Work profile

The work profile solution set is intended for employee-owned devices and company-owned devices for work and personal use. Corporate apps, data, and management policies are restricted to the work profile. With a work profile, the same device can be used securely and privately for work and personal purposes.

Feature list

required optional advanced not supported


1. Device provisioning

1.1. DPC-first work profile provisioning Android 5.1+
You can provision a work profile after downloading the EMM's DPC from Google Play.
1.5. Zero-touch enrollment Android 8.0+ (Pixel 7.1+)
IT admins can preconfigure devices purchased from authorized resellers and manage them using your EMM console.
1.6. Advanced zero-touch provisioning Android 7.0+
IT admins can automate much of the device enrollment process by deploying DPC registration details through zero-touch enrollment.
1.7 Google Account work profile provisioning Android 5.0+
Enterprises using Google accounts or cloud Identity can set up a work profile with their corporate accounts.
1.9. Direct zero-touch configuration Android 7.0+
IT admins can use the EMM’s console to set up zero-touch devices using the zero-touch iframe.
1.10. Work profile on company-owned devices Android 8.0+
EMMs can enroll company-owned devices that have a work profile.

2. Device security

2.1. Device security challenge Android 5.0+
IT admins can set and enforce a device security challenge (such as PIN/pattern/password) of a certain type and complexity on managed devices.
2.2. Work security challenge Android 7.0+
IT admins can set and enforce a security challenge for apps and data in the work profile that is separate and has different requirements from the device security challenge.
2.3. Advanced passcode management Android 5.0+
IT admins can set up advanced password settings on devices.
2.4. Smart Lock management Android 6.0+
IT admins can manage what trust agents in Android's Smart Lock feature are permitted to unlock devices.
2.5. Wipe and lock Android 5.0+
IT admins can use the EMM’s console to remotely lock and wipe work data from a managed device.
2.6. Compliance enforcement Android 5.0+
The EMM restricts use of work data and apps on devices that aren't in compliance with security policies.
2.7. Default security policies Android 5.0+
EMMs must enforce the specified security policies on devices by default, without requiring IT admins to set up or customize any settings in the EMM's console.
2.9. SafetyNet support N/A
The EMM uses the SafetyNet Attestation API to ensure devices are valid Android devices.
2.10. Verify Apps enforcement Android 5.0+
IT admins can turn on Verify Apps on devices.
2.11. Direct Boot support Android 7.0+
Direct Boot support ensures that the EMM's DPC is active and able to enforce policy, even if an Android 7.0+ device has not been unlocked.
2.12. Hardware security management Android 5.1+
IT admins can lock down hardware elements of a device to ensure data-loss prevention.

3. Account and app management

3.1. Managed Google Play Accounts enterprise enrollment N/A
IT admins can create a managed Google Play Accounts enterprise—an entity that allows managed Google Play to distribute apps to devices.
3.2. Managed Google Play Account provisioning Android 5.0+
The EMM can silently provision enterprise user accounts, called managed Google Play Accounts.
3.5. Silent app distribution N/A
IT admins can silently distribute work apps to devices without any user interaction.
3.6. Managed configuration management Android 5.0+
IT admins can view and silently set managed configurations for any app that supports managed configurations.
3.7. App catalog management N/A
IT admins can import a list of apps approved for their enterprise from managed Google Play (play.google.com/work).
3.8. Programmatic app approval N/A
The EMM's console uses the managed Google Play iframe to support Google Play's app discovery and approval capabilities
3.9. Basic store layout management N/A
The managed Google Play Store app can be used on devices to install and update work apps.
3.10. Advanced store layout configuration N/A
IT admins can customize the store layout seen in the managed Google Play Store app on their devices.
3.11. App license management N/A
IT admins can view and manage app licenses purchased in the managed Google Play from the EMM's console.
3.12. Google-hosted private app management N/A
IT admins can update Google-hosted private apps through the EMM console instead of through the Google Play Console.
3.13. Self-hosted private app management N/A
IT admins can set up and publish self-hosted private apps.
3.14. EMM pull notifications N/A
The EMM uses pull notifications to receive Play event notifications in real-time
3.15. API usage requirements N/A
The EMM implements Google's APIs at scale, avoiding traffic patterns that could negatively impact enterprises' ability to manage apps in production environments.
3.16. Advanced managed configuration management Android 5.0+
The EMM supports managed configurations with up to four levels of nested settings and can retrieve and display any feedback sent from a Play app.
3.17. Web app management N/A
IT admins can create and distribute web apps in the EMM console.
3.18. Managed Google Play Account lifecycle management Android 5.0+
The EMM can create, update, and delete managed Google Play Accounts on behalf of IT admins.
3.19. Application track management Android 5.0+
IT Admins can set up a set of development tracks for particular applications.

4. Device management

4.1. Runtime permission policy management Android 6.0+
IT admins can silently set a default response to runtime permission requests made by work apps.
4.2. Runtime permission grant state management Android 6.0+
After setting a default runtime permission policy, IT admins can silently set responses for specific permissions from any work app built on API 23 or above.
4.3. Wi-Fi configuration management Android 6.0+
IT admins can silently provision enterprise Wi-Fi configurations on managed devices.
4.4. Wi-Fi security management Android 6.0+
IT admins can provision enterprise Wi-Fi configurations on managed devices.
4.6. Account management Android 5.0+
IT admins can ensure that unauthorized corporate accounts can't interact with corporate data for services such as SaaS storage and productivity apps, or email.
4.7. Workspace account management Android 5.0+
IT admins can ensure that unauthorized Workspace accounts can't interact with corporate data.
4.8. Certificate management Android 5.0+
Allows IT admins to deploy identity certificates and certificate authorities to devices to allow access to corporate resources.
4.9. Advanced certificate management Android 7.0+
Allows IT admins to silently select the certificates that specific managed apps should use.
4.10. Delegated certificate management Android 6.0+
IT admins can distribute a third-party certificate management app to devices and grant that app privileged access to install certificates into the managed keystore.
4.11. Advanced VPN management Android 7.0+
Allows IT admins to specify an Always On VPN to ensure that data from specified managed apps will go through a set-up VPN.
4.12. IME management Android 5.0+
IT admins can manage what input methods (IMEs) are allowed on devices.
4.14. Accessibility services management Android 5.0+
IT admins can manage what accessibility services are allowed on devices.
4.15. Location Sharing management Android 5.0+
IT admins can prevent sharing location data with apps in the work profile.
4.17. Factory reset protection management Android 5.1+
Allows IT admins to protect company-owned devices from theft by ensuring unauthorized individuals can't factory reset devices.
4.19. Screen capture management Android 5.0+
IT admins can block users from taking screenshots when using managed apps.
4.21. Network statistics collection Android 6.0+
IT admins can query network usage statistics from a device's work profile.

5. Device usability

5.1. Managed provisioning customization Android 7.0+
IT admins can modify the default setup flow UX to include enterprise-specific features.
5.2. Enterprise customization Android 7.0+
IT admins can customize aspects of the work profile with corporate branding, for instance by setting the work profile user icon to the corporate logo, or setting up the background color of the work challenge.
5.6. Cross-profile contact management Android 7.0+
IT admins can manage what contact data can leave the work profile.
5.7. Cross-profile data management Android 6.0+
Grants IT admins control over what data can leave the work profile, beyond the default security features of the work profile.
5.10. Persistent preferred activity management Android 5.0+
Allows IT admins to set an app as the default intent handler for intents that match a certain intent filter.
5.11. Keyguard feature management Android 7.0+
IT admins can manage the features available before unlocking the device keyguard (lock screen) and the work challenge keyguard (lock screen).
5.12. Advanced keyguard feature management Android 5.0+
IT admins can manage advanced device keyguard (lock screen) features.
5.17. Work profile policy transparency management Android 9.0+
IT admins can customize the message displayed when removing the work profile from a device.
5.18. Connected app support Android 9.0+
IT admins can set a list of packages that can communicate across the work profile boundary.

6. Device admin deprecation

6. Device admin deprecation Android 5.0+
EMMs are required to post a plan by the end of 2021 ending support for Device Admin on GMS devices by the end of 2022.