Android Enterprise Overview
Android Enterprise is Google’s program for supporting Android devices for enterprise. Android Enterprise enables devices to have separate private and work profile deployments, and enables administrators to have broader control over enterprise owned and provisioned devices. Ivanti EPMM supports Android Enterprise. This support requires you to perform setup tasks with Google, Ivanti (help.ivanti.com), and the Admin Portal.
Modes for Android Enterprise devices
Android Enterprise devices that are registered with Ivanti EPMM are in one of the following Android Enterprise modes:
-
Work Profile mode: An Android Enterprise device is in Work Profile mode when it has a work profile. Corporate data and apps are secured in the work profile, while the user’s private data and apps are in the separate personal profile. Ivanti EPMM has administrative control over the work profile. For more information see https://developers.google.com/android/work/requirements/work-profile.
-
Work Managed Device mode: An Android Enterprise device that is in Work Managed Device mode is typically corporate-owned. The device has a single profile with corporate data and apps. This mode is only available on factory installed devices. If a device with this mode on it is wiped it will no longer be in Work Managed Device mode. Ivanti EPMM has administrative control over the device, with more lockdown features available than for device using a work profile. For more information see Google's "Fully managed device" article.
-
Managed Device with Work Profile (COPE) mode: An Android Enterprise device in this mode is an enterprise-owned device with personal data separate from the rest of the phone. It has a small client installed on it to separate personal data from the rest of the phone. This mode is only available on factory installed or factory reset devices. If a device in this mode is wiped it will no longer be in Work Managed Device mode. This mode requires:
- Work Profile on Company Owned Devices mode: This is similar to the Work Profile mode with a few additional device level configurations controlled from Work profile. Applies to Android versions 11 or supported newer versions.
Ivanti Mobile@Work 9.7 or supported newer versions.
Only works on Android versions 8-10.
A managed Google Play account
If the account is enrolled with Google Domain, the device will be registered in the Work Managed Device mode.
In Android developer documentation, “work profile” is referred to as “profile owner” and “work managed device” is referred to as “device owner”.
Requirements for using Android Enterprise
To enable Android Enterprise for your enterprise and use it with Ivanti EPMM, you need:
-
A Google account that is not tied to Managed Google Accounts. That is, any Google account that is not managed by an enterprise can be used for enrolling with Android Enterprise.
-
Access to Google Play on Android devices and Ivanti EPMM.
-
Access to these URLs through outbound HTTP proxy:
-
https://accounts.google.com/o/oauth2/token
-
https://www.googleapis.com
-
-
-
See Outbound HTTP Proxy Set Up in the On-Premise Installation Guide for Ivanti EPMM and Enterprise Connector.
Requirements for using an Android Enterprise device in work profile mode
To enable an Android Enterprise device in work profile mode, the following is required:
-
An Android Enterprise-capable device, running Android 6.0 or supported newer versions, with the Ivanti Mobile@Work for Android app installed
The Ivanti Mobile@Work app on Android devices shows whether the device is Android Enterprise-capable in the Settings > About > Product Details tab. Google provides a list of Android Enterprise-capable devices here: https://enterprise.google.com/android/.
-
If using managed Google Play Accounts, Ivanti EPMM automatically generates a Google User based on the UUID of the user.
-
An Android Enterprise setting on Ivanti EPMM (Policies & Configs > Configurations) applied by label to the device
Requirements for using an Android Enterprise device in work managed mode
To enable an Android Enterprise device in work managed mode, all the Requirements for using an Android Enterprise device in work profile mode are necessary. In addition, for work managed mode devices, you must enroll devices with either NFC, QR code, “afw#” tokens, Knox Mobile Enrollment (KME), or Google’s Zero-Touch. For more information, see Provisioning an Android Enterprise device.
Requirements for using an Android Enterprise device in Managed Device with Work Profile mode and Work Profile on Company Owned Device mode
To enable an Android Enterprise device in Managed Device with Work Profile mode and Work Profile on Company Owned Device mode, all the Requirements for using an Android Enterprise device in work profile mode and Requirements for using an Android Enterprise device in work managed mode are necessary. In addition, for devices in this mode, you must select Enable Managed Device with Work Profile on the devices on the Android Enterprise setting. This setting applies to Android 8, 9, and 10 devices. For Work Profile on Company Owned Device mode, this setting applies to Android 11.0 devices.