This document will provide answers to frequently asked Android Enterprise questions.
Updated January 2020
What is the difference between EMM (Enterprise Mobility Management) and MDM (Mobile Device Management)?
In the simplest of terms, MDM and EMM are mostly interchangeable acronyms used to describe the remote management of devices. For a detailed explanation of what these terms mean, please view this blog post.
Which devices support Android Enterprise?
Android Enterprise currently supports ~8,000+ devices from hundreds of manufacturers. To see a complete list of supported devices, please click here.
Are Amazon Kindle devices supported on Android Enterprise?
AOSP (Android Open Source Project) devices are running vanilla Android ROMs and are not compatible with Android Enterprise. Even though Android Enterprise was designed to ultimately replace the Device Admin, Moki does still support it. Devices that don’t work on Android Enterprise might be supported on Moki’s Device Admin solution. Please reach out to Moki Sales to confirm.
Are unbranded, Chinese OEM devices supported on Android Enterprise?
No. Most OEM Android devices are running a version of Android called AOSP (Android Open Source Project), which is a vanilla Android ROM. These devices are not compatible with Android Enterprise. Even though Android Enterprise was designed to ultimately replace the Device Admin, Moki does still support it. Devices that don’t work on Android Enterprise might be supported on Moki’s Device Admin solution. Please reach out to Moki Sales to confirm.
What are the major differences between Device Admin and Android Enterprise?
The Device Admin API was introduced in Android 2.2. It was initially designed as a means of granting admin permissions to third-party applications. In order for a Device Admin MDM application to work correctly, it has to be signed by the manufacturer of the Android device on which the application is being installed. This meant that Samsung had a different version of the Device Admin app than Lenovo, Lenovo had a different version than LG, and so on. EMMs (MDM companies) had to work with device manufacturers in order to have the Device Admin applications signed for their respective devices, thus allowing the necessary permissions to be granted to manage the devices. These Device Admin applications often have a lot more custom features like Remote Control, file management control, etc., but are painful for EMMs to support.
Android Enterprise, on the other hand, removes the need for the OEM app signing process. All Android Enterprise devices support the same functionality, regardless of the Android manufacturer. In addition, AE supports features that just were not possible with the Device Admin solution.
There are pros and cons to each solution, but going forward, Android Enterprise will continue to receive new features, and the Device Admin will ultimately go away. Currently, Moki supports both solutions.
Are Samsung devices supported on Android Enterprise?
Yes. Samsung devices do support Android Enterprise on most Android 5.0+ devices. With the release of Android 8.0 and Knox version 3.0, Samsung has further integrated Android Enterprise via the Samsung Android Enterprise Profile Owner APIs. Customers also have the option to activate the Knox Platform for Enterprise license to enable premium features on their devices.
Are all Android Enterprise features available on all Android versions?
No. Depending on which version of Android your devices have installed, features and functionality will differ slightly. For a full list of which features are available for which versions, please click here.
Do I have to have a G Suite email account to use Android Enterprise?
No. Your EMM (MDM company) might require it for authentication of their users, but Android Enterprise does not require it. In order to register and configure an Android Enterprise account, however, a Gmail email address is required. Unfortunately, G Suite emails are not currently supported. Once you register your EMM with Android Enterprise, you will need to stay logged in to your Gmail account in order to configure or make changes to your Google Play Store applications. If you are not logged in, you will be redirected away from your EMM every time you wish to make a change or add an app.
Which devices are the best devices to use on Android Enterprise?
Your use case and what you intend to use the devices for will ultimately determine which devices are best for your project. For example, a cell phone might be better for employees needing devices to deliver packages, while a tablet might be better suited as a kiosk device. Once you have figured this out, an excellent first step would be to look at the Android Enterprise Recommended device list. Once you have narrowed down your selection, you can begin looking at the pricing and sourcing of the devices.
Is it possible to install more than one EMM policy at a time?
No. You can only install one Android Enterprise policy from your EMM at any given time. In order to remove one EMM and replace it with another, the device will need to be factory reset.
What is "Android Enterprise Recommended"?
Android Enterprise Recommended is a program recommending the best devices, EMMs, and solutions providers.
There is a strict list of requirements that each of these categories must meet in order to receive the certification. Moki is currently working with Google to become an EMM Recommended Android Enterprise provider.
What is zero-touch enrollment?
Zero-touch enrollment is a streamlined process for Android devices to be provisioned for enterprise management. On first boot, devices check to see if they have been assigned an enterprise configuration. If so, the device initiates the fully managed device provisioning method and downloads the correct device policy controller app, which then completes the setup of the managed device. In order for a customer to take advantage of AE’s zero-touch solution, three main criteria must be met:
- The device must be running Android Oreo (8.0) or must be a Pixel phone with Android Nougat (7.0). A full list of supported devices can be found here.
- The devices must be purchased from a certified reseller. We have worked with SHI International Corp in the past on several projects and recommend them, but you are free to use whomever you’d like. Here is a full list of all the approved Managed Service Providers (MSPs).
- You have to use an EMM provider that supports zero-touch functionality. Moki fully supports zero-touch enrollment on Android Enterprise devices as long as the two above points are met.
For a full breakdown of the requirements, please view this Google support document.
Can a device be removed from the zero-touch program?
Yes. This action results in the device being removed from the zero-touch program. Unlike Apple’s DEP program, devices can be readded to the program in the future.
Can previously purchased devices be retroactively added to the zero-touch program?
Resellers have the ability to do this, but it is up to the reseller to decide if they want to allow it. Resellers are required to verify that the device identifiers (IMEI or serial number) are 100% correct and that the organization owns the devices. The reseller takes all of the risk and will be held responsible if the program is abused.
Are Samsung devices zero-touch enabled?
No. There are solutions, however, via the Samsung Knox portal that allow for a zero-touch-like experience.
What enrollment options do I have with Moki's AE solution?
- NFC (Android 5.0+) - with the use of a provisioning app provided by your EMM of choice on a spare device, simply input basic environment details and bump NFC radios with a fresh factory reset (or brand new out of the box) device to begin provisioning. The device must have an NFC radio in order for this to work.
- Managed Google account (Android 6.0+) - start by setting up a device as usual, including connecting to a network. At the Google account prompt screen, enter the managed Google account information and authenticate as normal.
- DPC identifier (Android 6.0+) - start by setting up a device as usual, including connecting to a network. When prompted to enter a Google account, enter your DPC identifier instead. Please review Moki’s Android Enterprise Documentation for details on how to do this.
- QR code (Android 8.0+) - with a QR code provided by your EMM solution, tap six times on the welcome screen. You will need to connect to a network, and then a QR code scanner app will be downloaded (if needed). Once it is downloaded, you will be prompted to scan the code with your device. Once scanned, the device will install the policy, including applications that have been configured.
- Zero-touch (Android 8.0+) - devices purchased through an authorized reseller may be assigned to a zero-touch customer account, and with a configuration created and assigned, the device will automatically begin zero-touch provisioning as soon as network connectivity is established.
Which AE provisioning method does Moki recommend?
Zero-touch offers the best and easiest enrollment experience and has some protections that are very important for factory reset protection. Once zero-touch is configured, users turn the devices on and connect them to a network. The zero-touch enrollment process will then take over and install any applications and the management policy. If the device is ever factory reset, the zero-touch process will take over again, preventing end-users from using the devices for anything other than what the organization intended.
If zero-touch is not an option, then enrolling devices via the QR code is the next best thing. It allows for a quick and easy enrollment without having to type long, sophisticated enrollment codes into a device. Moki fully supports both of these enrollment methods.
Which Android Enterprise API platform is Moki’s AE solution built off of?
There are two Android Enterprise API solutions. The first is the older Google Play EMM API, and the second is the new Android Management API. The primary reason for Android making the change to the new API is that it removes the requirement for EMMs (MDMs) to develop their own custom device policy controller (DPC) application. The Android Management API comes with its own DPC provided by Google. This Android Management API will be the primary Android Enterprise API going forward, and any new Android Enterprise features will be added here vs. the Google Play EMM API.
Moki's Android Enterprise solution is built on the newer Android Management API, which means that Moki's Android Enterprise solution will continually get updated as Google releases new features and enhancements.
Which Android Enterprise solution set does Moki support?
There are three Enterprise use cases supported on Android Enterprise. The first is BYOD (bring your own device). Employees own these devices, but organizations can manage specific applications or settings on employees' devices. These are applications or settings configurations that employees need to either do their jobs or to maintain compliance with company security policies.
The second use case is company-owned devices for knowledge workers. These devices are devices that companies provide to their employees to perform their jobs. These devices can either be locked down to specific company applications or can be configured with company-specific containers that separate work and personal applications.
The last use case is company-owned devices for dedicated use. These devices can either be employee-facing devices or customer-facing devices. These dedicated devices (formerly called corporate-owned single-use, or COSU) are a subset of company-owned devices that serve a specific purpose. Android comes with a broad set of management features that allow organizations to configure devices for everything from employee-facing factory and industrial environments, to customer-facing signage and kiosk purposes. Dedicated devices are typically locked to a single app or set of apps. Android 6.0+ offers granular control over a device's lock screen, status bar, keyboard, and other key features, to prevent users from enabling other apps or performing other actions on dedicated devices.
Moki's solution is currently built to manage company-owned devices for dedicated use. Moki will continue to build out Android Enterprise so that it can support all of our customers' use cases very soon.
My device failed to enroll in Moki, but the policy installed on the device. How do I fix it?
This is a common issue on Android Enterprise. Although the reason is unknown most of the time, the error can occur if the device times out or if there is an interruption in the internet connection. There are a few options to fix this issue:
- Reboot and reenroll - sometimes a simple reboot will do the trick. Hold down the power button and reboot the device. This should prompt the reinstallation of the policy and should fix the issue.
- Delete the policy manually - if the Settings app is available, go to Settings > Accounts. The policy should be listed there, and you should be able to remove it.
- Factory reset - You can reboot the device into the Recovery Menu and factory reset the device. For instructions on how to reboot your device into the Recovery Menu, please do a Google search with your exact device make and model.
Is Factory Reset Protection available on Moki?
Moki does provide an option that will require users to authenticate via an email address if the device is ever factory reset. FRP will kick in after rebooting from the factory reset.
For devices enrolled via zero-touch, FRP is not needed as the device will automatically reconfigure itself.
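A check for the dedicated-device lockdown and Factory Reset Protection settings discussed in this FAQ, as an added example that is not Moki's code: it lints an Android Management API policy document for a kiosk deployment. The sample policy, package names and the choice of checks are assumptions made for illustration.

```python
import json

# Constructed sample: an Android Management API policy for a kiosk tablet.
SAMPLE_POLICY = json.loads("""
{
  "applications": [
    {"packageName": "com.example.kiosk", "installType": "KIOSK"},
    {"packageName": "com.example.helper", "installType": "FORCE_INSTALLED"}
  ],
  "statusBarDisabled": true,
  "safeBootDisabled": true,
  "factoryResetDisabled": true,
  "frpAdminEmails": []
}
""")


def lint_dedicated_policy(policy, zero_touch=False):
    """Return a list of findings for a dedicated-device (kiosk) policy."""
    findings = []
    apps = policy.get("applications", [])
    kiosk = [a.get("packageName") for a in apps if a.get("installType") == "KIOSK"]
    # A dedicated device is locked to one app (KIOSK) or to a set of apps
    # presented by the kiosk custom launcher.
    if len(kiosk) > 1:
        findings.append("more than one KIOSK app: " + ", ".join(kiosk))
    elif not kiosk and not policy.get("kioskCustomLauncherEnabled", False):
        findings.append("device is not locked to an app or app set")
    # The status bar and safe boot are ways out of the locked app.
    for key in ("statusBarDisabled", "safeBootDisabled"):
        if not policy.get(key, False):
            findings.append(key + " is not set")
    # factoryResetDisabled only blocks a reset from Settings; a reset from the
    # Recovery Menu still works. The device must then return to management:
    # zero-touch re-provisions it, otherwise FRP needs an admin account.
    if not zero_touch and not policy.get("frpAdminEmails"):
        findings.append("no frpAdminEmails and not enrolled via zero-touch")
    return findings


if __name__ == "__main__":
    for finding in lint_dedicated_policy(SAMPLE_POLICY):
        print("FINDING:", finding)
```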
Does Android Enterprise support Android Go devices?
No. Android Go was designed for emerging markets and lacks the hardware and software required to run Android Enterprise.
Does Android Enterprise support the distribution of my private applications?
Yes. The Google Play iFrame now supports the simple process of uploading a private APK for distribution to your devices.