Android in the Enterprise

Android enterprise includes many new features and APIs, as well as some behavior changes, that apply to devices running Android O.

New APIs and features

We've made the profile owner and device owner management modes more powerful, productive, and easier to provision than ever before. We've also enabled a whole new deployment scenario. These and other features are described in the following sections.

User affiliation

User affiliation allows for communication between device owners and affiliated profile owners or secondary users on the same device. Device owners and profile owners can use setAffiliationIds() to provide a list of opaque identifiers that indicates the entities that can control the device.

If all the secondary users and profiles on a device are affiliated with the device owner, as is the case when all users are managed by the same organization, then the following features are now available:

These features were previously only available to single-user devices, or devices with only one profile and one user.

Lock task mode is available to secondary users and managed profiles that are affiliated with the device owner. For more information on using this mode, see the reference documentation for setLockTaskPackages().

Corporate Owned Managed Profile (COMP)

A COMP (Corporate Owned Managed Profile) allows a fully managed device to support a managed profile. With COMP, either the device owner or a different DPC (device policy controller) can create a managed profile. This gives enterprises the ability to separate apps and policies while maintaining control and visibility across both profiles.

During provisioning, a device owner's DPC can use EXTRA_PROVISIONING_KEEP_ACCOUNT_ON_MIGRATION to copy an account from a personal profile to a work profile without removing the account from the personal profile. If the device owner initiates the managed profile, they can use EXTRA_PROVISIONING_SKIP_USER_CONSENT to create the managed profile without user interaction.

Device owners can receive notifications when new secondary users or managed profiles are created or removed using onUserAdded() and onUserRemoved(), respectively.

Device owners can prevent other DPCs from creating managed profiles using DISALLOW_ADD_MANAGED_PROFILE. This restriction is enabled automatically when provisioning a device owner, and it's enabled when device owners upgrade existing devices to Android O. Additionally, device owners can prevent users from removing existing managed profiles using DISALLOW_REMOVE_MANAGED_PROFILE.

Device owners and profile owners of a managed profile or a secondary user can bind to each other's services using bindDeviceAdminServiceAsUser(). The binding works only if the two owners belong to the same package name and are affiliated. For more information, see setAffiliationIds().

Note: Device owners and profile owners can use getBindDeviceAdminTargetUsers() to retrieve a list of users that they can bind to.
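
The affiliation and binding flow described above, as an added example that is not part of the original documentation. The class name, the affiliation ID value and the serviceClass parameter are hypothetical, and setAffiliationIds() is called with the Set<String> signature of the released API 26 SDK.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.ServiceConnection;
import android.os.UserHandle;
import java.util.Collections;
import java.util.List;

public final class AffiliatedBinder {
    // Constructed placeholder. Two owners are affiliated only when their
    // ID sets share at least one value, so treat real IDs as configuration
    // pushed by the organization, not as a constant baked into the APK.
    private static final String ORG_AFFILIATION_ID = "example-org-affiliation-id";

    /** Call from both the device owner and the profile owner instance of the DPC. */
    public static void declareAffiliation(DevicePolicyManager dpm, ComponentName admin) {
        dpm.setAffiliationIds(admin, Collections.singleton(ORG_AFFILIATION_ID));
    }

    /**
     * Binds to a service of the same DPC package running as another
     * affiliated user. Returns false when there is no eligible target
     * or the platform refuses the bind.
     */
    public static boolean bindToPeer(Context context, DevicePolicyManager dpm,
            ComponentName admin, Class<?> serviceClass, ServiceConnection connection) {
        // Empty when the owners are not affiliated or no other managed
        // user or profile exists; never guess a UserHandle instead.
        List<UserHandle> targets = dpm.getBindDeviceAdminTargetUsers(admin);
        if (targets.isEmpty()) {
            return false;
        }
        // Explicit component in our own package: binding is only permitted
        // between owners that share a package name.
        Intent intent = new Intent(context, serviceClass);
        return dpm.bindDeviceAdminServiceAsUser(admin, intent, connection,
                Context.BIND_AUTO_CREATE, targets.get(0));
    }
}
```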

Customized disclaimers

It's now possible for DPCs to supply their own disclaimers using EXTRA_PROVISIONING_DISCLAIMERS, EXTRA_PROVISIONING_DISCLAIMER_HEADER, and EXTRA_PROVISIONING_DISCLAIMER_CONTENT. During device owner or managed profile provisioning, users see the customized disclaimers in a consolidated list.

Security

Profile owners and device owners can use setRequiredStrongAuthTimeout() to configure a timeout period for unlocking a device or a profile with a secondary authentication method, such as fingerprints or trust agents. After the timeout period expires, the user must unlock the device or profile using a strong authentication method, such as a password, PIN, or pattern.

Device owners and profile owners can securely reset device and work profile passwords using resetPasswordWithToken(). For devices that support file-based encryption, this API is available before a user unlocks their device or profile, provided the DPC is encryption-aware.
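
One way a DPC might provision and use a reset token, shown as an added example rather than code from the original documentation. The helper class and method names are hypothetical; the DevicePolicyManager calls are the platform's, and escrowing the returned token is left to the caller.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import java.security.SecureRandom;

public final class PasswordResetHelper {
    // The platform rejects tokens shorter than 32 bytes.
    private static final int TOKEN_BYTES = 32;

    private final DevicePolicyManager dpm;
    private final ComponentName admin;

    public PasswordResetHelper(Context context, ComponentName admin) {
        this.dpm = context.getSystemService(DevicePolicyManager.class);
        this.admin = admin;
    }

    /**
     * Generates a random token and registers it with the platform.
     * Returns the token for the caller to escrow, or null if registration
     * failed. The token authorizes a credential change, so handle it like
     * a key: never log it and never derive it from device identifiers.
     */
    public byte[] provisionToken() {
        byte[] token = new byte[TOKEN_BYTES];
        new SecureRandom().nextBytes(token);
        return dpm.setResetPasswordToken(admin, token) ? token : null;
    }

    /**
     * Resets the password with a previously provisioned token.
     * Returns false if the token is not active yet or the reset failed.
     */
    public boolean resetPassword(String newPassword, byte[] token) {
        // When a lock screen credential already exists, the token only
        // becomes active after the user has confirmed that credential.
        if (!dpm.isResetPasswordTokenActive(admin)) {
            return false;
        }
        // REQUIRE_ENTRY blocks further credential changes by this admin
        // until the user has entered the new password once.
        return dpm.resetPasswordWithToken(admin, newPassword, token,
                DevicePolicyManager.RESET_PASSWORD_REQUIRE_ENTRY);
    }
}
```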

When locking a work profile on a device that supports file-based encryption, lockNow() evicts the work profile's master encryption keys. The encryption keys are also evicted if the user turns their work profile off.

Also, device owners can use setNetworkLoggingEnabled() to turn on network logging of DNS queries and TCP connections initiated from corporate-owned devices. When network logging is enabled, the DPC receives batched network events from onNetworkLogsAvailable(). To retrieve the logs, the DPC should call retrieveNetworkLogs().
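
The network logging callback sequence described above, as an added example that is not part of the original documentation. The receiver class name is hypothetical, and writing to logcat stands in for forwarding events to the organization's log pipeline.

```java
import android.app.admin.ConnectEvent;
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.app.admin.DnsEvent;
import android.app.admin.NetworkEvent;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.util.Log;
import java.util.List;

/** Hypothetical receiver; it must be the device owner's admin component. */
public class NetworkLogReceiver extends DeviceAdminReceiver {
    private static final String TAG = "NetworkLogExample";

    static ComponentName adminComponent(Context context) {
        return new ComponentName(context, NetworkLogReceiver.class);
    }

    /** Call once after device owner provisioning. */
    public static void enableLogging(Context context) {
        DevicePolicyManager dpm = context.getSystemService(DevicePolicyManager.class);
        dpm.setNetworkLoggingEnabled(adminComponent(context), true);
    }

    @Override
    public void onNetworkLogsAvailable(Context context, Intent intent,
            long batchToken, int networkLogsCount) {
        DevicePolicyManager dpm = context.getSystemService(DevicePolicyManager.class);
        List<NetworkEvent> events =
                dpm.retrieveNetworkLogs(adminComponent(context), batchToken);
        if (events == null) {
            // The batch is no longer available or logging was disabled.
            Log.w(TAG, "batch " + batchToken + " unavailable");
            return;
        }
        for (NetworkEvent event : events) {
            String prefix = event.getTimestamp() + " " + event.getPackageName() + " ";
            if (event instanceof DnsEvent) {
                DnsEvent dns = (DnsEvent) event;
                Log.i(TAG, prefix + "dns " + dns.getHostname()
                        + " -> " + dns.getInetAddresses());
            } else if (event instanceof ConnectEvent) {
                ConnectEvent conn = (ConnectEvent) event;
                Log.i(TAG, prefix + "connect "
                        + conn.getInetAddress().getHostAddress() + ":" + conn.getPort());
            }
        }
    }
}
```

Each record carries the package name of the app that issued the lookup or connection, which is what makes per-app attribution possible when reviewing the batches.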

Finally, profile owners and device owners can retrieve information about the pending system updates that are available on a device using getPendingSystemUpdate().

App management API delegation

The DevicePolicyManager class provides several methods to manage the delegation scopes that device and profile owners can grant to a package:

The following table shows how various methods in DevicePolicyManager are organized into the different scopes:

Table 1. Correspondence between scopes and device policy methods

Group Methods
DELEGATION_CERT_INSTALL
DELEGATION_APP_RESTRICTIONS
DELEGATION_BLOCK_UNINSTALL setUninstallBlocked()
DELEGATION_PERMISSION_GRANT
DELEGATION_PACKAGE_ACCESS
DELEGATION_ENABLE_SYSTEM_APP enableSystemApp()

Backup service for device owners

Device owners can use several new methods in the DevicePolicyManager class to set and query whether or not Android Backup Service is enabled. These methods are setBackupServiceEnabled() and isBackupServiceEnabled(), respectively.

Behavior changes

If you're building apps for businesses, including DPCs (device policy controllers), you should review the following behavior changes in Android O and modify your app accordingly.

User restrictions

Device owners can remove secondary users and managed profiles using removeUser(), even if DISALLOW_REMOVE_USER is enabled.

Security

Authentication

The following changes have taken effect in the DevicePolicyManager class:

Data and information

The following changes have taken effect in the DevicePolicyManager class:

Device integrity

App management API delegation

The following methods in the DevicePolicyManager class are now deprecated:

Also, it's now possible to delegate a single scope to multiple packages. In other words, device owners and profile owners can grant two different packages access to the same set of APIs simultaneously.
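
Granting one scope to two packages and then listing its holders, as an added example that is not part of the original documentation. The helper class and the two package names are hypothetical; setDelegatedScopes(), getDelegatedScopes() and getDelegatePackages() are the DevicePolicyManager delegation methods.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import java.util.ArrayList;
import java.util.List;

public final class DelegationHelper {
    /**
     * Adds one scope to a delegate. setDelegatedScopes() sets the package's
     * whole scope list, so the current scopes are read first and kept.
     */
    public static void grantScope(DevicePolicyManager dpm, ComponentName admin,
            String delegatePackage, String scope) {
        List<String> scopes =
                new ArrayList<>(dpm.getDelegatedScopes(admin, delegatePackage));
        if (!scopes.contains(scope)) {
            scopes.add(scope);
            dpm.setDelegatedScopes(admin, delegatePackage, scopes);
        }
    }

    /** Every package that currently holds the scope, for least-privilege review. */
    public static List<String> holdersOf(DevicePolicyManager dpm, ComponentName admin,
            String scope) {
        List<String> holders = dpm.getDelegatePackages(admin, scope);
        return holders == null ? new ArrayList<String>() : holders;
    }

    /** Grants certificate installation to two hypothetical delegate apps. */
    public static List<String> delegateCertInstall(DevicePolicyManager dpm,
            ComponentName admin) {
        String scope = DevicePolicyManager.DELEGATION_CERT_INSTALL;
        grantScope(dpm, admin, "com.example.certinstaller", scope);
        grantScope(dpm, admin, "com.example.vpnclient", scope);
        // Both packages are now listed; anything else in the result is a
        // delegation that should be reviewed.
        return holdersOf(dpm, admin, scope);
    }
}
```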
