IBM MaaS360


Getting Started with Device Owner Android Devices

By Joseph Mains posted 2 days ago

  


This guide provides a streamlined checklist to deploy MaaS360 for company-owned Android devices using Android Enterprise in Device Owner mode—ideal for organizations that require full control over the device for corporate use. Devices must be either brand new or factory reset before enrollment. This mode provides the highest level of management, enabling the enforcement of security policies, app restrictions, and Kiosk mode. Device Owner mode is intended for fully managed devices, ensuring complete separation from personal use and allowing robust enterprise-level control.

Use this setup when:

Your organization is providing employees with company-owned Android devices that are intended strictly for work use. These devices must be either brand new or reset to factory settings before enrollment into Device Owner mode. This setup gives your organization full control over the device through MaaS360, allowing you to manage which apps are installed, apply security settings, and enforce company policies. Device Owner mode ensures the device is managed exclusively for business, with no personal use allowed. It also prevents users from removing management and enables stronger compliance, security, and app control compared to other Android management options.

Deployment tip:

MaaS360 has many features, settings, and configuration options to meet your needs. The purpose of this checklist is to get you started with common tasks. We recommend that you try it with a few devices first, evaluate your configuration and adjust it as needed, and then roll out to all your devices.

Before you begin:

  • Complete the MaaS360 Getting Started checklist
  • Review the Android Enterprise Enrollment Overview
  • Check that your devices are AE compatible. If you’re unsure, check with your OEM and try enrollment of a test device.
  • Choose a Device Owner enrollment method. Click each link for more information on each method and complete the prerequisites for each enrollment method.

 

 

Enrollment Methods:

| Enrollment Workflow | Minimum OS Version Required | Description |
| --- | --- | --- |
| QR Code | Android 7+ | Admin creates a QR code in MaaS360 portal and downloads it to enroll devices or provides it to users to enroll. |
| Zero Touch | Android 8+ | Devices must be purchased from a reseller who sets up the zero touch account and loads devices for your company. Provides bulk enrollment, devices are automatically enrolled when powered on. Note: Samsung devices not supported in ZT. |
| Samsung KME | Knox 3.0+ | Devices must be purchased from an authorized reseller partner and transmitted to the Samsung Knox portal that you create. Provides bulk enrollment, devices are automatically enrolled when powered on. Note: Non-Samsung devices not supported in KME portal. |
| AFW | Android 7+ | Enter a token afw#maas360 in the Google Account during device setup to initiate the AE Device Owner enrollment. |

 

 

 

 

| Task | Path | Best Practice |
| --- | --- | --- |
| Integrate Android Enterprise with MaaS360 | In MaaS360, navigate to Setup > Services > Mobile Device Management > Enable Android > connect. You can use a managed Google Play Account or G-suite to bind. | Use a company-managed Google account that multiple admins can access. |
| Configure Directory and User Authentication Setup | In MaaS360, navigate to Setup > Settings > Directory and Enrollments > User Authentication Setup > Select Default Authentication | By default, user authentication for enrollment is based on the authentication type specified in the user record (Local or Corporate). If you're using SAML, the default is configured in the User Authentication Setup settings. |
| Configure User Settings | In MaaS360, navigate to Setup > Settings > User Settings > Basic > User Password Settings | By default, MaaS360 doesn’t generate passwords for local users. Manually set them for admin-driven setup, or auto-generate them for user enrollment. Corporate users authenticate through your directory using Cloud Extender or Entra ID. |
| Configure Android Security Policy Settings | In MaaS360, navigate to Security > Policies > View the Android MDM policy | Within the Android MDM Policy, each setting will have a grey blurb underneath showing the type of enrollment mode these settings apply to. DO means it applies to Device Owner enrollments. |
| Manage Devices in the Portal | In MaaS360, navigate to Devices > Inventory > Locate the device > View to open the device summary > Select More to access all available actions | Once your devices are enrolled, you can manage and monitor them all in the MaaS360 portal. |

 

To learn more, explore the IBM Documentation or visit our YouTube channel Big Blue Helps for step-by-step MaaS360 tutorials. 
