This page provides an overview of the new enterprise APIs, features, and behavior changes introduced in Android 12.
The following new features are available in Android 12 for work profiles.
Security and privacy enhancements for work profile
The following features are available in Android 12 for personal devices with a work profile:
- The password complexity feature sets device-wide password requirements in the form of predefined complexity buckets (High, Medium, Low, and None). If required, strict password requirements can instead be placed on the work profile security challenge.
- Work profile security challenge onboarding has been streamlined. Setup now takes into account whether the device passcode meets admin requirements, and makes it easy for the user to choose whether to increase the strength of their device passcode or to use the work profile security challenge.
- An enrollment-specific ID provides a unique ID that identifies the work profile enrollment in a particular organization, and will remain stable across factory resets. Access to other hardware identifiers of the device (IMEI, MEID, serial number) is removed for personal devices with a work profile in Android 12.
- Company-owned devices, with and without work profiles, can adopt the features listed in the preceding list items, but are not required to adopt them in Android 12.
- You can set and retrieve work profile network logging. You can delegate network logging on the work profile to another work application. You can't use network logging to monitor traffic in the personal profile.
An IT administrator can disable USB, except for charging functions, on company-owned devices. Administrators can also check whether the device supports this feature and whether it is currently enabled.
Company-owned devices with a work profile can limit the input methods used in the personal profile to allow only system input methods.
The following section describes changes in enterprise APIs that are not specific to work profiles or company-owned devices.
Unmanaged device certificate management
Devices without management are now able to take advantage of Android’s on-device key generation to manage certificates:
- The user can grant permission to a certificate management app to manage their credentials (not including CA certificates).
- The certificate management app can use Android’s on-device key generation.
- The certificate management app can declare a list of apps and URIs where the credentials can be used for authentication.
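The three steps above, sketched as an added Kotlin example (not code from the original page): the `KeyChain`, `AppUriAuthenticationPolicy` and `DevicePolicyManager` calls are Android 12 (API level 31) framework APIs that the page does not name, and the alias, package name and URI are constructed placeholders.

```kotlin
import android.app.Activity
import android.app.admin.DevicePolicyManager
import android.content.Intent
import android.net.Uri
import android.os.Bundle
import android.security.AppUriAuthenticationPolicy
import android.security.KeyChain
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.util.Log
import kotlin.concurrent.thread

// Constructed placeholder values for this example.
private const val ALIAS = "example-client-key"
private const val CLIENT_APP = "com.example.client"
private const val REQUEST_MANAGE = 1

class CredentialSetupActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // KeyChain binds to a system service, so query it off the main thread.
        thread {
            if (KeyChain.isCredentialManagementApp(this)) generateKey()
            else runOnUiThread { requestManagement() }
        }
    }

    // Declare where the credential may be used, then ask the user for permission.
    private fun requestManagement() {
        val policy = AppUriAuthenticationPolicy.Builder()
            .addAppAndUriMapping(CLIENT_APP, Uri.parse("https://service.example.com"), ALIAS)
            .build()
        startActivityForResult(KeyChain.createManageCredentialsIntent(policy), REQUEST_MANAGE)
    }

    override fun onActivityResult(requestCode: Int, resultCode: Int, data: Intent?) {
        super.onActivityResult(requestCode, resultCode, data)
        // Only RESULT_OK means the user granted permission; otherwise do nothing.
        if (requestCode == REQUEST_MANAGE && resultCode == RESULT_OK) thread { generateKey() }
    }

    // On-device key generation; only the public key is read back by the app.
    private fun generateKey() {
        val spec = KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_SIGN)
            .setDigests(KeyProperties.DIGEST_SHA256)
            .build()
        // admin is null: the caller is the credential management app, not a DPC.
        val attested = getSystemService(DevicePolicyManager::class.java).generateKeyPair(null, "EC", spec, 0)
        Log.i("CredentialSetup", "generated ${attested?.keyPair?.public?.algorithm} key for $ALIAS")
    }
}
```

Because the policy maps the alias to a single package and URI, a review of the app's declared policy shows exactly which client can authenticate with the key and to which endpoint.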
New APIs provide new functionality:
- Check if the existing device-wide password is compliant against explicit device password requirements.
- Check whether a certificate and private key are installed under a given alias.
Android 12 includes the following notable API deprecations:
getPasswordQuality() are deprecated for setting device-wide passcode on work profile devices that are personal devices rather than company-owned. DPCs should use
getOrganizationColor() are fully deprecated in Android 12.