As an admin using advanced mobile management, how and what you can control on a user's Android device depends on the management app on the device. The management app is an agent, which gives your organization access to device information and settings. As of September 2019, Google endpoint management is rolling out Android Device Policy, a management app that replaces the Google Apps Device Policy app. Android Device Policy offers new features and also changes how some existing features behave.
Frequently asked questions
What features are available only for Android Device Policy?- Zero-touch enrollment—Deploy company-owned devices in bulk without manually setting up each device. Learn more
- Advanced password management—Set advanced password requirements. For example, disallow repeating or sequential characters. Learn more
- Advanced VPN management—Specify an app to be an Always On VPN. Learn more
- Lock screen feature management—Disable notifications, trust agents, fingerprint unlocks, and keyguard features on fully managed devices. Learn more
- Google can automatically add new security features.
To use Android Device Policy, the device must meet the following requirements:
- Android 6.0 Marshmallow or later
- The device supports a work profile and company-owned (fully managed) device mode.
- The user account is under advanced mobile device management.
Also, Android Device Policy must be available to your organization. Your Google Workspace or Cloud Identity admin will get an email a few weeks before Android Device Policy becomes available.
After all these conditions are met, when users set up new devices, they are automatically prompted to set up Android Device Policy on their devices.
Users are prompted to set up the Google Apps Device Policy app for new devices that are under advanced management in the following situations:
- Their device doesn't meet the requirements for Android Device Policy.
- Your organization doesn't have Android Device Policy available yet.
Note: To require users set up work profiles, their devices must have Android 5.0 Lollipop and later. To let users set up personal devices as owned by the organization, their devices must have Android 6.0 Marshmallow and later.
Devices that already have the Google Apps Device Policy app are still managed by that app. If required and supported, you can transition a device to Android Device Policy.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
From the Admin console Home page, go to Devices.
- Click Mobile devices.
- Click the row of the device you want to view details for.
- Click Device security.
The device’s management is listed under User agent.
Google Apps Device Policy app—The device user is prompted to install the app when they first add their managed Google Account to the device.
Android Device Policy—The device user doesn't need to install anything, but they will be prompted to set up a work profile on personal devices. Because Android Device Policy is still rolling out, users might not have Android Device Policy available on their device yet. You'll receive an email when Android Device Policy is available to your organization.
If the Google Apps Device Policy app is installed on a device after Android Device Policy is set up, the app alerts the user to remove the work profile created by Android Device Policy. To resolve the conflict, the user should uninstall or disable the Google Apps Device Policy app.
The transition process depends on how the device is set up:
Personal device with a work profile
Your organization's management privilege is Profile owner
On the device, the user removes their work profile and then adds their work account again. They're prompted to set up Android Device Policy.
Note: If the device doesn't support Android Device Policy, the user is prompted to set up Google Apps Device Policy app instead.
Personal device without a work profile
Your organization's management privilege is Device admin
On the device, the user takes the following steps:
- Open the Google Apps Device Policy app.
- Tap Unregister. The work account is removed from the device.
- Open the Settings app and tap Accounts.
- Add the work account again and set up Android Device Policy. During enrollment, the user must set up a work profile because it's required for Android Device Policy.
Note: If the device doesn't support Android Device Policy, the user is prompted to set up Google Apps Device Policy app instead.
Company-owned device or a personal device the users sets as work-only
Your organization's management privilege is Device owner
To trigger the switch, the device must be reset by an admin or, if allowed, by the user. The user can then add the work account again and set up Android Device Policy. Note: If the device doesn't support Android Device Policy, the user is prompted to set up Google Apps Device Policy app instead.
To reset the device from the Admin console:
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
From the Admin console Home page, go to Devices.
- Click Mobile devices.
- Point to the device and click More
Wipe Device.
If you allow users to reset their devices, the user can reset the device.
Android Device Policy is integrated directly into the operating system of the device, so it doesn't appear as a separate app on the device. If needed, you can access the app in Google Play. On the device, tap Play Store and search for Android Device Policy.
The data that's removed from a device depends on your organization's management privilege:
|
Device type |
Wipe device | Wipe account |
|---|---|---|
|
Personal device with a work profile Your organization's management privilege is Profile owner |
The user’s work profile is removed, which includes the work account and all apps and data associated with it. Personal data and apps remain on the device. |
Same as Wipe device |
|
Personal device without a work profile Your organization's management privilege is Device admin This management option is available only for devices with Android 9.0 or earlier with the Google Apps Device Policy app |
The device is reset to its factory settings. All work and personal apps and data are removed. If the device has an SD card, data is removed from the SD card, too. Note: The removal is a Quick Erase and not a Secure Erase of the SD card. Only mounted primary SD cards are wiped. Read-only cards aren't wiped. |
The work account is removed. Personal data and apps remain on the device. However, if the device is in fully managed mode and the work account is added back, all apps are removed from the device. Note: For Android 5.1 Lollipop and later, an account can’t be removed if it’s the only account on the device. When you wipe the account, new work data stops syncing but existing data and the work account remains on the device. To remove the account and existing data, wipe all data from the device. |
|
Company-owned device (or a personal device the users sets as work only) Your organization's management privilege is Device owner |
The device is reset to its factory settings. All work and personal data is removed. |
Android Device Policy devices—The device is reset to its factory settings. All work and personal data is removed. Note: For Android Device Policy devices, if the device is currently under basic mobile management but was previously under advanced mobile management, wiping the account isn’t supported and the only option is to wipe the device. Google Apps Device Policy devices—The work account is removed. Personal data and apps remain on the device. However, if the device is in fully managed mode and the work account is added back, all apps are removed from the device. |
No. Personal Android devices managed with advanced mobile management and set up as user-owned (user selects Use for work & personal during setup) must install a work profile to access work data.
Note: The user is required to create a work profile even when you disable work profile creation or make it optional (In the Admin console, go to DevicesSettings
Android settings
Work Profile
Work Profile Setup).
A work profile isn't required when users select Use for work only when they set up their personal device. However, the device is fully managed by their organization and the user can't add any personal accounts to the device. If the account is wiped remotely, the device is reset to its factory settings and all data is removed.