How to enroll a device with personal OWNED device

What params are needed to have a PERSONALLY_OWNED device so the user doesn't see a dummy account in his Play Store with the organisation on it? I have searched everything but nothing is working so far.

I have 2 main concerns here: 1.) I want to hide that account in the Play Store. 2.) I want to revoke organisation control over the device whenever I want without resetting the device.

Here is my policy:

{
    "factoryResetDisabled": false,
    "installAppsDisabled": false,
    "modifyAccountsDisabled": false,
    "uninstallAppsDisabled": false,
    "statusBarDisabled": false,
    "keyguardDisabled": false,
    "adjustVolumeDisabled": false,
    
    "applications": [
        {
            "packageName": "com.xxxxx.xxxxxx",
            "installType": "FORCE_INSTALLED",
            "defaultPermissionPolicy": "GRANT"
        }
    ],
    "mountPhysicalMediaDisabled": false,
    "blockApplicationsEnabled": false,
    "installUnknownSourcesAllowed": true,
    "defaultPermissionPolicy": "PROMPT",
    "playStoreMode": "BLACKLIST",
    "autoDateAndTimeZone": "AUTO_DATE_AND_TIME_ZONE_USER_CHOICE",
    "cameraAccess": "CAMERA_ACCESS_USER_CHOICE",
    "microphoneAccess": "MICROPHONE_ACCESS_USER_CHOICE",
    "statusReportingSettings": {
        "applicationReportsEnabled": true,
        "deviceSettingsEnabled": true,
        "softwareInfoEnabled": true,
        "memoryInfoEnabled": true,
        "networkInfoEnabled": true,
        "displayInfoEnabled": true,
        "powerManagementEventsEnabled": true,
        "hardwareStatusEnabled": true,
        "systemPropertiesEnabled": true,
        "applicationReportingSettings": {
            "includeRemovedApps": true
        },
        "commonCriteriaModeEnabled": true
    },
    "bluetoothContactSharingDisabled": false,
    "bluetoothConfigDisabled": false,
    "cellBroadcastsConfigDisabled": false,
    "credentialsConfigDisabled": false,
    "mobileNetworksConfigDisabled": false,
    "tetheringConfigDisabled": false,
    "vpnConfigDisabled": false,
    "wifiConfigDisabled": false,
    "createWindowsDisabled": false,
    "networkResetDisabled": false,
    "outgoingBeamDisabled": false,
    "removeUserDisabled": false,
    "shareLocationDisabled": false,
    "smsDisabled": false,
    "unmuteMicrophoneDisabled": false,
    "usbFileTransferDisabled": false,
    "setUserIconDisabled": false,
    "outgoingCallsDisabled": false,
    "setWallpaperDisabled": false,
    "networkEscapeHatchEnabled": true,
    "bluetoothDisabled": false,
    "debuggingFeaturesAllowed": true,
    "funDisabled": false,
    "usbMassStorageEnabled": true,
    "dataRoamingDisabled": false,
    "appAutoUpdatePolicy": "CHOICE_TO_THE_USER",
    "privateKeySelectionEnabled": false,
    "advancedSecurityOverrides": {
        "untrustedAppsPolicy": "ALLOW_INSTALL_DEVICE_WIDE",
        "googlePlayProtectVerifyApps": "VERIFY_APPS_USER_CHOICE",
        "developerSettings": "DEVELOPER_SETTINGS_ALLOWED",
        "commonCriteriaMode": "COMMON_CRITERIA_MODE_ENABLED"
    },
    "crossProfilePolicies": {
        "showWorkContactsInPersonalProfile": "SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_ALLOWED",
        "crossProfileCopyPaste": "CROSS_PROFILE_COPY_PASTE_ALLOWED",
        "crossProfileDataSharing": "CROSS_PROFILE_DATA_SHARING_ALLOWED",
        "workProfileWidgetsDefault": "WORK_PROFILE_WIDGETS_DEFAULT_ALLOWED"
    },
    "addUserDisabled": false,
    "personalUsagePolicies": {
        "personalApplications": [
            {
                "packageName": "*",
                "installType": "AVAILABLE"
            }
        ],
        "accountTypesWithManagementDisabled": [
            "google"
        ],
        "personalPlayStoreMode": "BLOCKLIST"
    },
    "safeBootDisabled": true,
    "screenCaptureDisabled": false,
    "cameraDisabled": false,
    "systemUpdate": {
        "type": "WINDOWED",
        "startMinutes": 120,
        "endMinutes": 240
    }
}

Or is it that I'm missing something when I'm creating the QR code? Please, anyone, help me out with this.

After using that policy, the user is unable to see an extra account in his Play Store and wants to revoke the organisation control over the device.

There are 1 best solutions below

Regarding your concern about hiding the Work Profile Account in the Play Store, unfortunately, this feature is not supported by the Android Management API. You can refer to the following link on Stack Overflow for more information: how to hide work profile id from playstore in EMM

Regarding your concern about revoking organization control over the device without resetting it, there is a solution if the device is owned by the employee. You can set up the device with a Work Profile which provides a self-contained space for work apps and data, separate from personal apps and data. Most app, data, and other management policies apply to the work profile only, while the employee's personal apps and data remain private. This way, the device-owner (employee) or the work profile owner (organization) can revoke admin control without performing a factory reset by just removing the work profile. This will dissociate the device from the organization's management. However, please note that removing the work profile will also remove any work-related apps and data associated with it.

To set up a work profile on a personally-owned device, create an enrollment token using the enterprises.enrollmentTokens.create API. Make sure to set the allowPersonalUsage parameter to PERSONAL_USAGE_ALLOWED in the request payload. Upon a successful request, you will receive an enrollmentToken object containing an enrollmentTokenId and a QR code. IT admins or end users can utilize this QR code or the enrollment token for device provisioning.

Once you have the enrollment token, you can choose one of the following provisioning methods available to personally-owned devices:

  • Add work profile from "Settings"
    1. Go to Settings > Google > Set up & restore.
    2. Tap Set up your work profile.
    3. User will be prompted to scan a QR code or manually enter an enrollment token to complete the work profile setup
  • Download Android Device Policy
    1. From the Play Store, download Android Device Policy
    2. Open the app.
    3. When prompted, scan the QR code or manually enter an enrollment token to complete the work profile setup.
  • Enrollment token link
    1. Using the enrollment token returned from enrollmentTokens.create or the enterprise's signinEnrollmentToken (see Sign-in URL below), generate a URL with the following format: https://enterprise.google.com/android/enroll?et=<enrollmentToken>
    2. When an end user opens the link from their device, they will be guided through the work profile setup.
  • Sign-in URL
    1. Specify your sign-in URL in enterprises.signInDetails[].
    2. Set allowPersonalUsage to PERSONAL_USAGE_ALLOWED.
    3. Add the resulting signinEnrollmentToken as provisioning extra to a QR code.
    4. Choose an option:
      • Ask users to add a work profile from “Settings”. When prompted, the user scans a QR code containing the signinEnrollmentToken or enters the token manually. The device will open the sign-in URL specified in Step 1.
      • Provide users with an enrollment token link, where the enrollment token is the signinEnrollmentToken. The device will open the sign-in URL specified in Step 1.
    5. Your sign-in URL should prompt users to enter their credentials. Based on their identity, you can determine the appropriate policy.
    6. Call enrollmentTokens.create, specifying the appropriate policyId based on the user's credentials.
    7. Return the enrollment token generated in Step 4 via URL redirect, in the form https://enterprise.google.com/android/enroll?et=<token>.
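
The token request and enrollment link described in the answer, as an added example (not code from the answer or from Google). It assumes a `service` object built with google-api-python-client for the Android Management API; the enterprise name, policy id and `StubService` are constructed placeholders so the block runs offline. Because the token is all a device needs to enroll, the sketch requests a short-lived, single-use one.

```python
from urllib.parse import urlencode

ENROLL_URL = "https://enterprise.google.com/android/enroll"  # format quoted in the answer


def token_body(enterprise_name, policy_id, ttl_seconds=3600):
    """Request body for enterprises.enrollmentTokens.create (work profile)."""
    return {
        "policyName": f"{enterprise_name}/policies/{policy_id}",
        "allowPersonalUsage": "PERSONAL_USAGE_ALLOWED",
        "duration": f"{ttl_seconds}s",  # keep the token short-lived
        "oneTimeOnly": True,            # one device per token
    }


def create_token(service, enterprise_name, policy_id):
    """Create the token; reject a response that is not a personal-usage token."""
    token = (service.enterprises().enrollmentTokens()
             .create(parent=enterprise_name,
                     body=token_body(enterprise_name, policy_id))
             .execute())
    if token.get("allowPersonalUsage") != "PERSONAL_USAGE_ALLOWED":
        raise ValueError("token would not provision a work profile on a personal device")
    return token


def enrollment_link(token):
    """Link the user opens on the device; 'value' holds the token string."""
    return f"{ENROLL_URL}?{urlencode({'et': token['value']})}"


class StubService:
    """Constructed stand-in for the API client; echoes the request body back."""
    def enterprises(self): return self
    def enrollmentTokens(self): return self
    def create(self, parent, body):
        self._resp = dict(body, name=f"{parent}/enrollmentTokens/EXAMPLE",
                          value="EXAMPLETOKEN+1", qrCode="{}")
        return self
    def execute(self): return self._resp


if __name__ == "__main__":
    tok = create_token(StubService(), "enterprises/LC0000example", "byod")
    print(enrollment_link(tok))
```
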