1. Management Sets
Android’s EMM partners allow organizations to manage their mobile devices through a wide range of features. We’ve organized these features into four management sets—each providing comprehensive mobility management for a specific enterprise deployment, including BYOD, company-owned devices, and dedicated-use scenarios.
Standard and advanced features
Each management set offers Standard and Advanced features. EMM partners are verified by Google to support all the Standard features for the management set(s) listed in their solutions directory profile. Advanced features typically provide control over more granular enterprise settings.
1.2. Work Profile Management
Enables platform-level separation of work apps and data. Enterprises have control over all data and security policies within the work profile. Outside the work profile, the device remains suitable for personal use—ideal for BYOD deployments. Learn more.
1.3. Full device management
Provides full MDM and app management for granular control over company-owned devices. Choose from 80+ settings to enforce and benefit from Android’s full suite of app management features. This option is designed for devices intended primarily for corporate use
1.4. Dedicated device management
Transforms company-owned devices into purpose-built devices. Lock them down to a single app or suite of apps to serve specific employee or customer-facing scenarios. Enforce an extended range of security policies to prevent users from escaping apps and accessing the lock screen.
1.5. Mobile app management (MAM)
Benefit from Android's full suite of enterprise app management features combined with basic device security. Distribute public and private apps, curate the Play Store on user’s devices, and restrict access to work apps if a device doesn't meet minimum password policies.
2. Android Enterprise Recommended Requirements
Android Enterprise Recommended EMM solutions provide an advanced set of management features that address a broad set of use cases from employee-owned to corporate-owned deployments and are backed by certified personnel with expertise and experience deploying modern Android device and app management.
EMMs will be required to have their solution offering fulfill standard feature validation + advanced feature validation across two management sets to be eligible for Android Enterprise Recommended designation.
2.2. Advanced features across multiple management sets
Solution offering will be validated against Advanced features for at least two of the following Android Enterprise management sets:
- Work profile management
- Full device management
- Dedicated device management
2.3. Demonstrated technical leadership with Android Enterprise
- Product standardizes on Android Enterprise-based management methods as the primary method of setup for Android device management for new deployments of compatible Android devices to clearly help customers set up with modern management.
- Documentation and/or guidance that clearly outline for customers how to set up the various Android Enterprise management sets that partner supports including guidance for new deployments and migration to Android Enterprise.
2.4. Enterprise level support
Partner will have trained personnel available to assist with customer deployments with process to manage escalation of issues with path to engage Google as necessary.
2.5. Proven ability to deploy
Partner will have demonstrated experience in being able to deploy Android Enterprise with an established base of successful deployments.
Partner will ensure availability of field expertise on Android Enterprise regularly trained by Google across customer engagement teams to deliver relevant, up to date product and technical knowledge.
3. Device Setup Features
3.1. Download management app from Google Play
Download the EMM's management app from Google Play. Open the app and follow the enrollment instructions.
3.2. Enter a token in the setup wizard
Enter a token provided by your EMM in a device's setup wizard.
3.3. Push setup details via NFC bump
Push configurations to a new device with an NFC bump using an NFC app provided by the EMM.
3.4. Transfer setup details via QR code
Scan a QR code provided by the EMM to enroll a device from a device's setup wizard.
3.5. Preconfigure devices with advanced zero-touch enrollment
Preconfigure devices using the Zero-touch enrollment portal. Advanced options allow you to pre-populate all registration details and ensure that enrollment is limited to specific accounts or domains.
3.6. Set up a work profile with Google Cloud Identity credentials
Enter existing corporate Google Cloud Identity credentials to set up a work profile.
3.7. Set up full device mgmt with Google Cloud Identity credentials
Enter existing corporate Google Cloud Identity credentials to set up full device management.
3.8. Configure a company-owned device with a work profile
Enroll a company-owned device with a work profile allowing for enhanced control of the device while guaranteeing privacy and enabling personal usage.
3.9. Configure zero-touch devices from the EMM console
Configure devices registered in the zero-touch portal using the zero-touch iframe in the EMM console.
4. Device Security Features
4.1. Set lock screen restrictions
Set the type of passcode (e.g. PIN/pattern/password) required to unlock a device and/or work profile (if applicable).
4.2. Set lock screen restrictions for work profiles
Set the type of passcode (e.g. PIN/pattern/password) required to unlock a work profile.
4.3. Set advanced passcode restrictions
Set passcode quality, length, complexity, and timeout requirements for each lock screen on a device.
4.4. Configure Smart Lock settings
Enable or disable specific Smart Lock methods, such as trusted bluetooth devices, face recognition, or voice recognition.
4.5. Wipe and lock work data
Remotely lock and wipe work data and apps.
4.6. Compliance enforcement
Access to work data and apps is automatically restricted on devices that aren't in compliance with security policies.
4.7. Disable debugging
Access to debugging mode and other features in Developer Options > Debugging is disabled by default.
4.8. Disable app installs from locations other than Google Play
App installations from locations other than Google Play and OEM-approved sources are disabled by default.
4.9. Block users from escaping locked down devices
Block users from escaping locked down dedicated devices to enable other actions.
4.10. Check device integrity
Validate device integrity to help determine whether a device has been tampered with or otherwise modified. Set up automated rules (e.g. wipe corporate data) if validation fails.
4.11. Enforce Verify Apps by default
Enforce Google Play Protect's Verify Apps feature by default to ensure that all work apps are scanned for malware before and after they're installed.
4.12. Block external data transfers
Lock down hardware elements (e.g. NFC beam, external media, USB storage) to prevent users from sharing or transferring work data.
4.13. Access security logs
View and export security logs for a given device and time window.
4.14. Disable app installs from locations other than Google Play on work profile devices
For devices with work profiles, app installations from locations other than Google Play and OEM-approved sources are disabled by default across the entire devices (including the personal profile).
5. Google Play app management Features
5.1. Managed Google Play web console
Use the managed Google Play web console to approve apps for your organization.
5.2. Managed Google Play for Android 5.0+
Provides device or user-specific accounts to support managed Google Play on Android 5.0+ devices.
5.3. Managed Google Play for pre-Android 5.0
Provides managed Google Play support for pre-Android 5.0 devices.
5.4. Silently distribute work apps
Silently install work apps on a device or in a work profile without any user interaction.
5.5. Managed configuration support
Configure work apps for individual users or devices.
5.6. View approved apps
View a list of purchased apps, approved apps, and private apps.
5.7. Managed Google Play in EMM console
Access managed Google Play directly through the EMM's console to search for, approve, and manage work apps.
5.8. Managed Google Play Store on devices
Employees can install and update work apps from the managed Google Play Store app on their device.
5.9. Customize managed Google Play Store layout
Customize how apps are organized in the managed Google Play Store.
5.10. Manage app licenses
Publish and maintain private apps directly through the EMM's console.
5.11. Manage private apps
Configure and publish private apps directly through the EMM's console.
5.12. Publish self-hosted private apps
Updated self-hosted private apps directly through the EMM's console.
5.13. Advanced managed configuration support
Configure advanced settings for work apps and receive feedback from apps installed on devices.
5.14. Manage web apps
Create and publish web apps (website shortcuts) directly through the EMM's console.
5.15. Managed Google Play account management
Create, update, and delete accounts that provide users access to managed Google Play on their devices.
5.16. Manage closed app tracks
Manage the distribution of test applications by supporting app track management.
5.17. Manage personal apps installed to company-owned devices
Control the applications that are able to be installed or block applications from being installed on the personal side of the device.
6. Device Management Features
6.1. Set policies for permission requests
Set the default response (prompt, allow, or deny) to runtime permissions requested by work apps.
6.2. Manage specific permission requests
Set the default responses to specific runtime permission requests from any work apps.
6.3. Remotely configure WiFi settings
Remotely deploy WiFi login details, including SSID and password, to a device.
6.4. Remotely configure certificate authenticated WiFi
Remotely deploy WiFi settings to a device that include identity, certificates for client authorization, and CA certificates.
6.5. Block users from modifying WiFi settings
Prevent users from creating new WiFi configurations or modifying existing corporate configurations.
6.6. Restrict work access to authorized accounts
Ensure that only authorized corporate accounts can interact with corporate data by preventing users from adding or modifying accounts.
6.7. Restrict work access to authorized Cloud Identity accounts
Specify the G Suite account(s) authorized to interact with corporate data.
6.8. Standard certificate management
Deploy identity certificates and certificate authorities to a device to enable access to corporate resources.
6.9. Advanced certificate management
Select the certificates that should be used by specific work apps. Remove CAs and identity certs from an active device, and prevent users from modifying credentials stored in the managed keystore.
6.10. Delegate certificate management
Distribute a 3rd-party certificate management app to a device and grant the app privileged access to install certificates in the managed keystore.
6.11. Always On VPN support
Enable Always On VPN for specified work apps to ensure they always go through a configured VPN.
6.12. Manage input methods for work profiles
Configure the input methods (e.g. keyboards) that a user can configure on their device. Input methods are shared across both work and personal profiles
6.13. Manage input methods for devices
Configure the input methods (e.g. keyboards) that a user can configure on their device, including system input methods.
6.14. Control accessibility services settings
Control the accessibility services that can be enabled on a device.
6.15. Block location sharing with apps in a work profile
Prevent users from sharing location data with apps in their work profile.
6.16. Set location sharing preferences with work apps
Configure device location sharing settings (e.g. high accuracy, battery-saving, sensors only, off) for work apps.
6.17. Restrict factory-reset privileges to authorized accounts
Specify the account(s) authorized to factory reset a device.
6.18. Block users from uninstalling work apps
Prevent users from uninstalling work apps or modifying work apps through Settings.
6.19. Block screen captures
Prevent users from taking screenshots when using work apps.
6.20. Disable cameras for work apps
Prevent work apps from using device cameras.
6.21. Network usage statistics for work profiles
Query network usage statistics for a device's work profile.
6.22. Network usage statistics for devices
Query network usage statistics for a device.
6.23. Remotely reboot devices
Remotely reboot a device.
6.24. Manage system network radio settings
Control system network radio settings and usage policies (e.g. disable cell broadcasts, prevent users from modifying network settings, configure WiFI timeout settings).
6.25. Manage system audio settings
Control device audio features, including muting the device, preventing users from adjusting volume settings, and preventing users from unmuting the device microphone.
6.26. Manage system clock settings
Control device clock and timezone settings. Prevent users from modifying automatic device settings.
6.27. Manage advanced dedicated device features
Control granular dedicated device features, including disabling the device status bar, lock screen, and phone activity alerts (e.g. incoming calls, ongoing calls).
6.28. Pre-grant access to certificates
Pre-grant certificate access to applications or revoke this access from applications.
6.29. Work profile on company-owned device management
Control additional device-wide features on company-owned devices with a work profile.
7. Device Usability Features
7.1. Customize device setup UX
Set the color, logo, and terms and conditions displayed during device or work profile setup
7.2. Add corporate branding to work profiles
Customize a work profile's user icon, display name, and lockscreen background colour with corporate branding.
7.3. Add corporate branding to devices
Customize a device (e.g. wallpaper, primary user icon) with corporate branding.
7.4. Set custom lock screen messages
Set a custom message to display on a device's lock screens.
7.5. Set help text for modifying device settings
Customize the help text provided to a user when they attempt to modify managed settings on their device.
7.6. Contact information sharing for work profiles
Help enforce data loss protection (DLP) by setting policies to control what contact information can be shared from a device's work profile and to its personal profile.
7.7. Data loss prevention for work profiles
Help enforce data loss protection (DLP) by setting policies to control what data can be shared between a device's work profile and personal profile, beyond the default security settings.
7.8. Manage system updates
Control when system updates are installed on a device.
7.9. Lock apps to dedicated device screens
Lock an app (or apps) to the screen of a dedicated device, and ensure that users can't exit the app.
7.10. Set default apps for specific activities
Set the default app for specific activities. For example, choose the default browser for opening web links.
7.11. Manage lock screen features for work profile devices
Control the features accessible to users before unlocking a device's lock screen and work profile lock screen.
7.12. Manage lock screen features for fully managed and dedicated devices
Control the features accessible to users before unlocking a device's lock screen
7.13. Retrieve bug reports
Remotely retrieve bug reports from devices. Note: Bug reports may include sensitive data and thus require user consent.
7.14. Retrieve device MAC addresses
Remotely retrieve device MAC addresses.
7.15. Customize dedicated devices screens
Control whether system features such as the home button, status bar, and notifications are shown when a dedicated device is locked to a single app or set of apps.
7.16. Freeze system updates
Prevent system updates from installing on a device during specified freeze periods.
7.17. Set help text for work profile deletion
Customize the help text provided to a user if their work profile is removed from their device.
7.18. Support connected apps
Grant applications the ability to connect the work and personal versions of the app.
7.19. Support maximum time without work data on company-owned devices
Limit the amount of time users can turn off their work profile on a company-owned device.