Page Summary
-
Work profiles on company-owned devices keep corporate apps, data, and management policies separate from personal use on the same device.
-
This solution set is distinct from work profiles on personally-owned devices.
-
The feature list details various aspects of device provisioning, security, account and app management, device management, and device usability.
The work profile on company-owned devicesolution set is intended for company-owned devices for work and personal use . Corporate apps, data, and management policies are restricted to the work profile. With a work profile, the same device can be used securely and privately for work and personal purposes.
Feature list
| required | optional | advanced | not supported |
1. Device provisioning
Android 5.1+
You can provision a work profile after downloading the EMM's DPC from
Google Play.
Android 12.0+
Entering ("afw") in the device's setup wizard provisions a fully managed
or dedicated device.
Android 12.0+
NFC tags can be used by IT admins to provision new or factory-reset
devices according to the implementation guidelines defined in the Play EMM API developer documentation.
Android 7.0+
The EMM's console can generate a QR code that IT admins can scan to
provision a fully-managed or dedicated device, according to implementation
guidelines defined in the Android Management API developer documentation.
Android 8.0+ (Pixel: Android 7.1+)
IT admins can preconfigure devices purchased from authorized resellers
and manage them using your EMM console.
1.6. Advanced zero-touch provisioning
Android 8.0+ (Pixel: Android 7.1+)
IT admins can automate much of the device enrollment process by
deploying DPC registration details through zero-touch enrollment.
1.7 Google Account work profile provisioning
Android 5.0+
For enterprises that use a managed Google domain, this feature guides
users through the setup of a work profile after entering their corporate
Workspace credentials during device setup or on a device that is already
activated. In both cases, the corporate Workspace identity will be migrated
into the work profile.
Android 5.0+
The Android Management API doesn't support this feature.
Android 7.0+
IT admins can use the EMM's console to set up zero-touch devices using the zero-touch iframe.
Android 8.0+
EMMs can enroll company-owned devices that have a work profile.
2. Device security
Android 5.0+
IT admins can set and enforce a device security challenge
(such as PIN/pattern/password) of a certain type and complexity on managed
devices.
Android 7.0+
IT admins can set and enforce a security challenge for
apps and data in the work profile that is separate and has different
requirements from the device security challenge.
Android 5.0+
IT admins can set up advanced password settings on devices.
2.4. Smart Lock management
Android 6.0+
IT admins can manage what trust agents in Android's Smart Lock feature are permitted to unlock devices.
Android 5.0+
IT admins can use the EMM's console to remotely lock and
wipe work data from a managed device.
Android 5.0+
The EMM restricts use of work data and apps on devices that aren't
in compliance with security policies.
Android 5.0+
EMMs must enforce the specified security policies on
devices by default, without requiring IT admins to set up or customize
any settings in the EMM's console.
N/A
The EMM uses the SafetyNet Attestation API to ensure devices are valid Android devices.
Android 7.0+
Direct Boot support ensures that the EMM's DPC is active and able
to enforce policy, even if an Android 7.0+ device has not been unlocked.
Android 5.1+
IT admins can lock down hardware elements of a device to ensure
data-loss prevention.
3. Account and app management
N/A
IT admins can bind the EMM to their organization, allowing the EMM to
use managed Google Play to distribute apps to devices.
Android 5.0+
The EMM can silently provision enterprise user accounts, called
managed Google Play Accounts.
N/A
IT admins can silently distribute work apps to devices without
any user interaction.
Android 5.0+
IT admins can view and silently set managed configurations for any app
that supports managed configurations.
3.7. App catalog management
N/A
IT admins can import a list of apps approved for their
enterprise from managed Google Play (play.google.com/work).
N/A
The EMM's console uses the managed Google Play iframe to support Google
Play's app discovery and approval capabilities
N/A
The managed Google Play Store app can be used on devices to install
and update work apps.
3.10. Advanced store layout configuration
N/A
IT admins can customize the store layout seen in the managed
Google Play Store app on their devices.
3.11. App license management
N/A
IT admins can view and manage app licenses purchased in the managed
Google Play from the EMM's console.
N/A
IT admins can update Google-hosted private apps through the EMM console
instead of through the Google Play Console.
N/A
IT admins can set up and publish self-hosted private apps.
3.14. EMM pull notifications
N/A
The EMM uses pull notifications to receive Play event notifications
in real-time
N/A
The EMM implements Google's APIs at scale, avoiding traffic patterns
that could negatively impact enterprises' ability to manage apps in
production environments.
Android 5.0+
The EMM supports managed configurations with up to four levels of nested
settings and can retrieve and display any feedback sent from a Play
app.
Android 5.0+
The EMM can create, update, and delete managed Google Play Accounts on
behalf of IT admins.
Android 5.0+
IT Admins can set up a set of development tracks for particular
applications.
Android 5.0+
IT Admins can allow apps to be updated immediately or postpone them from
being updated for 90 days.
N/A
The EMM can generate provisioning configurations and present these to
the IT admin in a form ready for distribution to end users (such as QR code,
zero-touch configuration, Play Store URL).
N/A
IT admins can upgrade the enterprise binding type to a managed Google
domain enterprise, allowing the organization to access Google Account
services and features on enrolled devices.
N/A
The EMM can provision devices with managed Google Accounts to identify
users, control apps, and manage access to Google services.
N/A
IT admins can upgrade the user account type to a managed Google Account,
allowing the device to access Google Account services and features on
enrolled devices.
4. Device management
Android 6.0+
IT admins can silently set a default response to runtime permission
requests made by work apps.
Android 6.0+
After setting a default runtime permission policy, IT admins can
silently set responses for specific permissions from any work app built on
API 23 or higher.
Android 6.0+
IT admins can silently provision enterprise Wi-Fi configurations on managed devices.
Android 6.0+
IT admins can provision enterprise Wi-Fi configurations on managed devices.
Android 6.0+
IT admins can lock down Wi-Fi configurations on managed devices, to
prevent users from creating configurations or modifying corporate
configurations.
Android 5.0+
IT admins can ensure that unauthorized corporate accounts can't
interact with corporate data for services such as SaaS storage and
productivity apps, or email.
Android 5.0+
Android 5.0+
Allows IT admins to deploy identity certificates and certificate
authorities to devices to allow access to corporate resources.
Android 7.0+
Allows IT admins to silently select the certificates that specific
managed apps should use.
Android 6.0+
IT admins can distribute a third-party certificate management app to
devices and grant that app privileged access to install certificates into
the managed keystore.
Android 7.0+
Allows IT admins to specify an Always On VPN to ensure that data from
specified managed apps will go through a set-up VPN.
Android 5.0+
IT admins can manage what input methods (IMEs) are allowed on devices.
Android 5.0+
IT admins can manage what accessibility services are allowed on devices.
Android 5.0+
IT admins can prevent sharing location data with apps in the work
profile.
Android 5.1+
Allows IT admins to protect company-owned devices from theft by
ensuring unauthorized individuals can't factory reset devices.
Android 5.0+
IT admins can block users from taking screenshots when using managed
apps.
4.21. Network statistics collection
Android 6.0+
IT admins can query network usage statistics from a device's work profile.
Android 7.0+
Provides IT admins with granular management over system network radios
and associated use policies using policy.
Android 11.0+
IT admins can manage device clock and time zone settings, and prevent
users from modifying automatic device settings.
Android 8.0+
IT admins are able to delegate extra privileges to individual packages.
Android 12.0+
IT admins can set an enrollment-specific ID that persists through factory resets for a work profile.
Android 14.0+
IT admins can manage which credential manager applications are allowed or
blocked using the credential provider policy default
or the credential provider policy
.
Android 15.0+
Allows IT admins to provision a device with an eSIM profile and manage
its lifecycle on the device.
5. Device usability
Android 7.0+
IT admins can modify the default setup flow UX to include enterprise-specific features.
5.2. Enterprise customization
Android 7.0+
IT admins can customize aspects of the work profile with corporate
branding, for example by setting the work profile user icon to the
corporate logo, or setting up the background color of the work
challenge.
Android 7.0+
IT admins can set a custom message that's always displayed on the device
lock screen, and does not require device unlock to be viewed.
Android 7.0+
IT admins can customize the help text provided to users when they
attempt to modify managed settings on their device, or deploy an
EMM-supplied generic support message. Both short and long support messages
can be customized, and are displayed in instances such as attempting to
uninstall a managed app for which an IT admin has already blocked
uninstallation.
5.6. Cross-profile contact management
Android 7.0+
IT admins can manage what contact data can leave the work profile.
5.7. Cross-profile data management
Android 6.0+
Grants IT admins control over what data can leave the work profile, beyond the default security features of the work profile.
Android 6.0+
It admins can set up and apply over-the-air (OTA) system updates to
devices.
Android 5.0+
Allows IT admins to set an app as the default intent handler for intents that match a certain intent filter.
Android 7.0+
IT admins can manage the features available before unlocking
the device keyguard (lock screen) and the work challenge keyguard
(lock screen).
Android 5.0+
IT admins can manage advanced device keyguard (lock screen)
features.
Android 7.0+
EMMs can silently fetch a device's MAC address, to be used to identify
devices in other parts of the enterprise infrastructure (for example when
identifying devices for network access control).
Android 9.0+
IT admins can customize the message displayed when removing the
work profile from a device.
Android 9.0+
IT admins can set a list of packages that can communicate across the work profile boundary.
6. Device admin deprecation
Android 5.0+
EMMs are required to post a plan by the end of 2022 ending customer support for Device Admin
on GMS devices by the end of Q1 2023.
7. API usage
Android 5.0+
By default devices must be managed using Android Device Policy for any
new bindings. EMMs may provide the option to manage devices using a custom
DPC in a settings area under a heading 'Advanced' or similar terminology.
New customers must not be exposed to an arbitrary choice between technology
stacks during any onboarding or setup workflows.
Android 5.0+
By default devices must be managed using Android Device Policy for all
new device enrollments, for both existing and new bindings. EMMs may provide
the option to manage devices using a custom DPC in a settings area under a
heading 'Advanced' or similar terminology.
