适用于现有 EMM 的指南
使用集合让一切井井有条
根据您的偏好保存内容并对其进行分类。
已在使用 Google Play EMM API 的 EMM 可以使用 Android Management API 来支持以下解决方案集:
Android Management API 是一个自包含 API,让您无需创建自己的设备政策控制器 (DPC)。而是使用 Android Device Policy 来强制执行通过 API 发送的应用和设备管理政策。
身份验证方法概览
您可以选择以下任一身份验证方法来调用 Android Management API 和 Google Play EMM API:
对于新客户和现有客户,您可以随时更改身份验证方法,并且这两种方法可以同时使用。
使用此身份验证方法时,您可以使用使用 Cloud IAM 在 Cloud 项目中注册的唯一服务账号调用 API。
优点
- 您可以使用这两个 API 中的任一 API 创建企业绑定。
- 您可以监控和调整 API 配额(适用于这两个 API)。
限制
设置
如需使用此身份验证方法,您需要设置 Cloud 项目和服务账号:
设置 Cloud 项目:
选择或创建一个项目。
前往“项目”页面
登录 Android Enterprise EMM 提供商社区。您必须是已注册的 EMM,才能访问此网站。
打开 EMM 商品修改表单。
输入所需信息,包括关联的 DPC 身份和 Cloud 项目 ID。
提交表单,然后等待 Google 确认您的项目已注册完毕。
按照创建服务账号的说明操作。您可以随时更改服务账号,前提是该服务账号在通过 Android Enterprise EMM 提供商社区配置的 Cloud 项目中具有 Android Management User 角色。
创建企业绑定
如需在使用使用 Cloud IAM 配置的服务账号时创建企业绑定,您可以使用 Android Management API 或 Google Play EMM API:
请注意,使用 Android Management API 创建的企业绑定绝不能使用程序化创建的 ESA 进行管理,而应始终使用使用 Cloud IAM 配置的服务账号进行管理。使用 Google Play EMM API 创建的企业绑定可以使用任何身份验证方法进行管理。
使用程序化创建的 ESA
限制
设置
如需使用此身份验证方法,您需要设置 Cloud 项目:
选择或创建一个项目。
前往“项目”页面
登录 Android Enterprise EMM 提供商社区。您必须是已注册的 EMM,才能访问此网站。
打开 EMM 商品修改表单。
输入所需信息,包括关联的 DPC 身份和 Cloud 项目 ID。
提交表单,然后等待 Google 确认您的项目已注册。
使用此 Cloud 项目设置 Pub/Sub 通知。
创建企业绑定
如需在使用以编程方式创建的 ESA 时创建企业绑定,您需要使用 Google Play EMM API。
请注意,使用 Android Management API 创建的企业绑定绝不能通过以编程方式创建的 ESA 进行管理。
从以编程方式创建的 ESA 迁移到 Cloud IAM
如需从使用程序化创建的 ESA 迁移到使用使用 Cloud IAM 配置的服务账号,请按以下顺序操作:
按照相关说明创建和设置服务账号。您也可以重复使用现有的 MSA,而不是创建新的服务账号。如果这样做,请确保您已在社区中注册了 Cloud 项目,并向 MSA 授予了 Android Management User 角色。
使用此新服务账号调用 Play EMM API,而不是程序化创建的 ESA。
停止以编程方式为新绑定创建 ESA。这意味着,您不应再调用 Google Play EMM API 的 enterprises.getServiceAccount
和 enterprises.setAccount
方法。
如未另行说明,那么本页面中的内容已根据知识共享署名 4.0 许可获得了许可,并且代码示例已根据 Apache 2.0 许可获得了许可。有关详情,请参阅 Google 开发者网站政策。Java 是 Oracle 和/或其关联公司的注册商标。
最后更新时间 (UTC):2025-07-26。
[null,null,["最后更新时间 (UTC):2025-07-26。"],[[["\u003cp\u003eEMMs can utilize the Android Management API to manage work profiles and fully managed devices without needing a custom DPC.\u003c/p\u003e\n"],["\u003cp\u003eThe API supports authentication via service account (recommended) or programmatically created ESAs, offering flexibility for integration.\u003c/p\u003e\n"],["\u003cp\u003eService account authentication provides advantages like enterprise binding creation and API quota management, but has limitations for on-premise deployments and Play EMM API notifications.\u003c/p\u003e\n"],["\u003cp\u003eProgrammatically created ESAs have limitations regarding API quota management and are incompatible with enterprise binding creation using the Android Management API.\u003c/p\u003e\n"],["\u003cp\u003eMigration from ESAs to service accounts involves setting up a service account, using it for Play EMM API calls, and discontinuing ESA creation for new bindings.\u003c/p\u003e\n"]]],["EMMs using the Google Play EMM API can leverage the Android Management API for work profiles on various devices. Authentication methods include using a service account with Cloud IAM (recommended) or programmatically created ESAs. Service accounts offer advantages like enterprise binding creation with either API and quota monitoring, while ESAs don't offer quota monitoring. Migration from ESAs to Cloud IAM involves setting up a service account and utilizing it with the Play EMM API.\n"],null,["# Guide for existing EMMs\n\nEMMs already using the Google Play EMM API can use the Android\nManagement API to support the following solution sets:\n\n- [Work profile on personally-owned device](/android/work/requirements/work-profile)\n- [Work profile on company-owned device](/android/work/requirements/work-profile-corporate)\n- [Fully managed device](/android/work/requirements/fully-managed-device)\n- [Dedicated device](/android/work/requirements/dedicated-device)\n\nThe Android Management API is a self-contained API that eliminates the need for\nyou to create your own Device Policy Controller (DPC). Instead, managed devices\nuse Android Device Policy to enforce app and device management policies\nsent through the API.\n\nOverview of authentication methods\n----------------------------------\n\nYou can choose one of the following authentication methods for calling the\nAndroid Management API and the Google Play EMM API:\n\n- Service account configured using Cloud IAM (recommended), the same way as\n new partners.\n\n- Programmatically created ESAs, the old approach.\n\nYou can change authentication methods at any time, for both new and existing\ncustomers, and the two methods can be used simultaneously.\n\nUse a service account configured using Cloud IAM (recommended)\n--------------------------------------------------------------\n\nWith this authentication method, you call the APIs with a unique service account\nregistered with your Cloud project using Cloud IAM.\n\n### Advantages\n\n- You can create enterprise bindings using either of the two APIs.\n- You can monitor and adjust API quotas (for both APIs).\n\n### Limitations\n\n- This method is incompatible with on-premise deployments because the service account is unique for the EMM.\n- The [Play EMM API notifications](https://developers.google.com/android/work/play/emm-api/about-notifications) are unavailable with this method (notifications are used by very few EMM partners).\n\n### Setup\n\nTo use this authentication method you need to set up your Cloud project and\nservice account:\n\n1. Set up your Cloud project:\n\n 1. Select or create a project.\n\n [Go to the Projects Page](https://console.cloud.google.com/project)\n 2. Sign into the [Android Enterprise EMM Provider community](https://emm.androidenterprise.dev/s/). You must\n be a registered EMM to have access to this site.\n\n 3. Open the [EMM product modification form](https://emm.androidenterprise.dev/s/emm-product-modification-google-play).\n\n 4. Enter the required information, including your associated DPC identity\n and Cloud Project ID.\n\n 5. Submit the form and wait for confirmation from Google that your project\n has been registered.\n\n2. Follow the instructions for [creating a service account](https://developers.google.com/android/management/service-account). You can change\n your service account at any time as long as it has the role\n **Android Management User** on the Cloud project configured through the\n Android Enterprise EMM Provider community.\n\n### Create an enterprise binding\n\nTo create an enterprise binding when using a service account configured using\nCloud IAM, you can use either the Android Management API or the Google Play EMM\nAPI:\n\n- If using the Android Management API, call `enterprises.create` and specify\n the Cloud project configured earlier.\n\n- If using the Google Play EMM API, **use your MSA** (which may be the same\n service account as the one configured above) to call\n `enterprises.generateSignupUrl` and `enterprises.completeSignup`.\n\nNote that enterprise bindings created using the Android Management API can never\nbe managed using a programmatically created ESA, and should always be managed\nusing a service account configured using Cloud IAM. Enterprise bindings created\nusing the Google Play EMM API can be managed using any authentication methods.\n\nUse programmatically created ESAs\n---------------------------------\n\n### Limitations\n\n- You cannot monitor and adjust API quotas.\n\n### Setup\n\nTo use this authentication method you need to set up your Cloud project:\n\n1. Select or create a project.\n\n [Go to the Projects Page](https://console.cloud.google.com/project)\n2. Sign into the [Android Enterprise EMM Provider community](https://emm.androidenterprise.dev/s/). You must be a\n registered EMM to have access to this site.\n\n3. Open the\n [EMM product modification form](https://emm.androidenterprise.dev/s/emm-product-modification-google-play).\n\n4. Enter the required information, including your associated DPC identity and\n Cloud Project ID.\n\n5. Submit the form and wait for confirmation from Google that your project has\n been registered.\n\nUse this Cloud project to [set up Pub/Sub notifications](https://developers.google.com/android/management/notifications#2_create_a_topic).\n\n### Create an enterprise binding\n\nTo create an enterprise binding when using programmatically created ESAs, you\nneed to use the Google Play EMM API.\n\nNote that enterprise bindings created using the Android Management API can never\nbe managed with a programmatically created ESA.\n\nMigrate from programmatically created ESAs to Cloud IAM\n-------------------------------------------------------\n\nTo migrate from using programmatically created ESAs to using a service account\nconfigured using Cloud IAM, proceed in the following order:\n\n1. Follow the instructions to\n [create and set up your service account](#cloud-iam-setup). You can\n alternatively reuse your existing MSA instead of creating a new service\n account, if doing so ensure that you have registered your Cloud project in\n the community and granted the role **Android Management User** to your MSA.\n\n2. Use this new service account to call the Play EMM API instead of the\n programmatically created ESAs.\n\n3. Stop programmatically creating ESAs for new bindings. This means you should\n no longer call the methods `enterprises.getServiceAccount` and\n `enterprises.setAccount` of the Google Play EMM API."]]