AOSP Expert & Production Engineering

Enterprise APIs

Android Enterprise provides a comprehensive suite of APIs and management modes that allow organizations to deploy, configure, and secure Android devices for various business use cases. The framework ensures strong separation of concerns and robust security boundaries.

DevicePolicyManager Enterprise Capabilities

The DevicePolicyManager (DPM) is the central API for enterprise management. A Device Policy Client (DPC) acts as the admin app and uses DPM to enforce rules. The capabilities available to the DPC depend heavily on its management role (Device Owner vs. Profile Owner).

Key capabilities include:

  • Security Policies: Password complexity, camera disablement, keyguard restrictions.
  • Network Management: Configuring Always-On VPN, Global HTTP Proxies, and Wi-Fi networks.
  • Application Management: Silently installing/uninstalling apps, hiding packages, and setting default intents.

// Obtain the DPM service and the admin component (the DeviceAdminReceiver declared in the manifest)
DevicePolicyManager dpm = (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
ComponentName adminComponent = new ComponentName(context, MyAdminReceiver.class);

// Setting a global HTTP proxy (requires Device Owner; a Profile Owner caller gets a SecurityException)
ProxyInfo proxyInfo = ProxyInfo.buildDirectProxy("proxy.corp.com", 8080);
dpm.setRecommendedGlobalProxy(adminComponent, proxyInfo);

Android Enterprise Solutions: COPE, COBO, BYOD

Android Enterprise maps to several deployment models:

  1. BYOD (Bring Your Own Device): The employee owns the device. The organization creates a Work Profile. The DPC acts as a Profile Owner, managing only the work container. Personal data is invisible to the admin.
  2. COBO (Corporate-Owned, Business Only): The organization owns the device and it is strictly for work. The DPC acts as a Device Owner, having full control over the entire device, policies, and system settings.
  3. COPE (Corporate-Owned, Personally-Enabled): The organization owns the device but allows personal use. COPE was historically managed as a Work Profile on a fully managed device; recent Android versions instead implement a privacy-centric COPE that provisions a Work Profile and grants the admin a limited set of device-level controls (such as factory reset or network logging) while keeping personal apps invisible to the admin.

Managed Configurations

Managed Configurations (formerly Application Restrictions) allow IT admins to remotely configure applications without needing app updates or user intervention.

Apps define their configurable parameters in an XML file (e.g., server URLs, feature toggles). The DPC retrieves these from the EMM console and applies them using DPM.

<!-- Example: app_restrictions.xml -->
<restrictions xmlns:android="http://schemas.android.com/apk/res/android">
    <restriction
        android:key="server_url"
        android:title="@string/server_url_title"
        android:restrictionType="string"
        android:defaultValue="https://default.corp.com" />
</restrictions>

The app reads these configurations at runtime:

RestrictionsManager rm = (RestrictionsManager) context.getSystemService(Context.RESTRICTIONS_SERVICE);
Bundle appRestrictions = rm.getApplicationRestrictions();
String serverUrl = appRestrictions.getString("server_url", "https://default.corp.com");
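The DPC side of this flow, as an added example that is not part of the original post: it checks the management role before applying anything (the page's point that capabilities depend on Device Owner vs. Profile Owner), pushes a managed configuration to a work app, and only attempts the device-wide proxy as Device Owner. MyAdminReceiver is the page's admin receiver; the work app package name and server URL are constructed sample values.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.net.ProxyInfo;
import android.os.Bundle;
import android.os.UserManager;
import android.util.Log;

/** Applies enterprise policy only within the scope the DPC's role actually grants. */
public final class RoleAwarePolicyApplier {
    private static final String TAG = "RoleAwarePolicy";
    private final Context context;
    private final DevicePolicyManager dpm;
    private final ComponentName admin;

    public RoleAwarePolicyApplier(Context context) {
        this.context = context.getApplicationContext();
        this.dpm = (DevicePolicyManager) this.context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.admin = new ComponentName(this.context, MyAdminReceiver.class);
    }

    public void applyPolicies() {
        String pkg = context.getPackageName();
        boolean deviceOwner = dpm.isDeviceOwnerApp(pkg);
        boolean profileOwner = dpm.isProfileOwnerApp(pkg);
        if (!deviceOwner && !profileOwner) {
            Log.w(TAG, "Not a Device Owner or Profile Owner; applying no policies");
            return;
        }
        // Valid for both roles; for a Profile Owner these are scoped to the work profile only.
        dpm.setCameraDisabled(admin, true);
        dpm.addUserRestriction(admin, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);

        // Managed configuration for a work app (in production the values come from the EMM console).
        Bundle restrictions = new Bundle();
        restrictions.putString("server_url", "https://api.corp.example"); // constructed sample value
        dpm.setApplicationRestrictions(admin, "com.example.workapp", restrictions); // assumed package

        // Device-wide policy: only a Device Owner may set it; a Profile Owner would get SecurityException.
        if (deviceOwner) {
            try {
                dpm.setRecommendedGlobalProxy(admin, ProxyInfo.buildDirectProxy("proxy.corp.com", 8080));
            } catch (SecurityException e) {
                Log.e(TAG, "Global proxy rejected despite Device Owner role", e);
            }
        } else {
            Log.i(TAG, "Profile Owner: skipping global proxy (device-level control not granted)");
        }
    }
}
```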

Zero-Touch Enrollment

Zero-touch enrollment allows devices to be provisioned over the air on first boot, bypassing the standard consumer setup flow.

  1. Reseller Action: The device reseller registers the device's IMEI/Serial Number with the Android Zero-touch portal.
  2. Admin Configuration: The IT admin assigns an EMM configuration to the device via the portal.
  3. Boot Phase: Upon connecting to the internet during the initial setup wizard, the device checks in with Google's servers.
  4. Provisioning: The device downloads the specified DPC and sets it as the Device Owner, locking the device into corporate management automatically.

To check device policy state during development:

adb shell dumpsys device_policy