AI-generated Key Takeaways
-
Dedicated device solutions are designed for company-owned devices used for a single purpose and allow IT admins to restrict device usage to a limited set of apps.
-
Key features include various methods for device provisioning such as NFC, QR code, and zero-touch enrollment, as well as robust device security management including security challenges, remote wipe and lock, and compliance enforcement.
-
Account and app management capabilities are provided, including silent app distribution, managed configuration management, and managing private and web apps.
-
The solution offers comprehensive device management features like controlling runtime permissions, configuring Wi-Fi and certificates, and managing factory reset protection.
-
Device usability features encompass customizing provisioning flows, setting lock screen messages, managing system updates, and controlling device features in lock task mode.
The dedicated devicesolution set is designed for company-owned devices that fulfill a single use case such as digital signage, ticket printing, or inventory management. This solution set allows IT admins to further lock down the usage of a device to a single app or small set of apps. IT admins can prevent other apps from starting and prevent other actions performed on the device.
Feature list
| required | optional | advanced | not supported |
1. Device provisioning
Android 6.0+
You can provision a fully managed device using a DPC identifier
("afw#").
Android 6.0+
IT admins can "bump" new or factory-reset devices with the EMMs NFC
provisioning app to provision a device.
Android 7.0+
IT admins can use a new or factory-reset device to scan a QR code generated
by the EMM's console to provision the device.
Android 8.0+ (Pixel: Android 7.1+)
IT admins can preconfigure devices purchased from authorized resellers
and manage them using your EMM console.
1.6. Advanced zero-touch provisioning
Android 8.0+ (Pixel: Android 7.1+)
IT admins can automate much of the device enrollment process by deploying
DPC registration details through zero-touch enrollment.
Android 7.0+
IT admins can use the EMM's console to set up zero-touch devices using the zero-touch iframe.
Android 8.0+
IT admins can enroll dedicated devices without the user being prompted to
authenticate with a Google Account.
2. Device security
Android 5.0+
IT admins can set and enforce a device security challenge
(such as PIN/pattern/password) of a certain type and complexity on managed
devices.
Android 5.0+
IT admins can set up advanced password settings on devices.
2.4. Smart Lock management
Android 6.0+
IT admins can manage what trust agents in Android's Smart Lock feature are permitted to unlock devices.
Android 5.0+
IT admins can use the EMM's console to remotely lock and
wipe work data from a managed device.
Android 5.0+
The EMM restricts access to work data and apps on devices that aren't in compliance with security policies.
Android 5.0+
EMMs must enforce the specified security policies on
devices by default, without requiring IT admins to set up or customize
any settings in the EMM's console.
Android 6.0+
Users cannot escape a locked down dedicated device to allow other actions.
N/A
The EMM uses the SafetyNet Attestation API to ensure devices are valid Android devices.
Android 7.0+
Direct Boot support ensures that the EMM's DPC is active and able
to enforce policy, even if an Android 7.0+ device has not been unlocked.
Android 5.1+
IT admins can lock down hardware elements of a device to ensure
data-loss prevention.
2.13. Enterprise security logging
Android 7.0+
IT admins can gather usage data from devices that can be parsed and
programmatically evaluated for malicious or risky behavior.
3. Account and app management
N/A
IT admins can bind the EMM to their organization, allowing the EMM to
use managed Google Play to distribute apps to devices.
Android 5.0+
The EMM can create and provision managed Google Play device accounts.
N/A
IT admins can silently distribute work apps to devices without
any user interaction.
Android 5.0+
IT admins can view and silently set managed configurations for any app
that supports managed configurations.
3.7. App catalog management
N/A
IT admins can import a list of the apps approved for their
enterprise from managed Google Play (play.google.com/work).
N/A
The EMM's console uses the managed Google Play iframe to support Google
Play's app discovery and approval capabilities
3.11. App license management
N/A
IT admins can view and manage app licenses purchased in the managed
Google Play from the EMM's console.
N/A
IT admins can update Google-hosted private apps through the EMM console
instead of through the Google Play Console.
N/A
IT admins can set up and publish self-hosted private apps.
3.14. EMM pull notifications
N/A
This requirement is not applicable to the Android Management API.
N/A
The EMM implements Google's APIs at scale, avoiding traffic patterns
that could negatively impact enterprises' ability to manage apps in
production environments.
Android 5.0+
The EMM supports managed configurations with up to four levels of nested
settings and can retrieve and display any feedback sent from a Play
app.
Android 5.0+
The EMM can create, update, and delete managed Google Play Accounts on behalf of IT admins.
Android 5.0+
IT Admins can set up a set of development tracks for particular applications.
Android 5.0+
IT Admins can allow apps to be updated immediately or postpone them from being updated for 90 days.
N/A
The EMM can generate provisioning configurations and present these to
the IT admin in a form ready for distribution to end users (such as QR code,
zero-touch configuration, Play Store URL).
N/A
IT admins can upgrade the enterprise binding type to a managed Google
domain enterprise, allowing the organization to access Google Account
services and features on enrolled devices.
N/A
IT admins can upgrade the user account type to a managed Google Account,
allowing the device to access Google Account services and features on
enrolled devices.
4. Device management
Android 6.0+
IT admins can silently set a default response to runtime permission
requests made by work apps.
Android 6.0+
After setting a default runtime permission policy, IT admins can
silently set responses for specific permissions from any work app built on
API 23 or higher.
Android 6.0+
IT admins can silently provision enterprise Wi-Fi configurations on
managed devices.
Android 6.0+
IT admins can provision enterprise Wi-Fi configurations on managed
devices.
Android 6.0+
IT admins can lock down Wi-Fi configurations on managed devices, to
prevent users from creating new configurations or modifying corporate
configurations.
Android 5.0+
IT admins can ensure that unauthorized corporate accounts can't
interact with corporate data for services such as SaaS storage and
productivity apps, or email.
Android 5.0+
Allows IT admins to deploy identity certificates and certificate
authorities to devices to allow access to corporate resources.
Android 7.0+
Allows IT admins to silently select the certificates that specific
managed apps should use.
Android 6.0+
IT admins can distribute a third-party certificate management app to
devices and grant that app privileged access to install certificates into
the managed keystore.
Android 7.0+
Allows IT admins to specify an Always On VPN to ensure that data from
specified managed apps will go through a set-up VPN.
Android 5.0+
IT admins can manage what accessibility services are allowed on devices.
Android 5.0+
IT admins can manage what accessibility services are allowed on devices.
Android 5.0+
IT admins can enforce a given Location Sharing setting on a managed
device.
Android 5.1+
Allows IT admins to protect company-owned devices from theft by
ensuring unauthorized individuals can't factory reset devices.
Android 5.0+
IT admins can prevent the user from uninstalling or otherwise modifying
managed apps through Settings.
Android 5.0+
IT admins can block users from taking screenshots when using managed
apps.
4.22. Advanced network statistics collection
Android 6.0+
IT admins can query network usage statistics for an entire managed
device.
Android 7.0+
Gives IT admins granular management of system network radios and
associated usage policies.
Android 5.0+
IT admins can manage device clock and time zone settings, and prevent
modifying automatic device settings.
Android 6.0+
Provides IT admins with the ability to manage more granular features of
dedicated devices to support various kiosk use cases.
Android 8.0+
IT admins are able to delegate extra privileges to individual packages.
Android 14.0+
IT admins can manage which credential manager applications are allowed or
blocked using the credential provider policy default
or the credential provider policy
.
Android 15.0+
Allows IT admins to provision a device with an eSIM profile and manage
its lifecycle on the device.
5. Device usability
Android 7.0+
IT admins can modify the default managed provisioning flow UX to
include enterprise-specific features.
Android 7.0+
IT admins can set a custom message that's displayed on the device
lock screen, and does not require device unlock to be viewed.
Android 7.0+
IT admins can customize the help text provided to users when they
attempt to modify managed settings on their device, or deploy an
EMM-supplied generic support message.
Android 6.0+
IT admins can set up and apply over-the-air (OTA) system updates for
devices.
Android 6.0+
IT admins can lock an app or set of apps to the screen, and ensure that
the app can't be exited.
Android 5.0+
Allows IT admins to set an app as the default intent handler for intents that match a certain intent filter.
Android 5.0+
IT admins can manage advanced device keyguard (lock screen)
features.
5.13. Remote debugging
Android 7.0+
IT admins can retrieve debugging resources from devices without
requiring extra steps.
Android 7.0+
EMMs can silently fetch a device's MAC address, to be used to identify
devices in other parts of the enterprise infrastructure.
Android 9.0+
With a dedicated device, IT admins can use the
EMM's console to turn on and turn off the home button, notifications, and
other features.
Android 9.0+
IT admins can block system updates on a device for a specified freeze
period.
6. Device admin deprecation
Android 5.0+
EMMs are required to post a plan by the end of 2022 ending customer support for Device Admin
on GMS devices by the end of Q1 2023.
7. API usage
Android 5.0+
By default devices must be managed using Android Device Policy for any
new bindings. EMMs may provide the option to manage devices using a custom
DPC in a settings area under a heading 'Advanced' or similar terminology.
New customers must not be exposed to an arbitrary choice between technology
stacks during any onboarding or setup workflows.
Android 5.0+
By default devices must be managed using Android Device Policy for all
new device enrollments, for both existing and new bindings. EMMs may provide
the option to manage devices using a custom DPC in a settings area under a
heading 'Advanced' or similar terminology.
