Security
49 Topics

Need Help with QR Enrollment for Multiple Devices in Educational Environment – Is External MDM Required?

Hi everyone,

I'm managing a large number of Android tablets in an educational environment. I'm trying to enroll the devices using Android Enterprise with QR code enrollment, but I'm having trouble getting the QR method to appear. So far, only Zero-Touch shows as an option, but most of our devices were not purchased through Zero-Touch resellers, so we can't use that method.

My main question is: Is it strictly necessary to use an external MDM (like Miradore, Intune, etc.) to generate the QR code, or is there a way to create and use it directly from the Google Admin console or natively through Android Enterprise?

We want to deploy the tablets efficiently and avoid entering accounts manually. Ideally, each device would automatically enroll with our managed Google Play account by scanning a QR code after a factory reset. This is especially important in a school context, where we have many students and limited time for configuration.

We are already registered in Google Workspace, and the tablets are in a dedicated organizational unit for students. The admin account is managed, and we are using the Android Enterprise platform linked to our domain.

For reference, here are two YouTube videos showing the configuration steps I followed (which reflect our current setup):
https://www.youtube.com/watch?v=jI-C_y1u8jE
https://www.youtube.com/watch?v=h__pvfp559Q

Any advice or clarification would be greatly appreciated. Especially if there’s a native way to enable QR enrollment without needing a full external MDM platform.

Thanks in advance!

22 Views, 0 likes, 1 Comment

OEM Unlock toggle not available

Hi all,

Recently joined the community, first time poster here. TL;DR at the bottom. Hopefully my question has a simple solution but I've looked everywhere (except here of course). I'll try to keep this as simple as possible. Everything is in UAT if that matters.

The important bits:
- Pixel 8a
- Build BP1A.250505.005.B1
- No SIM or eSIM
- Android Enterprise registered to my UAT Tenant

I'm testing some scenarios for automating device compliance with Omnissa using Workspace ONE Intelligence. To test this successfully I'm going to need to flash back to an older Build and probably more than once for demo purposes. The OEM Unlock toggle is not available however, and this is preventing me from doing my testing. I've read conflicting posts elsewhere regarding carrier unlock, SIM and/or eSIM etc. ADB is working fine but flashing older images is just not working.

Any help from the community on how to get OEM unlock enabled would be greatly appreciated.

TL;DR: Need to flash a pre 250505 build to my Pixel 8a. Can't toggle OEM unlock as it's greyed out.

66 Views, 0 likes, 3 Comments

Introducing The Secure Element podcast - Episode #1 is LIVE!

Hey friends,

I'm pleased to announce the launch of our brand new security podcast: "The Secure Element"! This podcast is dedicated to all things security, covering topics relevant to our community and beyond. Plus, I am joined by some incredible people across the ecosystem along the way.

We're kicking things off with our first episode, featuring special guest Bhavesh Kumar, Senior Director of Product Management at Omnissa.

In Episode 1, we dive into:
- UEM controls to manage security
- Ecosystem of malware protection
- New capabilities for Device Trust principles

You can listen to the first episode below:

We'd love to carry on the conversation after you have listened/watched the video, so please do share your thoughts on any of the topics discussed in the comments below and/or any suggestions you might have for future topics.

Stay secure,
Burr

564 Views, 12 likes, 1 Comment

Play Protect Blocking Custom DPC Apps — How to Get Approval or Alternatives?

Hi everyone,

I'm a developer who helps enterprises build custom DPC (Device Policy Controller) Reference Documentation apps to manage Android devices based on their unique requirements. Recently, Play Protect has started blocking the installation of custom DPC apps, even when these apps are signed and used internally. The warning claims the app may pose a risk due to access to sensitive data - even though it's strictly for enterprise use.

To make things more difficult:
- Google is no longer accepting registration of custom DPC apps with Android Enterprise, which limits official distribution and management options.
- Android Management APIs don’t support all use cases, and also have a quota limit.
- I’ve applied twice to join the Android Enterprise portal to build a SaaS-based device management platform, but both requests were rejected without a clear reason.

My questions for the community:
- Is there any official way to get a custom DPC app approved or whitelisted by Play Protect?
- Are there any alternative ways to manage Android devices at scale (outside of AMAPI or legacy EMM)?
- How can new developers or startups gain access to Android Enterprise features when onboarding is currently restricted?

Any help, direction, or shared experience would be greatly appreciated.

Thanks,
Kulwinder

220 Views, 4 likes, 4 Comments

Issue with Copy/Paste Restriction in Intune MDM on Android Devices (Clipboard Editor Interaction)

Hi all,

I’m currently experiencing an issue while setting up Intune MDM on Android devices related to restricting copy and paste to unmanaged apps. Specifically, the issue occurs when users copy text from the Teams app and try to paste within the Teams app.

Here's what happens: After copying text, a message "Your organisation's data cannot be pasted here" immediately appears in the clipboard hud. The copied data seems blocked from being viewed, as the error message appears even before a paste attempt. Despite this, users can manually paste the copied content by long-pressing or selecting "Paste" from the text box. However, when trying to use the "paste from clipboard" feature, the warning message above is pasted instead of the copied content.

We’ve set the Intune policy to allow copy/paste within managed apps, but the clipboard interaction seems to be problematic, especially with Gboard. It appears that Gboard, possibly due to Android 13 and 14’s Clipboard Editor, is treated as an unmanaged app, causing Intune’s data protection policies to block its access to the clipboard in a read-only state.

Just to clarify: I want users to be able to copy and paste text within managed apps only. So the allowed behavior of pasting with long press is fine, but I want to get rid of the block that we're getting.

Here’s what we’ve tried: Added various exclusions to the Intune policy, including Gboard, Clipboard Editor, and other related apps (full list below), but the issue persists. Testing different configurations hasn’t led to a final solution, and there seems to be limited documentation specifically addressing this clipboard component in relation to Intune's data policies.

We’ve escalated the issue internally but wanted to see if anyone in the community has encountered a similar problem or found a solution.

Here’s the list of exclusions we’ve already added to the policy:
- Clipboard: com.android.clipboard
- SMS: com.google.android.apps.messaging
- SMS: com.android.mms
- SMS: com.samsung.android.messaging
- Native phone app: com.android.phone
- Google Play Store: com.android.vending
- Android system settings: com.android.providers.settings
- Android system settings: com.android.settings
- Google Maps: com.google.android.apps.maps
- Gboard: com.google.android.inputmethod.english
- Samsung: com.sec.android.inputmethod
- Gboard: com.google.android.inputmethod.latin
- Gboard: com.google.android.apps.inputmethod.hindi
- Gboard: com.google.android.inputmethod.pinyin
- Gboard: com.google.android.inputmethod.japanese
- Gboard: com.google.android.inputmethod.korean
- Gboard: com.google.android.apps.handwriting.ime
- Gboard: com.google.android.googlequicksearchbox
- Gboard: com.samsung.android.svoiceime
- Gboard: com.samsung.android.honeyboard
- Gboard: com.android.inputmethod.latin
- Teams app: com.microsoft.teams

Any insights or suggestions would be greatly appreciated! This is my first time posting so apologies if this is the wrong space.

1.8K Views, 3 likes, 6 Comments

Google services

We have a cloud customer on SOTI MobiControl who wants to block all outbound traffic in their firewall and only allow what is strictly required. I’ve provided the customer with the official system requirements for SOTI MobiControl and Android Enterprise. However, the customer is only familiar with managing Apple devices and is looking to open the absolute minimum necessary for Android Enterprise to function — particularly avoiding wildcard domains (*) where possible.

Can anyone help clarify which Android Enterprise network requirements are actually essential, especially when it comes to Google services, and which ones we can safely leave out? No file sharing, and remote control will be allowed by the customer.

47 Views, 0 likes, 1 Comment

Device Attestation: Auto-Select Client Cert + User Login on Android

Hi everyone,

I’m trying to use client certificate authentication (mTLS) with Chrome Custom Tabs on Android. We want to automatically select the client certificate without prompting the user, and also ask for their username and password as part of the login process. This way, we can combine both certificate-based authentication and user credentials for device attestation.

On desktop Chrome, this can be done using a policy like AutoselectCertificateForUrls, but it seems this doesn’t work on Android. If this is a known limitation, is there a way to request this feature from the Android or Chrome team?

23 Views, 1 like, 1 Comment

[Guide] Learn more about Generative AI controls from Android Enterprise

Hey everyone,

As generative AI increasingly integrates into the workplace, we recognize that your teams may already be exploring these experiences. Android Enterprise is here to help provide the effective control and secure deployment for the generative AI experiences your teams use every day, ensuring you can leverage this technology securely.

We’ve heard your questions here in the Customer Community about controlling business data and managing AI tools on Android, and so I’m pleased to share with you this Guide to Generative AI controls, which covers key business concerns, from ensuring the security and integrity of company data to exploring Android Enterprise and Google controls for generative AI experiences. We hope this guide will provide insights into the ways you can leverage the power of generative AI in your business, while implementing the necessary controls to protect your data.

Get the insights today → Android Enterprise Guide: Generative AI controls

For more details, please also view this Help Center article.

AI is ever evolving, so we’d love to keep the conversation going here in the community. Are there any other things related to AI that you would like to hear more about? Are you finding that employees in your company are keen to use AI in the workplace?

Thanks,
Lizzie

*Help Center article added May 15, 2025

309 Views, 6 likes, 9 Comments

[Product Update] Introducing Device Trust from Android Enterprise

In today's world, our smartphones and tablets have become essential tools for getting work done, wherever we are. This "mobile-first" reality means that keeping company data secure on these devices is more critical than ever. Traditional security methods, like just having a firewall around the office network, aren't enough anymore.

That's why Android Enterprise supports a Zero Trust security model. Think of it like this: instead of automatically trusting everyone inside the network, Zero Trust assumes nothing and verifies everything before granting access to sensitive information. With 63% of organizations worldwide having partially or fully implemented a Zero Touch strategy, and 96% of organizations favoring this approach, Zero Trust has become the standard for security across organizations. Android is making it easier than ever to bring this Zero Trust framework to your mobile workforce with Device Trust from Android Enterprise.*

What exactly is Device Trust from Android Enterprise?

Simply put, Device Trust from Android Enterprise helps organizations verify the security status of Android phones and tablets before allowing access to work apps and data. It works across all device ownership models (company-owned or BYOD), and at any level of device management (enrolled to an EMM or completely unmanaged), acting as a constant security validation for all Android devices used for work.

How does it work?

Device Trust from Android Enterprise uses a comprehensive set of over 20 different trust signals to assess a device's security posture. These signals look at things like:
- The security patch level
- The security status of the network the device is connected to
- Whether the OS version is up to date

By bundling all these checks together, Device Trust from Android Enterprise provides a reliable way to understand how trustworthy a device is. This makes it simpler for your IT team to manage mobile security while providing a smooth experience for your employees.
Plus, it's designed to protect both user and company privacy.

What does this mean?

1. Security you can trust: Protect your data with intelligent and adaptable device security. Device Trust from Android Enterprise works effectively whether company owned and managed by an EMM, employee personal devices are managed by an EMM, using an Android Work Profile, or are unmanaged but utilize a partner security app. Device Trust from Android Enterprise allows businesses to secure the full management spectrum of Android devices used for work. Align with the latest industry standards and best practices around Zero Trust and mobile security, including ISO/IEC 27001, 27002, 27005, to stay ahead of evolving threats. Ensure ongoing protection with continuous, real-time evaluation and validation of device health at multiple access points.

2. Flexible solutions for diverse use cases: Embrace a security approach that adapts to the diverse ways your employees work. Get direct access to reliable trust signals, empowering you to make informed access decisions and react swiftly to potential risks. Unify and simplify your security management by integrating Android mobile devices into your existing mobile threat defense (MTD), endpoint detection response (EDR), identity provider (IdP), and security information and event management (SIEM) workflows. Leverage our rich ecosystem of security partners, whose solutions integrate seamlessly with Device Trust from Android Enterprise, to create layered protection across different access needs and tailor security to specific use cases.

3. An uninterrupted employee experience: Empower your team to work effectively without unnecessary security hurdles. Enable instant productivity without needing to formally enroll the device - ideal for flexible and casual work arrangements that don’t require full EMM management. Deploy a security solution built with user privacy in mind, utilizing vetted partners and secure data interfaces.
Maintain seamless access with continuous, behind-the-scenes security checks that won't disrupt workflows or require constant user interaction.

Who can benefit from Device Trust?

Built to be flexible, Device Trust from Android Enterprise benefits businesses of all sizes.

For Large Enterprises: Strengthen your Zero Trust approach with continuous validation of device security, that accommodates varied access requirements, including full-time staff, contractors, and those in casual work scenarios. By seamlessly integrating with your existing security ecosystem (MTD / EDR, IdP, SIEM), you gain comprehensive visibility and can enforce consistent security policies across your diverse fleet of managed and unmanaged Android devices, enhancing your overall security posture at scale.

For Small to Medium Businesses (SMBs): Achieve robust, enterprise-grade security without the typical complexity or extensive IT resources. You don't need a full EMM solution to benefit from Device Trust from Android Enterprise. This allows you to cost-effectively protect sensitive business data on employee devices and enable secure remote work, even on personal devices.

In a world where mobile devices are our primary work hubs, Device Trust from Android Enterprise offers a robust and reliable way to unify security tools on mobile, and fortify your defenses.

Ready to learn more? For a more detailed overview, explore our Keyword blog. Don't miss our upcoming digital episode, ‘Android Talks Device Trust,’ where we'll take a deep dive into Device Trust from Android Enterprise and our partner solutions. Register here.

Let’s keep the conversation going, we’d love to hear your initial thoughts in the comments below. 👇 How does your organization currently approach securing mobile devices, and where do you see Device Trust potentially fitting in?

*Device Trust from Android Enterprise solutions are built and offered by third-party providers integrating into the Android Management API.
Exact features may vary depending on third-party integrations. Access on unmanaged devices requires user consent to use the Android Device Policy app. Device Trust from Android Enterprise is supported on Android 10 and above.

713 Views, 4 likes, 4 Comments