This page provides an overview of the new enterprise APIs, features, and behavior changes introduced in Android 11.
Work profile
The following new features are available in Android 11 for work profiles.
Work profile enhancements for company-owned devices
Android 11 introduces improved support for work profiles on company-owned devices. If a work profile is added from the setup wizard using the provisioning tools added in Android 10, the device is recognized as company-owned and a wider range of asset management and device security policies is made available to the device policy controller (DPC). These capabilities enable easier management of both work and personal use on company-owned devices, while maintaining the privacy protections of the work profile.
If a work profile is added to a device using any other method, Android 11 recognizes the device as personally-owned. The behavior and features available to work profiles on personally-owned devices remain unchanged.
Devices upgrading to Android 11
Work profiles on fully managed devices will be upgraded to the enhanced work profile experience on Android 11. For customers, this means devices will receive the improved privacy benefits and consistency of a single work profile experience across both personally-owned and company-owned devices, without the need to re-enroll legacy work profiles on fully managed devices. Alternatively, if you prefer, you can remove the work profile before the upgrade to maintain a fully managed device experience across the upgrade.
Customers can contact their EMM to ensure their devices are prepared to upgrade to Android 11. EMMs can find more detailed migration guidance in the Android Enterprise EMM Provider community (login required).
UX improvements
The separate work and personal tabs introduced to the default launcher in Android 9 have been extended to more device features. In Android 11, device manufacturers can present work and personal tabs:
- In the Settings app, specifically for Location, Storage, Accounts, and App info.
- When a user taps Share.
- When a user is presented with the option to open a selected item with another app (Open with menu).
- When selecting documents.
Android 11 also introduces UX enhancements that make it clearer to users when their work profile is paused. And when a user turns on their work profile, they no longer have to enter their work passcode if it's the same as their device passcode.
Reset work profile passcode button
When a work profile is paused, the work profile lock screen now supports a forgot my password button for Android 11 devices that have separate device and work profile passwords. If your DPC is direct boot aware, you can set and activate a token to enable the button.
When a user presses the button, they're shown text that instructs them to contact their IT admin. Pressing the button also starts the work profile in direct boot (locked) mode, allowing your DPC to complete the steps to perform a secure work profile passcode reset.
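The token flow described above, as an added example that is not code from this page or from Android's own documentation. The class name is hypothetical, and how the DPC escrows the token and obtains the new passcode (for example, from the EMM server after the admin verifies the user) is an assumption.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;

import java.security.SecureRandom;

/** Hypothetical helper for a direct boot aware DPC managing a work profile. */
public final class WorkPasscodeReset {
    // The platform requires a reset token of at least 32 bytes.
    private static final int TOKEN_BYTES = 32;

    /**
     * Generates a random token and registers it for the work profile.
     * Returns the token so the caller can escrow it (assumed: on the EMM
     * server), or null if the platform rejected it.
     */
    public static byte[] registerToken(DevicePolicyManager dpm, ComponentName admin) {
        byte[] token = new byte[TOKEN_BYTES];
        new SecureRandom().nextBytes(token);
        return dpm.setResetPasswordToken(admin, token) ? token : null;
    }

    /**
     * If the profile already has a passcode, the token only becomes active
     * after the user next confirms that passcode, so check before relying on it.
     */
    public static boolean isResetAvailable(DevicePolicyManager dpm, ComponentName admin) {
        return dpm.isResetPasswordTokenActive(admin);
    }

    /**
     * Called from a direct boot aware component after the admin has approved
     * the reset. The token and new passcode are supplied by the caller.
     */
    public static boolean reset(DevicePolicyManager dpm, ComponentName admin,
                                byte[] token, String newPasscode) {
        if (!dpm.isResetPasswordTokenActive(admin)) {
            return false; // token never activated or was cleared
        }
        // REQUIRE_ENTRY blocks further admin resets until the user has
        // entered the new passcode once.
        return dpm.resetPasswordWithToken(admin, newPasscode, token,
                DevicePolicyManager.RESET_PASSWORD_REQUIRE_ENTRY);
    }
}
```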
Company-owned devices
The following new features are available for company-owned devices. The term company-owned device refers to both fully managed devices and work profile devices that are company-owned.
Common Criteria Mode
This mode addresses Common Criteria Mobile Device Fundamentals Protection Profile (MDFPP) specific requirements. Admins of company-owned devices can now enable Common Criteria Mode (and check if it's enabled) on a device. When enabled, Common Criteria Mode increases security in certain security components on a device, including AES-GCM encryption of Bluetooth Long Term Keys, and Wi-Fi configuration stores.
Individual key attestation support
In Android 11, admins of company-owned devices can request device attestation using individual attestation certificates:
- Ensure KeyGenParameterSpec is built with StrongBox specified.
- Pass ID_TYPE_INDIVIDUAL_ATTESTATION for the idAttestationFlags argument.
A new method is also available to check if a device supports unique device ID attestation.
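The two steps above plus the support check, as an added example that is not code from this page or from Android's own documentation. The class name, the alias and the serverChallenge parameter are assumptions; the challenge is expected to be a fresh nonce issued by the server that will verify the certificate chain.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.security.AttestedKeyPair;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.security.keystore.StrongBoxUnavailableException;

import java.security.cert.Certificate;
import java.util.List;

/** Hypothetical DPC helper for a company-owned device. */
public final class IndividualAttestation {

    /**
     * Generates a StrongBox-backed EC signing key and returns its attestation
     * certificate chain, or null when individual attestation is unavailable
     * or key generation fails.
     */
    public static List<Certificate> attest(DevicePolicyManager dpm, ComponentName admin,
                                           String alias, byte[] serverChallenge) {
        // Only devices provisioned with an individual certificate qualify.
        if (!dpm.isUniqueDeviceAttestationSupported()) {
            return null;
        }
        KeyGenParameterSpec spec =
                new KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_SIGN)
                        .setDigests(KeyProperties.DIGEST_SHA256)
                        .setIsStrongBoxBacked(true)             // step 1: StrongBox
                        .setAttestationChallenge(serverChallenge)
                        .build();
        try {
            AttestedKeyPair pair = dpm.generateKeyPair(
                    admin, KeyProperties.KEY_ALGORITHM_EC, spec,
                    DevicePolicyManager.ID_TYPE_INDIVIDUAL_ATTESTATION); // step 2
            // The chain must be validated off-device; the DPC only forwards it.
            return pair == null ? null : pair.getAttestationRecord();
        } catch (StrongBoxUnavailableException | UnsupportedOperationException e) {
            return null; // no StrongBox, or the flag is not supported
        }
    }
}
```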
Other
Users are now notified when an admin:
- Enables location services on their company-owned device. If the admin sets a global policy to auto-accept all permissions, the user is notified when an app requests, and is granted, location permission because of this policy.
- Grants an app the permission to use the location of a personally-owned device.
Pre-grant certificate access to work apps: DPCs targeting Android 11 now have the option to grant individual apps access to specific KeyChain keys, allowing these apps to call getCertificateChain() and getPrivateKey() without having to first call choosePrivateKeyAlias(). For example, VPN apps that run as a background service can use this feature to gain access to the certificates they need without requiring any user interaction. A new method is also available to revoke access.
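Both sides of the pre-grant flow described above, as an added example that is not code from this page or from Android's own documentation. The class and method names are hypothetical, and the example assumes the DPC has already installed the key pair under the alias and tells the app the alias out of band (for example, through managed configurations).

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.security.KeyChain;
import android.security.KeyChainException;

import java.security.PrivateKey;
import java.security.cert.X509Certificate;

public final class PreGrantedKeyAccess {

    /** DPC side: allow one package to use one KeyChain alias, nothing broader. */
    public static boolean grant(DevicePolicyManager dpm, ComponentName admin,
                                String alias, String appPackage) {
        return dpm.grantKeyPairToApp(admin, alias, appPackage);
    }

    /** DPC side: withdraw the grant, e.g. when the app is no longer approved. */
    public static boolean revoke(DevicePolicyManager dpm, ComponentName admin,
                                 String alias, String appPackage) {
        return dpm.revokeKeyPairFromApp(admin, alias, appPackage);
    }

    /** Simple holder for what the app needs to authenticate. */
    public static final class Credentials {
        public final PrivateKey key;
        public final X509Certificate[] chain;
        Credentials(PrivateKey key, X509Certificate[] chain) {
            this.key = key;
            this.chain = chain;
        }
    }

    /**
     * App side: load the credentials with no user prompt. Both KeyChain calls
     * block, so run this on a worker thread. Returns null when the alias is
     * missing or access has not been granted (or has been revoked).
     */
    public static Credentials load(Context context, String alias)
            throws KeyChainException, InterruptedException {
        PrivateKey key = KeyChain.getPrivateKey(context, alias);
        X509Certificate[] chain = KeyChain.getCertificateChain(context, alias);
        return (key == null || chain == null) ? null : new Credentials(key, chain);
    }
}
```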
All methods related to setting password minimums require an appropriate password quality before they can be enforced.
- setPasswordMinimumLength() requires at least PASSWORD_QUALITY_NUMERIC.
- All other password minimum methods require at least PASSWORD_QUALITY_COMPLEX.
Always-on VPN enhancements: Users can no longer disable always-on VPN when it's configured by an admin.
Updates to ADMIN_POLICY_COMPLIANCE:
- When provisioning an Android 11 device, the system now sends ADMIN_POLICY_COMPLIANCE before setting DEVICE_PROVISIONED to true.
- ADMIN_POLICY_COMPLIANCE can also be optionally used when adding a Google Account to provision a device. In the 2021 Android release, it will be required for this provisioning method.
New APIs are also available to:
- Check and set whether auto time is enabled on a device. If enabled, the time is automatically obtained from the network. Replaces setAutoTimeRequired() and getAutoTimeRequired() (see Deprecations for more information).
- Check and set whether auto time zone is enabled on a device. If enabled, the time zone is automatically obtained from the network.
- Check and set the factory reset protection (FRP) policy on a company-owned device.
- Check and set whether a user can change admin-configured network settings on a company-owned device.
- Check and set the protected packages on a fully managed device. Users can't clear app data or force-stop protected packages.
- Set the primary location settings on a device.
Deprecations
Android 11 includes the following notable API deprecations:
- The Settings.Secure.LOCATION_MODE setting is deprecated. Apps shouldn't use this value as the setting argument for the setSecureSetting() method. Device owners should instead call setLocationEnabled().
- resetPassword() is now fully deprecated. All DPCs should use secure passcode reset instead.
- setAutoTimeRequired() and getAutoTimeRequired(). Use setAutoTime() and getAutoTime() instead.
- setStorageEncryption() and getStorageEncryption(). Use getStorageEncryptionStatus() instead.
- setGlobalSetting() and setSecureSetting() are mostly deprecated; dedicated setter methods and user restrictions are available to replace most settings (see reference for more details).
- setOrganizationColor() is fully deprecated.
Learn more
To learn about other changes that might affect your app, read the Android 11 behavior changes pages (for apps targeting Android 11 and for all apps).