Managing Android devices has never been easier. With the Android Management API, you can build a policy and provision a device in minutes. This Codelab will show you everything you need to know to get started, and will help you set up a device from scratch in minutes.

What you'll learn

What you'll need

To access the Android Management API you will use a quickstart Python notebook run with Colab. Click the link below to open it in a new tab.

Open the quickstart notebook in Colab

The source code of the quickstart notebook is available on GitHub (here).

Before being able to call the API you need to setup authentication in the notebook.

The base resource of your Android Management solution is a Google Cloud Platform project. All other resources (Enterprises, Devices, Policies, etc) belong to the project and the project controls access to these resources. A solution is typically associated with a single project, but you can create multiple projects if you want to restrict access to resources.

For this Codelab we have already created a project for you (project ID: android-management-io-codelab).

To create and access resources, you need to authenticate with an account that has edit rights over the project. The account running this Codelab has been given rights over the project used in this Codelab. To start the authentication flow, run the first cell (click the ▶ button or press Shift + Enter).

You will be asked to authorize access by following a link. If asked to select an account, choose the account preloaded on the Codelab kiosk. Then click Allow.

The OAuth flow finishes by displaying an authentication code.

To complete the authentication flow:

  1. Copy the authentication code.
  2. Go back to the quickstart notebook.
  3. Paste the code in the input box.
  4. Hit Enter.

At this stage the notebook is successfully authenticated with the API and you can start creating and managing resources.

An Enterprise resource binds an organization to your Android Management solution. Devices and Policies both belong to an enterprise. Typically, a single enterprise resource is associated with a single organization. However, you can create multiple enterprises for the same organization based on their needs. For example, an organization may want separate enterprises for its different departments or regions.

For this Codelab we have already created a project for you. Run the next cell to select it.

A Policy is a group of settings that determine the behavior of a managed device and the apps installed on it. Each Policy resource can be applied to one or more devices. Once a device is linked to a policy, any updates to the policy are automatically applied to the device.

To create your first policy run the next cell of the notebook.

In the rest of this Codelab we will represent a policy in its JSON form. Here the first policy is:

{
  "applications": [
    {
      "packageName": "com.google.samples.apps.iosched",
      "installType": "FORCE_INSTALLED"
    }
  ],
  "debuggingFeaturesAllowed": true
}

You'll see how to create more advanced policies later in this Codelab.

Provisioning refers to the process of enrolling a device with an enterprise, applying the appropriate policies to the device, and guiding the user to complete the set up of their device in accordance with those policies. Before attempting to provision a device, ensure that the device is running Android 6.0 or above.

The method for provisioning a device varies depending on the management mode you want to use, this Codelab demonstrates how to provision a work profile using a QR code. Please refer to the instructions in the notebook for other modes and provisioning methods.

You need an enrollment token for each device that you want to provision (you can use the same token for multiple devices). When creating a token you can specify a policy that will be applied to the device. You can then embed the enrollment token in a QR code.

To create your first enrollment token run the next cell of the quickstart notebook. This cell generates an enrollment token and stores it in the variable enrollment_token.

Then run the next cell to generate the QR code, and click on the generated URL to display the QR code.

You can then use this QR code to provision an Android. To do so:

  1. Unlock the Android device in front of you.
  2. Go to Settings > Google.
  3. Tap "Set up your work profile".
  4. Scan the QR code.

Once the setup flow completes your work profile is provisioned and is linked to the policy created in the previous step.

After a device is linked to a policy, any updates to the policy are automatically applied to the device.

To update the policy move back to the cell that you used to create the policy, change the policy JSON to match the new policy below, and run the cell.

{
  "applications": [
    {
      "packageName": "com.google.samples.apps.iosched",
      "installType": "FORCE_INSTALLED"
    },
    {
      "packageName": "com.google.android.apps.androidify",
      "installType": "FORCE_INSTALLED"
    }
  ],
  "debuggingFeaturesAllowed": true
}

The new policy force installs the Androidify app on the device, and you should see this change applied on the device within a few seconds.

In the next step of the Codelab we show you how to build a more advanced policy with extra security features.

Let's try enforcing some additional security: we'll set up a policy that requires a password, and forbids taking a screenshot when using the work profile.

To update the policy move back to the cell that you used to create the policy, change the policy JSON to match the new policy below, and run the cell.

{
  "applications": [
    {
      "packageName": "com.google.samples.apps.iosched",
      "installType": "FORCE_INSTALLED"
    },
    {
      "packageName": "com.google.android.apps.androidify",
      "installType": "FORCE_INSTALLED"
    }
  ],
  "passwordRequirements": {
    "passwordMinimumLength": 6,
    "passwordQuality": "NUMERIC"
  },
  "screenCaptureDisabled": true,
  "debuggingFeaturesAllowed": true,
  "policyEnforcementRules": [
    {
      "settingName": "passwordPolicies",
      "blockAction": {
        "blockAfterDays": 1
      },
      "wipeAction": {
        "wipeAfterDays": 5
      } 
    }
  ]
}

In a few seconds you should see a screen that will ask you to set a password, stopping you from using apps in the work profile (they will be greyed out) until you do so.

Try taking a screenshot when using an app in the work profile by pressing Volume Down + Power key combination: you should see a message saying that taking screenshots is disabled.

You've finished the Android Management API Codelab and got a glimpse at some of the available policies.

We recommend that you explore and try other examples of policies:

And you can find the full range of available policies in the API references.

You can also develop your own server-based management solution leveraging the Android Management, to do so you will need to: