Fully managed device

The fully managed device solution set is intended for company-owned devices. Fully managed features give IT admins management of an extended range of device settings and extra policy controls not available in the work profile on personally-owned device.

Feature list

Legend: required, optional, advanced, not supported


1. Device provisioning

Android 6.0+
You can provision a fully managed device using a DPC identifier ("afw#").
Android 6.0+
IT admins can "bump" new or factory-reset devices with the EMM's NFC provisioning app to provision a device.
Android 7.0+
IT admins can use a new or factory-reset device to scan a QR code generated by the EMM's console to provision the device.
Android 8.0+ (Pixel: Android 7.1+)
IT admins can preconfigure devices purchased from authorized resellers and manage them using your EMM console.
1.6. Advanced zero-touch provisioning
Android 8.0+ (Pixel: Android 7.1+)
IT admins can automate much of the device enrollment process by deploying DPC registration details through zero-touch enrollment.
1.8. Google Account device provisioning
Android 5.0+
For enterprises using Workspace, this feature guides users through the installation of their EMM's DPC after entering corporate Workspace credentials during device setup.
Android 7.0+
IT admins can use the EMM's console to set up zero-touch devices using the zero-touch iframe.

2. Device security

Android 5.0+
IT admins can set and enforce a device security challenge (such as PIN/pattern/password) of a certain type and complexity on managed devices.
Android 5.0+
IT admins can set up advanced password settings on devices.
2.4. Smart Lock management
Android 6.0+
IT admins can manage which trust agents in Android's Smart Lock feature are permitted to unlock devices.
Android 5.0+
IT admins can use the EMM's console to remotely lock and wipe work data from a managed device.
Android 5.0+
The EMM restricts access to work data and apps on devices that aren't in compliance with security policies.
Android 5.0+
EMMs must enforce the specified security policies on devices by default, without requiring IT admins to set up or customize any settings in the EMM's console.
N/A
The EMM uses the SafetyNet Attestation API to ensure devices are valid Android devices.
Android 5.0+
IT admins can turn on Verify Apps on devices.
Android 7.0+
Direct Boot support ensures that the EMM's DPC is active and able to enforce policy, even if an Android 7.0+ device has not been unlocked.
Android 5.1+
IT admins can lock down hardware elements of a device to ensure data-loss prevention.
2.13. Enterprise security logging
Android 7.0+
IT admins can gather usage data from devices that can be parsed and programmatically evaluated for malicious or risky behavior.
N/A
IT admins can bind the EMM to their organization, allowing the EMM to use managed Google Play to distribute apps to devices.
Android 5.0+
The EMM can silently provision enterprise user accounts, called managed Google Play Accounts.
N/A
IT admins can silently distribute work apps to devices without any user interaction.
Android 5.0+
IT admins can view and silently set managed configurations for any app that supports managed configurations.
3.7. App catalog management
N/A
IT admins can import a list of the apps approved for their enterprise from managed Google Play (play.google.com/work).
N/A
The EMM's console uses the managed Google Play iframe to support Google Play's app discovery and approval capabilities.
N/A
The managed Google Play Store app can be used on devices to install and update work apps.
3.10. Advanced store layout configuration
N/A
IT admins can customize the store layout seen in the managed Google Play Store app on devices.
3.11. App license management
N/A
IT admins can view and manage app licenses purchased in the managed Google Play from the EMM's console.
N/A
IT admins can update Google-hosted private apps through the EMM console instead of through the Google Play Console.
N/A
IT admins can set up and publish self-hosted private apps.
3.14. EMM pull notifications
N/A
This requirement is not applicable to the Android Management API.
N/A
The EMM implements Google's APIs at scale, avoiding traffic patterns that could negatively impact enterprises' ability to manage apps in production environments.
Android 5.0+
The EMM supports managed configurations with up to four levels of nested settings and can retrieve and display any feedback sent from a Play app.
N/A
IT admins can create and distribute web apps in the EMM console.
Android 5.0+
The EMM can create, update, and delete managed Google Play Accounts on behalf of IT admins.
Android 5.0+
IT admins can configure a set of development tracks for particular applications.
Android 5.0+
IT admins can allow apps to be updated immediately or postpone them from being updated for 90 days.
N/A
The EMM can generate provisioning configurations and present these to the IT admin in a form ready for distribution to end users (such as QR code, zero-touch configuration, Play Store URL).
N/A
IT admins can upgrade the enterprise binding type to a managed Google domain enterprise, allowing the organization to access Google Account services and features on enrolled devices.
N/A
The EMM can provision devices with managed Google Accounts to identify users, control apps, and manage access to Google services.
N/A
IT admins can upgrade the user account type to a managed Google Account, allowing the device to access Google Account services and features on enrolled devices.

4. Device management

Android 6.0+
IT admins can silently set a default response to runtime permission requests made by work apps.
Android 6.0+
After setting a default runtime permission policy, IT admins can silently set responses for specific permissions from any work app built on API 23 or higher.
Android 6.0+
IT admins can silently provision enterprise Wi-Fi configurations on managed devices.
Android 6.0+
IT admins can provision enterprise Wi-Fi configurations on managed devices.
Android 6.0+
IT admins can lock down Wi-Fi configurations on managed devices, to prevent users from creating new configurations or modifying corporate configurations.
Android 5.0+
IT admins can ensure that unauthorized corporate accounts can't interact with corporate data for services such as SaaS storage and productivity apps, or email.
Android 5.0+
This feature is deprecated. See 3.23. for replacement requirements.
Android 5.0+
Allows IT admins to deploy identity certificates and certificate authorities to devices to allow access to corporate resources.
Android 7.0+
Allows IT admins to silently select the certificates that specific managed apps should use.
Android 6.0+
IT admins can distribute a third-party certificate management app to devices and grant that app privileged access to install certificates into the managed keystore.
Android 7.0+
Allows IT admins to specify an Always On VPN to ensure that data from specified managed apps will go through a set-up VPN.
Android 5.0+
IT admins can manage what input methods (IMEs) are allowed on devices.
Android 5.0+
IT admins can manage what accessibility services are allowed on devices.
Android 5.0+
IT admins can enforce a given Location Sharing setting on a managed device.
Android 5.1+
Allows IT admins to protect company-owned devices from theft by ensuring unauthorized individuals can't factory reset devices.
Android 5.0+
IT admins can prevent the user from uninstalling or otherwise modifying managed apps through Settings.
Android 5.0+
IT admins can block users from taking screenshots when using managed apps.
Android 5.0+
IT admins can turn off use of device cameras by managed apps.
4.22. Advanced network statistics collection
Android 6.0+
IT admins can query network usage statistics for an entire managed device.
Android 7.0+
IT admins can remotely restart managed devices.
Android 7.0+
Gives IT admins granular management of system network radios and associated usage policies.
Android 5.0+
IT admins can silently manage device audio features.
Android 5.0+
IT admins can manage device clock and time zone settings, and prevent modifying automatic device settings.
Android 8.0+
IT admins are able to delegate extra privileges to individual packages.
Android 14.0+
IT admins can manage which credential manager applications are allowed or blocked using the credential provider policy default or the credential provider policy.
Android 15.0+
Allows IT admins to provision a device with an eSIM profile and manage its lifecycle on the device.

5. Device usability

Android 7.0+
IT admins can modify the default managed provisioning flow UX to include enterprise-specific features.
5.3. Advanced enterprise customization
Android 7.0+
IT admins can customize managed devices with corporate branding.
Android 7.0+
IT admins can set a custom message that's displayed on the device lock screen, and does not require device unlock to be viewed.
Android 7.0+
IT admins can customize the help text provided to users when they attempt to modify managed settings on their device, or deploy an EMM-supplied generic support message.
Android 6.0+
IT admins can set up and apply over-the-air (OTA) system updates for devices.
Android 5.0+
Allows IT admins to set an app as the default intent handler for intents that match a certain intent filter.
Android 5.0+
IT admins can control advanced device keyguard (lock screen) features.
5.13. Remote debugging
Android 7.0+
IT admins can retrieve debugging resources from devices without requiring extra steps.
Android 7.0+
EMMs can silently fetch a device's MAC address, to be used to identify devices in other parts of the enterprise infrastructure.

6. Device admin deprecation

Android 5.0+
EMMs are required to post a plan by the end of 2021 to end customer support for Device Admin on GMS devices by the end of 2022.

7. API usage

Android 5.0+
By default, devices must be managed using Android Device Policy for any new bindings. EMMs may provide the option to manage devices using a custom DPC in a settings area under a heading 'Advanced' or similar terminology. New customers must not be exposed to an arbitrary choice between technology stacks during any onboarding or setup workflows.
Android 5.0+
By default, devices must be managed using Android Device Policy for all new device enrollments, for both existing and new bindings. EMMs may provide the option to manage devices using a custom DPC in a settings area under a heading 'Advanced' or similar terminology.