This page provides an overview of the new enterprise APIs, features, and behavior changes introduced in Android 11.

## Work profile

The following new features are available in Android 11 for work profiles.

### Work profile enhancements for company-owned devices

Android 11 introduces improved support for work profiles on company-owned devices. If a work profile is added from the setup wizard using the[provisioning tools added in Android 10](https://developer.android.com/work/versions/android-10#improved_provisioning_tools_for_work_profiles), the device is recognized as company-owned and a wider range of asset management and device security policies is made available to the device policy controller (DPC). These capabilities enable easier management of both work and personal use on company-owned devices, while maintaining the privacy protections of the work profile.

If a work profile is added to a device using any other method, Android 11 recognizes the device as personally-owned. The behavior and features available to work profiles on personally-owned devices remains unchanged.

#### Devices upgrading to Android 11

[Work profiles on fully managed devices](https://developer.android.com/work/managed-profiles)will be upgraded to the enhanced work profile experience on Android 11. For customers, this means devices will receive the improved privacy benefits and consistency of a single work profile experience across both personally-owned and company-owned devices, without the need to re-enroll legacy work profile on fully managed devices. Or if you prefer, by removing the work profile before upgrade you can maintain a fully managed device experience across the upgrade.

Customers can contact their EMM to ensure their devices are prepared to upgrade to Android 11. EMMs can find more detailed migration guidance in the[Android Enterprise EMM Provider community](https://emm.androidenterprise.dev/s/)(login required).

### UX improvements

The separate[work and personal tabs](https://developer.android.com/work/versions/android-9.0#work-profile-ui)introduced to the default launcher in Android 9 have been extended to more device features. In Android 11, device manufacturers can present work and personal tabs:

- In the Settings app, specifically for Location, Storage, Accounts, and App info.
- When a user taps Shareshare.
- When a user is presented with the option to open a selected item with another app (*Open with*menu).
- When selecting documents.

![](https://developer.android.com/static/images/about/versions/11/work-profile-ux.png)**Figure 1.** (Left) Personal tab and work tab in*Settings \> App info*. (Right) Work apps icons when the work profile is paused.

Android 11 also introduces UX enhancements that make it clearer to users when their work profile is paused. And when a user turns on their work profile, they no longer have to enter their work passcode if it's the same as their device passcode.

### Reset work profile passcode button

When a work profile is paused, the work profile lock screen now supports a*forgot my password* button for Android 11 devices that have separate device and work profile passwords. If your[DPC is direct boot aware](https://developer.android.com/training/articles/direct-boot), you can[set and activate a token](https://developer.android.com/work/dpc/security#set_and_activate_a_token)to enable the button.

When a user presses the button, they're shown text that instructs them to contact their IT admin. Pressing the button also starts the work profile in direct boot (locked) mode, allowing your DPC to complete the steps to perform a[secure work profile passcode reset](https://developer.android.com/work/dpc/security#secure-passcode-reset).

## Company-owned devices

The following new features are available for company-owned devices. The term*company-owned device* refers to both fully managed devices and[work profile devices that are company-owned](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#isOrganizationOwnedDeviceWithManagedProfile()).

### Common Criteria Mode

This mode addresses[Common Criteria](https://www.commoncriteriaportal.org/)[Mobile Device Fundamentals Protection Profile](https://www.commoncriteriaportal.org/files/ppfiles/pp_md_v3.1.pdf)(MDFPP) specific requirements. Admins of company-owned devices can now[enable Common Criteria Mode](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setCommonCriteriaModeEnabled(android.content.ComponentName,%20boolean))(and[check if it's enabled](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#isCommonCriteriaModeEnabled(android.content.ComponentName))) on a device. When enabled, Common Criteria Mode increases security in certain security components on a device, including AES-GCM encryption of Bluetooth Long Term Keys, and Wi-Fi configuration stores.

### Individual key attestation support

| **Note:** This feature is only available for devices with a[StrongBox security chip](https://developer.android.com/training/articles/keystore#HardwareSecurityModule).

In Android 11, admins of company-owned devices can[request device attestation](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#generateKeyPair(android.content.ComponentName,%20java.lang.String,%20android.security.keystore.KeyGenParameterSpec,%20int))using individual attestation certificates:

- Ensure[`KeyGenParameterSpec`is built with StrongBox specified](https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder#setIsStrongBoxBacked(boolean)).
- Pass[`ID_TYPE_INDIVIDUAL_ATTESTATION`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#ID_TYPE_INDIVIDUAL_ATTESTATION)for the`idAttestationFlags`argument.

A new method is also available to[check if a device supports unique device ID attestation](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#isUniqueDeviceAttestationSupported()).

## Other

- Users are now notified when an admin:

  - [Enables location services](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setLocationEnabled(android.content.ComponentName,%20boolean))on their company-owned device. If the admin sets a global policy to auto-accept all permissions, the user is notified when an app requests, and is granted, location permission because of this policy.
  - [Grants an app the permission](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setPermissionGrantState(android.content.ComponentName,%20java.lang.String,%20java.lang.String,%20int))to use the location of a personally-owned device.
- Pre-grant certificate access to work apps: DPCs targeting Android 11 now have the option to[grant individual apps access to specific`KeyChain`keys](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#grantKeyPairToApp(android.content.ComponentName,%20java.lang.String,%20java.lang.String)), allowing these apps to call[`getCertificateChain()`](https://developer.android.com/reference/android/security/KeyChain#getCertificateChain(android.content.Context,%20java.lang.String))and[`getPrivateKey()`](https://developer.android.com/reference/android/security/KeyChain#getPrivateKey(android.content.Context,%20java.lang.String))without having to first call[`choosePrivateKeyAlias()`](https://developer.android.com/reference/android/security/KeyChain#choosePrivateKeyAlias(android.app.Activity,%20android.security.KeyChainAliasCallback,%20java.lang.String%5B%5D,%20java.security.Principal%5B%5D,%20java.lang.String,%20int,%20java.lang.String)).

  For example, VPN apps that run as a background service can use this feature to gain access to the certificates they need without requiring any user interaction. A new method is also available to revoke access.
  | **Note:** Apps installed on unmanaged devices or in a device's personal profile can no longer install CA certificates using[`createInstallIntent()`](https://developer.android.com/reference/android/security/KeyChain#createInstallIntent()). Instead, users must manually install CA certificates in**Settings**.
- [All methods related to setting password minimums](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setPasswordMinimumLength(android.content.ComponentName,%20int))require an appropriate[password quality](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setPasswordQuality(android.content.ComponentName,%20int))before they can be enforced.

  - [`setPasswordMinimumLength()`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setPasswordMinimumLength(android.content.ComponentName,%20int))requires at least[`PASSWORD_QUALITY_NUMERIC`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#PASSWORD_QUALITY_NUMERIC).
  - All other password minimum methods require at least[`PASSWORD_QUALITY_COMPLEX`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#PASSWORD_QUALITY_COMPLEX).
- Always-on VPN enhancements: Users can no longer disable always-on VPN when it's[configured by an admin](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setAlwaysOnVpnPackage(android.content.ComponentName,%20java.lang.String,%20boolean)).

- Updates to[`ADMIN_POLICY_COMPLIANCE`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#ACTION_ADMIN_POLICY_COMPLIANCE):

  - When provisioning an Android 11 device, the system now sends[`ADMIN_POLICY_COMPLIANCE`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#ACTION_ADMIN_POLICY_COMPLIANCE)before setting[`DEVICE_PROVISIONED`](https://developer.android.com/reference/android/provider/Settings.Global#DEVICE_PROVISIONED)to`true`.
  - [`ADMIN_POLICY_COMPLIANCE`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#ACTION_ADMIN_POLICY_COMPLIANCE)can also be optionally used when[adding a Google Account](https://developers.google.com/android/work/play/emm-api/prov-devices#google_account_method)to provision a device. In the 2021 Android release, it will be required for this provisioning method.
- New APIs are also available to:

  - [Check](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#getAutoTimeEnabled(android.content.ComponentName))and[set](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setAutoTimeEnabled(android.content.ComponentName,%20boolean))whether auto time is enabled on a device. If enabled, the time automatically obtained from the network. Replaces`setAutoTimeRequired()`and`getAutoTimeRequired()`(see[Deprecations](https://developer.android.com/work/versions/android-11#deprecations)for more information).
  - [Check](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#getAutoTimeZoneEnabled(android.content.ComponentName))and[set](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setAutoTimeZoneEnabled(android.content.ComponentName,%20boolean))whether auto time zone is enabled on a device. If enabled, the time zone is automatically obtained from the network.
  - [Check](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#getFactoryResetProtectionPolicy(android.content.ComponentName))and[set](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setFactoryResetProtectionPolicy(android.content.ComponentName,%20android.app.admin.FactoryResetProtectionPolicy))the factory reset protection (FRP) policy on a company-owned device.
  - [Check](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#hasLockdownAdminConfiguredNetworks(android.content.ComponentName))and[set](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setConfiguredNetworksLockdownState(android.content.ComponentName,%20boolean))whether a user can change admin-configured network settings on a company-owned device.
  - [Check](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#getUserControlDisabledPackages(android.content.ComponentName))and[set](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setUserControlDisabledPackages(android.content.ComponentName,%20java.util.List%3Cjava.lang.String%3E))the protected packages on a fully managed device. Users can't clear app data or force-stop protected packages.
  - [Set](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setLocationEnabled(android.content.ComponentName,%20boolean))the primary location settings on a device.

## Deprecations

Android 11 includes the following notable API deprecations:

- The`Settings.Secure.LOCATION_MODE`setting is deprecated. Apps shouldn't use this value as the`setting`argument for the[`setSecureSetting()`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setSecureSetting(android.content.ComponentName,%20java.lang.String,%20java.lang.String))method. Device owners should instead call[`setLocationEnabled()`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setLocationEnabled(android.content.ComponentName,%20boolean)).

- [`resetPassword()`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#resetPassword(java.lang.String,%20int))is now fully deprecated. All DPCs should use[secure passcode reset](https://developer.android.com/work/dpc/security#secure-passcode-reset)instead.

- [`setAutoTimeRequired()`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setAutoTimeRequired(android.content.ComponentName,%20boolean))and[`getAutoTimeRequired()`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#getAutoTimeRequired()). Use[`setAutoTime()`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setAutoTime(android.content.ComponentName,%20boolean))and[`getAutoTime()`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#getAutoTime(android.content.ComponentName))instead.

- [`setStorageEncryption`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setStorageEncryption(android.content.ComponentName,%20boolean))and[`getStorageEncryption()`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#getStorageEncryption(android.content.ComponentName)). Use[`getStorageEncryptionStatus()`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#getStorageEncryptionStatus())instead.

- [`setGlobalSetting()`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setGlobalSetting(android.content.ComponentName,%20java.lang.String,%20java.lang.String))and[`setSecureSetting()`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setSecureSetting(android.content.ComponentName,%20java.lang.String,%20java.lang.String))are mostly deprecated---dedicated setter methods and user restrictions are available to replace most settings (see reference for more details).

- [`setOrganizationColor()`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setOrganizationColor(android.content.ComponentName,%20int))is fully deprecated.

## Learn more

To learn about other changes that might affect your app, read the Android 11 behavior changes pages (for[apps targeting Android 11](https://developer.android.com/about/versions/11/behavior-changes-11)and[for all apps](https://developer.android.com/about/versions/11/behavior-changes-all)).