
What is Android device owner mode?

Heather Gray

May 10, 2020


IT admins currently manage various device classes, including BYOD, COPE, and COBO, each requiring separate management. School-owned devices in Android device owner mode enable admins to block functionalities like factory reset and Wi-Fi modifications. With Android Enterprise, admins can configure the device in two ways – device owner mode and profile owner mode.


Provisioning corporate owned devices through Android device owner mode grants the organization full control. The functions that a device owner can perform include:

  • Enable or disable hardware and software functions 
  • Configure password policy and user accounts on the device  
  • Configure network parameters, VPN and CA certificates 
  • Wipe the device and its contents   
  • Set global settings such as airplane mode, GPS and Bluetooth  

In company owned deployment scenarios, the enterprise owns the devices it uses and has full control over them. The management application used is known as the Device Policy Controller (DPC). The DPC is responsible for enforcing policies on the Android devices. When the DPC acts as a device owner, it looks after the entire management of the device. Furthermore, it can also perform a wide range of device-oriented actions such as configuring connectivity, setting up global settings and performing a factory reset.

Features of Android device owner mode

  • Create custom lock screen messages 
  • Disable data roaming 
  • Configure the kiosk applications by whitelisting the applications needed by the organization  
  • Remotely reboot the devices 
  • Apply certain configurations on the device like unlocking, hardware controls and factory resets 
  • Ensure secure network connection  
  • Set up a single wireless network ID across different regions  
  • Quick enrollment options such as Zero touch enrollment and QR code enrollment  

Provisioning methods

Different provisioning methods such as DPC Identifier, NFC, QR Code, Zero touch enrollment, Samsung KME, G Suite and Android Debug Bridge are available to enroll your devices. Let’s have a look at what each means:

 

Zero touch enrollment

This is a streamlined method for preconfiguring devices to automatically provision themselves right on the first boot.

QR Code

The admin can scan the QR code generated by the EMM solution used by their organization to provision and manage the device.

NFC

This method requires users to create an NFC programmer app that contains the enrollment token, settings and other details to provision a dedicated or fully managed device.

DPC Identifier

Use this method when you cannot enroll devices via QR code or NFC. The admin needs to follow the setup wizard on the new or factory reset device and connect it to the internet to enter the DPC identifier. After this they need to either scan a QR code or enter an enrollment token to provision the device.

Samsung KME

Samsung Knox Mobile Enrollment enables admins to provision devices in bulk and set them up for users from the moment they switch them on.

G Suite

In order to set up an Android device with a G Suite account, users would have to add their account to the device. The process of adding the account will depend on whether or not you are setting up a new device or an existing one. Organizations with a G Suite Enterprise account can import the company owned devices into their inventory. These devices will be automatically set up in a fully managed mode.  

Android Debug Bridge

This method uses Android Debug Bridge (ADB) to provision devices as a device owner. It is applicable for devices running on Android 5 or later versions. This method is useful in situations where the number of managed devices is small, as they would have to be unboxed to initiate the provisioning process. After this the enrollment will be carried out separately.

During the initial setup of a new device or after a factory reset on devices running an older Android version, provision Android device owner mode. Two provisioning methods exist, depending on the use case:

  • If device-driven, IT admins can use NFC to provision a large number of devices. This method applies to organizations using Managed Google Play Accounts or G Suite.
  • If user-driven, the provisioning options vary based on whether the organization uses G Suite. Users of organizations using G Suite will have to add their Google Account during the initial device setup process. This process would help end users to set up the device and is an alternative for those devices that don’t support NFC. Organizations not using G Suite could follow the managed Google Play Accounts method. 

Apart from Android device owner mode, there are other solution sets such as the profile owner mode, also known as work profile mode or managed profile mode. Here, by means of the DPC, the organization can enable the personal devices of employees for work use by adding a work profile to the primary user account on the device. The work profile is associated with the primary user but exists as a separate profile. Container level security policies are set up to prevent users from accidentally pasting sensitive corporate information into unauthorized apps.

There also exists a dedicated Android device owner mode which comes as a subset of the device owner solution set. The dedicated device solution set is designed for company owned devices that are used for a single purpose such as kiosks and digital signage. This gives admins the convenience of restricting the usage of the device to a single app or a set of whitelisted applications. It also prevents users from accessing other apps or enforcing other actions on the device.

Enable device owner mode in your organization’s devices

As previously mentioned, assign a device owner during the initial setup process of devices. It’s advisable to enroll corporate owned devices with a device owner solution set and employee devices with a profile owner solution set to maintain user privacy. To activate Android device owner mode, your organization should enroll in the Android Enterprise program. Devices running on older Android versions should undergo a factory reset prior to enrollment. For devices running on Android 7 and above, a QR code can be used to enroll the devices.

Steps to enroll based on the Android version

Enrolling devices running on Android 7 and above
  • Tap the welcome screen 6 times. Once the device is connected to the network, it will automatically install a QR code reader. On the Hexnode portal, go to Admin > Android Enterprise to view the QR code. Next, scan the QR code and click Accept & Continue to continue the installation process.
  • Enable device administration, usage access, draw over apps, write system settings, and notification access permission. Click Next to start enrolling your device with Hexnode MDM.
  • The installation is finished once a work account is created on the device.

Enrolling devices running on Android 6 and above
  • To set up the device, follow the on-screen procedure. When prompted to enter your Google Account, type in “afw#hexnodemdm” and click Next. Install the Hexnode for Work application and proceed to enter the Hexnode server name or scan the QR code. Agree to the Hexnode End User License Agreement by clicking “Next” and then select Continue to set up your device in Android device owner mode.
  • Next, enable device administration, usage access, draw over apps, write system settings, and notification access permissions. Once enabled, the device will start enrolling with Hexnode MDM. A work account creation on the device completes the installation.

Enrolling devices running on Android 5
  • Android 5 devices require a factory reset. After the reset, go to Settings > About Phone. Tap Build number 7 times to enable developer options. Then, in System settings, enable USB debugging from Developer Options.
  • Next, download the Hexnode for Work APK and install the Android Debug Bridge (ADB) on your system. Open the command prompt and navigate to the ADB folder.
  • Initialize ADB with the command “adb start-server”. Connect the device to the computer and run the command “adb install HexnodeMDMWork.apk” to install the downloaded APK.
  • Set Hexnode for Work as the device owner using the command “adb shell dpm set-device-owner com.hexnode.mdm.work/com.hexnode.mdm.receiver.” Enter the server name and proceed to set up your device in Android device owner mode.
  • Enable device administration, usage access, draw over apps, write system settings, and notification access permissions. Click Next to enroll your device with Hexnode MDM. The installation completes once the work account is created on the device.
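After the “dpm set-device-owner” step, it is worth confirming that Hexnode for Work, and not some other package, actually holds device owner. The script below is an added example, not Hexnode's own tooling; it assumes the “dumpsys device_policy” layout shown in its constructed samples, and the receiver names in those samples are placeholders.

```shell
#!/bin/sh
# Added example: confirm which package holds device owner after ADB provisioning.
# Assumption: "dumpsys device_policy" prints a "Device Owner:" section with
# indented admin=, name= and package= lines, as in the constructed samples below.

# Print the device-owner package from dumpsys text on stdin (nothing if unset).
device_owner_package() {
    awk '
        /^[ \t]*Device Owner:/ { in_owner = 1; next }
        /^[ \t]*Profile Owner/ { in_owner = 0 }
        in_owner && /^[ \t]*package=/ {
            sub(/^[ \t]*package=/, ""); print; exit
        }'
}

# $1 = expected package; dumpsys text on stdin.
# Returns 0 on match, 1 if another package is owner, 2 if no owner is set.
check_device_owner() {
    expected=$1
    actual=$(tr -d '\r' | device_owner_package)
    if [ -z "$actual" ]; then
        echo "FAIL: no device owner set" >&2
        return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: device owner is $actual, expected $expected" >&2
        return 1
    fi
    echo "OK: device owner is $actual"
}

# Constructed samples (not captured from a device; receiver names are placeholders).
SAMPLE_OWNED='Device Owner:
  admin=ComponentInfo{com.hexnode.mdm.work/PLACEHOLDER_RECEIVER}
  name=
  package=com.hexnode.mdm.work
  User ID: 0'
SAMPLE_OTHER='Device Owner:
  admin=ComponentInfo{com.example.unknown/PLACEHOLDER_RECEIVER}
  name=
  package=com.example.unknown
  User ID: 0'
SAMPLE_PROFILE_ONLY='Profile Owner (User 10):
  admin=ComponentInfo{com.example.dpc/PLACEHOLDER_RECEIVER}
  package=com.example.dpc'

printf '%s\n' "$SAMPLE_OWNED" | check_device_owner com.hexnode.mdm.work
# Live use: adb shell dumpsys device_policy | check_device_owner com.hexnode.mdm.work
```

A profile owner on a secondary user is deliberately not counted as a device owner, so a work-profile-only device is reported as having no owner set.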

Set up appropriate restrictions 

Hexnode MDM policies can be used to allow or restrict access on the devices enrolled via Android Enterprise. In order to configure restrictions on an Android Enterprise enabled device, go to policies, select a new one or edit an existing one, and choose Restrictions from Android to set up the basic device restrictions.

In addition to restricting basic device functionalities, admins can also restrict:  

  • Display settings  
  • Network settings  
  • Connectivity settings  
  • Account related settings  
  • Other device settings  
  • Set up app-based restrictions  
  • Set up a factory reset protection  
  • Enable lock task mode  

Set up configurations and permission for the managed apps

Managing app configurations in Android Enterprise devices enrolled in device owner mode

With Hexnode, it is easy to limit the features that a managed app can have. It also gives IT the convenience of pre-configuring the app before it gets pushed on to the targeted devices. App permissions allow organizations to pre-configure the permissions for Managed Google Play apps to access Android device features. By default, apps requiring access permissions will display a prompt to users to accept or deny permissions. Furthermore, by defining the right app permissions, organizations can ensure that the apps don’t access unnecessary features, thus making sure that the corporate data stays protected.


Additionally, app configurations allow admins to remotely configure features for the Managed Google Play apps. Once you install the apps, they will automatically supply all the settings. To determine if the app you want to use supports configuration settings, it’s advisable to consult with an app developer beforehand. For supported apps, the developer will specify the configurable options. Furthermore, IT can use the options displayed in the Hexnode console to define the custom configurations. This not only saves IT a lot of time but also lets them pre-configure and distribute the apps to multiple users in a single go.

OEMConfig

Introduced at the Android Enterprise Summit 2018, OEMConfig is an Android standard defined by Google that brought in changes in Android device management. With the help of OEMConfig Hexnode can offer its customers a wide range of hardware and security features for Android Enterprise devices without having to build every individual OEM specific setting into the product.   

Device manufacturers that support OEMConfig build their own OEMConfig apps and host them on the Google Play platform. The organization then approves and adds the OEMConfig app to the UEM console. Hexnode allows administrators to customize the settings by means of managed app configurations. Additionally, the apps can also be pushed silently to the Android Enterprise enabled devices via the Hexnode console. Furthermore, the customized OEMConfig app will get installed onto the device and will use the configured settings to manage the devices. Once a new feature has been added, the OEM will update the app and Hexnode will automatically add support for the new feature.

Lock down the devices to a kiosk mode

Locking down an Android device owner mode device in kiosk mode

Fully managed devices are required to achieve kiosk mode. Android device owner mode offers enhanced features, ideal for kiosk deployments, including silent deployment of apps. Also, Android Enterprise presents a distinct deployment scenario for dedicated devices. Dedicated devices (formerly Corporate Owned Single Use) serve specific purposes and are fully managed. Devices that cater to customer specific needs include kiosks and digital signage. In order to ensure a complete lockdown, additional user restrictions such as disabling safe boot, disabling factory reset and preventing the addition of a new user can be applied.

Additionally, Android offers a set of APIs specifically designed to lock down fully managed devices into kiosk mode. Some of the key highlights of these Android Enterprise dedicated devices include running the system in a kiosk mode by means of lock task mode, sharing the device between multiple users, caching the APKs required for multi-user sessions and suspending system updates.

Though Android developers can create dedicated applications that can easily set up a kiosk mode on Android devices, it would be more convenient to rely on the services of a powerful MDM solution like Hexnode to take care of your kiosk configurations. The MDM comes with a set of tools that help various organizations to set up the right kiosk that would neatly adhere to their business requirements. Furthermore, Hexnode by pairing up with no-touch enrollment programs such as Android Zero Touch Enrollment and Samsung Knox Mobile Enrollment offers a quick deployment and provisioning of Android devices.


Industry Use Cases

Education:

By whitelisting necessary apps, admins ensure students using managed devices focus on studies without distractions. When organizations need strict control over employee device management, they choose corporate-owned devices.  

Corporate: 

In Android device owner mode, IT admins safeguard sensitive corporate data on these devices consistently. Regardless of ownership, organizations must protect business apps and sensitive data on the device. Unlike the profile owner mode, fully managed devices come with a set of additional functionalities to enhance the security of the company, such as remotely rebooting the device and locking it down in an immersive kiosk mode. Also, organizations managing a large number of devices would do better to enroll their devices in Android device owner mode, as it provides them with quick enrollment options and flexibility in configuring more network restrictions.

Healthcare:

Hospitals and healthcare clinics that use Android Enterprise enabled devices can harness additional security capabilities in a way that is easier for both the IT department and end users. Admins can ensure that the essential policies are being universally applied onto the targeted devices without asking the medical personnel to update their device manually each time a policy gets pushed, thus giving them ample time to interact with their patients.  

Logistics:

Android has a set of APIs to help people who use dedicated devices to get their tasks done. For example, Lock task mode enables employees to operate devices in kiosk-like mode, accessing whitelisted applications for productivity. Sharing a single device among multiple shift workers provides cost savings for businesses.

Conclusion

Android device owner mode allows IT administrators to securely manage different types of devices, such as COPE and COBO. Also, it provides features such as personalized lock screen messages, network settings, app restrictions, and kiosk mode, enabling organizations to enforce rules and manage devices efficiently. Furthermore, the Zero-touch enrollment method makes it flexible and convenient to set up devices. Additionally, this mode also improves security and productivity in industries such as education, corporate, healthcare, and logistics. By using Android Enterprise and a dependable MDM solution like Hexnode, organizations can simplify device management and effectively safeguard sensitive data.
