Google endpoint management (GEM) provides a convenient way to manage your organization’s devices in the same Google Admin console where you manage Google Workspace security, services, and accounts. The management options available to you for Android devices depend on the following:
- how the devices are set up
- whether the device user is under basic or advanced mobile management
- whether you add the devices to the company-owned inventory
- the Google Workspace license assigned to the device user
We’re going to introduce many device management terms here. If you get lost, there’s a word list at the end of this page.
Android Enterprise is a suite of APIs, developer tools, and administrator features that allow enterprise mobility management (EMM) providers to manage Android devices. Learn more about Android Enterprise.
GEM is an EMM provider built on Android Enterprise and offers many of the features Android Enterprise exposes. The two are separate, however: Android Enterprise may offer features that EMMs can implement but that GEM doesn't yet provide. To keep up to date with new features in GEM, see What's new in Google endpoint management.
The options you have in your EMM provider to manage Android devices, and the information you get about those devices, depend on how the devices are set up. The setup defines your management privilege. Your organization can have one of the following privileges on a device:
- Device owner–The device is set up as work-only and you have full control of the device. This mode gives you the most control over the data and apps on a device, and is best for organizations that have high security requirements.
Note about “device ownership”: A device you have device owner privileges on might be purchased by your organization and provided to the user, such as one set up with zero-touch enrollment as work-only. Or it might be a user's personal device that they chose to set up as work-only. In GEM, “company-owned devices” aren’t defined by your management privilege. Company-owned devices are any devices whose serial numbers you add to the company-owned inventory. Usually these are devices your organization purchased and has device owner privilege on, but the two properties are tracked independently.
- Profile owner–The device has a managed work profile that’s separate from the user's personal space (more on work profiles in the next section). You have control of the apps and data in the work profile, but not in the personal space. Use this mode if your organization wants a bring-your-own device (BYOD) environment.
Note: Android Enterprise now supports work profiles on company-owned devices, but GEM doesn't support this configuration.
- Device admin–(deprecated, not available for Android 10 and later, not supported for devices under GEM advanced mobile management) The user has a managed account in the personal space on their device.
Some GEM tools and settings depend on the privilege you have on the device. For example, if you have profile owner privilege for a device, you can wipe the work account from the device, but you can’t wipe the entire device.
To review the management privilege you have for a device, open the device’s details page in the Admin console. For details, see View mobile device details.
Android work profiles give users privacy for their personal data and apps on a personal device they also use for work. The work profile keeps the managed account and work apps in a separate space; your management controls apply only inside that space, and the user's personal apps and data stay outside your reach. Your organization’s management privilege is profile owner.
When you turn on advanced mobile management in GEM, users are prompted to set up a work profile when they add their managed account to a personal (BYOD) Android device. For more information about how a user sets up a work profile, see Set up Google Workspace on an Android device and What is a work profile?.
Only one work profile is allowed on a device.
- If you don’t want to require work profiles for users, set basic mobile management for their organizational unit. If you already turned on advanced mobile management, you can switch to basic mobile management. You won’t have as many management features with basic mobile management. Learn more about the differences in the next section.
- If a user needs more than one managed account on a device, such as a user who has a “regular” work account and an admin account, put them in an organizational unit that’s set for basic mobile management.
Note: GEM doesn’t support devices with device owner privilege and a work profile, though this setup is now an option in Android Enterprise.
Google endpoint management has 3 levels of mobile management: basic, advanced, and unmanaged (off). You set the mobile management level for users by organizational unit. You can also apply the setting to only certain types of devices used by users in the organizational unit, using the Custom option. For example, you could put the organizational unit's Android devices under advanced mobile management and its iPhones and iPads (iOS), including iOS devices that use Google Sync, under basic mobile management.
Important: You configure the mobile management setting by user–the account that’s added to the device–and, optionally, device type. You can’t set the level of mobile management for a specific set of devices, independent of a user account.
Basic mobile management is turned on by default. It lets you set basic passcode requirements, manage apps (Android only), and get details about devices with work accounts on them. It doesn’t require the user to install a management app on their device or set up a work profile, and it can coexist with some third-party EMM providers. If you want to use GEM as your EMM provider, keep in mind that basic mobile management offers only limited security options. For details, see Compare mobile management features.
Advanced mobile management is required for the full set of advanced endpoint features and enterprise endpoint features. To enforce security policies, the user must set up a management client on their device and, on a personal device, set up a work profile.
Note: Advanced mobile management can’t coexist with another EMM; a device under advanced mobile management is managed only by GEM.
When mobile management is turned off for Android devices, you can still allow users to add their work account to the device and access their work data. However, you have no management options: you can’t wipe the work account from a lost or stolen device, you can’t require a password, and the devices don’t appear in the devices list in the Admin console.
Some GEM features apply only to devices that you set as company-owned in the Admin console, which you do by adding the devices to the company-owned inventory. For example, GEM and associated security features, like Context-Aware Access, recognize a device as company-owned only if it has been added to the company-owned inventory.
This company ownership is separate from the device owner management privilege and from whether your organization purchased (physically owns) the device.
Zero-touch enrollment (ZTE) is an Android Enterprise feature that lets organizations automatically set up fully-managed devices for users. It’s separate from Google endpoint management, but you can use Google endpoint management to manage devices set up this way.
With ZTE, your organization buys devices from supported resellers and sets up a configuration that’s applied automatically when the user adds their account to the device.
To manage ZTE devices with GEM, users of these devices must be in organizational units with advanced mobile management turned on (at least for Android devices). Your organization will have device owner management privileges, but GEM won’t treat them as company-owned unless you add the devices to the company-owned inventory. For details, see Deploy Android devices with zero-touch enrollment.
For more information about ZTE in general, see Zero-touch enrollment for IT admins.
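The practical consequence of the two preceding sections is that a zero-touch device can be fully managed (device owner privilege) yet still be treated as not company-owned by Context-Aware Access because nobody uploaded its serial number. The following Python script is an added example, not code from the original page or from Google; it reconciles a constructed list of enrolled Android devices against a constructed company-owned inventory and reports the gaps in both directions. The record fields, serial numbers, user names and the privilege strings are assumptions made for this example and do not reflect the Admin console's export format.

```python
"""Added example: reconcile fully-managed Android devices against the
company-owned inventory. All data below is constructed sample data and the
field names are assumptions for this example, not the Admin console's format."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AndroidDevice:
    serial: str
    privilege: str   # assumed values: "device_owner", "profile_owner", "device_admin"
    user: str


def normalize_serial(serial: str) -> str:
    """Compare serials case-insensitively and without surrounding whitespace,
    so a sloppy CSV upload does not hide a mismatch behind a trailing space."""
    return serial.strip().upper()


def find_unregistered_fully_managed(devices, inventory):
    """Devices with device owner privilege whose serial is missing from the
    company-owned inventory. These are the ones GEM and Context-Aware Access
    will NOT treat as company-owned despite full management."""
    registered = {normalize_serial(s) for s in inventory}
    return [d for d in devices
            if d.privilege == "device_owner"
            and normalize_serial(d.serial) not in registered]


def find_inventory_without_device(devices, inventory):
    """Inventory serials with no enrolled device: stale entries, or hardware
    that was never set up as work-only by its user."""
    seen = {normalize_serial(d.serial) for d in devices}
    return sorted(normalize_serial(s) for s in inventory
                  if normalize_serial(s) not in seen)


def available_wipe(device: AndroidDevice) -> str:
    """Remote wipe the management privilege allows: the whole device for
    device owner, only the work account for profile owner. Device admin is
    deprecated and intentionally not mapped here."""
    if device.privilege == "device_owner":
        return "wipe_device"
    if device.privilege == "profile_owner":
        return "wipe_account"
    raise ValueError(f"no wipe mapping for privilege {device.privilege!r}")


# Constructed sample data: two zero-touch devices, one BYOD work profile.
SAMPLE_DEVICES = [
    AndroidDevice("ZTE-0001", "device_owner", "alice@example.com"),
    AndroidDevice("zte-0002 ", "device_owner", "bob@example.com"),   # messy serial
    AndroidDevice("BYOD-7781", "profile_owner", "carol@example.com"),
]
# Constructed inventory: one matching serial, one stale entry.
SAMPLE_INVENTORY = ["ZTE-0001", "ZTE-0003"]


def report(devices=SAMPLE_DEVICES, inventory=SAMPLE_INVENTORY) -> dict:
    """Summarize both gaps as plain data so the result can be checked or exported."""
    return {
        "fully_managed_not_company_owned": [
            (d.user, normalize_serial(d.serial))
            for d in find_unregistered_fully_managed(devices, inventory)],
        "inventory_without_device": find_inventory_without_device(devices, inventory),
    }


if __name__ == "__main__":
    for key, rows in report().items():
        print(key)
        for row in rows:
            print("  ", row)
```

Run it as-is to see Bob's zero-touch device flagged as fully managed but not company-owned, and the stale serial ZTE-0003 flagged for cleanup; in practice you would feed it the device list and inventory export from your own Admin console.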
Google endpoint management terms
- Advanced mobile management–The mobile management setting that gives you more control over users’ devices (such as access to networks and apps, and security settings) and more information about those devices.
- Basic mobile management–The mobile management setting that gives you minimal control over users’ devices and doesn’t require a management app or work profile.
- Company-owned–A device that you add to the company-owned inventory in your Admin console.
- Google endpoint management (GEM)–The enterprise mobility management provider included in Google Workspace and Cloud Identity, available in your Google Admin console.
- Android Enterprise–The features and tools that enterprise mobility management (EMM) developers use to support Android device management with the EMM.
- Bring-your-own device (BYOD)–A personal device that a user adds their work account to.
- Device owner–The management privilege that gives the enterprise mobility management provider complete control over a device. The user can’t add a personal account.
- Enterprise Mobility Management (EMM) provider–A product that lets your organization set security policies, control data access, and manage apps on devices.
- Fully-managed device–An Android device that your organization has device owner privileges on.
- Management privilege–The scope of an enterprise mobility management provider’s control on a device, either the entire device (device owner) or the work profile (profile owner).
- Profile owner–The management privilege that gives the enterprise mobility management provider control over only the work profile on a device.
- Work profile–A separate space on a user’s personal Android device for their work apps and data. Your organization has profile owner privilege on the device. The user’s personal apps and data are separate and not accessible to your organization.
- Zero-Touch Enrollment–An Android Enterprise feature that lets organizations automatically set up fully-managed devices for users.
See also Android Enterprise Terminology.