Device management modes
Last updated July 26th, 2023
With Android 11, Google continues to protect user privacy, extending these protections to company-owned devices. Specifically, Google has replaced the device management mode called fully managed device with a work profile with work profile on company-owned device.
Here is a summary of different device management modes and their use cases:
Corporate Owned Business Only (COBO)
-
Summary: An enterprise owns the device, and doesn’t allow personal apps on the device.
-
Control scope: Through a UEM app, the enterprise serves as the device owner which has full control over the entire device.
-
Use case: Enterprises use this model if they need strict control over the entire device and can’t compromise corporate assets by allowing users to install their own apps.
Fully managed device with a work profile (FMDWP)
Deprecated in Android 11.
-
Summary: An enterprise owns the device, allows users to install personal apps, and secures work apps in a work profile.
-
Control scope: The enterprise uses one UEM app to serve as device owner which has control over the entire device, and a second UEM app to serve as profile owner which has control over the work profile.
-
Use case: Enterprises used this model to give users freedom over the apps they installed, were able to fully view and manage personal as well as work apps.
Separated Apps
Exclusive to Samsung Knox devices, and set up only through the Knox Service Plugin (KSP).
-
Summary: An enterprise owns the device, and allows users to install authorized third-party business apps (for example, airline, hotel, or ride-sharing apps) in a securely separated folder.
-
Control scope: Through a UEM app, the enterprise serves as the device owner which has full control over the entire device. Through KSP, the enterprise can set up a Separated Apps folder and identify the apps allowed to be installed inside the folder.
-
Use case: Enterprises use this model if they need strict control over the entire device, but want to enable staff productivity using a separate, lightly managed app folder.
For more detail about using this mode, see Separated Apps.
Work profile on company-owned device (WP-C)
New in Android 11.
-
Summary: An enterprise owns the device, secures work apps in a work profile, and allows users to install personal apps.
-
Control scope: The enterprise uses one UEM app to serve as profile owner with control over the work profile. If the enterprise deploys the work profile from the setup wizard using the provisioning tools added in Android 10, the device is recognized as company-owned and a wider range of asset management and device security policies is made available than that granted to personally-owned devices. Enterprises can still apply policies at the device level as long as they don’t infringe on personal privacy; for details, see Android policies in the personal profile and Knox policies in the personal profile.
-
Use case: Enterprises use this model if they want to give users freedom over the apps they use on company devices without infringing on their user privacy.
For more detail about using this mode, see Google’s EMM migration guidelines (which requires a partner login) or Work profile on company owned devices.
Bring Your Own Device (BYOD)
-
Summary: An employee owns the device, and installs work apps on their device to enable productivity.
-
Control scope: The enterprise uses one UEM app to serve as profile owner with control over work apps in the work profile.
-
Use case: Smaller enterprises might use this model to save on the capital costs associated with buying devices.
Google deprecated the legacy device admin (DA) management mode in Android 10. By November 2, 2020, Google requires app updates to target API level 29 or Android 10. From this date onwards, app updates start throwing exceptions if they call the four deprecated DA policies. For more information, see Device admin deprecation.
On this page
Is this page helpful?