Upgrading a user account on a device involves a migration from a managed Google Play Account to a managed Google Account. This process shifts the user's identity from a device-centric, non-personal account to one that is tied to their corporate Google identity. This link to a corporate identity is the foundation for an improved and more integrated user experience across all Google services.
Overview
The primary goal of this upgrade is to provide customers with enhanced features, such as improved user management through the Google Admin console, stronger security, and access to Google services and AI capabilities like Gemini.
Key benefits of upgrading user accounts:
- Works with all Google services: Unlike managed Google Play Accounts, this new identity works seamlessly with all Google services, including Google Drive, Docs, and Meet. It also supports device backup when enabled by the IT admin.
- Seamless user experience: Through single sign-on (SSO) integration, users are automatically signed in to their corporate environment and all their Google services, such as Gmail.
- Direct identity control: The organization can directly control the identity lifecycle through manual, automated, or sync-based methods.
- Familiar user identifier: For better visibility, the new account uses the same email address that the user already knows and uses.
Account upgrade
To upgrade a device previously enrolled with a managed Google Play Account to a managed Google Account, you can adopt a setup similar to the standard device enrollment flow, but with key differences in token creation and post-setup actions.
1. Create an enrollment token for account upgrade
This step involves creating an enrollment token specifically configured for account migration. The token will force Google authentication to link the device to a managed Google Account.
- Call the EnrollmentTokens.create() method of the Play EMM API.
- Set enrollmentTokenType to USER_DEVICE.
- Within the googleAuthenticationOptions object:
  - Set authenticationRequirement to REQUIRED. This makes a Google account mandatory for enrollment.
  - Set requiredAccountEmail to the email address of the target managed Google Account. This guides the on-device flow to either prompt the user for this specific account or, if it already exists on the device, perform the upgrade silently without further user authentication.
2. Initiate account setup and handle authentication on the device
Once the enrollment token is available (e.g., pushed by your EMM solution or provided using a user interface), you can use the same AccountSetupClient.startAccountSetup() integration from standard device enrollment to add or associate the account.
- If the managed Google Account specified in requiredAccountEmail already exists on the device, the user won't be prompted to authenticate, and the upgrade will proceed silently.
- If the account does not exist, the user will be forced to sign in with the required email. Because authenticationRequirement is set to REQUIRED in the token, the option to skip Google authentication won't be available.
3. Finalize management and remove the old account
After the ADDED_ACCOUNT state is received through your AccountSetupListener and your EMM backend has successfully associated the device with the new managed Google Account, verify that your policies are applied to the new user. For a smooth transition, we recommend using the Devices.update API to apply the target user's device policies before initiating the upgrade. Calling Devices.update requires the User ID of the managed Google Account, which you can retrieve by calling Users.list.
Removing the old account from the device is a required step. The DPC Support Library provides dpcSupport.removeAllAndroidForWorkAccounts() for this purpose.
4. Enable Google services
For knowledge worker devices with a managed Google Account, remember to call Devices.setState() once the device is compliant with your enterprise policies. This is necessary to activate the device and grant the user full access to Google services.
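The token settings from step 1 are what pin the upgrade to one corporate identity, so an EMM backend can audit the request body before calling EnrollmentTokens.create(). The following is an added example, not code from the Play EMM API or its client libraries. The field names and the USER_DEVICE and REQUIRED values follow this page; their exact wire spelling, the MANAGED_DOMAINS allowlist, and both function names are assumptions.

```python
# Added example: pre-flight audit of an account-upgrade enrollment token body.
# Field names and the USER_DEVICE / REQUIRED values are spelled as on this page;
# confirm the wire spelling of the enum values against the API reference.
# MANAGED_DOMAINS is a hypothetical allowlist of the enterprise's own domains.
MANAGED_DOMAINS = {"example.com"}


def build_upgrade_token(email):
    """Return the token body described in step 1 for one target account."""
    return {
        "enrollmentTokenType": "USER_DEVICE",
        "googleAuthenticationOptions": {
            "authenticationRequirement": "REQUIRED",
            "requiredAccountEmail": email,
        },
    }


def audit_upgrade_token(body, managed_domains=MANAGED_DOMAINS):
    """Return a list of findings; an empty list means the account is pinned."""
    findings = []
    if body.get("enrollmentTokenType") != "USER_DEVICE":
        findings.append("enrollmentTokenType is not USER_DEVICE")
    auth = body.get("googleAuthenticationOptions") or {}
    if auth.get("authenticationRequirement") != "REQUIRED":
        findings.append("authenticationRequirement is not REQUIRED: "
                        "the skip option may be offered on the device")
    email = (auth.get("requiredAccountEmail") or "").strip()
    local, sep, domain = email.rpartition("@")
    if not (sep and local and domain):
        findings.append("requiredAccountEmail is missing or malformed: "
                        "the upgrade is not tied to a specific account")
    elif domain.lower() not in managed_domains:
        findings.append("requiredAccountEmail domain %r is not a managed domain"
                        % domain)
    return findings


if __name__ == "__main__":
    # Constructed sample inputs: one complete body, one with no auth options.
    print(audit_upgrade_token(build_upgrade_token("alice@example.com")))
    print(audit_upgrade_token({"enrollmentTokenType": "USER_DEVICE"}))
```

Refuse to create the token when the returned list is non-empty, and log the findings alongside the device identifier for later review.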
Special use case
The account upgrade process is also beneficial in the following special use case:
Kitting and third-party enrollment services
The account upgrade flow simplifies kitting and third-party enrollment services through the following process:
- Initial process: A device is enrolled as a userless device. This automatically adds a managed Google Play Account and applies a set of default policies.
- Policy update: The EMM applies a new policy to the device. This policy requires a user login before the device can be used. The device is then delivered to the end user.
- User upgrade: When the end user powers on the device, they are prompted to sign in. This action triggers the account upgrade flow, where their managed Google Account replaces the managed Google Play Account.
- Final cleanup: The EMM removes the old managed Google Play Account from the device.