Google has been steadily adding enterprise management capabilities to the Android OS, but it's not always clear how tools and technologies differ from one another or how IT can effectively administer Android devices and apps with them.
This cheat sheet aims to clarify some of the differences in Android features specific to the enterprise to help administrators better understand the options for Android enterprise device management.
Android device management APIs and services
Device Administration API. Google introduced this API in Android 2.2 to provide developers with device administration features at the system level. It is now considered a legacy option because it is no longer comprehensive enough to meet today's security and management requirements. For example, the API cannot securely reset device passwords on encrypted devices or establish administrator-defined passcodes to lock a user out of a device. Instead, IT should transition to newer Android technologies, such as Android Enterprise, when interfacing with the Android OS. With the release of Android Q (10) in September 2019, Google deprecated Device Administration policies that enabled IT to disable lock screen features and cameras, among other controls.
Android Enterprise. Google renamed Android for Work to Android Enterprise and expanded the platform to include more comprehensive enterprise features. Android Enterprise is an umbrella term that covers the wide range of security and management features available to the latest Android OS releases. Android Enterprise can integrate with many vendors' enterprise mobility management (EMM) platforms to support various BYOD scenarios and several methods to provision Android devices into an organization.
Modern management APIs. Android provides several APIs for working with the Android and Google Play ecosystems. One of the most important is the Android Management API, which vendors can incorporate into their EMM platforms to provide customers with tools to provision, secure and manage Android devices and apps. The Android Management API is integrated within Android Enterprise. For strong Android enterprise device management, IT teams should look for EMM products that take full advantage of these APIs, such as VMware AirWatch by Workspace One, MobileIron, IBM MaaS360 or other products.
Demonstrate your knowledge of enterprise mobile device security issues
As the mobile enterprise grows, so do cyberthreats. See how well you know the top mobile security risks, and learn how to better protect employees and organizations from them.
Android Things API. Android Enterprise also supports management for IoT devices through the Android Things program. First, admins must develop a specialized version of the Android OS that works on IoT devices through the Android SDK and Android Things API. Then, IT must develop a device policy controller to interface with an existing EMM platform and the custom OS.
Google Cloud Identity. Administrators can use Google's identity management-as-a-service platform to manage, secure and monitor Android devices. Google Cloud Identity is included with all G Suite editions and Google Cloud Platform products; in 2018, Google released it as a stand-alone product as well. It supports Apple iOS, Windows 10 and macOS, in addition to Android.
Android Enterprise Recommended. Google created the Recommended program to ensure that Android devices and related services adhere to established requirements and best practices for Android enterprise device management. The program defines an elevated set of specifications for validating EMM products, cellular services and Android devices. Google provides a list of validated products and services on its Android Enterprise site.
Enterprise provisioning. Google supports several provisioning and enrollment options for Android devices, such as using QR codes or near-field communication provisioning apps. With the release of Android 8.0 Oreo, administrators can also configure company-owned devices for zero-touch enrollment, which enables a device to automatically enroll itself into EMM when the device is first turned on. Android Enterprise offers even more enrollment options, such as using an EMM token or an enterprise Google account with G Suite.
Project Mainline. With the release of Android Q, Google introduced Project Mainline, an initiative to increase and standardize security updates across enterprise Android devices. Prior to Project Mainline, Google issued security updates through the OEM. The goal of Project Mainline is for Google to send security updates through Google Play Store without getting OEMs involved. This enables IT to automatically or manually push out security updates to devices running Android Q and later versions as soon as they are released.
OEMConfig. Google released the OEMConfig program to standardize Android enterprise device management. Due to the open source nature of Android, OEMs had the ability to make changes to the OS, which resulted in a fragmented Android ecosystem and complications as EMM vendors struggled to keep up with these changes. With OEMConfig, OEMs create an OEMConfig file and upload it to Google Play Store whenever they release a new device or software update. Then, IT admins can access the file and add it to an EMM platform that supports OEMConfig.
Device deployment scenarios
Work-managed. Work-managed deployments apply to corporate-owned devices that employees use exclusively for conducting business. Administrators control the entire device -- including data and applications -- and can restrict the device's usage to approved work-related operations. End users should not use work-managed devices for personal use.
Work profile. Administrators can use work profiles to support BYOD scenarios. A work profile is a self-contained, fully encrypted workspace installed on the user's device. The work profile limits administrative control to the workspace rather than to the entire device. It also contains corporate apps, data and policy settings within the profile, separate from personal apps, information and operations.
Corporate-owned, single-use (COSU). The COSU approach targets corporate-owned devices used for single use cases, such as kiosks, package delivery services or inventory management systems. Under this model, administrators can lock down an Android device to a limited number of apps and functions, while preventing users from enabling specific features or taking other actions.
Managed devices with work profiles. In Android 8.0, Google added the ability to use work profiles in conjunction with work-managed devices to separate corporate data and apps from personal apps and data. Under this model, administrators control the entire device, which enables them to protect corporate resources, while providing users with a less restrictive workspace for personal use.
Android application management
Managed Google Play. The managed version of Google Play combines basic app store functionality with management capabilities to provide IT with a corporate app store option. Administrators can deploy and approve apps, purchase app licenses, manage permissions and carry out other management tasks. End users can browse apps, view app details, install apps on their devices and take other actions, similar to how they might use the public Google Play Store.
Google Play EMM API. When the Google Play API is incorporated into an EMM product, administrators can specify which apps users can download, control app installations, manage bulk licensing and perform a variety of other tasks. The API works in conjunction with managed Google Play to support the entire app management lifecycle.
EMM application management. The Android Management API includes a number of features specific to app management. An EMM platform that incorporates the API makes it possible for administrators to provision work profiles, apply app-level management policies, secure apps and data, automatically install apps, prevent apps from being uninstalled, distribute public and private apps, and perform other administrative tasks.
EMM device policy controller. A device policy controller is an application installed on an Android device that enables administrators to manage access to corporate apps and data. The controller works in conjunction with EMM to provision work profiles on personal devices and enforce an organization's security policies.