Android enterprise provides organizations with a secure, flexible, and unified Android mobility platform—combining devices, applications, and management. Android apps are compatible with Android enterprise by default. However, there are additional features you can use to make your app work best on managed Android devices:
- Managed profile compatibility—Modify your Android app so it functions best on a managed device.
- Managed configurations—Modify your app to allow IT administrators the option to specify custom settings for your apps.
- Corporate-owned, single-use (COSU)—Optimize your app so that it can be deployed on an Android device as a kiosk.
- Single Sign-On (SSO)—Simplify the sign-on process for users signing in to different apps on their managed Android device.
- You’ve created an Android app.
- You’re ready to modify your app so that it works best with Android in the enterprise.
- Minimum version: Android 5.0 Lollipop recommended version: Android 6.0 Marshmallow and later.
Note: Android's enterprise features function natively on most Android 5.0 devices; however, Android 6.0 and later offers additional features, especially with regard to COSU.
You can manage a user’s business data and applications through a work profile. A work profile is a managed corporate profile associated with the primary user account on an Android device. A work profile securely isolates work apps and data from personal apps and data. This work profile is in a separate container from the personal profile, which your user controls. These separate profiles allow organizations to manage the business data they care about, but leave everything else on a user’s device under the user’s control. For a deep dive into best practices, see the Set up Managed Profiles guide. For an overview of those best practices, see below.
Key features of a managed profile
- Separate and secure profile
- Managed Google Play for application distribution
- Separate badged work applications
- Profile-only management capabilities controlled by an administrator
Managed profile benefits on Android 5.0+
- Full device encryption
- One Android application package (APK) for both profiles when there’s a personal profile and a work profile present on the device
- Device policy controller (DPC) is limited to the managed profile
- Device administration via the DevicePolicyManager class
Considerations for managed profiles
- The Android system prevents intents from crossing profiles and IT administrators can enable or disable system apps.
- A file path (Uniform Resource Identifier [URI]) that’s valid on one profile may not be valid on the other.
Prevent intents from failing between profiles
It’s difficult to know which intents can cross between profiles, and
which ones are blocked. The only way to know for sure is by testing.
Before your app starts an activity, you should verify that the
request is resolved by calling
- If it returns
null, the request doesn’t resolve.
- If it returns something, it shows that the intent resolves, and it’s safe to send the intent.
Note: For detailed testing instructions, see Prevent Failed Intents.
Share files across profiles
Some developers use URIs to mark file paths in Android. However, because there are separate profiles in Android enterprise, we recommend:
Next steps: Once your app supports managed profiles, test it in a work profile. See Test your App with Android in the enterprise.
Implementing Managed Configurations
Managed configurations are a set of instructions that IT administrators can use to manage their users’ mobile devices in a specific way. These instructions are universal and work across any EMM, allowing administrators to remotely configure applications on their users’ phones.
If you’re developing apps for business or government, you may need to satisfy your industry’s specific set of requirements. Using managed configurations, the IT administrator can remotely specify settings and enforce policies for their users’ Android apps; for example:
- Configure if an app can sync data via cellular/3G, or only Wi-Fi
- Whitelist or blacklist URLs on a web browser
- Configure an app's email settings
- Enable or disable printing
- Manage bookmarks
Best practices for implementing managed configurations
The Set up Managed Configurations guide is the key source for information on how to build and deploy managed configurations. After you’ve reviewed this documentation, see recommendations below for additional guidance.
When first launching the app
As soon as you launch an application, you can see if managed
configurations are already set for this app in
onResume(). Additionally, you can find out if your
application is managed or unmanaged. For example, if
- A set of application-specific restrictions—You can configure the managed configurations silently (without requiring user input).
- An empty bundle—Your application acts like it’s unmanaged (for example, how the app behaves in a personal profile).
- A bundle with a single key value pair with
KEY_RESTRICTIONS_PENDINGset to true—your application is being managed, but the DPC isn’t configured correctly. You should block this user from your app, and direct them to their IT administrator.
Listen for changes to managed configurations
IT administrators can change managed configurations and what policies they want to enforce on their users at any time. Because of this, we recommend you ensure that your app can accept new restrictions for your managed configuration as follows:
- Fetch restrictions on launch—Your app should
onResume(), and compare against old restrictions to see if changes are required.
- Listen while running—Dynamically register
ACTION_APPLICATION_RESTRICTIONS_CHANGEDin your running activities or services, after you’ve checked for new restrictions. This intent is sent only to listeners that are dynamically registered, and not to listeners declared in the app manifest.
- Unregister while not running—In
onPause(), you should unregister for the broadcast of
Corporate-owned, single-use devices (COSU) are kiosk devices used for a single purpose, such as digital signage displays, ticket printing kiosks, or checkout registers.
When an Android device is configured as a COSU device, the user sees an application locked to the screen with no Home or Recent Apps buttons to escape the app. COSU can also be configured to show a set of applications, such as a library kiosk with an app for the library catalog and a web browser.
For instructions, see Set up Single-Purpose Devices.
Set up Single Sign-on with Chrome Custom Tabs
Enterprise users often have multiple apps on their device, and they prefer to sign in once to access all of their work applications. Typically, users sign in through a WebView; however, there are a couple reasons why this isn’t ideal:
- Users often need to sign in multiple times with the same credentials. The WebView solution often isn’t a true Single Sign-On (SSO) experience.
A solution to both problems is to authenticate users using browser Custom Tabs, instead of WebView. This ensures that authentication:
- Occurs in a secure context (the system browser) where the host app cannot inspect contents.
- Has a shared cookie state, ensuring the user has to sign in only once.
How do I implement SSO with Custom Tabs?
Google has open sourced an OAuth client library that uses Custom Tabs, contributing it to the OpenID Connect working group of the OpenID Foundation. To set up Custom Tabs for SSO with the AppAuth library, see the documentation and sample code on GitHub, or try the codelab.
Test your App with Android in the enterprise
Once you’ve developed your app, you’ll want to test it in a work profile—both as a profile owner and device owner. See the instructions below.
Use TestDPC to test your Android app
TestDPC is a tool you can use to test your Android app in a variety of enterprise environments. You can configure it as a profile owner or a device owner to launch management APIs on your device, using one of these methods:
For more information on how to configure TestDPC, see the instructions below and the TestDPC User Guide.
REQUIRED: Your test Android device needs to run Android 5.0 or later and be able to natively support Android enterprise.
Provision a profile owner
To test your app in a work profile, you need to first provision a profile owner on the TestDPC app:
- Launch the TestDPC app and click Set up profile.
- When prompted, click Set up, ensuring the TestDPC’s logo is highlighted on the screen.
- If your device isn’t encrypted, you need to encrypt your device.
Follow the briefcase notification after reboot to continue
Once you’ve provisioned the profile owner correctly, badged applications appear at the end of your app tray. Install your app on the device and test to see how it runs in the work profile.
- Install your app on the device and test to see how it runs in the work profile.
Caution: When running your app with Instant Run in
Android Studio, attempting to open your app with a work profile or secondary
profile will crash your app. To use your app with the work profile, we
recommend you create a new run
configuration that includes the
--user user_id flag,
specifying the work profile user ID. You can find the user ID by executing
adb shell pm list users from command line. For more information,
see the Instant Run
Provision a device owner
Testing your app as a device owner requires more steps than testing as a profile owner. You first need to provision the device owner on your test device using the NfcProvisioning sample app. For complete instructions to provision TestDPC in device owner mode using the NfcProvisioning app, see the TestDPC User Guide.
- Download the NfcProvisioning app sample files to your development environment.
- Unpack the project, open your shell, and
cdto the project directory.
- Add a file to the directory with the
local.propertiesname and the following content:
- While in the project directory, enter these commands to build the NfcProvisioning APK:
./gradlew init ./gradlew buildThe NfcProvisioning APK you need is now located in
- Install the APK on your programmer device, which you can use to provision other devices.
- Create a text file called
nfcprovisioning.txtand include the following information:
android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME=com.afwsamples.testdpc android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION=https://testdpc-latest-apk.appspot.com android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM=gJD2YwtOiWJHkSMkkIfLRlj-quNqG1fb6v100QmzM9w= # note: checksum must be URL-safe android.app.extra.PROVISIONING_LOCALE=en_US android.app.extra.PROVISIONING_TIME_ZONE=America/New_York
Note: If you’re developing for Android 5.0 Lollipop, see the instructions in the TestDPC User Guide.
- Push that text file to your programmer device by entering:
adb push <path-to-nfcprovisioning.txt> /sdcard/
Ensure that the programmer device is connected to Wi-Fi on either
an unsecured or WPA2 secured network.
The NFC Provisioning app will automatically pass those Wi-Fi credentials onto the target device.
- Open the NFC Provisioning app and ensure
- Bump the devices to transfer the data.
- Follow the onscreen instructions to set up your target device.
- Once you’ve completed provisioning the device owner, you can test your app on that device. You should specifically test how managed configurations, URIs, and intents work on that device.
After you’ve finished testing your app in the environments above, you’ll likely want to test your app in an end-to-end production environment. This process includes the steps a customer needs to take to deploy your app in their organization, including:
- App distribution through Play
- Server-side managed configuration
- Server-side profile policy control
You need to access an EMM console to complete the end-to-end testing. The easiest way to get one is to request a testing console from your EMM. Once you have access, complete these tasks:
- Create a test version of your application with a new ApplicationId.
- Claim a managed Google domain and bind it to your EMM. If you already have a testing domain that’s bound to an EMM, you may need to unbind it to test it with your preferred EMM. Please consult your EMM for the specific unbinding steps.
- Publish your application to the private channel for their managed Google domain.
- Use the EMM console and EMM application to:
- Set up work devices.
- Distribute your application.
- Set managed configuration.
- Set device policies.
This process will differ based on your EMM. Please consult your EMM’s documentation for further details. Congrats! You’ve completed these steps and verified that your app works well with Android in the enterprise.