12 deliveries of AE-mas (What shipped in Android Enterprise in 2025)
2025 was a big year for Android Enterprise. This was the year several long-missed features finally landed, Device Trust became a thing, zero-touch got a compliance and audit boost, provisioning saw a revamp, and the Android Management API quietly kept adding the sort of controls that make admins' lives easier. So, in the spirit of celebrating a strong year for the platform, here are 12 Features of AE-mas (let's not worry about the title.. I was strugglin'), in no particular order, chosen somewhat at random as - would you believe - the list could have been longer should I have chosen not to follow the 12 days of Christmas as the theme.. 12. APN overrides via AMAPI APN management finally arrived. In May 2025, AMAPI gained apnPolicy, allowing admins to define and enforce APNs directly through policy. This closes a long-standing gap for cellular deployments where “just set the APN” has historically been anything but. It's great to see this functionality pulled out of OEM config and into the AMAPI layer, giving admins access to on-device APIs that have been effectively off-limits for years. Read about APN here. 11. Developer verification for Android Developer verification isn't coming until next year, but we're talking about it already, and work is in progress to bring it to fruition now. Developer verification raises the bar for Play publishers by requiring stronger identity verification. For enterprise, it’s a supply-chain win: fewer convincing lookalikes, higher friction for malicious publishers, and a clearer answer when security teams ask “who made this app, exactly?”. There’s pushback in the community, there's a lot of misunderstandings about the requirements and ramifications, but hopefully as time goes on this will settle on both sides through further transparency and discussion. Organisations deploying private apps to their own tenants are currently exempt, but it remains a big change nonetheless, and organisations benefit from the wider boost in authenticity of apps and developers. I covered off more about developer approval here. 10. Device Trust from Android Enterprise This was the year Device Trust arrived. Device Trust enables real-time posture and integrity signals (Play Integrity verdicts, boot state, security patch recency, lock-screen presence, strong auth age, OS tamper signals) that can be evaluated continuously rather than only at enrolment, and on both managed and unmanaged devices. It's a huge boost for MAM-type deployments, security solutions, and allows traditionally EMM-dependent vendors the freedom to operate independently. This isn’t a small feature. It fundamentally changes how Android Enterprise fits into modern security architectures. I wrote more about Device Trust here. 9. Custom app management via AMAPI (CUSTOM install type) One of the most consequential releases of the year, perhaps even since AMAPI began half a decade ago. AMAPI introduced first-class support for installing and managing custom applications using installType: CUSTOM, backed by signing certificate validation (appSigningKeyFingerprints) and explicit install and uninstall commands. It allows organisations reliant on line-of-business (LOB) internal applications to ditch any and all wild-west sideloading for a policy-driven, verifiable deployment, which is exactly what enterprise actually needs. All without the need for uploading apps to Google Play. I wrote more about custom apps here. 8. Zero-touch portal audit logs and admin roles The zero-touch portal became auditable and permission-scoped in 2025. Google rolled out audit logs to the zero-touch customer portal, capturing all admin actions needed to ensure the platform is no longer a black hole of who did what. Alongside this came clearer admin role separation, reducing the blast radius of operational mistakes. For regulated environments, this turned zero-touch from a black box into something governance teams could actually trust. 7. Android 16 provisioning improvements One of the greatest improvements to the enrolment flow happened in 2025, and it was so long overdue! Android 16 brought a clear push toward more reliable setup flows, fewer steps, and the ability to update it on the fly, as opposed to being stuck adjusting it only on major version releases. I put out a video nearer the start of the year, while 16 was still in beta, which you can see on LinkedIn here. With this newer approach, Google is beginning to leave behind the old managed provisioning flows baked into AOSP, though they're still there as a fallback today. It'll be interesting to see how this evolves. 6. Application roles in Android Management API This was unexpected. Application Roles formalised entire classes of enterprise apps, including: COMPANION_APP KIOSK MOBILE_THREAT_DEFENSE_ENDPOINT_DETECTION_RESPONSE SYSTEM_HEALTH_MONITORING Apps assigned these roles can be exempt from background execution limits, power management, suspension, and hibernation on modern Android versions, with user control restricted by default. This isn’t just about companion apps - it’s about enterprise software finally being treated as first-class by the OS, and adds much-needed flexibility with far less configuration and overhead. 5. Default application management policy Admins finally gained control over default apps. AMAPI added a policy allowing admins to define a prioritised list of default applications per app type (browser, dialler, etc), setting the first qualifying app as default and preventing user changes. For compliance-sensitive fleets - browsers, diallers, PDF viewers - this is the sort of boring control that saves hours. It's predominantly Android 16+, but there's a few that go back a few versions of Android. Read more about default applications here. 4. RCS archival RCS has long been the compliance blind spot for Android Enterprise fleets, with SMS/MMS archiving handled by legacy tools while RCS was left out in the cold. In December, Google release a supported way to archive RCS/SMS/MMS on fully managed devices, with Google Messages as the mandated client. Once those prerequisites are met, admins can configure Messages to forward message bodies, metadata, and attachments to a SIEM/service/archival tool on a schedule or trigger with no needed workarounds or limitations of legacy solutions. It’s - to reiterate - Google Messages only for now (OEM messaging apps remain out of scope unless they add their own support), but it gives regulated orgs a sanctioned retention path for rich messaging at last. It has been met with quite a bit of mixed feelings, and even more FUD. I go into more detail about RCS archiving here. 3. App functions and cross-profile controls Android 16 brought app-to-app interaction under policy control. New settings allow admins to govern whether apps can expose app functions, and whether personal-profile apps can invoke functions exposed by work-profile apps, bringing finer control to cross-profile linking scenarios. Niche, but powerful for when this functionality takes off in enterprise workflows. 2. Android App Bundle (AAB) support in the Managed Play iframe This finally removed a long-standing enterprise limitation. In March 2025, Android App Bundle uploads became supported in the Managed Google Play iframe. Private apps finally gained parity with public Play distribution, including split APK delivery and more efficient installs. I wrote more about AAB here. 1. Android’s accelerated platform release cadence The change that underpins everything above. Android is shifting toward more frequent platform releases, with Android 16 landing far earlier than usual and signalling a broader move away from a single annual cadence. Harder to track? Maybe. I'm having a lot more fun poking around the Android Canary builds looking for unreleased functionality than I do sleuthing around AOSP code, though! Better for shipping enterprise capability without waiting a full year? Also yes. Signing off Android Enterprise levelled up across the board in 2025. From trust and supply-chain integrity to app management and provisioning improvements, the team set the bar really high this year. Let's hope the momentum continues in 2026! Which of these made the biggest difference for you this year, and what are you hoping lands in 2026? Happy holidays and here’s to a wonderful New Year!
Zero-Touch + Intune enrollment fails after Microsoft sign-in (redirects to portal.manager.microsoft.com)
Hi everyone, I’m experiencing an issue during Android Zero-Touch enrollment with Microsoft Intune. The process begins normally and progresses through all the expected steps: 1. Getting your phone ready 2. Checking info 3. “This device belongs to your organisation” 4. Setup your phone 5. Setting up your device 6. “This device isn’t private” 7. Google services 8. Updating device 9. Welcome to Chrome 10. Microsoft sign-in page The problem occurs AFTER I successfully sign in with my work account. Instead of continuing with Android Enterprise (intune) setup, the device opens this URL: **portal.manager.microsoft.com** This page shows “Page not found.” Immediately after that, the device shows: **“Can’t set up device. To finish setup, sign in to your work account.”** At this point the enrollment cannot continue. The device is assigned to a Zero-Touch configuration with the DPC: `com.google.android.apps.work.clouddpc` We also have a JSON configuration supplied from the Intune portal. Has anyone seen this behaviour before where enrollment fails right after Microsoft authentication and redirects to an incorrect URL? Is this likely related to the Zero-Touch configuration JSON, the DPC, or a known issue with Intune handover? Any guidance would be greatly appreciated. Thank you!
Aluminium OS - bringing Android to PC's
If people have not heard. Google is working on bringing AndroidOS to PC's. Google's new 'Aluminium OS' project brings Android to PC Just hope the AE management stays the same or even will expand on its capabilities. ChromeOS needs Google Workspace for management and not everybody is familiar with this. but I look forward testing it when its ready for public or maybe private testing 🤐.
Tech Newbie interested in mobile cyber security, after multiple hacking events, seeking suggestions, tips, advice etc, to get involved.
Hello All, I am looking for advice, tips, suggestions, or helpful info, to begin a career/ journey into the world of Mobile Cyber Security and Tech. My interest was sparked after multiple hacking events that were very damaging to my life, my digital life, my work life, my relationships, my mental, physical, and emotional health, my data, information, and intellectual property of my business, and more. Now I am being pulled to learn how to protect myself first, and second so that I may be able to help others. I guess Ethical Hacking is the term. Any info helps. Thank you, Androidc3po
Unable to upload bulk CSV file to ZeroTouch
Hi Team, Is there currently an issue uploading a bulk .csv file to ZeroTouch? It's giving me an error. See below. Steps below: I downloaded the sample .csv file then updated it with my data, then uploading it again to the portal as is without changing the name or file extension as seeing above, yet its giving me an error. This was working not long ago, just wondering if there is currently an issue. Thanks
No accounts found Zero touch
as per : ZTE Portal - no account found | Android Enterprise and ChromeOS Customer Communities - 4093 I'm an admin of a Google workspace instance, let's call it Acme, LLC. This is Google Workspace Business Plus I'm an admin (not owner) of a Android Zero Touch instance, with the ability to make changes to: Configs Devices Users Resellers, etc I've logged into Workspace.google.com for Acme, Inc. Gone to Devices, Mobile & Endpoints, Settings, Enrollment, Manage Zero Touch devices, Link, log in using AZTE user and get the rather lovely: MDM is set to advanced, by the way
WPCO Enrollment into Google Workspace using Zero Touch
Hi there! I am implementing Zero Touch enrollment for our newly purchased Android devices. It is working well and our testing devices end up in "Fully Managed" state after enrollment. I have been wondering if the enrollment could be adjusted so the device ends up in "Work profile on corporate-owned" (WPCO) state instead. I have done a little research and Android spec should allow a device to end up in WPCO state after it is enrolled via Zero Touch. Is this end result achievable with following combination? Device: Samsung with Android 14 Enrollment: Zero Touch during device setup EMM: Google Workspace Google Workspace AFAIK does not have any switch for this in UI. Could the management mode be configured during Zero Touch by using DPC extras set in Zero Touch portal? Developer oriented documentation suggests this is governed by EXTRA_PROVISIONING_MODE. I have tried following Custom Configurations in Google Zero Touch portal so far (all targeting com.google.android.apps.work.clouddpc) : { "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": { "com.google.android.apps.work.clouddpc.EXTRA_FORCED_DOMAINS": "[\"mycompany.com\"]", "PROVISIONING_MODE": "MANAGED_PROFILE" } } and { "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": { "com.google.android.apps.work.clouddpc.EXTRA_FORCED_DOMAINS": "[\"company.com\"]" }, "android.app.extra.PROVISIONING_MODE": "2" } and { "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver", "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM": "<SIG-CHECK>", "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://play.google.com/managed/downloadManagingApp?identifier=setup", "android.app.extra.PROVISIONING_ROLE_HOLDER_SIGNATURE_CHECKSUM": "<SIG-CHECK>", "android.app.extra.PROVISIONING_ROLE_HOLDER_PACKAGE_DOWNLOAD_LOCATION": "https://play.google.com/managed/downloadManagingApp?identifier=setup", "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": { "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "<TOKEN>", "com.google.android.apps.work.clouddpc.EXTRA_FORCED_DOMAINS": "[\"company.com\"]", "PROVISIONING_MODE": "MANAGED_PROFILE" } } In all three case the devices goes trough Zero Touch enrollment. Device Policy is installed. User is required to log in with a Google Account with company.com account. The device ended up in "Fully Managed" state in all three cases...
