FAQ: Android for Work (AFW)

What OS/devices support Android for Work?

For broad device support, Google has developed two versions of the Android for Work solution: Pre-Lollipop Android for Work and Lollipop+ Android for Work.

Android for Work on supported Lollipop devices offers a dedicated Work Profile with security, management and application support built-in. For all other devices, Ice Cream Sandwich and newer, users can enjoy similar functionality through a downloadable app.

A current list of recommended devices can be found here.

I have a device that is running Lollipop, but Android for Work isn’t getting set up.

The device must be enrolling into an Android for Work enabled Organization Group. Not all devices running Lollipop support AFW; only specific devices are supported at this time. Also check whether the user account being enrolled was created on the Google Admin console. Other factors may be in play as well, such as the Agent version on the device.


What console version is required?

8.0 Feature Pack 2


What Agent version is required?

AirWatch Agent v5.2+ is required


As an IT admin, where do I begin?

To register your company's domain with Google for Android for Work, begin here: https://www.google.com/a/signup/u/0/?enterprise_product=ANDROID_WORK


As an IT admin, where do I upload my EMM token?

You can upload your EMM token in the AirWatch Console at Groups & Settings > Devices & Users > Android > Android for Work.


I have uploaded my EMM token, now what?

All Android for Work supported devices enrolled under this OG will be enrolled under AFW. You can create Work Profiles and push out apps through the Google Play Work Console.


Can I upload this EMM token into another environment or OG? Like UAT?

No. The Register screen promptly checks whether this domain is registered on any other console. To test in a UAT environment, a subdomain (like qa.company.com) can be used.


Why am I prompted to add my corporate email account as a Google account on the device? What is it used for?

Every Android for Work device needs an associated Google account based on the corporate account. Google uses these accounts to push down the settings that the company enabled for its domain through the EMM token registration.


Is my Google account password the same as my enrollment password?

Not necessarily. Your Google account password may be your enrollment/AD password, or your admin could have created your account, and you might need to reset it by going to https://accounts.google.com.


What happens if I enroll non-AFW devices into an OG set up to use AFW?

Your non-AFW device will act as a regular enrolled device, and the device policies will take effect rather than the Work Profiles.


After enrollment completes, why is there a copy of the AirWatch Agent that is not badged?

There are two copies of the Agent on the device: a badged version and a non-badged version. The badged version is the Agent with the enrollment details. Once the device's Corporate Profile Owner Account is removed, all badged apps, including the Agent, are removed, and you can re-enroll with the non-badged Agent.


How do I unenroll from the device?

On the device, navigate to Settings > Accounts and remove the Work Google Account. This will unenroll the device and remove all badged apps.


Why did I not get a prompt to set the AirWatch Agent as device administrator?

AirWatch is added as a Google account, which has access as a Profile / Device Owner. Therefore, you do not need to add it as a Device Admin.


Why doesn’t the telecom service app get installed when I have track telecom data turned on?

Telecom service is not currently supported with the Android for Work Profile, since the Work Profile has a BYOD focus.


Is Launcher supported?

Launcher is another system app that is currently not supported, since the Work Profile has a BYOD focus.


What happens if I try to publish a non-Android for Work profile to an Android for Work device?

If your devices are enrolled under AFW, they will not receive those profiles.


What happens if I try to publish an Android for Work profile to a non-Android for Work device?

If your devices are not enrolled under AFW but instead as regular enrollments, they will not receive those AFW profiles.


Why does Managed Apps under the badged Agent show no apps list?

Public apps are managed through Google Play and not through AirWatch. They are displayed only in the badged Play Store / App Catalog.


A Google Device ID and a Google User ID are used when pushing applications to devices. When are the Google Device ID and Google User ID generated, and where are they stored? Are they generated by Google?

Both are obtained during enrollment and come from Google, but at different times. The User ID is obtained from Google when the AW console asks the Google server whether the user exists in Google. This happens after the AirWatch console gets the enrollment username from the Agent. The Device ID is obtained from the device OS after the user adds the Google account to the device during enrollment. The Agent asks the OS for the Device ID and sends it up in the beacon to the AW console.


During the enrollment, how does the Google Account validation take place? Is the Device Services server talking to any Google server to validate this?

Account validation is done immediately after the Agent sends the enrollment username to the console. No communication is done by the Device Services server; all communication goes through the Console server.


Which server does our AirWatch Console contact in order to validate the token that is entered while configuring the Android for Work?

Google Play Server. The following website needs to be accessible in your network: https://www.googleapis.com/ 


In a scenario where the topmost OG is of customer type and Android for Work is enabled in the topmost OG, all the child OGs inherit the settings. To my knowledge, we cannot override this setting. Does this mean any Lollipop device with a 5.2 Agent enrolling into any of the child OGs will automatically be enrolled in Android for Work? Is there any way to overcome this?

We are making changes to this. In a future Feature Pack, you will be able to configure Android for Work at any OG type (not just customer), but all OGs below it will be inherit-only, and you cannot override the setting.


Can there be multiple Google Admin accounts for a single domain?

Yes. You would log into Google and assign an account as an admin.


What happens in the 3 scenarios below?

Note: The answers below assume that the device running/upgrading to 5.0 supports Android for Work. There are devices on the market today running 5.0 that do NOT support Android for Work yet because the OEM is blocking it. Example: Samsung devices running Lollipop.

  • Device is running 4.4, is currently enrolled in an OG where Android for Work is configured, and is on a 5.2 Agent. The device upgrades to 5.0.

    • Nothing. To use Android for Work, the user will have to unenroll and re-enroll.

  • Device is running 5.0, is currently enrolled in an OG where Android for Work is configured, and is on a 5.1 Agent. The Agent gets upgraded to 5.2.

    • Nothing. To use Android for Work, the user will have to unenroll and re-enroll.

  • Device is running 5.0 and is currently enrolled through a 5.2 Agent. The environment upgrades to 8.0 FP2, and the admin configures Android for Work in the OG in which all devices are enrolled. What happens?

    • Nothing. To use Android for Work, the user will have to unenroll and re-enroll.


In a case where there is one parent OG and two child OGs, the parent OG is of customer type and is configured with AFW. The settings are inherited by both child OGs. We have an option to configure Android for Work again in the child OGs with a different token and a different domain. We will configure the two child OGs with different domains and then disable Android for Work in the parent OG. Will the child OGs still be configured for AFW, even though the child OGs are not of customer type?

Answered earlier. In an upcoming FP, we will not allow a different token/domain at a sub-OG if the parent OG is already configured for Android for Work.


Where in the device, is the data of the Work applications being stored? How is the device managing both Personal and Work applications?

Work data is completely separate from personal data. It exists in a separate data store used for AFW, which is encrypted by default. However, there is only one installation of the app, not two installations of the same app. This is a big difference from KNOX. In BYOD mode, we are not managing the personal side at all. Only in corporate-owned mode can we manage the entire device.
