Learn the fundamentals of Android Enterprise, including how to enroll an Android device into Workspace ONE UEM and manage enrolled devices by configuring restrictions and pushing apps. Learn how Android Enterprise and Workspace ONE UEM secure your Android devices by using modern device management APIs.
1. What is Android Enterprise?
Android Enterprise debuted with Android 5.0 Lollipop in 2014 as an optional solution that manufacturers could add to their OS images in order to integrate a common set of device management and Enterprise Mobility Management (EMM) APIs. From Android 6.0 Marshmallow it was no longer optional, and it has since been a mandatory component for all Google Mobile Services (GMS) certified manufacturers.
2. What does Android Enterprise Offer?
Android Enterprise offers a wide variety of rich features that cover numerous device management scenarios:
- A rich Enterprise Mobility Management (EMM) experience. This allows device administrators to send configurations, applications, and policies down to any Android Enterprise (AE) device, providing a secure method of managing devices and corporate data no matter where your devices are.
- Work Profile mode for BYOD (Bring Your Own Device) scenarios, which gives a device a work container that is kept separate from the user's personal apps and data.
- Work-Managed mode (previously called device owner), which provides corporations a larger suite of options for securing corporate owned devices that are not intended for personal use.
- Corporately Owned, Single Use (COSU) mode, which provides corporations with a kiosk-like experience. The Work-Managed device is locked down in a Kiosk-like state, granting access to a few applications or resources instead of the entire underlying device operating system.
- Corporate Owned, Personally Enabled (COPE) joins the Work Profile and Work-Managed modes to provide a fully managed device with personal space.
- Zero-Touch Enrollment for out-of-the-box Android 8.0 and higher devices, providing a streamlined enrollment experience for end users.
- A corporate-managed Managed Google Play portal, allowing administrators to explicitly approve applications to an application store that can be accessed by end users.
- Silent Application Installation without requiring a user provided Google account on the device.
- App Configuration, enabling device administrators to deploy key-value pairs to managed applications to modify the end user experience.
- Mandatory Device Encryption to ensure that your corporate resources are secured and protected on the device.
3. Understanding Device Management Scenarios
The above graphic shows the big picture differences between various device management scenarios.
Bring Your Own Device (BYOD):
- Commonly used where employees or end users have their own personal devices that need access to corporate resources.
- To avoid managing the end user's personal data or apps, a Work Profile can be deployed to keep the corporate apps and data separate from their personal apps and data.
- This grants device administrators the ability to securely control access to corporate resources from a personal device without managing the full personal device.
Work-Managed:
- Commonly used where corporations own devices that are given to employees or end users to fulfill their role or task.
- Work-Managed mode allows for the entire device to be managed and controlled, allowing for a wider range of configurations.
- Work-Managed mode does not provide an un-managed personal space and should only be used for corporate owned devices.
Corporate Owned Single Use (COSU):
- Commonly used where corporations own devices that are used as Kiosks or have Kiosk-like applications running on them.
- Corporate Owned Single Use leverages Work-Managed mode to manage the entire device, but does not grant the end user access to the full underlying device operating system.
Corporate Owned, Personally Enabled (COPE):
- Commonly used where corporations own devices that are given to employees or end users that permits some level of personal usage while still being corporately controlled.
- Corporate Owned, Personally Enabled leverages a Work-Managed personal space for varying amounts of personal usage while employing a Work Profile to control corporate resources, data, and apps.
- This joins the ideas of Work Profile and Work-Managed modes into a single device.
4. Different Enrollment Methods
In addition to providing different device management scenarios, there are also multiple ways in which devices can be enrolled into Android Enterprise.
4.1. Near-Field Communication (NFC) Enrollment
With the Near-Field Communication (NFC) bump method, an NFC programmer app is set up on a designated programmer device. Subsequent devices are "bumped" against the programmer device to pass the necessary initial policies (such as Wi-Fi, device configurations, etc.) to the bumped device via NFC.
The process varies slightly in terms of the pre-applied settings, which agent is downloaded in order to enroll the device on the relevant platform, and so on. Workspace ONE UEM additionally allows a named account to be configured so that the device enrolls directly against it.
4.2. Hashtag (#) Enrollment or Device Policy Controller (DPC) Identifier Enrollment
This method was introduced in Android 6.0 Marshmallow. When prompted to add or create an account on a freshly wiped (or straight out of the box) device, rather than entering a Google account, the administrator types in afw#hub; the device then downloads the Workspace ONE Intelligent Hub app and begins the enrollment process with the correct configurations.
4.3. QR Enrollment
By tapping Welcome 6 times when the device boots into the setup wizard, the device prompts to connect to Wi-Fi and starts QR enrollment.
In Android 9.0 P, the QR package is bundled into the system and therefore does not require a download. This provides faster provisioning, since the device no longer needs to connect to the internet to download the QR package, and adds the ability to include Wi-Fi credentials in the QR code.
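As an added example (not part of the original tutorial and not Workspace ONE UEM's own tooling), the script below builds and sanity-checks the JSON payload that a QR enrollment code carries, using the provisioning extras Android defines for its setup wizard. The component name, download URL, certificate bytes and Wi-Fi values used in the checks are constructed placeholders, not the real Intelligent Hub identifiers.

```python
import base64
import hashlib
import json

# Extra keys defined by Android's DevicePolicyManager for QR-code provisioning.
ADMIN_COMPONENT = "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
ADMIN_DOWNLOAD = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
ADMIN_SIG_CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM"
WIFI_SSID = "android.app.extra.PROVISIONING_WIFI_SSID"
WIFI_PASSWORD = "android.app.extra.PROVISIONING_WIFI_PASSWORD"
WIFI_SECURITY = "android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE"

def signature_checksum(signing_cert_der: bytes) -> str:
    """SHA-256 of the DPC's signing certificate as URL-safe base64 without padding."""
    digest = hashlib.sha256(signing_cert_der).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")

def build_qr_payload(component, download_url, signing_cert_der, wifi=None) -> str:
    """Serialise the JSON that is encoded into the provisioning QR code."""
    payload = {
        ADMIN_COMPONENT: component,                 # "package/AdminReceiverClass"
        ADMIN_DOWNLOAD: download_url,               # where the device fetches the DPC
        ADMIN_SIG_CHECKSUM: signature_checksum(signing_cert_der),  # pins the DPC
    }
    if wifi:  # (ssid, password): joined before the DPC download (Android 9+ feature)
        payload[WIFI_SSID], payload[WIFI_PASSWORD] = wifi
        payload[WIFI_SECURITY] = "WPA"
    return json.dumps(payload)

def validate_qr_payload(raw: str) -> list:
    """Pre-flight checks an admin can run before printing the QR code."""
    findings, data = [], json.loads(raw)
    for key in (ADMIN_COMPONENT, ADMIN_DOWNLOAD, ADMIN_SIG_CHECKSUM):
        if key not in data:
            findings.append(f"error: missing {key}")
    if "/" not in data.get(ADMIN_COMPONENT, "/"):
        findings.append("error: component must be package/receiver-class")
    if not data.get(ADMIN_DOWNLOAD, "https://").startswith("https://"):
        findings.append("warn: download location is not HTTPS")
    if ADMIN_SIG_CHECKSUM in data:
        checksum = data[ADMIN_SIG_CHECKSUM]
        try:  # binascii.Error is a ValueError subclass
            digest = base64.urlsafe_b64decode(checksum + "=" * (-len(checksum) % 4))
        except ValueError:
            digest = b""
        if len(digest) != 32:
            findings.append("error: signature checksum is not a base64url SHA-256 digest")
    if WIFI_PASSWORD in data:
        findings.append("warn: payload embeds a Wi-Fi password; treat the QR image as a credential")
    return findings
```

Because the checksum is what ties the freshly provisioned device to a specific DPC signing key, it is the value to verify most carefully before a QR code is distributed.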
4.4. Zero-Touch Enrollment
Devices are purchased through authorized resellers and assigned to Workspace ONE UEM; later, when the end user first takes the device out of the box, it is ready to enroll as a Work-Managed device straight away. With Zero-Touch enrollment, administrators can send enrolled and configured devices directly to end users, who then authenticate on them.