IT admins can deploy devices to corporate users using cloud services, QR code, or Near Field Communication (NFC) provisioning. To get started, download the NfcProvisioning APK and the Android-DeviceOwner APK. For a complete list of requirements, see Implementing Device Management.
Android 12 updates
ACTION_PROVISION_MANAGED_PROFILE is supported only for DPC-first work profile provisioning, in which end users can provision a work profile after downloading the DPC.
DPC developers that want to support QR code or other provisioning methods must implement handlers for the DevicePolicyManager#ACTION_ADMIN_POLICY_COMPLIANCE intent actions. If the DPC doesn't implement these handlers, provisioning will fail.
The ACTION_GET_PROVISIONING_MODE handler includes a new EXTRA_PROVISIONING_ALLOWED_PROVISIONING_MODES extra. The DPC must set the EXTRA_PROVISIONING_MODE extra on its result intent to a value that belongs to that list. If the DPC returns a value that isn't on that list, provisioning will fail.
To further increase the stability, maintainability, and simplicity of flows that happen during the setup wizard, DPC setup can't be started after the end of the setup wizard. DPCs that use the android.intent.category.PROVISIONING_FINALIZATION category with the ADMIN_POLICY_COMPLIANCE intent action to explicitly request being set up prior to the end of the setup wizard can remove that category, as this is now done by default.
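A handler for the ACTION_GET_PROVISIONING_MODE rule above, as an added example that is not code from AOSP or from any particular DPC. The class name GetProvisioningModeActivity and the preference order are assumptions of this example; the DevicePolicyManager constants are the SDK's (API level 31).

```java
import android.app.Activity;
import android.app.admin.DevicePolicyManager;
import android.content.Intent;
import android.os.Bundle;

import java.util.ArrayList;

/**
 * Hypothetical DPC activity, declared in the manifest with an intent filter
 * for DevicePolicyManager.ACTION_GET_PROVISIONING_MODE.
 */
public class GetProvisioningModeActivity extends Activity {

    // Assumed policy for this example: prefer a fully managed device, then a work profile.
    private static final int[] PREFERRED_MODES = {
            DevicePolicyManager.PROVISIONING_MODE_FULLY_MANAGED_DEVICE,
            DevicePolicyManager.PROVISIONING_MODE_MANAGED_PROFILE,
    };

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Android 12 and later: the platform lists the modes it accepts for this device.
        ArrayList<Integer> allowed = getIntent().getIntegerArrayListExtra(
                DevicePolicyManager.EXTRA_PROVISIONING_ALLOWED_PROVISIONING_MODES);

        Integer chosen = null;
        for (int mode : PREFERRED_MODES) {
            // A null list means the caller did not send the extra.
            if (allowed == null || allowed.contains(mode)) {
                chosen = mode;
                break;
            }
        }

        if (chosen == null) {
            // No mode this DPC supports is allowed: cancel rather than return
            // a value outside the list, which fails provisioning anyway.
            setResult(RESULT_CANCELED);
        } else {
            Intent result = new Intent();
            result.putExtra(DevicePolicyManager.EXTRA_PROVISIONING_MODE, chosen.intValue());
            setResult(RESULT_OK, result);
        }
        finish();
    }
}
```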
Managed provisioning is a framework UI flow that ensures users are adequately informed of the implications of setting a device owner or managed profile. Devices that enable default encryption offer a considerably simpler and quicker device management provisioning flow.
During managed provisioning, the managed provisioning component performs the following activities:
- Encrypts the device.
- Creates the managed profile.
- Disables non-required apps.
- Sets the enterprise mobility management (EMM) app as profile or device owner.
In turn, the enterprise mobility management (EMM) app performs the following activities:
- Adds user accounts.
- Enforces device compliance.
- Enables any additional system apps.
During managed provisioning, the framework copies the EMM app into the managed
profile. After provisioning completes, the EMM app's
intent handler is called in the work profile user (for work profile
provisioning) or in the device owner user (for device owner provisioning). The
EMM then adds accounts and enforces policies, after which it calls
setProfileEnabled() to make the launcher icons visible.
Profile owner provisioning
Profile owner provisioning enables the user to have both a work profile (managed profile) and a personal profile on a device. To enable profile owner provisioning, you must send an intent with appropriate extras. For an example, install the TestDPC app (download from Google Play or build from GitHub) on the device, launch the app from the launcher, then follow the app instructions. Provisioning is complete when badged icons appear in the launcher drawer.
The EMM DPC app triggers the creation of the managed profile by sending an
intent with the
action. The following command is a sample intent that triggers the creation of
the managed profile and sets the
DeviceAdminSample as the profile owner:
adb shell am start \
    -a android.app.action.PROVISION_MANAGED_PROFILE \
    -c android.intent.category.DEFAULT \
    -e wifiSsid $(printf '%q' \"WifiSSID\") \
    -e deviceAdminPackage "com.google.android.deviceadminsample" \
    -e android.app.extra.deviceAdminPackageName $(printf '%q' .DeviceAdminSample\$DeviceAdminSampleReceiver) \
    -e android.app.extra.DEFAULT_MANAGED_PROFILE_NAME "My Organisation"
Device owner provisioning with NFC
You can use NFC or cloud services to set up device owner (DO) provisioning during the out-of-box setup process for a device.
When using NFC, you provision devices in DO mode using NFC bump during the initial device setup step. This method requires more bootstrapping, but is low-touch and handles configuring Wi-Fi, installing the DPC, and setting the DPC as device owner.
A typical NFC bundle includes the following:
- EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
- EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_LOCATION
- EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
- EXTRA_PROVISIONING_WIFI_SSID
- EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
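The package checksum is what ties the bundle to one specific DPC build: it is the URL-safe base64 encoding of the SHA-256 digest of the APK served at the download location. The following added example (not code from AOSP or the NfcProvisioning sample) computes it and emits the bundle as the Java properties text carried in the NFC record. The class name and the HTTPS check are this example's own, and the SDK constant behind the PACKAGE_LOCATION entry is EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.StringWriter;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Properties;

public class NfcBundleBuilder {
    // Common prefix of the string values behind DevicePolicyManager.EXTRA_PROVISIONING_*.
    private static final String EXTRA = "android.app.extra.PROVISIONING_";

    /** URL-safe, unpadded base64 of the SHA-256 digest of the DPC APK. */
    static String packageChecksum(Path apk) throws IOException, NoSuchAlgorithmException {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        byte[] buf = new byte[8192];
        try (InputStream in = Files.newInputStream(apk)) {
            for (int n; (n = in.read(buf)) != -1; ) {
                sha256.update(buf, 0, n);
            }
        }
        return Base64.getUrlEncoder().withoutPadding().encodeToString(sha256.digest());
    }

    /** Properties text for the NFC record; hash the exact file the URL will serve. */
    static String buildBundle(Path apk, String pkg, String url, String ssid, String wifiSecurity)
            throws IOException, NoSuchAlgorithmException {
        if (!url.startsWith("https://")) {
            // This example's own policy, not a platform rule.
            throw new IllegalArgumentException("DPC download location is not HTTPS: " + url);
        }
        Properties p = new Properties();
        p.setProperty(EXTRA + "DEVICE_ADMIN_PACKAGE_NAME", pkg);
        p.setProperty(EXTRA + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION", url);
        p.setProperty(EXTRA + "DEVICE_ADMIN_PACKAGE_CHECKSUM", packageChecksum(apk));
        p.setProperty(EXTRA + "WIFI_SSID", ssid);
        p.setProperty(EXTRA + "WIFI_SECURITY_TYPE", wifiSecurity);
        StringWriter out = new StringWriter();
        p.store(out, "managed provisioning NFC bundle");
        return out.toString();
    }

    // Usage: java NfcBundleBuilder.java <dpc.apk> <package> <https-url> <ssid> <security-type>
    public static void main(String[] args) throws Exception {
        System.out.print(buildBundle(Path.of(args[0]), args[1], args[2], args[3], args[4]));
    }
}
```

Recompute the checksum whenever the hosted APK changes; a bundle written for an older build no longer matches the file at the download location.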
Devices must have NFC configured to accept the managed provisioning mimetype
from the setup experience. To configure, ensure
/packages/apps/Nfc/res/values/provisioning.xml contains the following lines:
    <bool name="enable_nfc_provisioning">true</bool>
    <item>application/com.android.managedprovisioning</item>
Provisioning using cloud services
You can provision devices with a device owner or profile owner (work profile) using cloud services. The device collects and uses credentials (or tokens) to perform a lookup to a cloud service, which can then be used to initiate the provisioning process.
Enterprise mobility management benefits
An enterprise mobility management (EMM) app can help by conducting the following tasks:
- Provisioning managed profile.
- Applying security policies.
  - Set password complexity.
  - Lockdowns: disable screenshots, sharing from managed profile, etc.
- Configuring enterprise connectivity.
  - Use WifiEnterpriseConfig to configure corporate Wi-Fi.
  - Configure VPN on the device.
  - Use DPM.setApplicationRestrictions() to configure corporate VPN.
- Enabling corporate app Single Sign-On (SSO).
  - Install desired corporate apps.
  - Use DPM.installKeyPair() to silently install corp client certs.
  - Use DPM.setApplicationRestrictions() to configure hostnames, cert aliases of corporate apps.
Managed provisioning is just one part of the EMM end-to-end workflow, with the end goal of making corporate data accessible to apps in the managed profile or managed device. For testing guidance, see Setting up Device Testing.