Android Enterprise management modes

Enrolling a device with Android Enterprise allows you to encrypt the device drive, manage settings and apps on the device, and enforce various levels of security. You can also sync, wipe, or lock the device from the console without an agent on the device. Android Enterprise can operate in work profile mode, fully managed mode, or kiosk mode.

NOTE: If you are looking for information about legacy Android for Work features, see Using Android for Work.

Work profile mode

Work profile mode is typically used for employee-owned devices (BYOD), since it creates a work profile that is distinct from the rest of the device. Work profiles protect employee privacy by only allowing the enterprise to access data within the work profile, keeping the device user's personal data separate and secure. At the same time, work profiles protect corporate resources by making corporate accounts and data only accessible through the work profile. To remove access to those resources, simply unenroll the device. (Requires Android 5.1+.)

ClosedWork profile mode user experience

The device user creates a work profile with a code provided by an administrator.

This management mode creates a work profile that separates enterprise data from personal data. Certain apps run within that work profile and store data there. The user will have access to an enterprise managed Play Store where they can install apps made available by the administrator. Apps downloaded from the managed Play Store will be installed within the work profile. These same apps can also run outside the work profile. To distinguish which data the app is using, Android creates two icons for the same app: the normal app icon and the work profile app icon, which is “badged” with a briefcase icon.

Fully managed mode

Fully managed mode is typically used for company-owned devices, since it has full control over the device and its data. Fully managed device mode offers extensive control over device policies, settings, and applications. (Requires Android 6.0+.)

ClosedFully managed mode user experience

An administrator sets up the device and enrolls it with Endpoint Manager before the user receives it.

The user experience for this management mode is largely dictated by the administrator and is more restrictive than the experience for work profile mode. The administrator will have complete control over the device, its apps, and its data. The administrator can silently push apps to the device, set restrictions and permissions, and perform remote actions on the device. The user will have access to an enterprise managed Play Store where they can install apps made available by the administrator.

Kiosk mode

Kiosk mode is for devices intended for a single use or an extremely limited scope of use. Kiosk mode (also known as dedicated device mode) locks fully managed devices to a single app or set of apps. To put a device into kiosk mode, enroll it as a fully managed device then use a Mobile Android Configuration to enable kiosk mode. (Requires Android 6.0+.) For more information, see Kiosk mode for Android Enterprise.

ClosedKiosk mode user experience

An administrator sets up the device, enrolls it with Endpoint Manager, and selects available applications before the user receives it.

The user experience for this management mode is extremely focused. The device is locked to either a single app or a small set of apps, and the user can only perform specific tasks enabled by those apps. Device settings are often blocked on kiosk devices. Kiosk mode is often used for retail devices, self check-in stations, restaurant self-service kiosks, etc.

Using Android Enterprise

For information about Android Enterprise enrollment and features, see the following sections:

Getting started with Android device management

Android Enterprise accounts

Enrolling devices in Android Enterprise

Distributing Android Enterprise apps

Agent settings: Mobile Android Configuration

Device actions from the console

Kiosk mode for Android Enterprise