Android Enterprise Mobile Device Management

Android Enterprise (previously known as Android for Work) was introduced in Android 5.0 to make Android devices ready for enterprise use by integrating with mobile device management solutions. Employees who have previously used Android devices personally face virtually no learning curve, as they are working on an OS they already know. Android Enterprise device management provides mobile device management solutions with an extensive set of features that improve both productivity and security in the enterprise.

Let’s look at the various features provided by Android Enterprise device management across various stages of mobile device management:

    • Simple on-boarding

Android Enterprise management provides various methods to enroll devices in bulk without any user intervention and with minimal admin action. These enrollment methods enable quicker onboarding and faster deployment to the production environment.

      • Zero-touch Enrollment

This enrollment method is ideal when the devices are corporate-owned, as it supports large-scale, bulk deployment of devices with minimal admin/user intervention. All that is needed is a one-time setup in which you add the details of the devices to be enrolled to the Zero Touch portal; the devices then get enrolled out of the box on activation. You can also automate the process of adding devices by providing reseller details on the portal. This ensures that any device purchased from the reseller is automatically added to the portal, providing a completely automated enrollment experience. Zero-touch enrollment is supported for specific devices purchased from specific resellers.

      • EMM token Enrollment

This enrollment method is ideal if the devices are already in the hands of the users. It also requires minimal admin intervention, as the enrollment is carried out by the users. All the admin needs to do is share the EMM token and a QR code. The DPC token is provided by Google to uniquely identify the MDM solution, while the QR code is used to identify the server. This method can be used as an alternative to Zero-touch enrollment because, unlike Zero-touch enrollment, EMM token enrollment can be used to enroll any device running Android 6.0 or later for Android Enterprise management.

Enrolling a device via EMM Token or Zero-touch provisions it as a work-managed device (previously known as Device Owner), which implies complete Android Enterprise management: the entire device can be managed by the enterprise. This is ideal for corporate devices. MDM also supports multiple methods of provisioning devices as Device Owner.

Employee-owned devices can be enrolled via Invite or Self Enrollment, which provisions them with a managed work profile (previously known as Profile Owner). This is ideal for BYOD/employee-owned devices. Work Profile separates the corporate data from the personal data on the device via containerization. A logical container is created on the employee-owned device, which acts as the corporate workspace over which the enterprise has complete control (hence the name Profile Owner). While the enterprise has complete control over the corporate workspace, it has zero control over the personal space, thereby maintaining data privacy. The logical container essentially sandboxes the corporate data, preventing unauthorized data access/sharing. An enterprise version and a personal version of the same app can run side by side (with the enterprise version indicated by a red or blue briefcase), and no data sharing is possible between them even though both versions co-exist on the same device.

    • Efficient policy deployment

In addition to quick and easy onboarding, one major benefit of setting up Android Enterprise management is the extensive support for policies and for additional restrictions within policies. There is support for additional policies such as Kiosk and Enterprise Factory Reset Protection, and for additional restrictions such as disabling the microphone, camera, and clipboard sharing, ensuring devices adhere to the organization’s security and compliance standards. Similarly, with Android Enterprise management, you can also configure a dedicated passcode only for the container, further bolstering security.

    • Comprehensive management of corporate apps

Managing apps is one of the most common tasks for an IT admin. From installation to update to deletion, the entire lifecycle of apps, be it store or enterprise apps, needs to be handled by the organization, and Android Enterprise MDM lets you perform these tasks with ease.

For silent app installation/update/deletion, integrating Android Enterprise (formerly known as Play for Work) with MDM ensures you can install apps without requiring Play Store to be configured. Google automatically creates arbitrary Google accounts with which the apps are associated, so you need not create individual accounts for each user/device or even configure Play Store. Once distributed from MDM, both store and enterprise apps can be installed automatically without any user intervention. Similarly, the apps can be updated/deleted without any user intervention.

The advantage of Android Enterprise MDM is that it lets you build your own enterprise-approved app catalog containing both store and enterprise apps approved by the organization, while preventing users from installing other apps. It also lets you customize the Play Store layout, making it easier for employees to use.

On personal devices, provisioning as Profile Owner creates two versions of the Play Store: one is configured with the arbitrary Google account and offers only enterprise-approved apps, while the other is the personal Play Store configured with the device user’s personal account. It is the enterprise version of the Play Store that exists within the container, thereby ensuring that no unapproved apps can be installed within the container and that there can be no unauthorized data sharing between the two versions of an app or with other apps.

    • Security Policies for enhanced data and device security

To ensure data security, encryption is enabled on devices running Android 7.0 and above, while for devices running Android 4.0 and above, encryption can be enabled using Mobile Device Manager Plus. On Samsung devices, Mobile Device Manager Plus supports encryption for both the SD card and device storage.

In addition to mandating encryption on devices, MDM supports various other security policies to ensure data and device security. Some of the major security policies supported are:


With Android Enterprise management, Google also devised solution sets for MDM solutions:

      • Work profile management: This management set contains the features an MDM solution must support in order to manage personal devices/BYOD by isolating personal and corporate data.
      • Mobile Application Management (MAM): This set contains the features an MDM solution must support to leverage Android’s complete app management capabilities.
      • Dedicated device management: This set contains features that can transform a corporate device into a single-purpose/purpose-built device. It is ideal for a COSU environment.
      • Full device management: This set, as the name suggests, ensures the enterprise has complete and granular control over the device. It is ideal for a COBO environment.

ManageEngine Mobile Device Manager Plus is one of the only two solutions to support all four of these management sets under Android Enterprise MDM.