So Android is Android right? Well not exactly. There are technically four modes where you can utilise Android on a managed device, but one doesn’t really count anymore because its been deprecated by Google.

Android has come along way in the last few years and has some very interesting and unique features. Some of these features are only available in the different modes, where those modes can only enabled on a device during enrollment.

This may be a little confusing to start with but I’ll explain a bit more in the rest of this article.


So I mentioned that there were four modes for Android. Three of these are available under the term ‘Android Enterprise’ and the fourth is Device Administrator mode, which has been deprecated as of Android 10.

Let’s cover off Android Enterprise.

Work Profile Mode:

In my opinion (and from what I’ve seen) this is the most common implementation of Android Enterprise. It is most suited towards BYOD deployments as you have a fully functional Android device with minimal restrictions on one side, however have a Work Profile (or container) where all your Work Applications are deployed and configured.

From an end-user perspective, they can install all of their personal applications and accounts on the device as per normal. However to access Work Applications they are required to enroll the device into Workspace ONE UEM and instantiate a Work Profile where a curated list of applications can be installed. You as administrator can configure Data Loss Prevention between the Personal and Work side so that data cannot be transferred between, and from an application perspective you have to whitelist applications that can be installed in the Work Profile. Applications can be easily distinguished with the Work Profile applications having a briefcase icon (red/blue/orange depending on the OS version and OEM).

Enrolling a device in Work Profile mode is done by downloading the Workspace ONE Intelligent Hub app (on the Personal side) and completing the enrollment steps. 

Work Managed Device Mode:

Work Managed Device mode implies it is owned by the Organisation. As such, the administrator should have a lot more control of the device, what can be installed and how its configured. When a Work Managed Device device is enrolled there is no personal side, or Work Profile as its fully configured as an enterprise device. An end user cannot install any applications that aren’t whitelisted.

To enroll a device into Work Managed Device mode, this needs to be done during the out of box setup. When the device is first powered on or reset and before you enter a Google Account is the only time that you can get a device into Work Managed Device mode.

To enroll the device into this mode you have 4 options:

  • Option 1: Enter the MDM identifier afw#hub into the Google Account email address field during enrollment. This will download the Intelligent Hub application, install it and then allow for device enrollment.

  • Option 2: Use the NFC Bump method where you have a phone (with NFC) with the Workspace ONE Relay application installed that you “bump” on the back of the target device (also with NFC) that receives the enrollment details and starts the enrollment process. Note that NFC bump isn’t available on Android 10 (where Workspace ONE Relay is installed) as Android Beam functionality is deprecated. You could also write the enrollment details to an NFC tag and enroll the target device by tapping the tag on it.

  • Option 3: QR code enrollment allows the administrator (or end user if that’s how you want to do it) to simply tap 6 times on the ‘Welcome Screen’ which forces the device to download and install a QR Reader app. On certain devices you may find they’ve included a QR Reader in the setup assistant (like below on my Samsung S8+). If there isn’t the functionality already, then youjust need to connect to any available Wifi network or use cellular and the device will download and install the Workspace ONE Intelligent Hub application and complete the enrollment.

 
  • Option 4: Zero Touch Enrollment. This is where a device is purchased by the Organisation through an approved reseller partner. The devices are registered through a Google Zero Touch Enrollment portal and when the devices are first powered and connected to Wifi or the LTE network they are forced to enroll in to Workspace ONE UEM.

There is also Knox Mobile Enrollment which is an alternative to Zero Touch Enrollment for Samsung Devices. I won’t go into detail specifically here, but you can read more about it on the Samsung site.

Fully Managed Device with Work Profile:

As the name suggests, this is kind of a combination of the above two Android Enterprise modes. You still have a fully managed device but a Work Profile is also provisioned on to the device for Work Applications.

You still need to enroll device as if it was going to be used in Work Managed Device, but there is an option in the Workspace ONE UEM Console that if configured puts it into this variant.

This setting can be found at Settings-> System-> Devices & Users -> Android -> Android EMM Registration-> Enrollment Settings

and lastly, the last Android mode…

Android Device Administrator (Android Legacy): As I mentioned above, Google deprecated this mode with Android 10 (released September 2019). At VMware we also refer to as Android Legacy.


We still support this method and if you don’t configure Android Enterprise in the Workspace ONE UEM Console this is what the device will attempt to use.

I believe that all the capabilities of Android Legacy are now in Android Enterprise so I personally don’t recommend using it.

So there you have it. Android Enrollment!