Understanding Android device management modes

Learn about various Android Enterprise management modes and choose the approach that suits the requirements of your organization.

Android offers multiple management options to support various enterprise use cases. You can choose a management option that depends on the ownership of devices (corporate or personal), security requirements, and user preferences.

Supported management modes

Corporate-owned fully managed devices

This mode is suitable for company-owned devices that are exclusively used for work purposes. It restricts personal app installation and access to personal data, ensuring that the device remains solely for work-related activities. IT administrators can enforce management, perform remote wipe, preload policies, and apps on the devices before they are issued to the employees. When the devices are reset, the MaaS360 agent is automatically installed on the devices. For more information, see Device Owner (DO) mode.

Corporate-owned dedicated devices (COSU)

This mode is designed for corporate-owned devices that serve a specific purpose, such as running a single application or providing a kiosk-like experience. Organizations can configure these devices to meet the needs of various use cases, including employee-facing tasks in factory and industrial settings, customer-facing signage and kiosks, and even point-of-sale (POS) terminals. Android provides granular control over various device features, including the lock screen, status bar, keyboard, and other key elements. This control prevents users from enabling unauthorized applications or performing actions that might interfere with intended purpose of the device.

Personally-owned devices (BYOD)

Work Profile mode, also known as Profile Owner (PO), is designed for personal devices that are used for both personal and work purposes. This mode creates a secure container on personal devices for work-related apps and data. MaaS360® has complete management control over the work profile, but does not have visibility and control over personal apps, data, and activities. Users retain control over their personal apps outside the work profile. Corporate apps that are installed through MaaS360 reside within the profile with separate storage. If the same app is already installed in the personal profile, the device displays two instances of the same app, but they cannot communicate with each other. The corporate apps are marked with an orange briefcase symbol.

This approach offers the following benefits.

When an employee leaves the organization, you can wipe corporate apps and data, leaving personal apps and data intact.
Containerization ensures that corporate data does not mix with personal data; as a result, corporate data cannot be leaked through private apps.
Users can disable work apps and hide work notifications to minimize interruptions. This option is only supported on Android 7.0 Nougat and later.

For more information about Profile Owner mode, see Work Profile or Profile Owner (PO) mode.

Work profile on corporate-owned devices (WPCO)

This mode is designed for corporate-owned devices that are used for both personal and work purposes. This allows organizations to create a separate work profile to segregate work data from personal data. Organizations have complete control over apps, data, and settings within the work profile. Additionally, they can enforce device-wide policies (example: Wi-Fi configuration and USB file transfers), and restrictions on the personal profile (example: disallow certain apps). Employees can safely use company-owned devices for personal use without sacrificing privacy. Organizations cannot see or access the personal profile, including its apps, data, and usage. For more information about WPCO, see Work profile on corporate-owned devices (WPCO)

Corporate-owned devices without Google Mobile Services

This mode caters specifically to corporate-owned Android devices running a custom Android build without Google Mobile Services (GMS). The scope of device management capabilities is restricted due to the unavailability of Google Mobile Services (GMS). While app deployment, remote device administration, and security policy implementation are supported, certain advanced management features might not be unavailable. For more information about non-GMS devices, see Corporate-owned devices without Google Mobile Services.

Google recommends to use an email address associated with your organization for onboarding. This ensures smooth and secure operations and enhance your integration with Google services.