible to organizations.
Full management for work-only company-owned devices
Fully managed deployments are for company-owned devices intended exclusively for work purposes. With a fully managed Android 5.0+ device, organizations can enforce Android's full range of management policies, including device-level policies that are unavailable to work profiles.
Full management for dedicated devices
Dedicated devices (formerly called corporate-owned single-use, or COSU) are a subset of fully managed devices that serve a specific purpose. Android comes with a broad set of management features that allow organizations to configure devices for everything from employee-facing factory and industrial environments, to customer-facing signage and kiosk purposes.
Dedicated devices are typically locked to a single app or set of apps. Android 6.0+ offers granular control over a device's lock screen, status bar, keyboard, and other key features, to prevent users from enabling other apps or performing other actions on dedicated devices.
Integrate Android into your EMM solution
An Android Enterprise solution is a combination of three components: your EMMconsole, Android Device Policy,and managed Google Play.
EMM console
EMM solutions typically take the form of an EMM console—a web application youdevelop that allows IT admins to manage their organization, devices, and apps.To support these functions for Android, you integrate your console with the APIsand UI components provided by Android Enterprise.
Android Device Policy
All Android devices that an organization manages through your EMM console mustinstall Android Device Policyduring setup. Android Device Policy is an app supplied by Android thatautomatically applies the management policies set in your EMM console to devices.
Managed Google Play
Managed Google Play facilitates app management capabilities for AndroidEnterprise solutions. It combines the familiar user experience and app storefeatures of Google Play with a set of management capabilities designedspecifically for organizations.
Managed Google Play can be embedded into your EMM console to provideIT admins with features such as:
- Public app search
- Private app publishing
- Web app publishing
- App organization
On managed devices, managed Google Play is the organization's app store.The interface is similar to Google Play—users can browse apps, view app details,and install them. Unlike the public version of Google Play, users can onlyinstall apps from managed Google Play that their organization approves for them.
Android EMM lifecycle features
This section provides an overview of the major features you can integrate intoyour EMM solution.
Onboard new organizations
Android Enterprise provides APIs and an online setup flow for you to onboard neworganizations. When an organization completes the onboarding process, you createan Enterprise resource for it.
There are two types of enterprise bindings:managed Google Play Accounts enterprises and managed Google domains.
Managed Google Play Accounts enterprise
This is a legacy enterprise binding type, used for organizations that signed-up before 2024. Organizations may be assigned a managed Google Play Accounts enterprise binding when they sign up now, to support certain unusual situations.
With this type of enterprise binding, you may only provision managed Google Play Accounts for devices and end users. Managed Google Play Accounts provide access to managed Google Play, allowing users to install and use work apps selected by IT admins. If the organization uses a 3rd-party identity service, you can link managed Google Play Accounts with the organization's existing identity accounts.
Managed Google Play Accounts have limited use, solely for managing apps with the Google Play Store. These accounts can't be used with any other Google or third-party services. Devices that only have a managed Google Play Account won't be able to use cross-device features.
Managed Google domain
With this type of enterprise binding, you can provision devices using eithermanaged Google Accounts or managed Google Play Accounts. In addition to managingAndroid devices, the IT admin can use the managed Google domain to manage otherdevices such as ChromeOS devices, and enable other Google services.
If the organization verifies their domain, they can sync their organization's identities into the managed Google domain. When setting up a device, each user will then be able to use the Google Account provisioning method. The account will give them access to managed Google Play in addition to any other Google services enabled through the Google Admin console, including cross- device experiences
Provision devices and work profiles
Provisioning is the process of setting up an Android device for management. Ittypically involves transferring setup details (for example, corporate WiFicredentials) to the device and installing Android Device Policy. For a full listof provisioning methods, see the Feature list.
Manage devices
After a device or work profile is provisioned, it's ready to be managed. Throughthe Android Management API, Android supports over 80 device and app managementpolicies. Android Device Policy, the management appinstalled during provisioning, applies policies set in the API to devices:
- When a device or work profile is provisioned, Android Management API assignsit a unique device ID.
- IT admins use an EMM console integrated with Android Management API toconfigure device and app management policies.
- IT admins assign these policies to specific devices or work profiles (i.e.specific device IDs).
- Android Management API sends the policies to the specified device IDs.
- On each device or work profile, Android Device Policy enforces the policiesit receives from Android Management API.
Android Management API and Android Device Policy handle steps 4 and 5automatically, meaning there's no development effort required to communicatepolicy settings to devices.
Manage apps
With the managed Google Play iframe,you can support app discovery, private app publishing, web app publishing, andapp organization into your EMM console with minimal integration effort.
Android Management API handles app distribution through the policy-basedapproach described in the Manage devices. The API supportstwo primary methods of app distribution: adding an app to a device's managedPlay store app or remotely push installing an app to a device.
Next: Develop your solution
