An IT admin’s guide to managing company owned devices

Emily Brown

May 27, 2021

9 min read

Do you use a company-owned device for work? Chances are that you probably do, just like the majority of employees throughout the world. The distinction between work and personal devices is also blurring, as we use personal devices for work or company-owned devices for personal purposes. With company-owned devices, the IT manager has more power to manage, control, and secure them with a solution like HexnodeAndroid is a winner as a device option with many industries for its flexibility, hardware options, and the staggering number of features it has. Android Enterprise is an excellent feature by Google for making the Android devices corporate-ready.  For company-owned devices that are managed with Android Enterprise, the admin gets three management options to choose from: 

  1. Corporate Owned Fully managed (previously COBO) 
  2. Corporate Owned Personally Enabled (COPE) 
  3. Corporate Owned Dedicated Device (previously COSU) 

Features you can’t miss for Corporate Owned Fully managed devices 

Corporate owned fully managed devices 
For the end-user, Company Owned Fully managed devices are meant for a single purpose and that is work. There are no personal apps on these devices. All apps and data are managed by the organization. Hexnode provides the IT manager with a lot of features for managing, securing, and monitoring these devices enrolled with Android Enterprise: 
Zero-touch enrollment

Android’s Zero-Touch Enrollment (ZTE) allows the admin to deploy the company-owned devices in bulk instead of manually setting up each device. For Samsung Knox devices, Samsung Knox Mobile Enrollment (KME) is also a viable method.  These enrollment methods allow the admin to pre-configure the management settings to manage the device as soon as the user turns the device on for the first time. 

Install or uninstall applications silently

For devices enrolled as device owner in the Android Enterprise program, Hexnode allows the admin to install or uninstall apps or app groups silently without any user intervention. Silent app installation is a very popular feature amongst admins. 

Blacklist or Whitelist apps

The admin can blacklist or whitelist required apps for devices enrolled with the Android Enterprise program. For fully managed devices, all apps are downloaded from Managed Google Play. The admin should whitelist the Managed Google Play for installing new apps or updating existing ones. 

Configure apps and app permissions before deployment

Before pushing the Android Enterprise apps to the devices, the admin can pre-configure the app configurations and permissions in a policy. The apps would then get installed with these pre-configured configurations and settings when the policy is applied.  

Clear password for locked devices

Forgetting the device password lock is very common. And the first thing that the user does usually is to contact the IT admin of the organization. Hexnode allows the admin to clear the device password from the web console remotely, and the user can set a new password abiding by the password rules.

Device Encryption

Enforce the whole device encryption at the time of enrollment for enhanced security. The storage encryption is turned on by default.

VPN for secure communication

VPN lets the users access the company network remotely. Hexnode allows the admin to configure and deploy the VPN profiles that help in securing communication and app data over the private network.  

Silently install security certificates

A certificate is a popular security tool that contains data that can secure and authenticate the users to access corporate resources. Certificates can be used to secure network connections like VPN and WiFi, validate email communications and authenticate users to access data. Hexnode admins can remotely deploy certificates to the enrolled devices. The fully managed devices install these certificates silently. The admin can also remove all the user-installed credentials from the devices. 

Schedule OS updates

For Android Enterprise devices enrolled as device owner (fully managed), the IT manager can choose to install the OS updates automatically, install the updates during inactive hours or postpone the updates for up to thirty days. 

Wipe or lock the lost devices

Lost or stolen devices are a source of headaches for the company. Security risks are high, and it is important to take measures against them. Hexnode allows the admin to lock the lost device with a custom message for the finder. If the device is stolen, it would be better for the admin to wipe the entire device from the Hexnode web console. 

Features you can’t miss for COPE devices 

Company owned devices COPE 
Corporate Owner Personally Enabled (COPE) devices allow businesses to supply their employees with mobile devices and allow them to personalize them while maintaining control over the devices. It balances the need for security with employee satisfaction.  
A separate container for work apps and data

This feature is the cornerstone of COPE devices. Hexnode devices enrolled with Android Enterprise as Profile Owner have a separate logical container that clearly containerizes the work apps and data from the user’s personal space. Admins have complete control over the work container, but little to no control over the personal space. The admins can remotely install/uninstall/update apps, blacklist/whitelist apps, deploy security policies, and more, but only for the work container.  

Lock settings for work container

The first step to device security is setting a strong password, and organizations cannot rely on the users to configure a strong one on their own. Hexnode allows the admins to configure the password rules for the work profile. The user would then need to configure a separate password according to the password rules for the work container. 

Wipe or remove the work apps and data

What happens if the user leaves the organization with the COPE device? Or a device with sensitive corporate data gets lost or stolen? A viable solution is to remotely wipe the work container data and apps with Hexnode. The admin can also entirely remove the work profile from the misplaced device.  


We have discussed the different features for COPE devices, and you must have noticed that it shares many in common with Bring Your Own Device (BYOD) policies. Are BYOD and COPE one and the same? 

The answer is no.  

BYOD allows the employees to purchase and bring their own devices to work. COPE enables businesses to purchase the devices and allows the users to use them for both work and personal purposes. The main difference lies in the ownership of the devices. So, you may wonder, which one is better? BYOD or COPE? 

Like every model, both have their pros and cons. A major benefit of BYOD is the lower hardware costs since the employees are paying out of their pockets. A major drawback is that the users may not be comfortable with the employers using a UEM to manage their personal devices. COPE solves this dilemma and ensures both security and user satisfaction. 

Features you can’t miss for dedicated devices 

Dedicated devices, formerly known as Corporate Owned Single Use (COSU), are company-owned devices that are meant to serve a dedicated purpose, such as a mall kiosk or digital signage. These devices are fully managed by the organization. While there are different methods in the market for deploying dedicated devices, the easiest and most secure method is to use an enterprise mobility management solution that supports different kiosk modes like Hexnode 

How can you convert a fully managed Android Enterprise device to a dedicated device?  

  1. Enroll the device as a fully managed device with Hexnode. 
  2. Configure a kiosk policy that locks the device into a single app or a digital signage display. 
  3. Assign the policy to the device. 

Single App Mode 

Hexnode’s single app mode allows the admin to lock the devices into a single app of their choice, converting the Android devices into a single-purpose device. The app can be a Managed Google Play app, enterprise or in-house app, or even a web app. The users would not be able to access any other application or device settings on the locked device. Single app mode is used in malls for information kiosks, restaurants for ordering, hospitals for patient monitoring, and more. Combined with rugged devices, single app mode is also useful for workers at construction or mining sites, where they can work without distractions. 

Digital Signage Display 

Digital signage display company owned devices 
Advertisements have always been a huge priority for businesses. Digital signage displays are when an image or video is displayed on a huge screen. These are very popular among organizations for advertising. New York Times Square is a famous place where you can see digital signage displays everywhere. Hexnode’s Digital Signage Display allows the admin to lock the Android device screen to an image or a video and play it in a loop. It can be used for either advertising or informational purposes. 

Multi App Mode 

Hexnode has an additional kiosk mode – Multi app mode. The devices are locked into a set of apps as specified by the admin. The user can access only the selected apps and the device settings allowed by the admin. Multi app kiosk mode allows the users to work without any distractions from other apps or notifications. 

To sum up 

Android Enterprise is a boon to the enterprise world. The management options for the company-owned devices are numerous, and they are continuously evolving every year. To take full advantage of all the features, it is necessary to use a Unified Endpoint Management (UEM) solution like Hexnode. The UEM should have regular updates and be able to keep up with the always-changing times. 

Emily Brown

Reading is therapy and writing is healing...sincerely, a cool nerd.

Share your thoughts