What businesses need to know about Android enterprise device management 

Heather Gray

Jul 14, 2022

10 min read

The depreciation of Device Admin paved the way for businesses to adopt Android Enterprise. Why? For starters, it gave admins a much better control over the managed devices such as zero touch enrollment, pre-configure essential settings, deploy private applications and lock down devices to function as kiosks.

Chances are high that you’re already managing a fair amount of Android devices, this is not surprising considering Android continues to be the most dominant OS contributing to about 69.47% of the global market share. Before we begin unraveling the benefits Android Enterprise can bring to your organization, let’s clear up some confusion by looking to into some of the terms associated with it.

Glossary of Android Enterprise terms

Device owner

This refers to the application responsible for deploying and managing the required configurations, security settings and applications on the fully managed company owned devices.A device can have only one device owner. This would usually be the EMM provider. It runs on devices with Android 5.0 and above.

Device Policy Controller (DPC)

DPC is an application that communicates with the EMM and help admins implement policies and check the device compliancy. It is used to manage corporate owned and personal device of employees. The DPC once installed on personal devices creates a work container that safeguards the storage of enterprise applications and manages the encrypted work profile on the device.

Fully managed device

These are company owned devices fully managed by the organization. They are only intended for work related purposes. Users would not have any control over the device.

Profile owner

The DPC used to manage the work profile is known as the profile owner.

Work profile

An encrypted space within the device that separates work data from the personal data of the user.

Fully managed device with a work profile

These are company owned devices used for both corporate and personal use. A work profile would be created within these devices to containerize business data from personal data. Employees would only have control over the personal space of the device.


This refers to the process in which an encrypted container is created on devices with a work profile.

Managed configurations

It allows admins to specify restrictions and deploy various settings on applications specific to their organization’s requirements.

Managed Google Play

Google Playstore for enterprise users where admins can publish in-house applications and make them available to users. It gives authorized users instant access to the applications they need to use within the organization.


Gives admins the flexibility to add OEM specific configurations and settings on the device. It helps to enhance the device management capabilities of the device.

Featured resource

Android Enterprise: Accommodating Mobility in the Enterprise

Get a clear picture of how Android Enterprise and UEM helps in bringing about a holistic management of Android devices.

Download whitepaper

How does Android Enterprise makes management of devices easier?

Before you begin leveraging the management capabilities of Android Enterprise your organization needs to be enrolled within the Android Enterprise program. Once the enrollment process is complete, the devices could either be enrolled in a device or profile owner mode depending on whether it is a corporate device or personally owned by the user. You can make the UEM provider as the device or profile owner to easily deploy all the restrictions and configurations your organization needs from the UEM console.

Secure endpoints and data

With insider threats and other data breaches costing organizations millions of dollars, one of the core responsibilities of being an IT admin is to make sure the devices and applications are continually protected from these threats. By managing the device via Android Enterprise, admins can use the UEM console to deploy a number of restrictions on the devices to prevent it from being an easy gateway for hackers to gain access to your organization’s resources. These include:

Defining password for work container

Ensuring the safety of work containers is essential as it houses multiple enterprise applications and sensitive data. You can restrict access to the work container by locking it down with a password. This puts in an additional layer of security by making sure only authorized users have access to the work container. The complexity requirements of the passwords can be defined from the UEM console.

Deactivation of work container

The work container can be deactivated if the managed device falls out of compliance. This is an extra security measure admins can take up to reduce the chances of any data leakage.

Limit device functionalities

Define the way in which users can operate the managed devices by setting restrictions on camera usage, USB file transfer, screen capture, enabling location sharing and factory reset protection. You can disable the clipboard feature to prevent users from copying contents from the work profile to the personal space of their device.

Set adequate network restrictions

The better protected your networks are, the more secure your resources will be. Hackers are always on the lookout for any vulnerable spots within networks, therefore you should always be on guard to implement adequate security measures to keep it protected. Some of the measures you could implement include configuring the settings on your Wi-Fi and VPN networks.

Bypass Factory Reset Protection (FRP)

Factory reset protection is a security mechanism that protects unauthorized individuals from using the device when it is reset to factory settings. Users would be required to enter their Google credentials to log in to the device. There may be situations where you would have to bypass the factory reset protection, especially if the device needs to be assigned to a new owner. This can be a quite a problem if the device is still locked with the unknown credentials of the previous owner. You can bypass the Factory Reset Protection by using the G Suite email ID and google+ profile ID to login to the device once again.

Manage applications

Distribute and update essential applications

Install applications on devices without any user intervention. Either upload the APK file of the application or publish the app as private within the Google Play console.

Deploy multiple app-based restrictions

Setting a proper number of restrictions on the applications is important as it harbors sensitive data. You can ensure data security by disabling users from installing applications not approved by the organization and prevent them from modifying any of the application settings.

Blacklist and whitelist applications

Your organization may want to blacklist specific applications for multiple reasons ranging from productivity to security. Blacklisting an application prevents employees from accessing them as it stays hidden from the user. Whitelisting only displays the applications employees are required to use. It prevents them from accessing any application not whitelisted by the admin.

Add app permissions and configurations

Pre-defining app configurations ensures applications continue to work in alignment with your organization’s requirements. It also helps to secure the application from any threats or vulnerabilities. Certain apps may require permissions from users to function. These permissions can be remotely enabled by the admin before they are handed out to users.

Publish private apps

Managed Google Playstore gives organizations the convenience to publish enterprise applications as private apps. Publishing an app privately restricts access to only authorized employees. This safeguards enterprise data and limits the chances for data leakage to occur by letting admins set the restrictions they need in keeping the application safe.

Customize the Playstore layout

Admins can customize the playstore layout to make it easier for users to locate the applications they need to use. Add the approved applications and create pages and clusters within the customized Playstore to categorize the applications.

Hassle free app management with Android Enterprise & Hexnode

Device management with OEMConfig

Better control over the device

OEMConfig makes it easier for admins to integrate OEM specific device management capabilities with the UEM provider. The OEM vendor would first develop an application with required configurations and publish it on Managed Google Playstore. Organizations then download the OEMConfig app and add it to the app inventory within the UEM console. An OEMConfig policy would be created and the app would be configured with the necessary configurations. Once the process is complete, the policy would be associated with the devices.

Zero-day support for new features

One of the biggest advantages of managing your device with OEMConfig is admins don’t have to wait for the UEM provider to begin integrating new features. By enabling automatic updates on the application, you can immediately begin using the new features to manage the devices.

OEMConfig – Breaking the boundaries of Android device management

Managing and securing kiosk devices

“Increased usage of self service kiosks
Increased usage of self service kiosks

Multi app support

Whitelist essential applications and files and lock devices to work in a single app or multi app kiosk mode.

Background apps

These are hidden applications that function in the background. For example, you may require the use of a camera but wish to keep it hidden from users. You can deploy the app as a background app to make sure users don’t access it.

Configure various settings

Define the way in which kiosk devices can be used by employees. Make the devices more secure by configuring various network settings and enable the lock task feature to restrict users from accessing the home button and recent apps button. Configure the kiosk launcher settings to define the time period before which the app can be launched. The application will launch as soon as the kiosk mode is enabled or the device becomes idle.

Enhancing the security of kiosk devices

There are multiple advantages to using Hexnode’s built-in kiosk browser such as offering a more secure browsing experience and customizing various aspects of the browser such as its appearance, privacy and security settings and browsing history. Admins could choose to turn off the kiosk mode either by remotely turning it off from the UEM console or manually exiting it from the device by entering the kiosk password. This improves the security of the kiosk devices and restricts users from disabling the kiosk mode on their own. Kiosk mode can only be enabled on device enrolled in device owner mode.

Configure digital signage settings

Digital signages can be a great medium for businesses to reach out to potential customers and advertise themselves creatively. They can also be used as way finders and information boards in corporate offices, retail stores and healthcare centers. Android devices can be locked down to function as digital signages where images, files and videos can be displayed on the screen in multiple file formats.

Summing up

Since its introduction in 2018, Android Enterprise has expanded its feature list to give admins better control over the devices they manage. Some of the latest updates to Android Enterprise include:

  • Improvements in the UI of Managed Google Play iFrame
  • Deactivation of Android Management Experience
  • Adaptability of icon shapes in private web apps
  • Publish private apps to multiple organizations with the Google Play Custom App Publishing API
  • Availability of Android work profile to unmanaged Google Workspace users

It’s difficult to ensure the devices stay completely protected on a continual basis. Using a UEM solution with integrations with Android Enterprise, not only cuts down time in automating a number of manual and time-consuming tasks but it also makes it easier for admins to set the devices with pre-defined configurations necessary to secure the devices against a number of threats. 


Heather Gray

Technical Blogger @ Hexnode. Reading and writing helps me to stay sane.

Share your thoughts