Android Device Management

Android Device Management in MDM enables IT administrators to centrally manage and secure Android devices across their organization. This document provides a comprehensive guide to the different management types available, such as Device Owner and Profile Owner modes, and outlines the supported enrollment methods for each. It also includes a detailed comparison of features based on the chosen management type, helping admins select the most suitable approach for their organizational needs.

Android Device Management Types

1. Company-Owned Device Management: For devices purchased and owned by the organization, ensuring full control and security.
   Company-Owned Fully Managed Devices with a Work Profile: Company-owned devices configured with separate work and personal profiles, enabling employees to securely use the same device for both professional and personal purposes while ensuring privacy and corporate data protection.
   Enrollment Methods:
   • Zero Touch Enrollment:
     When to Use:
     1. You are deploying Android 9.0 or later devices purchased from authorized Zero-touch reseller partners.
     2. Large-scale enterprise roll-outs require hands-free, one-time setup.
     3. You need mandatory MDM management, applied automatically at first boot.
     4. Resellers can directly add devices to the Zero-touch portal, reducing admin effort.
     5. Devices should receive pre-assigned apps, profiles, and configurations automatically.
        To learn more, visit our Zero Touch Enrollment guide.
   • Knox Mobile Enrollment:
     When to Use:
     1. Your organization manages Samsung devices (running Android 6.0 or later).
     2. Devices are purchased from Samsung or KME-authorized resellers.
     3. You want a Samsung-specific equivalent of Zero-touch enrollment with added Knox security.
     4. Admins need to enforce MDM enrollment automatically on Samsung devices during initial setup.
     5. Ideal for enterprises standardising on Samsung hardware.
        You can choose to enroll Samsung devices using Knox mobile enrollment, irrespective of the OS version if they are Knox-capable. You can view the list of Knox-capable devices. Additionally, you can also choose to enroll Samsung devices using QR code and NFC for bulk enrollment.
        To learn more, visit our Knox Mobile Enrollment guide.
   • QR Code(EMM Token) Enrollment:
     When to Use:
     1. Devices are not purchased from Zero-touch or Knox reseller partners.
     2. You are enrolling individual devices or small batches.
     3. The device supports Android 6.0 or later with a factory reset state.
     4. Enrollment needs to be done by scanning a QR code or entering an EMM token at the setup wizard.
        To learn more, visit our QR Code Enrollment guide.
   • NFC Enrollment:
     When to Use: This is the faster enrollment. It requires the NFC Admin app and an NFC tag to be procured. Once set up, the admin can enroll a device by simply tapping it, eliminating the need to manually scan a QR code or enter a token. To learn more, visit our NFC Enrollment guide.
   • Android Debug Bridge (ADB) Enrollment:
     When to Use: Use ADB enrollment for devices that are already set up and in use. These devices may already have apps, settings, or data on them, and this method allows you to enroll them into MDM without resetting or starting from scratch. It is also suitable for devices that do not have Google Play Services. To learn more, visit our ADB Enrollment guide.
2. Personal Device Management (BYOD - Bring Your Own Device): For employee-owned Personal devices accessing corporate resources.
   Enrollment Methods:
   • Direct QR Code Enrollment: IT Admin need to share the Enrollment URL or the QR Code with the user to enroll their personal devices.
   • User Invitation Enrollment:
     When to Use:
     1. Admins want to invite single/bulk users via email or SMS with enrollment details.
     2. Suitable for both BYOD and corporate-owned personal devices.
     3. Best for larger groups or scenarios where users need guided instructions.
     4. Ensures each user receives a personalized enrollment link.
        To learn more, visit our User Invitation Enrollment guide.
   • Self Enrollment:
     When to Use:
     1. Admin need to share the Self enrollment QR code or the Enrollment URL by Promoting Self Enrollment in the organization.
     2. Users need to download the MDM app from the Playstore and enroll their own devices using the Self Enrollment QR Code or the Enrollment URL.
     3. It Reduces IT admin overhead since users initiate the process themselves.
        To learn more, visit our Self Enrollment guide.

Comparison of Supported Functionality by Management Type

This section outlines the key functionality available for each Android device management type, helping IT admins choose the right approach based on security and functionality requirements.

Functionality	Fully Managed	Work Profile on a Company owned device	Personal Device
Policy
Passcode
Restrictions
Workspace Security
WiFi
VPN
Email	Applicable only for Samsung
Exchange ActiveSync
EFRP
Kiosk
Wallpaper
Asset Tag Information
Sound Settings
Global HTTP Proxy
Certificate
SCEP
Web Shortcut
Web Content Filter
Access Point Name
OEM Configurations
APPS & UPDATE MANAGEMENT
Silent Installation of Play Store Apps
Silent Installation of in-house Apps		Requires user permission every time an in-house app is pushed	Requires user permission every time an in-house app is pushed
Restricting side-loaded Apps
Automate OS Updates
Block listing Apps
Multiple versions of in-house Apps
Inventory
Device details such as model name, manufacturer name, UDID, etc.			Limited
Tracking Device Battery Level
Locate Device
Real Time Device Alerts
Restart Device
Tools
Announcements
Remote Troubleshooting (Remote Control and View)
Remote Control
Remote View
Security Management
Containerization
Complete Wipe of the device
Corporate Wipe of the device
Remote Lock
Lost Mode
Restrict users from resetting the device
Restrict users from revoking MDM management.
Clear/ Reset Passcode