Android Enterprise Overview

Android Enterprise is Google’s program for supporting Android devices for enterprise. Android Enterprise enables devices to have separate private and work profiles in BYOD deployments, and enables administrators to have broader control over enterprise-owned and provisioned devices. Core supports Android Enterprise. This support requires you to perform setup tasks with Google, Ivanti (help.mobileiron.com), and the Core Admin Portal.

Modes for Android Enterprise devices

Android Enterprise devices that are registered with Core are in one of the following Android Enterprise modes:

  • Work Profile mode: An Android Enterprise device is in Work Profile mode when it has a work profile. The device is typically privately owned (BYOD). Corporate data and apps are secured in the work profile, while the user’s private data and apps are in the separate personal profile. Core has administrative control over the work profile. For more information see https://developers.google.com/android/work/requirements/work-profile.
  • Work Managed Device mode: An Android Enterprise device that is in Work Managed Device mode is typically corporate-owned. The device has a single profile with corporate data and apps. This mode is only available on factory installed devices. If a device with this mode on it is wiped, it will no longer be in Work Managed Device mode. Core has administrative control over the device, with more lockdown features available than for devices using a work profile. For more information see: https://developers.google.com/android/work/requirements/work-managed-device.
  • Managed Device with Work Profile (COPE) mode: An Android Enterprise device in this mode is an enterprise-owned device with personal data separate from the rest of the phone. It has a small client installed on it to separate personal data from the rest of the phone. This mode is only available on factory installed or factory reset devices. If a device in this mode is wiped it will no longer be in Work Managed Device mode. This mode requires:
    • Mobile@Work 9.7 or supported newer versions.
    • Only works on Android versions 8-10.
    • A managed Google Play account
    • If the account is enrolled with Google Domain, the device will be registered in the Work Managed Device mode.
  • Work Profile on Company Owned Devices mode: This is similar to the Work Profile mode with a few additional device level configurations controlled from Work profile. Applies to Android versions 11 or supported newer versions.

In Android developer documentation, “work profile” is referred to as “profile owner” and “work managed device” is referred to as “device owner”.

Requirements for using Android Enterprise

To enable Android Enterprise for your enterprise and use it with Core, you need:

  • A Google account that is not tied to Managed Google Accounts. That is, any Google account that is not managed by an enterprise can be used for enrolling with Android Enterprise.
  • access to Google Play on Android devices and Core
  • access to these URLs through outbound HTTP proxy:
    • https://accounts.google.com/o/oauth2/token
    • https://www.googleapis.com

    See Outbound HTTP Proxy Set Up in the On-Premise Installation Guide.
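
An added example, not part of the Core documentation: a Python check that asks the outbound HTTP proxy to open an HTTPS tunnel (HTTP CONNECT) to the hosts of the two URLs listed above, so you can confirm the proxy allowlist before enrolling with Android Enterprise. The proxy address `proxy.example.internal:3128` and the function names are assumptions made for this example.

```python
import socket

# Hosts of the two URLs listed above; both are HTTPS, so the tunnel port is 443.
REQUIRED_HOSTS = ["accounts.google.com", "www.googleapis.com"]


def connect_status(proxy_host, proxy_port, target_host, target_port=443, timeout=5.0):
    """Send CONNECT to the proxy and return the HTTP status code it answers with.

    Returns None if the proxy is unreachable or the reply is not an HTTP status line.
    """
    request = (
        f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
        f"Host: {target_host}:{target_port}\r\n"
        "\r\n"
    ).encode("ascii")
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
            sock.sendall(request)
            buf = b""
            # Only the status line is needed; stop once it is complete.
            while b"\r\n" not in buf and len(buf) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                buf += chunk
    except OSError:  # refused, DNS failure, timeout
        return None
    parts = buf.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


def check_required_hosts(proxy_host, proxy_port, hosts=REQUIRED_HOSTS):
    """Return {host: bool}; True means the proxy agreed to tunnel (2xx reply)."""
    results = {}
    for host in hosts:
        status = connect_status(proxy_host, proxy_port, host)
        # 403 usually means an allowlist block, 407 that the proxy wants credentials.
        results[host] = status is not None and 200 <= status < 300
    return results


if __name__ == "__main__":
    # Placeholder proxy address (assumption); replace with your outbound proxy.
    for host, ok in check_required_hosts("proxy.example.internal", 3128).items():
        print(f"{host}: {'tunnel allowed' if ok else 'BLOCKED or unreachable'}")
```

A `True` result only shows that the proxy permits the tunnel; it does not validate the TLS session or the Google credentials used afterwards.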

Requirements for using an Android Enterprise device in work profile mode

To enable an Android Enterprise device in work profile mode, the following is required:

  • an Android Enterprise-capable device, running Android 5.0 or supported newer versions, with the Mobile@Work for Android app installed

    The Mobile@Work app on Android devices shows whether the device is Android Enterprise-capable in the Settings > About > Product Details tab. Google provides a list of Android Enterprise-capable devices here: https://enterprise.google.com/android/.

  • if using managed Google Play Accounts, Core automatically generates a Google User based on the UUID of the user.
  • an Android Enterprise setting on Core (Policies & Configs > Configurations) applied by label to the device

Requirements for using an Android Enterprise device in work managed mode

To enable an Android Enterprise device in work managed mode, all the Requirements for using an Android Enterprise device in work profile mode are necessary. In addition, for work managed mode devices, you must enroll devices with either NFC, QR code, “afw#” tokens, Knox Mobile Enrollment (KME), or Google’s Zero-Touch. For more information, see Provisioning an Android Enterprise device.

Requirements for using an Android Enterprise device in Managed Device with Work Profile mode and Work Profile on Company Owned Device mode

To enable an Android Enterprise device in Managed Device with Work Profile mode and Work Profile on Company Owned Device mode, all the Requirements for using an Android Enterprise device in work profile mode and Requirements for using an Android Enterprise device in work managed mode are necessary. In addition, for devices in this mode, you must select Enable Managed Device with Work Profile on the devices on the Android Enterprise setting. This setting applies to Android 8, 9, and 10 devices. For Work Profile on Company Owned Device mode, this setting applies to Android 11.0 devices.