1. Management Sets

1.1. Overview

Android’s EMM partners allow organizations to manage their mobile devices through a wide range of features. We’ve organized these features into four management sets—each providing comprehensive mobility management for a specific enterprise deployment, including BYOD, company-owned devices, and dedicated-use scenarios.

Standard and advanced features
Each management set offers Standard and Advanced features. EMM partners are verified by Google to support all the Standard features for the management set(s) listed in their solutions directory profile. Advanced features typically provide control over more granular enterprise settings.

1.2. Work Profile Management

Enables platform-level separation of work apps and data. Enterprises have control over all data and security policies within the work profile. Outside the work profile, the device remains suitable for personal use—ideal for BYOD deployments. Learn more.

1.3. Full device management

Provides full MDM and app management for granular control over company-owned devices. Choose from 80+ settings to enforce and benefit from Android’s full suite of app management features. This option is designed for devices intended primarily for corporate use

1.4. Dedicated device management

Transforms company-owned devices into purpose-built devices. Lock them down to a single app or suite of apps to serve specific employee or customer-facing scenarios. Enforce an extended range of security policies to prevent users from escaping apps and accessing the lock screen.

2. Android Enterprise Recommended Requirements

2.1. Overview

Android Enterprise Recommended EMM solutions provide an advanced set of management features that address a broad set of use cases from employee-owned to corporate-owned deployments and are backed by certified personnel with expertise and experience deploying modern Android device and app management.

EMMs will be required to have their solution offering fulfill standard feature validation + advanced feature validation across two management sets to be eligible for Android Enterprise Recommended designation.

2.2. Advanced features across multiple management sets

Management sets

Solution offering will be validated against Advanced features for at least two of the following Android Enterprise management sets:

  • Work profile management
  • Full device management
  • Dedicated device management

2.3. Demonstrated technical leadership with Android Enterprise

Guidance on setup with Android Enterprise
  • Product standardizes on Android Enterprise-based management methods as the primary method of setup for Android device management for new deployments of compatible Android devices to clearly help customers set up with modern management.
  • Documentation and/or guidance that clearly outline for customers how to set up the various Android Enterprise management sets that partner supports including guidance for new deployments and migration to Android Enterprise.

2.4. Enterprise level support

Established support structure with Google

Partner will have trained personnel available to assist with customer deployments with process to manage escalation of issues with path to engage Google as necessary.

2.5. Proven ability to deploy

Proven experience

Partner will have demonstrated experience in being able to deploy Android Enterprise with an established base of successful deployments.

Field sales readiness

Partner will ensure availability of field expertise on Android Enterprise regularly trained by Google across customer engagement teams to deliver relevant, up to date product and technical knowledge.

3. Device Setup Features

3.1. Download management app from Google Play

Download the EMM's management app from Google Play. Open the app and follow the enrollment instructions.

3.2. Enter a token in the setup wizard

Enter a token provided by your EMM in a device's setup wizard.

3.3. Push setup details via NFC bump

Push configurations to a new device with an NFC bump using an NFC app provided by the EMM.

3.4. Transfer setup details via QR code

Scan a QR code provided by the EMM to enroll a device from a device's setup wizard.

3.5. Preconfigure devices with advanced zero-touch enrollment

Preconfigure devices using the Zero-touch enrollment portal. Advanced options allow you to pre-populate all registration details and ensure that enrollment is limited to specific accounts or domains.

3.6. Set up a work profile with Google Cloud Identity credentials

Enter existing corporate Google Cloud Identity credentials to set up a work profile.

3.7. Set up full device mgmt with Google Cloud Identity credentials

Enter existing corporate Google Cloud Identity credentials to set up full device management.

3.8. Configure a company-owned device with a work profile

Enroll a company-owned device with a work profile allowing for enhanced control of the device while guaranteeing privacy and enabling personal usage.

3.9. Configure zero-touch devices from the EMM console

Configure devices registered in the zero-touch portal using the zero-touch iframe in the EMM console.

4. Device Security Features

4.1. Set lock screen restrictions

Set the type of passcode (e.g. PIN/pattern/password) required to unlock a device and/or work profile (if applicable).

4.2. Set lock screen restrictions for work profiles

Set the type of passcode (e.g. PIN/pattern/password) required to unlock a work profile.

4.3. Set advanced passcode restrictions

Set passcode quality, length, complexity, and timeout requirements for each lock screen on a device.

4.4. Configure Smart Lock settings

Enable or disable specific Smart Lock methods, such as trusted bluetooth devices, face recognition, or voice recognition.

4.5. Wipe and lock work data

Remotely lock and wipe work data and apps.

4.6. Compliance enforcement

Access to work data and apps is automatically restricted on devices that aren't in compliance with security policies.

4.7. Disable debugging

Access to debugging mode and other features in Developer Options > Debugging is disabled by default.

4.8. Disable app installs from locations other than Google Play

App installations from locations other than Google Play and OEM-approved sources are disabled by default.

4.9. Block users from escaping locked down devices

Block users from escaping locked down dedicated devices to enable other actions.

4.10. Check device integrity

Validate device integrity to help determine whether a device has been tampered with or otherwise modified. Set up automated rules (e.g. wipe corporate data) if validation fails.

4.11. Enforce Verify Apps by default

Enforce Google Play Protect's Verify Apps feature by default to ensure that all work apps are scanned for malware before and after they're installed.

4.12. Block external data transfers

Lock down hardware elements (e.g. NFC beam, external media, USB storage) to prevent users from sharing or transferring work data.

4.13. Access security logs

View and export security logs for a given device and time window.

4.14. Disable app installs from locations other than Google Play on work profile devices

For devices with work profiles, app installations from locations other than Google Play and OEM-approved sources are disabled by default across the entire devices (including the personal profile).

5. Google Play app management Features

5.1. Managed Google Play web console

Use the managed Google Play web console to approve apps for your organization.

5.2. Managed Google Play for Android 5.0+

Provides device or user-specific accounts to support managed Google Play on Android 5.0+ devices.

5.3. Managed Google Play for pre-Android 5.0

Provides managed Google Play support for pre-Android 5.0 devices.

5.4. Silently distribute work apps

Silently install work apps on a device or in a work profile without any user interaction.

5.5. Managed configuration support

Configure work apps for individual users or devices.

5.6. View approved apps

View a list of purchased apps, approved apps, and private apps.

5.7. Managed Google Play in EMM console

Access managed Google Play directly through the EMM's console to search for, approve, and manage work apps.

5.8. Managed Google Play Store on devices

Employees can install and update work apps from the managed Google Play Store app on their device.

5.9. Customize managed Google Play Store layout

Customize how apps are organized in the managed Google Play Store.

5.10. Manage app licenses

Publish and maintain private apps directly through the EMM's console.

5.11. Manage private apps

Configure and publish private apps directly through the EMM's console.

5.12. Publish self-hosted private apps

Updated self-hosted private apps directly through the EMM's console.

5.13. Advanced managed configuration support

Configure advanced settings for work apps and receive feedback from apps installed on devices.

5.14. Manage web apps

Create and publish web apps (website shortcuts) directly through the EMM's console.

5.15. Managed Google Play account management

Create, update, and delete accounts that provide users access to managed Google Play on their devices.

5.16. Manage closed app tracks

Manage the distribution of test applications by supporting app track management.

5.17. Manage personal apps installed to company-owned devices

Control the applications that are able to be installed or block applications from being installed on the personal side of the device.

6. Device Management Features

6.1. Set policies for permission requests

Set the default response (prompt, allow, or deny) to runtime permissions requested by work apps.

6.2. Manage specific permission requests

Set the default responses to specific runtime permission requests from any work apps.

6.3. Remotely configure WiFi settings

Remotely deploy WiFi login details, including SSID and password, to a device.

6.4. Remotely configure certificate authenticated WiFi

Remotely deploy WiFi settings to a device that include identity, certificates for client authorization, and CA certificates.

6.5. Block users from modifying WiFi settings

Prevent users from creating new WiFi configurations or modifying existing corporate configurations.

6.6. Restrict work access to authorized accounts

Ensure that only authorized corporate accounts can interact with corporate data by preventing users from adding or modifying accounts.

6.7. Restrict work access to authorized Cloud Identity accounts

Specify the G Suite account(s) authorized to interact with corporate data.

6.8. Standard certificate management

Deploy identity certificates and certificate authorities to a device to enable access to corporate resources.

6.9. Advanced certificate management

Select the certificates that should be used by specific work apps. Remove CAs and identity certs from an active device, and prevent users from modifying credentials stored in the managed keystore.

6.10. Delegate certificate management

Distribute a 3rd-party certificate management app to a device and grant the app privileged access to install certificates in the managed keystore.

6.11. Always On VPN support

Enable Always On VPN for specified work apps to ensure they always go through a configured VPN.

6.12. Manage input methods for work profiles

Configure the input methods (e.g. keyboards) that a user can configure on their device. Input methods are shared across both work and personal profiles

6.13. Manage input methods for devices

Configure the input methods (e.g. keyboards) that a user can configure on their device, including system input methods.

6.14. Control accessibility services settings

Control the accessibility services that can be enabled on a device.

6.15. Block location sharing with apps in a work profile

Prevent users from sharing location data with apps in their work profile.

6.16. Set location sharing preferences with work apps

Configure device location sharing settings (e.g. high accuracy, battery-saving, sensors only, off) for work apps.

6.17. Restrict factory-reset privileges to authorized accounts

Specify the account(s) authorized to factory reset a device.

6.18. Block users from uninstalling work apps

Prevent users from uninstalling work apps or modifying work apps through Settings.

6.19. Block screen captures

Prevent users from taking screenshots when using work apps.

6.20. Disable cameras for work apps

Prevent work apps from using device cameras.

6.21. Network usage statistics for work profiles

Query network usage statistics for a device's work profile.

6.22. Network usage statistics for devices

Query network usage statistics for a device.

6.23. Remotely reboot devices

Remotely reboot a device.

6.24. Manage system network radio settings

Control system network radio settings and usage policies (e.g. disable cell broadcasts, prevent users from modifying network settings, configure WiFI timeout settings).

6.25. Manage system audio settings

Control device audio features, including muting the device, preventing users from adjusting volume settings, and preventing users from unmuting the device microphone.

6.26. Manage system clock settings

Control device clock and timezone settings. Prevent users from modifying automatic device settings.

6.27. Manage advanced dedicated device features

Control granular dedicated device features, including disabling the device status bar, lock screen, and phone activity alerts (e.g. incoming calls, ongoing calls).

6.28. Pre-grant access to certificates

Pre-grant certificate access to applications or revoke this access from applications.

6.29. Work profile on company-owned device management

Control additional device-wide features on company-owned devices with a work profile.

7. Device Usability Features

7.1. Customize device setup UX

Set the color, logo, and terms and conditions displayed during device or work profile setup

7.2. Add corporate branding to work profiles

Customize a work profile's user icon, display name, and lockscreen background colour with corporate branding.

7.3. Add corporate branding to devices

Customize a device (e.g. wallpaper, primary user icon) with corporate branding.

7.4. Set custom lock screen messages

Set a custom message to display on a device's lock screens.

7.5. Set help text for modifying device settings

Customize the help text provided to a user when they attempt to modify managed settings on their device.

7.6. Contact information sharing for work profiles

Help enforce data loss protection (DLP) by setting policies to control what contact information can be shared from a device's work profile and to its personal profile.

7.7. Data loss prevention for work profiles

Help enforce data loss protection (DLP) by setting policies to control what data can be shared between a device's work profile and personal profile, beyond the default security settings.

7.8. Manage system updates

Control when system updates are installed on a device.

7.9. Lock apps to dedicated device screens

Lock an app (or apps) to the screen of a dedicated device, and ensure that users can't exit the app.

7.10. Set default apps for specific activities

Set the default app for specific activities. For example, choose the default browser for opening web links.

7.11. Manage lock screen features for work profile devices

Control the features accessible to users before unlocking a device's lock screen and work profile lock screen.

7.12. Manage lock screen features for fully managed and dedicated devices

Control the features accessible to users before unlocking a device's lock screen

7.13. Retrieve bug reports

Remotely retrieve bug reports from devices. Note: Bug reports may include sensitive data and thus require user consent.

7.14. Retrieve device MAC addresses

Remotely retrieve device MAC addresses.

7.15. Customize dedicated devices screens

Control whether system features such as the home button, status bar, and notifications are shown when a dedicated device is locked to a single app or set of apps.

7.16. Freeze system updates

Prevent system updates from installing on a device during specified freeze periods.

7.17. Set help text for work profile deletion

Customize the help text provided to a user if their work profile is removed from their device.

7.18. Support connected apps

Grant applications the ability to connect the work and personal versions of the app.

7.19. Support maximum time without work data on company-owned devices

Limit the amount of time users can turn off their work profile on a company-owned device.