Skip to content

Most visited

Recently visited


What's new in Android 8.0

This page provides an overview of the new APIs, features, and behavior changes introduced in Android 8.0 (API level 26) that affect Android in the enterprise.

New APIs and features

We've made the profile owner and device owner management modes more powerful, productive, and easier to provision than ever before. We've also enabled a whole new deployment scenario—work profiles on fully managed devices. These and other features are described in the following sections.

Work profiles on fully managed devices

In Android 8.0, fully managed devices can also have work profiles. This gives enterprises the ability to separate apps and policies while maintaining control and visibility across both profiles. The existing device owner, or a different device policy controller (DPC), can create the managed profile.

With work profiles on fully managed devices, device owners can:

Device owners and profile owners can communicate with each other if they're from the same APK and the owners are affiliated (see User affiliation below).

For more detailed information on supporting this new deployment scenario, see the dedicated page for work profiles on fully managed devices.

User affiliation

When a device owner and a profile owner represent the same organization:

Affiliation IDs, attached to a profile or user, identify organizations. When affiliation IDs match, the users become affiliated. Device owners and profile owners use setAffiliationIds() to set their affiliation IDs. Represent organizations using long, difficult to guess, string IDs.

New access for affiliated users

If all the secondary users and profiles on a device are affiliated with the device owner, then the following features are available:

Security logging and bug reporting were previously only available to single-user devices, or devices with only one profile and one user.

Lock task mode is available to secondary users and managed profiles when affiliated with the device owner through setLockTaskPackages(). For more detailed information on user affiliation, see Affiliated users.

Customized provisioning disclaimers

DPCs can now show their own disclaimers to users during provisioning. Use EXTRA_PROVISIONING_DISCLAIMERS, EXTRA_PROVISIONING_DISCLAIMER_HEADER, and EXTRA_PROVISIONING_DISCLAIMER_CONTENT to supply styled text disclaimers. A DPC's custom disclaimers appear in the collapsible Terms list.


Profile owners and device owners can use setRequiredStrongAuthTimeout() to configure a timeout period for unlocking a device or a profile with a secondary authentication method, such as fingerprints or trust agents. After the timeout period expires, the user must unlock the device or profile using a strong authentication method, such as a password, PIN, or pattern.

Device owners and profile owners can securely reset device and work profile passwords using resetPasswordWithToken(). For devices that support file-based encryption, this API is available before a user unlocks their device or profile, provided the DPC is encryption-aware.

When locking a work profile on a device that supports file-based encryption, lockNow(int) can optionally evict the work profile's master encryption keys using FLAG_EVICT_CREDENTIAL_ENCRYPTION_KEY. The encryption keys are also evicted if the user turns their work profile off.

Also, device owners can use setNetworkLoggingEnabled() to turn on network logging of DNS queries and TCP connections initiated from corporate-owned devices. For more information, see Network Activity Logging.

Profile owners can restrict which of the primary user's packages can observe work profile notifications. Call setPermittedCrossProfileNotificationListeners() to set the whitelisted packages that receive events through a NotificationListenerService. Setting the permitted listeners to null (the default) disables the whitelisting and all packages can listen for notifications. To limit events to system packages, pass an empty Set. To view apps that can't access work profile notifications, users can tap Settings > Apps & notifications > Special app access > Notification access.

Finally, profile owners and device owners can retrieve information about the pending system updates that are available on a device using getPendingSystemUpdate().

App management API delegation

API delegation enables device owners and profile owners to fully offload app management to other applications. The DevicePolicyManager class provides methods to manage the delegation scopes that device and profile owners can grant to a package:

The following table shows how various methods in DevicePolicyManager are organized into the different scopes:

Table 1. Correspondence between scopes and device policy methods

Group Methods

Long-running background services

Device and profile owners can subclass DeviceAdminService to create background services. The Android system attempts to keep the service running while the user is running. If you want to run periodic tasks, consider using JobScheduler before creating a background service.

Controlling the backup service

Device owners can toggle the Android Backup Service using new methods in DevicePolicyManager. Enable and disable the backup service using setBackupServiceEnabled(). Check the backup service status using isBackupServiceEnabled().

Wi-Fi proxy configuration

Device owners and profile owners can configure HTTP proxy servers for Wi-Fi networks. Use a PAC file or manual settings to configure a proxy server for each Wi-Fi network. To set or remove the proxy for a WifiConfiguration, call its setHttpProxy() method. To get the proxy settings call getHttpProxy().

Explanation dialogs for admin-disabled features

Your app should show a useful explanation to users trying to use an admin-disabled feature. All apps can now use createAdminSupportIntent() to create an intent that displays an explanation dialog when passed to startActivity(Intent). Intents include customized, localized explanations for disabled cameras, disabled screen captures, and all the UserManager restrictions.

Restricting Bluetooth

Device owners can disable Bluetooth—affecting all users and profiles on the device. To turn off Bluetooth, add the user restriction DISALLOW_BLUETOOTH.

Device owners and profile owners can prevent users sending files over Bluetooth using DISALLOW_BLUETOOTH_SHARING. Receiving files isn't affected. When set by a device owner, DISALLOW_BLUETOOTH_SHARING applies to all users on the device. This setting is the default in Android 8.0 for new profiles and existing profiles on devices upgraded to Android 8.0.

Behavior changes

If you're building apps for businesses, including DPCs, you should review the following behavior changes in Android 8.0 and modify your app accordingly.

Removing users

Device owners can remove secondary users and managed profiles using removeUser(), even if DISALLOW_REMOVE_USER is enabled.



The following changes have taken effect in the DevicePolicyManager class:

Data from locked work profiles

Android 8.0 includes user interface changes to separate data from a locked work profile.

Device integrity

Always-on VPN

Android 8.0 includes user interface changes to help users understand the status of always-on VPN connections:

The VpnService of VPN apps must now call its startForeground() method after launch. Because the Android system starts a VPN app's service directly, transitioning to the foreground is the app's responsibility. Android 8.0 shuts down VPN apps that don't transition the VPN service to the foreground.

Password callbacks

The password change callbacks of DeviceAdminReceiver now include a user parameter to identify the user or profile the password belongs to. The new method signatures are:

The default implementation of each new method calls the previous version—dropping the user argument. Android 8.0 deprecates the previous methods.

App management API delegation

The following methods in the DevicePolicyManager class are now deprecated:

Also, it's now possible to delegate a single scope to multiple packages. In other words, device owners and profile owners can grant two different packages access to the same set of APIs simultaneously.

This site uses cookies to store your preferences for site-specific language and display options.

Get the latest Android developer news and tips that will help you find success on Google Play.

* Required Fields


Follow Google Developers on WeChat

Browse this site in ?

You requested a page in , but your language preference for this site is .

Would you like to change your language preference and browse this site in ? If you want to change your language preference later, use the language menu at the bottom of each page.

This class requires API level or higher

This doc is hidden because your selected API level for the documentation is . You can change the documentation API level with the selector above the left navigation.

For more information about specifying the API level your app requires, read Supporting Different Platform Versions.

Take a short survey?
Help us improve the Android developer experience. (Dec 2017 Android Platform & Tools Survey)