Android powers roughly 70% of the global smartphone market. In enterprise environments, that translates to thousands of Samsung, Google Pixel, and other Android devices that IT teams need to configure, secure, and maintain. Android device management is the practice of controlling these devices remotely through an MDM solution connected to Android Enterprise.
This guide walks through how Android device management works, which enrollment modes to use, how to enforce security policies, and how to distribute apps across your fleet.
Benefits of Android MDM
Deploying an MDM solution across your Android fleet delivers measurable returns in four areas.
Security at Scale
Centralized policy enforcement means every device meets the same security baseline: encryption enabled, screen lock required, OS version current. When a device falls out of compliance, the MDM can automatically block access to corporate resources until the issue is resolved. This closes the gap between writing a security policy and actually enforcing it across thousands of devices.
Operational Efficiency
Silent app installs, remote configuration, and zero-touch enrollment eliminate manual setup work. An IT team that previously spent 20 minutes configuring each device can deploy hundreds of phones without touching a single one. That time goes back to higher-value work.
Employee Productivity
Users receive a fully configured device with all required apps, Wi-Fi settings, and email accounts ready on first boot. No setup wizards, no app store searches, no support tickets for missing configurations. Work Profile deployments let employees pause work notifications after hours, which improves satisfaction without compromising security.
Cost Reduction
Fewer support tickets, faster device provisioning, and automated compliance monitoring reduce the per-device management cost. Extending device lifecycles through proper patch management and remote diagnostics delays hardware refresh cycles, further lowering total cost of ownership.
How Android Device Management Works
Google built Android Enterprise as the official framework for managing Android devices in business environments. It replaced the older Device Admin API (deprecated since Android 10) with a more secure, consistent management layer.
The architecture is straightforward: your MDM server communicates with Google's EMM APIs. When an admin pushes a policy or app, the command reaches the device through Google Play services. The device applies the change without requiring a custom agent running in the background.
Android Enterprise works on any device running Android 6.0 or later that has Google Play services. For Samsung devices, you get additional controls through Samsung Knox, which adds hardware-backed security features and a richer set of management APIs on top of Android Enterprise.
Android Enterprise Enrollment Modes
The enrollment mode you choose depends on who owns the device and how much control you need.
Fully Managed Device
For corporate-owned devices where the organization controls everything. The entire device is under MDM management. There is no personal profile. IT can enforce any restriction, install or remove any app, and wipe the device at will.
This mode is ideal for shared devices (warehouse scanners, delivery tablets, retail kiosks) and for employees who receive a dedicated work phone. Enrollment happens during the initial device setup: the user taps the welcome screen six times to trigger QR code scanning, scans the enrollment QR code, and the device configures itself.
Work Profile on Company-Owned Device
Introduced in Android 11, this mode gives IT full device control while still creating a separate Work Profile for business apps. The user can use the device personally (install personal apps, use personal Google account) but the Work Profile keeps corporate data isolated. IT can wipe the Work Profile without touching personal data, or wipe the entire device if needed.
This is the best option when you issue company phones but want to allow some personal use. Employees get flexibility; IT gets the security controls of a fully managed device.
Work Profile on Personal Device (BYOD)
For bring-your-own-device scenarios. The Work Profile creates a separate container on the employee's personal phone. Corporate apps and data live inside this container, encrypted and managed by IT. Personal apps and data remain untouched. IT cannot see personal apps, photos, browsing history, or location.
The Work Profile appears as a tabbed section in the app drawer with a briefcase badge on managed apps. Users can pause the Work Profile outside of business hours, which suspends all work notifications and data sync.
Dedicated Device (Kiosk Mode)
For single-purpose devices: digital signage, point-of-sale terminals, warehouse scanners, or field equipment. Kiosk mode locks the device to one or a few approved apps. The user cannot access Settings, install apps, or exit the designated application.
Dedicated devices are enrolled as fully managed and then locked down with a kiosk policy. They typically run unattended and may be shared among multiple workers across shifts.
Choosing the Right Enrollment Mode
| Mode | Device Owner | IT Control | Personal Use | Best For |
|---|---|---|---|---|
| Fully Managed | Company | Full | None | Shared devices, kiosks, warehouse |
| Work Profile (COPE) | Company | Full + Work Profile | Allowed | Company phones with personal use |
| Work Profile (BYOD) | Employee | Work Profile only | Untouched | Personal phones with work access |
| Dedicated | Company | Full + locked | None | Single-app kiosks, signage, POS |
Security Policies for Android Fleets
Managing Android devices is primarily about enforcing security at scale. Here are the policies that every Android deployment should include.
Password and Screen Lock
Enforce a minimum password complexity (numeric, alphanumeric, or biometric). Set auto-lock timers and a maximum number of failed attempts before the device wipes. For Work Profile deployments, you can require a separate password for the work container, adding a second layer of protection for corporate data.
Encryption
All Android devices running 6.0+ support file-based encryption. MDM can verify that encryption is active and block access to corporate resources on unencrypted devices. Samsung Knox adds hardware-level encryption for the Knox container, which is certified for government use in several countries.
Compliance Policies
Define what makes a device compliant: minimum OS version, encryption enabled, no root access, approved device model. Non-compliant devices can be blocked from accessing corporate email, VPN, or apps until the issue is resolved. This automated enforcement replaces manual auditing and ensures your security posture stays consistent across thousands of devices.
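An evaluation of the rules in this section over a constructed device inventory, as an added example rather than any MDM product's code; the field names, thresholds, model identifiers and device records are assumptions made for illustration, and an unreadable patch level is treated as non-compliant (fail closed):

```python
"""Compliance evaluation over device inventory records: example added to this article,
not any MDM product's code. Field names, thresholds and sample devices are constructed."""
from datetime import date
from typing import NamedTuple

class DeviceReport(NamedTuple):
    device_id: str
    model: str
    os_version: str       # as reported by the device, e.g. "14" or "13.0.1"
    security_patch: str   # Android security patch level, "YYYY-MM-DD"
    encrypted: bool
    rooted: bool

class ComplianceRules(NamedTuple):
    min_os_version: tuple      # (major, minor)
    max_patch_age_days: int    # how stale the security patch level may be
    approved_models: frozenset
    today: date                # injected so evaluation is reproducible

def parse_version(version: str) -> tuple:
    """Turn "14" or "13.0.1" into a comparable (major, minor) tuple."""
    parts = [int(p) if p.isdigit() else 0 for p in version.split(".")]
    parts += [0] * (2 - len(parts))
    return tuple(parts[:2])

def evaluate(report: DeviceReport, rules: ComplianceRules) -> list:
    """Return the names of failed checks; an empty list means compliant."""
    failures = []
    if report.rooted:
        failures.append("rooted")
    if not report.encrypted:
        failures.append("encryption_off")
    if parse_version(report.os_version) < rules.min_os_version:
        failures.append("os_too_old")
    try:
        age = (rules.today - date.fromisoformat(report.security_patch)).days
    except ValueError:
        age = None   # unparseable or missing patch level: fail closed
    if age is None or age > rules.max_patch_age_days:
        failures.append("security_patch_stale")
    if report.model not in rules.approved_models:
        failures.append("model_not_approved")
    return failures

# Constructed sample fleet, evaluated as of a fixed date.
RULES = ComplianceRules((13, 0), 90, frozenset({"Pixel 8", "SM-A546B"}), date(2025, 3, 1))
FLEET = [
    DeviceReport("d1", "Pixel 8", "14", "2025-01-05", True, False),
    DeviceReport("d2", "SM-A546B", "13.0.1", "2024-10-05", True, False),
    DeviceReport("d3", "Unknown-X1", "12", "n/a", False, True),
]

def fleet_decisions() -> dict:
    """Map device id to ("allow", []) or ("block", failures); blocked devices lose
    corporate email, VPN and apps until every listed check passes."""
    results = {d.device_id: evaluate(d, RULES) for d in FLEET}
    return {k: ("allow", []) if not v else ("block", v) for k, v in results.items()}
```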
Network Controls
Push Wi-Fi configurations with enterprise certificates. Configure always-on VPN so all work traffic routes through your network. Restrict USB debugging and file transfer to prevent data exfiltration through physical connections.
Lost Device Response
Remote lock displays a custom screen with contact information. Remote wipe erases all data (or just the Work Profile on BYOD devices). For Samsung Knox devices, you can also trigger a remote ring at full volume to locate a misplaced device in an office or warehouse.
App Distribution on Android
Managed Google Play is the official channel for distributing apps to managed Android devices. It replaces the need for sideloading APKs or maintaining your own app repository.
Public Apps
Select apps from the Play Store and approve them for your organization. Approved apps appear in the managed Work Profile. You can silently install required apps (on fully managed and company-owned devices) or make them available for optional download.
Private Apps
Upload your own APKs to Managed Google Play as private apps. They are visible only to your organization. This is how most companies distribute internal tools, custom field apps, or proprietary line-of-business applications.
For organizations that need a branded app catalog across both Android and iOS, Appaloosa provides an enterprise app store that unifies distribution in a single interface.
Managed Configurations
Many enterprise apps support managed configurations (also called app restrictions). This lets you pre-configure server URLs, authentication settings, and feature toggles before the app reaches the user. For example, you can push Microsoft Teams with your tenant ID pre-filled, or configure a custom field app to point to the correct API endpoint per region.
Zero-Touch Enrollment
Zero-touch enrollment is Android's equivalent of Apple's Automated Device Enrollment. When you buy devices from a zero-touch partner (Samsung, Google, Lenovo, and most major manufacturers), the devices are registered in the zero-touch portal. On first boot, the device automatically enrolls in your MDM server without any manual steps.
This is the recommended enrollment method for any corporate-owned Android deployment. IT ships the device to the employee, the employee powers it on, connects to Wi-Fi, and the device configures itself with all policies, apps, and settings.
Zero-touch enrollment also provides persistence: if someone factory resets the device, it re-enrolls automatically on the next setup. This prevents employees from removing management and protects against stolen devices being repurposed.
How to Configure an Android MDM App: Step by Step
Setting up MDM on Android follows a predictable sequence. Here is a walkthrough of each phase.
Step 1: Link Android Enterprise to Your MDM
Log into your MDM admin console and navigate to the Android Enterprise setup. You will be prompted to sign in with a Google account to create (or link) a managed Google Play enterprise. This binds your MDM to Google's management APIs and activates Managed Google Play for your organization. The process takes about two minutes.
Step 2: Create Your First Policy Profile
A policy profile defines what happens on the device once it enrolls. Start with a baseline profile that covers:
- Password requirements (complexity, minimum length, auto-lock timeout)
- Encryption enforcement
- Wi-Fi configuration with enterprise certificates
- Compliance rules (minimum OS version, security patch level)
Create separate profiles for each enrollment mode (fully managed, Work Profile, dedicated) since each mode supports a different set of restrictions.
Step 3: Configure App Deployment
Navigate to the application management section of your policy. Add apps from three possible sources:
- Managed Google Play: search for public apps, approve them, and add them to the policy
- Private apps: upload your own APKs as private apps visible only to your organization
- Web apps: create home screen shortcuts to web applications
For each app, choose an assignment type. Force-installed apps deploy silently and cannot be removed by users. Pre-installed apps deploy automatically, but users can uninstall them. Required-for-setup apps must finish installing before the device becomes usable, ensuring critical security or productivity tools are present from the start.
Step 4: Enroll Your First Device
For a quick test, use QR code enrollment: factory-reset a device, tap the welcome screen six times, scan the QR code generated by your MDM, and watch the device configure itself. Confirm that your policies apply correctly, apps install, and Wi-Fi connects. Then move to zero-touch enrollment for production deployments.
Step 5: Scale with Zero-Touch
Register your MDM configuration in the zero-touch portal. When your reseller ships new devices, they are pre-assigned to your MDM. Each device enrolls automatically on first boot with no manual steps required. This is the recommended approach for any deployment larger than a handful of devices.
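The QR code enrollment in Step 4 works because the payload the device scans tells it where to fetch the management app (the DPC) and which checksum the download must match. This added example, not code from any MDM vendor, builds such a payload and verifies a downloaded APK against it; the component name, URL, Wi-Fi values, APK bytes and certificate bytes are constructed placeholders, and the checksum encoding is as I recall from the Android provisioning documentation, so confirm it against the current reference before use.

```python
"""Provisioning QR payload for fully managed enrollment: example added to this article,
not any MDM vendor's code. Component name, download URL, Wi-Fi values, APK bytes and
signing certificate bytes below are constructed placeholders."""
import base64
import hashlib
import hmac
import json

def urlsafe_sha256(data: bytes) -> str:
    """SHA-256 as URL-safe base64 without padding, the form the provisioning checksum
    extras expect (assumption from the docs as I recall them; verify before use)."""
    return base64.urlsafe_b64encode(hashlib.sha256(data).digest()).decode("ascii").rstrip("=")

def build_qr_payload(component: str, download_url: str, apk: bytes,
                     signing_cert_der: bytes, wifi: dict) -> str:
    """Return the JSON the device parses after the six-tap gesture on the welcome screen.
    The checksums let the device refuse a DPC that differs from what IT published:
    PACKAGE_CHECKSUM pins this exact APK build, SIGNATURE_CHECKSUM pins the signing cert.
    Either one suffices; this example sets both."""
    payload = {
        "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": component,
        # Serve the DPC over HTTPS only; the checksum guards integrity, not confidentiality.
        "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": download_url,
        "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM": urlsafe_sha256(apk),
        "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": urlsafe_sha256(signing_cert_der),
        "android.app.extra.PROVISIONING_WIFI_SSID": wifi["ssid"],
        "android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE": wifi["security"],
        "android.app.extra.PROVISIONING_WIFI_PASSWORD": wifi["password"],
        # Keep device encryption mandatory during setup (the Encryption policy, applied
        # before the device is usable rather than checked afterwards).
        "android.app.extra.PROVISIONING_SKIP_ENCRYPTION": False,
    }
    return json.dumps(payload, separators=(",", ":"))

def verify_downloaded_apk(payload_json: str, downloaded_apk: bytes) -> bool:
    """Recompute the package checksum over the bytes actually downloaded and compare in
    constant time; a mismatch means the download must not be installed."""
    key = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM"
    expected = json.loads(payload_json)[key]
    return hmac.compare_digest(expected, urlsafe_sha256(downloaded_apk))

# Constructed inputs: not a real DPC, URL, certificate or network.
SAMPLE_APK = b"constructed-dpc-apk-bytes"
SAMPLE_CERT = b"constructed-signing-certificate-der"
SAMPLE_WIFI = {"ssid": "corp-setup", "security": "WPA", "password": "constructed-psk"}

def sample_payload() -> str:
    return build_qr_payload("com.example.dpc/.AdminReceiver",
                            "https://mdm.example.invalid/dpc.apk",
                            SAMPLE_APK, SAMPLE_CERT, SAMPLE_WIFI)
```

The payload carries the Wi-Fi password in clear, so treat the QR image as a credential and use a setup-only network rather than your production SSID.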
Managing Samsung Devices with Knox
Samsung devices represent a significant portion of enterprise Android fleets. Samsung Knox adds capabilities beyond standard Android Enterprise:
Knox Platform for Enterprise (KPE). Hardware-backed encryption, certificate management, and VPN configuration that goes deeper than stock Android. KPE enables features like dual DAR (Data at Rest) encryption for government compliance.
Knox Mobile Enrollment (KME). Samsung's own zero-touch system, which works alongside Google's zero-touch. If your devices are purchased through Samsung's channel, KME provides a similar auto-enrollment experience.
Knox E-FOTA. Enterprise Firmware Over The Air lets you control which firmware version your Samsung devices run. You can test a new Android version on a pilot group before approving it for the full fleet, preventing surprise OS updates from breaking critical apps.
Android Enterprise Recommended: Choosing the Right Devices
Google's Android Enterprise Recommended (AER) program certifies devices that meet specific enterprise standards. AER devices guarantee:
- Minimum hardware specs for business workloads
- Regular security patches within 90 days of release
- Consistent zero-touch enrollment support
- At least 3 years of security updates
Samsung Galaxy A and S series, Google Pixel, and select Motorola and Nokia devices are commonly AER-certified. If you are refreshing your fleet, stick to the AER device list to avoid management headaches down the road.
The AER program also certifies MDM providers and enterprise service partners, so you can verify that your entire toolchain meets Google's bar for enterprise readiness.
What Changed in Android 14 and 15 for Enterprise
Google continues to tighten the enterprise management framework. Android 14 introduced credential management APIs that let MDM solutions provision certificates directly into the system trust store, eliminating the need for users to manually install corporate CA certificates. It also added support for ultra-wideband (UWB) management policies for organizations using UWB-based asset tracking or access control.
Android 15 brought improvements to Work Profile isolation. Cross-profile data sharing controls became more granular: admins can now specify exactly which apps are allowed to share data between personal and work profiles, down to the content type (images, files, text). This addresses a long-standing concern where broad cross-profile policies either blocked too much or allowed too much.
Google also expanded the set of restrictions available on dedicated devices. Screen brightness, volume, and timeout settings can now be locked by policy, which matters for kiosk deployments where end users previously found creative ways to change display settings.
Android MDM vs. iOS MDM: Key Differences
IT teams managing mixed fleets often ask how Android management compares to Apple's approach. The architectures differ, but the result is similar.
Enrollment. Apple uses Automated Device Enrollment (ADE) through Apple Business Manager. Android uses zero-touch enrollment through device manufacturers. Both achieve the same goal: hands-free provisioning of corporate devices.
App distribution. Apple routes enterprise apps through Apple Business Manager with VPP licenses. Android uses Managed Google Play. Both support silent installation on fully managed devices. Appaloosa unifies both channels into a single app management layer.
BYOD isolation. Android's Work Profile creates a visible, pausable container. Apple uses managed apps and managed open-in restrictions, which are less visible to the user but achieve comparable data separation.
Update control. Samsung Knox E-FOTA gives Android admins firmware-level update control. Apple provides 90-day deferral periods for major OS updates. Neither platform gives admins complete control, but both offer enough to prevent surprise updates from breaking production apps.
Device variety. iOS runs on a handful of Apple-made devices. Android runs on hundreds of models. This makes Android management more complex to test but more flexible in terms of hardware options and price points.
Managing Android Alongside iOS
Most enterprise fleets include both Android and iOS devices. When implementing cross-platform MDM, keep these considerations in mind:
- Separate policies, consistent standards. Android and iOS have different management APIs and capabilities. Create platform-specific policies but align them on the same security requirements: encryption, minimum OS version, password complexity, and compliance actions.
- Understand platform differences. Android's Work Profile creates a visible container with a briefcase badge. Apple uses managed apps and managed open-in restrictions that are less visible to users. Both achieve data separation, but the user experience differs.
- Unified app distribution. Use an MDM that handles both Managed Google Play and Apple's Volume Purchase Program from a single console. Appaloosa's MAM platform unifies app distribution across both ecosystems, reducing the overhead of maintaining parallel workflows.
- Test on both platforms. An app that works perfectly on Android may behave differently under Apple's managed app framework, and vice versa. Always validate your critical business apps on both platforms before rolling out to production.
Common Android Management Challenges
Device Fragmentation
Android runs on hundreds of device models from dozens of manufacturers. Not every device supports every MDM feature. The solution is to maintain an approved device list and standardize on a few models per use case. Samsung and Google Pixel devices offer the most consistent management experience because they receive security patches promptly and support the full Android Enterprise feature set.
OS Version Gaps
Unlike iOS, Android updates depend on the manufacturer. Some devices lag months behind on security patches. Enforce a minimum security patch level through compliance policies and block non-compliant devices from corporate resources until they update.
BYOD User Adoption
Employees sometimes resist installing a Work Profile on their personal phone. Clear communication helps: explain that IT cannot see personal data, that the Work Profile can be paused, and that removing the Work Profile only deletes corporate data. A transparent privacy policy goes further than any technical measure.
Getting Started
If you are setting up Android device management for the first time:
1. Create an Android Enterprise account. Bind your organization's Google account to your MDM solution. This activates Managed Google Play and enables enterprise enrollment.
2. Choose your enrollment modes. Fully managed for corporate-owned, Work Profile for BYOD, dedicated for kiosks and shared devices.
3. Register devices for zero-touch. Contact your device reseller to add your devices to the zero-touch portal and assign them to your MDM server.
4. Define security policies. Start with password, encryption, and compliance requirements. Layer on network and app restrictions based on your security needs.
5. Approve and assign apps. Set up Managed Google Play, approve the apps your teams need, and configure silent installation for required apps.
6. Pilot and expand. Test with a small group across different device models and enrollment modes. Validate that policies apply correctly before rolling out to the full fleet.
Android device management has matured to the point where it matches iOS in enterprise readiness. Work Profiles, zero-touch enrollment, Managed Google Play, Samsung Knox, and ongoing improvements in each Android release give IT teams full control over corporate devices and data. The key is choosing the right enrollment mode for each use case and enforcing consistent security policies across your fleet.
If you are evaluating MDM solutions for Android, Appaloosa supports the full Android Enterprise feature set, including zero-touch, kiosk mode, and app distribution through a unified console.