Android Device Management feature list

This page lists the complete set of Android Enterprise features supported by Applivery. Since Applivery is fully compliant with all Android Enterprise management modes, all Android Enterprise features are available by default. You can find the full Android Enterprise feature list here.

Device Provisioning

  • Work profile provisioning: End users can provision a work profile after downloading the Android Device Policy from Google Play.
  • Fully managed mode provisioning: End users can provision a fully managed or dedicated device by entering afw#setup in the device’s setup wizard.
  • NFC device provisioning: IT admins can “bump” new or factory-reset devices with the Applivery NFC provisioning app to provision a device (WIP).
  • QR code device provisioning: IT admins can use the new or factory-reset device to scan a QR code generated by the Applivery MDM Console to provision the device.
  • Zero-touch enrollment: Zero-touch enrollment is a streamlined process for Android devices to be provisioned for enterprise management. On first boot, devices check to see if they’ve been assigned an enterprise configuration. If so, the device initiates the fully managed device provisioning method and downloads the correct device policy controller app, which then completes the setup of the managed device.

Device security

  • Device security challenge: IT admins can set and enforce a device security challenge (e.g. PIN/pattern/password) of a certain type and complexity on managed devices.
  • Work security challenge: IT admins can set and enforce a security challenge for apps and data in the work profile that is separate and has different requirements from the device security challenge.
  • Advanced passcode management: IT admins can configure advanced password settings on devices.
  • Remote wipe and lock: IT admins can use Applivery’s MDM console to remotely lock and wipe work data from a managed device.
  • Compliance enforcement: If a device is not compliant with security policies, compliance rules put in place automatically restrict access to work data.
  • Default security policies: The specified security policies are enforced on devices by default, without requiring IT admins to configure or customize any settings in the Applivery MDM console. For example, access to debugging features and installing apps from unknown sources are both blocked by default.
  • Security policies for dedicated devices: Users can’t escape a locked-down dedicated device to enable other actions.
  • Verify Apps enforcement: IT admins can enable Verify Apps on devices. Verify Apps scans apps installed on Android devices for malware before and after they’re installed, helping to ensure that corporate data can’t be compromised by malicious apps.
  • Hardware security management: IT admins can lock down hardware elements of a device to ensure data loss prevention. Some examples are: IT admins can block users from mounting physical external media, block users from sharing data from their device using NFC beam, or block users from transferring files over USB.

App Management

  • Silent app distribution: IT admins can silently distribute work apps on users’ devices without any user interaction. It includes installing, updating, and uninstalling apps on managed devices.
  • Managed configuration management: IT admins can view and silently set managed configurations for any app that supports managed configurations.
  • App catalog management and whitelisting: IT admins can configure the work apps catalog from the Applivery MDM Console by whitelisting or blacklisting apps.
  • Programmatic app approval: IT admins can search for apps, approve apps, and approve new app permissions without leaving the EMM’s console.
  • Basic store layout management: End users can use the managed Google Play store app on their devices to install and update work apps. By default, the managed Google Play store displays all apps approved for a user in a single list. This layout is referred to as the basic store layout.
  • Google-hosted private app management: IT admins can update Google-hosted private apps through the EMM console instead of through the Google Play console.
  • Self-hosted private app management: IT admins can configure and publish self-hosted private apps. Unlike Google-hosted private apps, the APKs / AABs are not hosted by Google Play. Instead, Applivery helps IT admins host APKs on Applivery servers, and helps protect self-hosted apps by ensuring they can only be installed when authorized by managed Google Play. You can read more here.
  • Web app management: IT admins can create and distribute web apps in the Applivery MDM console.

Device Management

  • Runtime permission policy management: IT admins can silently set a default response to all runtime permission requests made by work apps. IT admins must be able to choose from the following options when setting a default runtime permission policy for their organization: prompt (allows users to choose), allow, or deny.
  • Runtime permission grant state management: After setting a default runtime permission policy, IT admins can silently set responses for specific permissions from any work app built on API 23 or above.
  • WiFi configuration management: IT admins can silently provision enterprise WiFi configurations on managed devices, including SSID, Password, and multiple other advanced configurations.
  • WiFi security management: IT admins can provision enterprise WiFi configurations on devices that include the following advanced security features: Identity, Certificates for client authorization, and CA certificates.
  • Advanced WiFi management: IT admins can lock down WiFi configurations on managed devices, to prevent users from creating new configurations or modifying corporate configurations. Users cannot modify any Wi-Fi configurations.
  • Account management: IT admins can ensure that only authorized corporate accounts can interact with corporate data, for services such as SaaS storage and productivity apps, or email. Without this feature, users can add personal accounts to those corporate apps that also support consumer accounts, enabling them to share corporate data with those personal accounts. IT admins can prevent users from adding or modifying accounts.
  • Accessibility services management: IT admins can control what accessibility services can be enabled on users’ devices. While accessibility services are powerful tools for users with disabilities or who are temporarily unable to fully interact with their device, they may interact with corporate data in ways that are non-compliant with corporate policy. This feature allows admins to disable any non-system accessibility service.
  • Location sharing management: IT admins can prevent users from sharing location data with apps in the work profile. Otherwise, the work profile location setting is user-configurable in Settings.
  • Advanced location-sharing management: IT admins can enforce a given location-sharing setting on a managed device. This feature can ensure, for example, that corporate apps always have access to high-accuracy location data, or that users don’t consume extra battery by restricting location settings to battery-saving mode. IT admins can set the device location services to each of the following modes: high accuracy, sensors only (for instance GPS, but not including network-provided location), battery saving (which limits the update frequency), and Off.
  • Factory reset protection management: Enables IT admins to protect company-owned devices from theft by ensuring only authorized users can factory reset devices. Admins can also disable factory reset protection entirely if it introduces operational complexities when devices are returned to IT.
  • Advanced app control: IT admins can prevent the user from uninstalling or otherwise modifying managed apps through Settings, for instance force closing the app or clearing an app’s data cache.
  • Screen capture management: IT admins can block users from taking screenshots when using managed apps. This includes blocking screen-sharing apps and similar apps (such as Google Assistant) that leverage the system screenshot capabilities.
  • Disable cameras: IT admins can disable use of device cameras by managed apps.
  • Reboot device remotely: IT admins can remotely reboot managed devices.
  • System radio management: IT admins can prevent users from modifying mobile network settings; configure whether the device permits cellular data while roaming; configure whether the device can make outgoing phone calls, excluding emergency calls; configure whether the device can send and receive SMS messages; prevent users from using their device as a portable hotspot by tethering; set the WiFi timeout to default, only while plugged in, or never; and prevent users from configuring or modifying existing Bluetooth connections.
  • System audio management: IT admins can silently control device audio features, including muting the device, preventing users from adjusting volume settings, and preventing users from unmuting the device microphone.
  • System clock management: IT admins can control device clock and timezone settings, and prevent users from modifying automatic device settings.
  • Advanced dedicated device features: IT admins can disable the device keyguard, disable the device status bar, block notifications and quick settings, force the device screen to remain on while the device is plugged in, prevent the following system UIs from being displayed (toasts, phone activities, system alerts, system errors, and system overlays), and enable the system recommendation for apps to skip their user tutorial and other introductory hints on first start-up (skip first use hints).

Device usability

  • Managed provisioning customization: IT admins can modify the default managed provisioning flow UX to include enterprise-specific features. Optionally, admins can display EMM-provided branding during provisioning. IT admins can customize the provisioning process by specifying the following enterprise-specific details: enterprise color (see primaryColor), enterprise logo (see logo), enterprise terms of service, and other disclaimers (see termsAndConditions).
  • Lock screen messages: IT admins can set a custom message that’s always displayed on the device lock screen and does not require device unlock to be viewed.
  • Policy transparency management: IT admins can customize the help text provided to users when they attempt to modify managed settings on their device or deploy an EMM-supplied generic support message. Both short and long support messages can be customized, and are displayed in instances such as attempting to uninstall a managed app for which an admin has already blocked uninstallation.
  • System update policy: IT admins can configure and apply over-the-air (OTA) system updates for devices.
  • Lock task mode management (Kiosk App): IT admins can lock an app or set of apps to the screen, and ensure that users can’t exit the app.
  • Persistent preferred activity management: Allows admins to set an app as the default intent handler for intents that match a certain intent filter. For example, this would allow admins to choose which browser app automatically opens all web links, or which launcher app is used when the user hits the home button.
  • Keyguard feature management: IT admins can control the features available to users before unlocking the device keyguard (lock screen) and the work challenge keyguard (lock screen).
  • Advanced keyguard feature management: IT admins can control advanced device keyguard (lock screen) features. IT admins can disable the following device keyguard features: secure camera, all notifications, unredacted notifications, trust agents, fingerprint unlock, and all keyguard features.
  • Remote debugging: The Android Management API doesn’t currently support this feature.
  • MAC address retrieval: Applivery MDM can silently fetch a device’s MAC address, to be used to identify devices in other parts of the enterprise infrastructure (for example when identifying devices for network access control).
  • Advanced lock task mode management: When lock task mode is enabled on a device, IT admins can use the EMM’s console to configure the following system UI features: home button, overview, global actions, notifications, system info / status bar, and keyguard (lock screen).
  • Advanced system update policy: IT admins can set a specified freeze period for blocking system updates on a device.
  • Work profile policy transparency management: IT admins can customize the message displayed to users when removing the work profile from a device.