Android Device Management

Android powers roughly 70% of the global smartphone market. In enterprise environments, that translates to thousands of Samsung, Google Pixel, and other Android devices that IT teams need to configure, secure, and maintain. Android device management is the practice of controlling these devices remotely through an MDM solution connected to Android Enterprise.

This guide walks through how Android device management works, which enrollment modes to use, how to enforce security policies, and how to distribute apps across your fleet.

How Android Device Management Works

Google built Android Enterprise as the official framework for managing Android devices in business environments. It replaced the older Device Admin API (deprecated since Android 10) with a more secure, consistent management layer.

The architecture is straightforward: your MDM server communicates with Google's EMM APIs. When an admin pushes a policy or app, the command reaches the device through Google Play services. The device applies the change without requiring a custom agent running in the background.

Android Enterprise works on any device running Android 6.0 or later that has Google Play services. For Samsung devices, you get additional controls through Samsung Knox, which adds hardware-backed security features and a richer set of management APIs on top of Android Enterprise.

Android Enterprise Enrollment Modes

The enrollment mode you choose depends on who owns the device and how much control you need.

Fully Managed Device

For corporate-owned devices where the organization controls everything. The entire device is under MDM management. There is no personal profile. IT can enforce any restriction, install or remove any app, and wipe the device at will.

This mode is ideal for shared devices (warehouse scanners, delivery tablets, retail kiosks) and for employees who receive a dedicated work phone. Enrollment happens during the initial device setup: the user taps the welcome screen six times to trigger QR code scanning, scans the enrollment QR code, and the device configures itself.

Work Profile on Company-Owned Device

Introduced in Android 11, this mode gives IT full device control while still creating a separate Work Profile for business apps. The user can use the device personally (install personal apps, use a personal Google account), but the Work Profile keeps corporate data isolated. IT can wipe the Work Profile without touching personal data, or wipe the entire device if needed.

This is the best option when you issue company phones but want to allow some personal use. Employees get flexibility; IT gets the security controls of a fully managed device.

Work Profile on Personal Device (BYOD)

For bring-your-own-device scenarios. The Work Profile creates a separate container on the employee's personal phone. Corporate apps and data live inside this container, encrypted and managed by IT. Personal apps and data remain untouched. IT cannot see personal apps, photos, browsing history, or location.

The Work Profile appears as a tabbed section in the app drawer with a briefcase badge on managed apps. Users can pause the Work Profile outside of business hours, which suspends all work notifications and data sync.

Dedicated Device (Kiosk Mode)

For single-purpose devices: digital signage, point-of-sale terminals, warehouse scanners, or field equipment. Kiosk mode locks the device to one or a few approved apps. The user cannot access Settings, install apps, or exit the designated application.

Dedicated devices are enrolled as fully managed and then locked down with a kiosk policy. They typically run unattended and may be shared among multiple workers across shifts.

Security Policies for Android Fleets

Managing Android devices is primarily about enforcing security at scale. Here are the policies that every Android deployment should include.

Password and Screen Lock

Enforce a minimum password complexity (numeric, alphanumeric, or biometric). Set auto-lock timers and a maximum number of failed attempts before the device wipes. For Work Profile deployments, you can require a separate password for the work container, adding a second layer of protection for corporate data.

Encryption

All Android devices running 6.0+ support file-based encryption. MDM can verify that encryption is active and block access to corporate resources on unencrypted devices. Samsung Knox adds hardware-level encryption for the Knox container, which is certified for government use in several countries.

Compliance Policies

Define what makes a device compliant: minimum OS version, encryption enabled, no root access, approved device model. Non-compliant devices can be blocked from accessing corporate email, VPN, or apps until the issue is resolved. This automated enforcement replaces manual auditing and ensures your security posture stays consistent across thousands of devices.

Network Controls

Push Wi-Fi configurations with enterprise certificates. Configure always-on VPN so all work traffic routes through your network. Restrict USB debugging and file transfer to prevent data exfiltration through physical connections.
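The following added example (not code from this guide or from any MDM vendor) audits a policy document for the password, auto-lock, VPN, and USB controls described above. It assumes the policy is exported in the shape of the Android Management API `Policy` resource; the thresholds and the sample policies are constructed for illustration.

```python
# Thresholds are illustrative assumptions, not Google or vendor defaults.
MAX_LOCK_MS = 5 * 60 * 1000
MAX_FAILED_ATTEMPTS = 10
WEAK_QUALITY = {None, "PASSWORD_QUALITY_UNSPECIFIED", "SOMETHING"}

def audit_policy(policy):
    """Return one finding per missing or weak control; an empty list means all pass."""
    findings = []
    # An entry without an explicit scope is treated as device scope here.
    device_pw = next((p for p in policy.get("passwordPolicies", [])
                      if p.get("passwordScope", "SCOPE_DEVICE") == "SCOPE_DEVICE"), {})
    if device_pw.get("passwordQuality") in WEAK_QUALITY:
        findings.append("no_password_complexity")
    # 0 or absent means the device never wipes after failed unlock attempts.
    attempts = int(device_pw.get("maximumFailedPasswordsForWipe", 0))
    if not 0 < attempts <= MAX_FAILED_ATTEMPTS:
        findings.append("no_wipe_after_failed_attempts")
    # int64 fields arrive as strings in JSON; 0 or absent means no auto-lock limit.
    lock_ms = int(policy.get("maximumTimeToLock", 0))
    if not 0 < lock_ms <= MAX_LOCK_MS:
        findings.append("auto_lock_too_long_or_unset")
    vpn = policy.get("alwaysOnVpnPackage", {})
    if not vpn.get("packageName"):
        findings.append("always_on_vpn_missing")
    elif not vpn.get("lockdownEnabled"):
        # Without lockdown, traffic leaves the device directly while the VPN is down.
        findings.append("vpn_lockdown_disabled")
    if policy.get("debuggingFeaturesAllowed"):
        findings.append("usb_debugging_allowed")
    if not policy.get("usbFileTransferDisabled"):
        findings.append("usb_file_transfer_allowed")
    return findings

# Constructed sample policies: a weak one beside a hardened one.
WEAK = {
    "passwordPolicies": [{"passwordScope": "SCOPE_DEVICE", "passwordQuality": "SOMETHING"}],
    "maximumTimeToLock": "1800000",
    "alwaysOnVpnPackage": {"packageName": "com.example.vpn", "lockdownEnabled": False},
    "debuggingFeaturesAllowed": True,
}
HARDENED = {
    "passwordPolicies": [{"passwordScope": "SCOPE_DEVICE", "passwordQuality": "NUMERIC_COMPLEX",
                          "maximumFailedPasswordsForWipe": 10}],
    "maximumTimeToLock": "120000",
    "alwaysOnVpnPackage": {"packageName": "com.example.vpn", "lockdownEnabled": True},
    "debuggingFeaturesAllowed": False,
    "usbFileTransferDisabled": True,
}
```

Running `audit_policy` over every policy before it is assigned to a device group catches a control that was dropped or loosened during an edit.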

Lost Device Response

Remote lock displays a custom screen with contact information. Remote wipe erases all data (or just the Work Profile on BYOD devices). For Samsung Knox devices, you can also trigger a remote ring at full volume to locate a misplaced device in an office or warehouse.

App Distribution on Android

Managed Google Play is the official channel for distributing apps to managed Android devices. It replaces the need for sideloading APKs or maintaining your own app repository.

Public Apps

Select apps from the Play Store and approve them for your organization. Approved apps appear in the managed Work Profile. You can silently install required apps (on fully managed and company-owned devices) or make them available for optional download.

Private Apps

Upload your own APKs to Managed Google Play as private apps. They are visible only to your organization. This is how most companies distribute internal tools, custom field apps, or proprietary line-of-business applications.

For organizations that need a branded app catalog across both Android and iOS, Appaloosa provides an enterprise app store that unifies distribution in a single interface.

Managed Configurations

Many enterprise apps support managed configurations (also called app restrictions). This lets you pre-configure server URLs, authentication settings, and feature toggles before the app reaches the user. For example, you can push Microsoft Teams with your tenant ID pre-filled, or configure a custom field app to point to the correct API endpoint per region.

Zero-Touch Enrollment

Zero-touch enrollment is Android's equivalent of Apple's Automated Device Enrollment. When you buy devices from a zero-touch partner (Samsung, Google, Lenovo, and most major manufacturers), the devices are registered in the zero-touch portal. On first boot, the device automatically enrolls in your MDM server without any manual steps.

This is the recommended enrollment method for any corporate-owned Android deployment. IT ships the device to the employee, the employee powers it on, connects to Wi-Fi, and the device configures itself with all policies, apps, and settings.

Zero-touch enrollment also provides persistence: if someone factory resets the device, it re-enrolls automatically on the next setup. This prevents employees from removing management and protects against stolen devices being repurposed.

Managing Samsung Devices with Knox

Samsung devices represent a significant portion of enterprise Android fleets. Samsung Knox adds capabilities beyond standard Android Enterprise:

Knox Platform for Enterprise (KPE). Hardware-backed encryption, certificate management, and VPN configuration that goes deeper than stock Android. KPE enables features like dual DAR (Data at Rest) encryption for government compliance.

Knox Mobile Enrollment (KME). Samsung's own zero-touch system, which works alongside Google's zero-touch. If your devices are purchased through Samsung's channel, KME provides a similar auto-enrollment experience.

Knox E-FOTA. Enterprise Firmware Over The Air lets you control which firmware version your Samsung devices run. You can test a new Android version on a pilot group before approving it for the full fleet, preventing surprise OS updates from breaking critical apps.

Common Android Management Challenges

Device Fragmentation

Android runs on hundreds of device models from dozens of manufacturers. Not every device supports every MDM feature. The solution is to maintain an approved device list and standardize on a few models per use case. Samsung and Google Pixel devices offer the most consistent management experience because they receive security patches promptly and support the full Android Enterprise feature set.

OS Version Gaps

Unlike iOS, Android updates depend on the manufacturer. Some devices lag months behind on security patches. Enforce a minimum security patch level through compliance policies and block non-compliant devices from corporate resources until they update.
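The compliance gate described here and under Compliance Policies can be sketched as follows. This is an added example, not code from this guide or from any MDM product: the baseline thresholds, field names, and inventory records are all constructed assumptions, and missing attributes are treated as failures so that a device that reports nothing is never allowed by default.

```python
from datetime import date, timedelta

# Hypothetical baseline: every threshold and model name is an assumption.
BASELINE = {"min_sdk": 33, "max_patch_age_days": 90,
            "approved_models": {"Pixel 8", "EXAMPLE-SCANNER-1"}}

def evaluate(device, today, baseline=BASELINE):
    """Return the reasons a device is non-compliant; an empty list means compliant."""
    reasons = []
    sdk = device.get("sdk")
    if not isinstance(sdk, int) or sdk < baseline["min_sdk"]:
        reasons.append("os_version_too_old")
    # Fail closed: an attribute the device did not report counts as a failure.
    if device.get("encrypted") is not True:
        reasons.append("encryption_not_confirmed")
    if device.get("rooted") is not False:
        reasons.append("root_not_ruled_out")
    if device.get("model") not in baseline["approved_models"]:
        reasons.append("model_not_approved")
    try:
        # Android reports the security patch level as YYYY-MM-DD.
        patch = date.fromisoformat(device["patch_level"])
        if today - patch > timedelta(days=baseline["max_patch_age_days"]):
            reasons.append("security_patch_too_old")
    except (KeyError, TypeError, ValueError):
        reasons.append("security_patch_unknown")
    return reasons

def access_decisions(inventory, today):
    """Map device id to 'allow' or 'block: <reasons>' for a conditional-access gate."""
    decisions = {}
    for device in inventory:
        reasons = evaluate(device, today)
        decisions[device["id"]] = "block: " + ", ".join(reasons) if reasons else "allow"
    return decisions

# Constructed inventory records, not output from any real MDM.
INVENTORY = [
    {"id": "dev-01", "model": "Pixel 8", "sdk": 34, "patch_level": "2024-05-05",
     "encrypted": True, "rooted": False},
    {"id": "dev-02", "model": "EXAMPLE-SCANNER-1", "sdk": 33, "patch_level": "2023-11-01",
     "encrypted": True, "rooted": False},
    {"id": "dev-03", "model": "Pixel 8", "sdk": 34, "encrypted": True},
    {"id": "dev-04", "model": "UNLISTED-9", "sdk": 30, "patch_level": "2024-05-01",
     "encrypted": False, "rooted": True},
]

if __name__ == "__main__":
    for dev_id, decision in access_decisions(INVENTORY, date(2024, 6, 1)).items():
        print(dev_id, decision)
```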

BYOD User Adoption

Employees sometimes resist installing a Work Profile on their personal phone. Clear communication helps: explain that IT cannot see personal data, that the Work Profile can be paused, and that removing the Work Profile only deletes corporate data. A transparent privacy policy goes further than any technical measure.

Getting Started

If you are setting up Android device management for the first time:

1. Create an Android Enterprise account. Bind your organization's Google account to your MDM solution. This activates Managed Google Play and enables enterprise enrollment.

2. Choose your enrollment modes. Fully managed for corporate-owned, Work Profile for BYOD, dedicated for kiosks and shared devices.

3. Register devices for zero-touch. Contact your device reseller to add your devices to the zero-touch portal and assign them to your MDM server.

4. Define security policies. Start with password, encryption, and compliance requirements. Layer on network and app restrictions based on your security needs.

5. Approve and assign apps. Set up Managed Google Play, approve the apps your teams need, and configure silent installation for required apps.

6. Pilot and expand. Test with a small group across different device models and enrollment modes. Validate that policies apply correctly before rolling out to the full fleet.

Android device management has matured significantly with Android Enterprise. The combination of Work Profiles, zero-touch enrollment, Managed Google Play, and hardware-backed security (especially on Samsung Knox devices) gives IT teams the tools to manage Android fleets with the same confidence as iOS deployments.

Julien Ott
May 25, 2024
