Android is a mobile operating system developed by Google. It is a free and open-source platform that can be customized and modified, enabling a diverse range of features on Android devices.
Android Enterprise is a set of built-in enterprise features available in the standard Android operating system, starting with Android 5.0. It enables organizations to manage enterprise apps and data, typically through an enterprise mobility management console.
These built-in enterprise features are accessible without any additional costs from Google.
For more on Android Enterprise, you can check out the community video guide here.
Android Enterprise offers a variety of features and benefits aimed at increasing efficiency and security for organizations of all sizes.
Organizations and their employees can access a wide range of enterprise features and benefits that include:
- Flexible device setup: Supports different deployment methods such as BYOD (bring your own device), COBO (company-owned, business-only), and COPE (corporate-owned, personally-enabled).
- Work Profiles: Separate work apps and data from personal apps and data.
- Multi-layer, built-in security: Android Enterprise has built-in security features like encryption, secure boot, and verified boot that organizations can use to secure their devices and data.
- Lost or stolen device management: Remotely wipe data or lock lost devices to prevent unauthorized access.
- App distribution: Through Google Play, organizations can remotely manage public and private apps on users' devices.
Devices and solutions that are Android Enterprise Recommended (AER) meet higher enterprise requirements and deliver consistent performance across organizations. Google runs this initiative by establishing best practices and common requirements, which are validated through rigorous testing processes.
AER devices can be found on the Android Enterprise Solutions Directory and are identified by the Android Enterprise Recommended badge.
As long as your Android device is Play Protect certified and running on Android 5.0 or later, it can still use Android Enterprise even if it is not Android Enterprise Recommended. However, Google recommends AER devices as they meet higher enterprise specifications. For example, the table below shows the minimum device specifications for knowledge worker AER devices.
Specification | AER minimum |
---|---|
RAM | 2 GB |
Storage | 32 GB |
Speed | 1.4 GHz |
Battery life | 8+ hours active |
Camera (front/rear) | 2 MP/8 MP |
Architecture | 64-bit |
Android supports multiple options for setting up devices. Support for each setup method below varies by EMM provider. We recommend checking with your EMM provider to verify which device setup methods they support.
- Managed Google Accounts: If your organization uses managed Google accounts, users just need to add their account to the device.
- EMM token: The user inputs a token provided by the EMM during the device's initial configuration process.
- QR code: The user scans a QR code provided by the EMM during the device's initial configuration process.
- NFC: The user bumps a new or factory-reset device with an NFC tag that contains setup details provided by the EMM during the device's initial configuration process.
- Zero-touch enrollment: Registered zero-touch devices check whether an enterprise configuration has been assigned to them and automatically carry out the setup process upon initial boot.
- Management app: A user can download the EMM provider's management app from Google Play.
Read Device setup methods.
Android's enterprise capabilities are categorized into management sets, providing a structured approach to enterprise management.
Android Work Profile is a management set suitable for BYOD (bring your own device) and COPE (company-owned devices enabled for personal use). It allows separation of work apps and data, giving organizations full control of the data, apps, and security policies within a Work Profile. Users maintain privacy control over their personal apps, data, and usage as well.
Organizations can implement a variety of security features through device lock screen restriction, Work Profile lock screen restriction, remote wipe and lock work data, and automatic compliance enforcement.
The other management sets include:
- Full device management: This is suitable for corporate-owned, business-only devices. This option gives you precise control over device data, security, and access to the complete range of app management features offered by Android.
- Dedicated device management: This is suitable for corporate-owned, single-use devices. This option allows you to restrict dedicated devices to a limited number of apps, enabling those devices to perform specific tasks intended for employees or customers.
You can check if your device has a Work Profile by navigating to Settings > Passwords and accounts. If you have a Work Profile, you will see a work tab with Work Profile settings listed underneath. Work Profile settings are also searchable in your device’s main Settings on Android 14.0 or later.
If your organization uses Google Workspace or Cloud Identity, you can set up a Work Profile by adding your managed Google account to the device.
If your organization does not use Google Workspace or Cloud Identity, you can follow these steps to set up a Work Profile:
- Check with your IT admin to find out which EMM solution your organization uses.
- Download the EMM app from Google Play Store.
- Open the EMM app and initiate enrollment.
- Once configured, you can access your work profile from the app drawer or home screen.
No, you can only have one active Work Profile per Android device. However, if your IT admin allows it, you can add another email account to the existing Work Profile.
All validated Android Enterprise EMM providers support the following key device security features for any management sets that they offer:
- Set work profile or device lock screen restrictions
- Wipe and lock work data
- Compliance enforcement
- Disable debugging
- Disable app installs from locations other than Google Play
- Block screen captures
AER EMM providers also support additional advanced features. You can find the full list of standard and advanced features on the Enterprise Solutions Directory.
Note: Some non-AER EMM providers may support some advanced features. We recommend contacting your EMM provider to understand which advanced features they support.
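An added example, not part of the original page or any EMM's own code: a short Python audit that checks whether a policy explicitly enforces the baseline controls listed above. It assumes the EMM exposes policies in the shape of Google's Android Management API Policy resource; the two sample policies are constructed, and remote wipe and lock is left out because it is a command rather than a policy setting.

```python
# Field names follow the Android Management API Policy resource (an assumption:
# the page names no specific EMM). The audit wants every control set explicitly
# instead of relying on whatever the EMM applies by default.

def audit_policy(policy):
    """Return the baseline controls that the policy does not explicitly enforce."""
    findings = []
    overrides = policy.get("advancedSecurityOverrides", {})

    # Lock screen restrictions: at least one password policy with a real quality.
    qualities = [p.get("passwordQuality") for p in policy.get("passwordPolicies", [])]
    if not any(q and q != "PASSWORD_QUALITY_UNSPECIFIED" for q in qualities):
        findings.append("lock screen restrictions")

    # Compliance enforcement: rules that act when a device falls out of policy.
    if not policy.get("policyEnforcementRules"):
        findings.append("compliance enforcement")

    # Debugging: explicitly disabled, and the legacy flag must not re-enable it.
    if (overrides.get("developerSettings") != "DEVELOPER_SETTINGS_DISABLED"
            or policy.get("debuggingFeaturesAllowed") is True):
        findings.append("disable debugging")

    # App installs from locations other than Google Play.
    if (overrides.get("untrustedAppsPolicy") != "DISALLOW_INSTALL"
            or policy.get("installUnknownSourcesAllowed") is True):
        findings.append("disable non-Play installs")

    if policy.get("screenCaptureDisabled") is not True:
        findings.append("block screen captures")
    return findings

# Constructed sample policies (not taken from any real deployment).
HARDENED = {
    "passwordPolicies": [{"passwordScope": "SCOPE_DEVICE",
                          "passwordQuality": "NUMERIC_COMPLEX",
                          "passwordMinimumLength": 6}],
    "policyEnforcementRules": [{"settingName": "passwordPolicies",
                                "blockAction": {"blockAfterDays": 1},
                                "wipeAction": {"wipeAfterDays": 5}}],
    "advancedSecurityOverrides": {"developerSettings": "DEVELOPER_SETTINGS_DISABLED",
                                  "untrustedAppsPolicy": "DISALLOW_INSTALL"},
    "screenCaptureDisabled": True,
}
WEAK = {
    "passwordPolicies": [{"passwordQuality": "PASSWORD_QUALITY_UNSPECIFIED"}],
    "advancedSecurityOverrides": {"developerSettings": "DEVELOPER_SETTINGS_ALLOWED",
                                  "untrustedAppsPolicy": "DISALLOW_INSTALL"},
    "screenCaptureDisabled": True,
}
```

`audit_policy(WEAK)` reports the lock screen, compliance enforcement, and debugging controls as missing, while `audit_policy(HARDENED)` returns an empty list.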
Devices running Android 5.0 or later already have built-in enterprise features. Work Profile is supported on devices with 2GB or more of RAM. Additionally, some Android devices that meet higher enterprise specifications are identified by Google as Android Enterprise Recommended.
The Enterprise Solutions Directory serves as a comprehensive list of devices that are compatible with Android Enterprise, including those in the Enterprise Recommended program. You can use it to ensure that devices in your existing fleet will be able to run Android Enterprise. It also enables you to search for devices with specific features that suit your organization’s needs.
Enterprise mobility management (EMM) solutions help businesses manage, secure, and configure devices within their organization. They offer features such as visualizing device inventory, enforcing security policies, remotely wiping data, and distributing apps.
With EMMs, businesses can ensure the security of every device, safeguarding employee and customer data. EMMs also provide specific functionality to optimize devices for their intended use, resulting in smoother operation and enhanced security.
Android zero-touch enrollment is a streamlined process for provisioning Android devices for enterprise management right from the initial boot.
One of its key benefits is the streamlined deployment method for corporate-owned devices. Corporate-owned devices can be configured remotely, without manually setting up each one. Devices can be configured online and delivered straight to the user with all the necessary security requirements enforced from boot up. This simplifies the process and means that employees can use their devices right out of the box.
Another key benefit of zero-touch is enhanced security, as the device is forced to provision for enterprise management right from initial boot.
OEMConfig is a standard that EMM providers and OEMs (original equipment manufacturers) follow to make custom, OEM-specific management policies available to IT admins. This means customized features are still consistent, making it easier to manage devices across different manufacturers.
On company-owned devices, IT admins have the ability to disable and/or enable enterprise factory reset protection.
To manage enterprise factory reset protection, the IT admin can set a policy to specify which Google accounts can be used to unlock a device that has been locked by FRP. This policy will be enforced even if the reset is performed through the Settings app, preventing unauthorized access.
If the account is still active but you no longer have the credentials, you can try to recover the account.
If you are unable to recover the account or the account was deleted, create a new Google account and contact your EMM to associate the new account with your organization immediately.
After you contact your EMM, they will initiate a request with Google to rebind your new Google account with your organization.
As a best practice, we recommend adding a second owner account. Find more best practices on the Android Enterprise Customer Community.
Organizations using Android devices should migrate from Device Admin API to modern management solutions built on the comprehensive Android Enterprise framework through an EMM provider. The discontinuation of Device Admin API marked the shift towards Android Enterprise as the recommended approach for device management.
We recommend five key steps to successfully migrate to Android Enterprise:
- Analysis: This involves identifying your current setup and policies, creating a device inventory, and developing documentation for your migration strategy.
- Requirements Mapping: Your analysis documentation helps identify feature needs like management modes, identity models, and provisioning methods. It also guides the selection of the supported Android OS level.
- Proof of Concept: Through a proof of concept, you gain insights and mitigate potential risks before migrating to modern management with Android Enterprise.
- Walkthrough & Setup Documentation: Documenting reference points with screenshots allows for smooth execution and ensures consistent setup documentation.
- Deploy: To determine the ideal rollout strategy, consider your environment. An initial test group approach allows you to guide participants through enrollment, push policies and apps, monitor usage, and offer support. You should be able to complete the user documentation through the initial test group.
Read the Android Enterprise Device Admin Deprecation Data Sheet.
Data on Android devices is securely encrypted. A factory reset securely deletes the keys needed to read this data, making it unreadable. New keys are then created for any new data written after the reset.
We are working on a method to allow managed Google Play accounts enterprises that were previously created with Gmail admin accounts to upgrade to managed Google domains. Stay tuned for further announcements in this area in 2025.
It’s highly recommended to use a managed Google domain because of the cross-platform user experience enhancements, additional manageability, and security benefits it provides for your organization. However, if you don’t believe your organization will be able to use a managed Google domain, you can create a managed Google Play accounts enterprise as a fallback option by signing up using a gmail.com address.
While verifying your domain is highly recommended, it is not mandatory for Android Enterprise. However, without domain verification, your organization will not have access to additional features including syncing your directory, single sign-on (SSO), and improved on-device access to Google services. See Verify your domain to unlock features for more details.
With managed Google domains, IT admins can manage a number of Google products for their organization (e.g. Workspace, ChromeOS, Chrome browser) in one consolidated location.
Yes, syncing your identities allows for easy user account creation, seamless access to allowed Google products, and lets employees log into their work devices with their existing credentials. See Sign up for Android management using managed Google domains for more details.