Why should you migrate from legacy management to Android Enterprise?

Heather Gray

Jul 7, 2020

20 min read

Google’s Device Admin (DA) API made available in Android 2.2 in 2010 provided enterprise users with a management solution for their devices. However, with the release of Android 9.0 Google announced the deprecation of some device admin policies.

With the increased use of mobile devices in the workplace and the increased handling of confidential resources, DA’s approach of seeking administrative permissions to manage the device posed great security risks. Since the requirements of enterprises have evolved greatly in the past decade, DA is now considered a legacy management approach since it fails to meet these new requirements head on.

The three steps in managing devices with DA includes the following:

  • Firstly the EMM agent will create an MDM app, which is the Device Policy Controller
  • Then the user will install the app and provide the Admin permissions
  • Device Admin policies will start taking effect on the device

As mentioned before, going for a legacy management approach can bring in several drawbacks such as:

  • The DA will ask permission to manage the entire device whether it is corporate owned or owned by the user, if permission is denied, the device cannot be managed at all
  • The user must manually download the device admin app for provisioning
  • Since there can be more than one admin app in the device, it can lead to app conflicts
  • Cumbersome app management approach

The deprecated policies include:

In Android 10, if these policies are invoked they will be marked as a SecurityException.

Since managing devices through DA is not viable anymore, how would you go about ensuring that the android devices in your organization has an efficient management solution in place? This is where Android Enterprise comes in.

Android Enterprise (AE) formerly known as Android for Work, is an initiative put forward by Google to enable the use of Android devices in the workplace. It consists of a set of APIs that makes it easy for enterprises to manage and secure all Android devices running on OS version 5.0 and above. In 2014, Android Enterprise was launched as an optional solution which manufacturers could integrate with 5.0 Lollipop. From 6.0 Marshmallow, AE was used as a mandatory component for all manufacturers.  

In switching over to Android Enterprise from legacy management, your organization can experience quite a handful of advantages, some of which includes:  

  • Containerization of corporate and personal data in BYO devices  
  • A Play for Work console that offers a Play Store just for corporate usage, only apps approved by your organization will be present inside  
  • Deploy appropriate configurations and permissions on the apps even before it gets pushed to the targeted devices  
  • A mandated device encryption  
  • Zero touch enrollment for Android 8.0+ devices 

Based on their use cases, the AE enrolled devices can be classified into:  

  • Device owner mode (fully managed devices) – gives the organization full control on the managed devices. This is used in devices owned by the company.   
  • Profile owner mode (fully managed devices with work profile) – used in BYO devices, a work container containing the corporate data will be created on the personal device of the employees. Containerization ensures the separation of work profile and personal space of the user’s device  
  • Dedicated devices – a subset of company owned devices that serves a specific purpose. These devices are locked to a single app or a set of whitelisted applications. It is mainly used for digital signage and kiosk purposes. 

Efficiently manage Android devices with Hexnode MDM

Differences between Android Enterprise and Native Android Management  

Functionalities  Android Enterprise   Native Management  
Support  It offers a consistent set of APIs to control and manage the applications and devices of the end users  It only has a limited set of device admin APIs to manage and control the devices  
Updates OS upgrades and security patches from device manufacturers are delivered within 90 days  Patch delivery may take more than 180 days  
Containerization Has containerized support for the separation of both corporate and personal data   No containerization of corporate and personal data  
Compliance Mandatory device encryption  


More advanced restrictions can be placed on the device functionalities, network, connectivity etc  

No mandatory device encryption  




Limited restrictions  

User Experience Better app management capabilities  


GDPR ready  

Limited app management capabilities 


Out of box GDPR readiness not available  

Zero Touch Enrollment Available from Android 8.0 and above   Traditional on-boarding

Management of Android Enterprise devices with Hexnode MDM  

The integration of Hexnode with Android Enterprise provides enhanced management capabilities and zero touch enrollment for Android devices running on OS version 8.0 and above.  

Advanced restrictions, not found in native Android management can be set to secure the managed devices and prevent the leakage of corporate data.  Here’s how switching over to Android Enterprise can help your organization:  

Multiple enrollment options

Android Enterprise provides multiple enrollment options for the devices
Android Enterprise provides multiple enrollment options for the devices

To enroll the devices, you must first enroll your organization in the Android Enterprise program and depending on the business requirements, the devices can be enrolled in either profile owner or device owner modeHexnode MDM’s support for AE creates a separate work container on BYOD’s or a completely corporate owned work profile on fully managed devices with no user intervention. Apart from zero touch enrollment, the devices can also be enrolled via GSuite and QR Code. With Hexnode, Android Enterprise can be configured using GSuite

GSuite provides access to many Google applications and manages the applications distributed to a specific user by the means of an account created by the administrator. Configuring Android Enterprise via GSuite can only be done if you have a GSuite account. Other provisioning methods include DPC Identifier, NFC, Samsung KME, and Android Debug Bridge.  

Better app management capabilities 

Install applications with no user intervention

One of the greatest perks of Android Enterprise is its enhanced app management capabilities. All the enterprise applications needed by your organization can be silently installed on the Android Enterprise enabled devices enrolled as Device Owner with the Hexnode for Work app (v7.8.2+) installed. Enterprise apps are private apps developed by an organization, since they are used just within the company, these apps cannot be hosted on a public platform like Google Play. The enterprise apps can be added in two ways – you could either upload the APK file of the app in Hexnode’s app inventory or publish the app as a private app in Managed Google Play.

This will then be added to the portal. If your firm requires the latest version of the app to be installed on the users end devices, you can easily update the enterprise app by replacing its old APK file with a new one. Login to the Google Play console, click on ‘All Applications’ and select the app that needs an update. Next choose ‘Release Management’ from App Releases and click on ‘Edit Releases’. Upload the new APK files and add in the release notes. Click on ‘Save’ to complete the process. The Review option will give you a summary of all the app releases. Select ‘Confirm Rollout’ to release the updated appIt will now appear in the list of updated apps published by the developer.  

You can distribute the updated app to the devices via the mandatory apps policy or by selecting Action > Install Application from the Manage tab. In AE enabled devices enrolled as device owner, the silent app installation will work for store apps as well. By converting the store app into Managed Google app, it can be silently installed on the devices.   

Boost productivity by blacklisting/whitelisting applications 

One of the perks of device management with Android Enterprise is that it helps organizations to boost the productivity of their employees by whitelisting a set of applications. This works on both profile owner and device owner enrolled devices. In profile owner, only the applications within the work container can be blacklisted or whitelisted. Once the apps are blacklisted, they will be hidden from the user.

This would also block them from installing or updating the blacklisted apps, if they proceed to do so a notification will be displayed on the screen specifying that the action has been restricted. When a set of apps are whitelisted, the rest of the apps present within the work container will be considered as blacklisted, only the whitelisted applications and the Hexnode for Work app will be displayed. The user will not be able to install any other apps from Play for Work.  

When apps are blacklisted on devices enrolled as device owner, it will be hidden. Users will be restricted from installing or updating the blacklisted applications. When a set of apps are whitelisted only those and the Hexnode for Work app will be shown in the entire device. The rest of the applications will be considered as blacklisted and hence will be hidden from the device. Just as in profile owner mode, the user will be restricted from installing any other app from the Play Store. If you try to blacklist and whitelist the same appit will remain blacklisted.     

Approve and add applications 

Managed Google Play provides enterprises with the convenience to deploy and manage the apps within their organization with ease. 

With Hexnode admins can easily approve and add the Google Play apps to the app inventory and manage their updates. You can even create a custom App Store with these apps and customize it in any way you like by adding pages and app categories.  

Configure applications and set permissions 

The ease with which you can set configurations and permissions to an app even before it gets pushed to the targeted devices is yet another reason why organizations should switch from native Android management to Android enterprise. You can configure the app from the portal via the policy route.

In order to see the app in the list of configured apps you must add in at least one configuration.  App permissions can be set the same way. They can include location, network access and camera. The permissions are not limited to just these three, they can differ based on the app you choose. While setting the permission from the portal, you can choose from any of these three options – default, allow and deny. Default means that the app will follow its default permission.   

Customize the play store layout 

With device management with Android Enterprise, you can customize Play for Work with the chosen play store apps and custom built the app clusters and pages. Firstly, you will need to approve and add the apps to the list and then design a layout for the store. Once that’s done, you can start adding the apps. Since we have already talked about adding and approving the applications, we’ll jump right into the process of designing a store layout and adding the apps to it.  

The store layout will consist of clusters and pages, you can create separate pages for different departments (say marketing or finance) and add clusters (I.e. sections) within the page. The app that you wish to deploy can then be added inside those clusters.  If you don’t want a cluster, you click on the trash icon on top to delete it. The ‘Remove All’ button will clear all the apps present within the cluster.   

Another cool feature you can get to access is the creation of app catalogs. An app catalog once created can later be pushed to devices either directly or via the policy route. Only Managed Google apps included in the app catalog can be seen in Hexnode for Work.   

Publish private apps in Managed Google Play 

This secure feature of Android Enterprise management gives organizations the ease with which they can securely distribute essential applications within their firm without facing the risk of giving users access to these apps outside the organization. You can publish an app as a private app in Google Play.

The private app can be published directly to the MDM console and distributed to the devices of the end users. In order to publish an app privately in Managed Google Play, the organization or developer should have a Google Play developer account. The title of the app and its package name should be unique to the developer account. A total of 15 apps can be uploaded in a day and 20 organizations can be entered per app 

Set more restrictions

Secure management of devices can be easily accomplished with Android Enterprise, additional restrictions on the device functionalities, network, connectivity and app settings can be set.

You can create a policy with the required restrictions from the MDM console and push it on to the targeted devices.    

Basic Restrictions

Device Functionalities:  

Camera  Enable/ disable the use of camera on the devices, by disabling the camera icon will be hidden from the menu and home screen


Enabled by default

Device Owner, Profile Owner 
Safe Mode  Allows the user to boot their devices to safe mode. On Android devices running on versions 7.0+ the safe mode feature cannot be disabled. Device Owner 
Screen Orientation  Choose the screen orientation of the device. The following options are available: users can choose, Auto Rotate, Portrait, Left, Right, Invert   Device Owner 
Screen Timeout  Configure the screen timeout for the devices. You could either choose to keep the current settings or select a time period from 1,2,3,4,5,10 and 15 minutes.    Device Owner 

Allow Network Settings:

Wifi  Restrict or permit users from turning on the wifi.  

By default, the option to turn on will be enabled.  

Device Owner, Profile Owner 
Force Wifi  Prevents users from turning off the wifi  Device Owner, Profile Owner 
Bluetooth  Allow or deny users from switching on bluetooth.  

By default, users will be allowed to use bluetooth on their devices  

Device Owner, Profile Owner 
Force Bluetooth  Prevents users from turning off the bluetooth   Device Owner, Profile Owner 
Tethering  Permit users to share their data connection with other devices.   Device Owner 
Portable Wifi  Allow users to control their portable wifi hotspot settings. The available restrictions include: Always on, Always off, Users can choose   Device Owner 
Data Roaming  By enabling this option, users can get to turn on data roaming and use the mobile data outside of their home networks.  

Data roaming will be allowed by default

Device Owner 

Advanced Restrictions

Device Functionalities:

Microphone  When left unchecked, the microphone will be disabled except when making phone calls   Device Owner, Profile Owner 
Screen Capture  Permit or restrict users from capturing a screen shot either from their device or from Android Studio. In profile owner, screen capture is restricted only for applications within the work container    Device Owner, Profile Owner 
Copy contents between normal and work profile  Permit users to copy contents between user and work profiles   Profile Owner 
Users can adjust volume  Allow users to adjust the volume of their devices   Device Owner, Profile Owner (Android 6.0+) 
Make a call  Permit users to make calls from their devices   Device Owner 

Display Settings:

Hide Status Bar  Hide the status bar at the top of the screen. By hiding the status bar, access to the notification bar and quick settings tray will be denied.  

The status bar will be displayed by default  

Device Owner 
Display dialogs/windows  Blocks the dialogs/windows prompts on the device. It will block the system overlays, alerts, toast messages, incoming/outgoing calls, application overlays, Hexnode’s password prompts, broadcast message alerts, and floating kiosk peripheral settings icon   Device Owner 

Connectivity Settings:

Beam from device  You can specify if the user can use NFC to beam out data from the applications   Device owner, Profile owner 
Transfer data via Bluetooth  Permit the device to transfer data over bluetooth.  

Note: Since Android Beam transfers data over bluetooth, turning this option off will affect the Android Beam transfers 

It is allowed by default  

Device Owner, Profile Owner 
Configure Bluetooth  Permit or deny users from configuring the Bluetooth   Device Owner 
Configure cell broadcast  Allow or disallow users from configuring the cellular network settings on the device   Device Owner 
Users can reset network settings  Allow users to reset the network settings on their device, by enabling this options users will be permitted to reset the current cellular and wifi settings, VPN settings and wifi passwords.  

This only works in Android devices running on OS version 6.0 and above  

Device Owner 
Configure Wifi  Allow users to configure wifi on their devices   Device Owner, Profile Owner 
Configure Hotspot and Tethering  When enabled, users would be able to configure portable hotspot and tethering on their devices   Device Owner 

Account Settings:

SMS Receive messages, send messages  Blocking this feature will restrict users from receiving or sending messages from their devices   Device Owner 
Modify Accounts/Users  Permit users to add, delete and switch between Google accounts   Device Owner, Profile Owner 
Configure User Credentials  Allows the user to configure their user credentials   Device Owner, Profile Owner 

Restricting other device settings:

USB Debugging  If this option is enabled, the Android device will be allowed to communicate with a PC running Android SDK via USB  Device Owner 
Users can enable location sharing  Permits users to enable real time location sharing with others   Device Owner, Profile Owner 
Factory Reset  Allow user to reset their device to factory settings   Device Owner 
Read any connected physical external media  Permit users to connect their device to an external physical media    Device Owner, Profile Owner 
Update data and time automatically  Allow the automatic update of date and time on the device   Device Owner 
Set the time zone automatically  Automatically update the time zone in which the device is in    Device Owner 
Configure VPN  Permit or deny users from configuring VPN on their device   Device Owner, Profile Owner (Android 6.0+) 

App Settings:

Install apps  By disabling this option, you can block the installation of apps on the device   Device Owner, Profile Owner 
Uninstall apps  Disallow users from uninstalling any apps from the device   Device Owner, Profile Owner 
Control apps  Allow users to modify the apps in settings or launchers. When the option is enabled, users will be able to uninstall and disable apps, clear the app data and cache, force stop app and clear the app defaults   Device Owner, Profile Owner 
Verify apps before install  Allow Google to verify the content of the apps for any harmful behavior prior to its installation   Device Owner, Profile Owner 
Install apps from unknown sources  Allow or deny the installation of apps from unknown sources.   Device Owner, Profile Owner 
App runtime permissions  Set runtime permissions for the apps, you could either grant, deny specific permissions or set the default permissions for the apps   Device Owner, Profile Owner 
Parent profile app linking  Permit apps in the parent profile to handle web links from the managed profile.  

This works only on Android devices running on OS version 6 and above  

Device Owner, Profile Owner 


With the assimilation of BYOD in the workplace, containerization can help keep the work apps and personal apps of the users separate from each other. It establishes a separate, encrypted area on the device where the business data are kept secure. Admins will only be able to manage the work container thus restricting their access to the personal data of the user.  

Android devices enrolled as Profile Owner will have a work container where all the work apps will be stored. You can easily differentiate these apps from the normal ones as they will have a work badge icon. Applications present within the work container will not communicate with the personal apps. If you have an app that is being used in both the work container and personal space, it will run separately on the device, only the app with the work badge icon will be managed.  

You can configure compliance settings on Android Enterprise devices. Once a device becomes non-compliant, the work container will be deactivated if the deactivation settings have been enabled. The container will get re-activated once again as soon as the device becomes compliant. Work container deactivation is applicable on both device owner and profile owner enrolled devices. Once deactivation is initiated, all the applications present within the work container will disappear. While deactivating the work container via policy, you can specify the time in which the work container should be deactivated on non-compliant devices.    

Factory reset protection

Enable Factory Reset Protection on the managed device
Enable Factory Reset Protection on the managed device

Factory reset protection (FRP), an essential security feature in device management with Android Enterprise, prevents an unauthorized person from accessing the phone of your employees after it gets reset to factory settings. In order to login to the device once again, the user will have to enter their Google username and password. Factory reset protection can be applied on Device owner enrolled Android devices (v5.1+).

However, some situations may warrant the bypassing of FRP. You can use your G Suite email ID and google+ profile ID to log in to the device and bypass it.    

Schedule OS updates

In devices enrolled as device owner OS updates can be scheduled. You could choose from any of these four options from the MDM console to manage the updates – Default, Update automatically, Update during inactive hours and Postpone update.

When you select ‘Update during inactive hours’ time can be set in which the OS needs to be updated. In ‘Postpone update’ the OS updates will get postponed for up to 30 days.  

Configure Android Enterprise enrolled devices with OEMConfig

With OEMConfig, OEM specific settings can be configured on devices enrolled via the Android Enterprise program. It is an application built by OEM and published on the Managed Google Play Store. OEMConfig apps make use of managed configurations to configure the multiple device features provided by the OEM. With Hexnode, you can access these OEM specific features from the portal. 

You can customize the OEM specific settings of any managed Android 5.0+ device that has its corresponding OEMConfig app installed.  The OEMConfig apps will only work on its corresponding OEM devices. When the OEMConfig app is installed on the device, it uses the settings that has been configured in the portal to manage the device. To configure the device owner or profile owner enrolled device with its corresponding OEMConfig app, you must first approve and add the OEMConfig apps in the app inventory and then set up the OEM specific configurations.  

Enable kiosk mode

In Android Enterprise, Kiosk mode works only on devices enrolled as device owner. The device can be locked down to a single or multi app kiosk. To enable kiosk on AE devices go to Kiosk Lockdown > Android Kiosk Lockdown > and chose from any of the three options – Single App Kiosk, Multi App Kiosk, Website Kiosk Settings.

You can exit from the kiosk mode by tapping on the screen 10 times and enter the default exit passcode under Admin > General Settings > Global Exit Settings (Android) > Exit Passcode.  You can also set a password in the kiosk policy and push it to the targeted devices.  


Some organizations generally go for native management to manage their Android devices, however by switching over to Android Enterprise, you can avail additional functions and keep the critical enterprise applications more secure. 

Companies can choose from the Android Enterprise Recommended list of devices to find the right device that will neatly adhere to their business requirements.


Heather Gray

Technical Blogger @ Hexnode. Reading and writing helps me to stay sane.

Share your thoughts