Android enterprise Overview

Android enterprise is Google’s program for supporting Android devices for enterprise. Android enterprise enables devices to have separate private and work profiles in BYOD deployments, and enables administrators to have broader control over enterprise-owned and provisioned devices. MobileIron Core supports Android enterprise. This support requires you to perform setup tasks with Google, MobileIron (help.mobileiron.com), and the MobileIron Core Admin Portal.

Modes for Android enterprise devices

Android enterprise devices that are registered with MobileIron Core are in one of the following Android enterprise modes:

  • Work Profile mode: An Android enterprise device is in Work Profile mode when it has a work profile. The device is typically privately owned (BYOD). Corporate data and apps are secured in the work profile, while the user’s private data and apps are in the separate personal profile. MobileIron Core has administrative control over the work profile. For more information see https://developers.google.com/android/work/requirements/work-profile.
  • Work Managed Device mode: An Android enterprise device that is in Work Managed Device mode is typically corporate-owned. The device has a single profile with corporate data and apps. This mode is only available on factory installed devices. If a device with this mode on it is wiped, it will no longer be in Work Managed Device mode. MobileIron Core has administrative control over the device, with more lockdown features available than for devices using a work profile. For more information see: https://developers.google.com/android/work/requirements/work-managed-device.
  • Managed Device with Work Profile mode: An Android enterprise device in this mode is an enterprise-owned device with personal data separate from the rest of the phone. It has a small client installed on it to separate personal data from the rest of the phone. This mode is only available on factory installed or factory reset devices. If a device in this mode is wiped it will no longer be in Work Managed Device mode. This mode requires:
    • Mobile@Work 9.7 for Android through the most recently released version as supported by MobileIron.
    • Android 8.0 through the most recently released version as supported by MobileIron.
    • A managed Google Play account
    • If the account is enrolled with Google Domain, the device will be registered in the Work Managed Device mode.
NOTE: In Android developer documentation, “work profile” is referred to as “profile owner” and “work managed device” is referred to as “device owner”.

Requirements for using Android enterprise

To enable Android enterprise for your enterprise and use it with MobileIron Core, you need:

  • A Google account that is not tied to Managed Google Accounts. That is, any Google account that is not managed by an enterprise can be used for enrolling with Android enterprise.
  • access to Google Play on Android devices and Core
  • access to these URLs through outbound HTTP proxy:
    • https://accounts.google.com/o/oauth2/token
    • https://www.googleapis.com

    See Outbound HTTP Proxy Set Up in the On-Premise Installation Guide.
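
One way to check the proxy requirement above, as an added example that is not MobileIron tooling: it requests both Google URLs through the outbound proxy with curl and reports whether the proxy tunnelled, denied, or demanded authentication. The CORE_PROXY variable and the function names are assumptions; run it from a host that uses the same outbound proxy as Core.

```shell
#!/bin/sh
# Added example: verify that the outbound HTTP proxy allows the two Google
# endpoints listed above. CORE_PROXY is a hypothetical variable name; set it
# to your proxy, for example http://proxy.example.internal:3128
URLS="https://accounts.google.com/o/oauth2/token https://www.googleapis.com"

# classify CONNECT_CODE HTTP_CODE CURL_EXIT -> one-word verdict on stdout.
# CONNECT_CODE is the proxy's reply to CONNECT; HTTP_CODE is the origin's.
classify() {
    connect=$1 http=$2 rc=$3
    case "$connect" in
        407) echo proxy-auth-required; return ;;
        403) echo proxy-denied; return ;;
    esac
    if [ "$rc" -ne 0 ] || [ "$http" = "000" ]; then
        echo unreachable; return
    fi
    # Any origin status (even 404 or 405) proves the tunnel and TLS worked.
    echo reachable
}

# check_url URL -> prints "URL: verdict" using curl's write-out variables.
check_url() {
    url=$1
    out=$(curl -sS -o /dev/null --max-time 15 --proxy "$CORE_PROXY" \
        -w '%{http_connect} %{http_code}' "$url" 2>/dev/null)
    rc=$?
    set -- $out
    echo "$url: $(classify "${1:-000}" "${2:-000}" "$rc")"
}

# check_all -> returns non-zero if any required URL is not reachable.
check_all() {
    status=0
    for u in $URLS; do
        line=$(check_url "$u")
        echo "$line"
        case "$line" in *": reachable") ;; *) status=1 ;; esac
    done
    return $status
}

# Runs only when a proxy is supplied, so loading the file has no side effects.
if [ -n "${CORE_PROXY:-}" ]; then check_all; fi
```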

Requirements for using an Android enterprise device in work profile mode

To enable an Android enterprise device in work profile mode, the following is required:

  • an Android enterprise-capable device, running Android 5.0 through the most recently released version as supported by MobileIron, with the Mobile@Work for Android app installed

    NOTE: The Mobile@Work app on Android devices shows whether the device is Android enterprise-capable in the Settings > About > Product Details tab. Google provides a list of Android enterprise-capable devices here: https://enterprise.google.com/android/.
  • if using managed Google Play Accounts, MobileIron Core automatically generates a Google User based on the UUID of the user.
  • an Android enterprise setting on MobileIron Core (Policies & Configs > Configurations) applied by label to the device

Requirements for using an Android enterprise device in work managed mode

To enable an Android enterprise device in work managed mode, all the Requirements for using an Android enterprise device in work profile mode are necessary. In addition, for work managed mode devices, you must enroll devices using NFC, a QR code, “afw#” tokens, or Google’s Zero-Touch. For more information, see Provisioning an Android enterprise device.

Requirements for using an Android enterprise device in Managed Device with Work Profile mode

To enable an Android enterprise device in Managed Device with Work Profile mode, all the Requirements for using an Android enterprise device in work profile mode and Requirements for using an Android enterprise device in work managed mode are necessary. In addition, for devices in this mode, you must select Enable Managed Device with Work Profile on the devices on the Android enterprise setting.