Android Enterprise
Android Enterprise, is the feature developed by Google to make Android devices(running 5.0 or later versions) corporate-ready. Android Enterprise provides several features and configurations, which secure the device and make the device cater to the needs of an organization.
Some of the features supported by Android Enterprise are mentioned below:
- Host your enterprise apps in Playstore
- Install apps(both Play Store and enterprise apps) silently without user intervention as explained here.
- Manage license of paid apps.
- Modify app-specific configurations and permissions.
- Customize Play Store.
- Enhance data security using Android Enterprise restrictions and configurations.
- A significant advantage in silent installation of apps is that, for devices provisioned as Device Owner, Profile Owner, and for Samsung devices, the users cannot uninstall these silently installed apps from the managed devices.
- Additional users can be added on Android devices provisioned as Profile Owner. Android restricts this option for devices provisioned as Device Owner.
- To provision Samsung devices as Device Owner, internet connectivity is required, and the port 443 must be open. If not, the device can only be provisioned as Profile Owner.
In case of Android Enterprise, it is recommended to provision personal devices as Profile Owner and corporate devices as Device Owner. You can know more Profile Owner and Device Owner as explained below:
Device Owner - for Corporate Devices
In case of Corporate-owned devices, provisioning the devices as Device Owner ensures the organization has full control of the device as it "owns the device" and provides more features to ensure the device and the confidential data in the device are secure and away from any unauthorized access. Device Owner supports all the Profile Owner-supported features as well as additional features.
Provisioning devices as Device Owner
There are different methods for provisioning devices as Device Owner, as explained below.
ENROLLMENT TYPE | APPLICABLE FOR | COMMENTS |
---|---|---|
Samsung Knox Mobile Enrollment (KME) | Applicable for Samsung devices supporting Knox and running 8.0 or later versions | Useful for large-scale out-of-the-box enrollment, similar to Apple Business Manager (ABM). |
Google Zero Touch Enrollment/Provisioning (ZTE/ZTP) | Applicable for devices running 9.0 or later versions | Useful for large-scale out-of-the-box enrollment similar to Apple Business Manager (ABM) but applicable only on certain devices as listed here. |
EMM Token Enrollment | Applicable for devices running 6.0 or later versions | Useful in case the number of devices to be managed are less in number, as the devices need to be unboxed to initiate enrollment |
Near Field Communication (NFC) Enrollment | Applicable for devices supporting NFC and running 5.0 or later versions | Useful in case the number of devices to be managed are less in number, as the devices need to be unboxed to initiate enrollment. Also, if you want to enroll devices without Google services as Device Owner. |
Android Debug Bridge (ADB) | Applicable for devices running Android 5.0 or later versions and not supporting NFC | Useful in case the number of devices to be managed are less in number, as the devices need to be unboxed to initiate provisioning after which enrollment needs to be carried out separately. Also, if you want to enroll devices without Google services as Device Owner. |
The devices are factory reset before setting up Android Enterprise to prevent malware from potentially acting as a device owner and taking over the device. and to ensure there are no privacy-related issues due to the existence of apps and/or user data in the devices.
Some of the main features supported by Device Owner:
- Additional restrictions such as restricting device reset, modifying Settings etc.,
- Configuring Exchange ActiveSync
- Blocklisting/Allowlisting apps
The complete set of restrictions supported by Device Owner can be viewed here.
Profile Owner - for Personal Devices
In case of personal devices, Android Enterprise creates a "Work profile", a logical container which demarcates the personal space and the corporate space in a device. Organizations can fully control the work profile but have zero control over the personal profile, as organization "owns only the profile". Unlike Device Owner which supports several features, Profile Owner supports fewer features when compared to Device Owner. If the device is enrolled in MDM through any method (Self-Enrollment, Enrollment through invitation) other than NFC and QR code, it gets provisioned as Profile Owner by default.
NOTE:Profile Owner provisioning is not supported for Android GO devices.
Some of the main features supported by Profile Owner:
- Preventing sharing of data from workspace profile to personal profile.
- Restricting installation/uninstallation of apps.
- Restricting screen capture in workspace profile.
The complete set of restrictions supported by Profile Owner can be viewed here.
Legacy provisioning
All non-Samsung devices running Android 5.0 or below, will be provisioned as Legacy devices. In case of Corporate Samsung devices enrolled using Enrollment via Invite method, the devices will be provisioned as Legacy devices and creating Knox Container or Work Profile will not be supported.
Some of the main features supported by Samsung Legacy devices:
- All Samsung specific features.
- Silent installation of Enterprise apps
- Blocklisting apps
Refer to this link for the non-exhaustive list of devices supporting Android Enterprise.