Endpoint manager – First look at Test DPC afw#testdpc for Android Enterprise

The Test DPC (Device Policy control) app is a tool from google that works without any integration with a MDM/EMM system that lets us demo and configure settings and policies on a device locally. Meaning that you don’t need access or have your Intune or Endpoint Manager environment up and running yet. This comes in handy if you as an MEM administrator need to do troubleshooting or just trying to figure out if there’s a policy for a specific setting or change as part of the policy set of Android Enterprise and that is not OEM specific. Any OEM specific policy or setting are configured with the OEMConfig.

The 2 most common ways of installing Test DPC app is either by Installing It from the Google Play Store on a phone that is already in use but not managed already or doing it during the initial setup of a device once its been factory reset. I’ll cover both of those scenarios next.

Install Test DPC from the Google Play Store

  • Open up the google play store. Search for TEST DPC and install the app.
  • Open the app and continue with the setup
  • During the setup the work profile will be created
  • Once done with the setup you now have a personal and work profile on your device

Enrolling device using afw#testdpc

Factory reset your device or unbox your device and turn it on for the first time. We need go through the intial setup of the device where we select Language, wifi etc to be able to continue.

For this step I’m using a Samsung Xcover 5 running Android 11. The out-of-box experience usually differs somewhat from device to device but its often just end user agreements and things that the OEM puts in their for their services. All the google services are often the same.

  • Start with selecting your preferred language and connect to a wifi
  • Once you reach the sign in screen to sign in to a google account, type in the following in the email or phone field:

    afw#testdpc

  • Agree to any agreements and Install the Test DPC App.
  • Once you reach the “Set up management” you get a choice betweem “Set up managed profile” or “Set up device owner”
    The difference between these two is that the first one will create a Work Profile and the second one will created a managed device (Dedicated or Fully managed)
  • Continue with the setup and select if you want google service to be active or not and if there’s any system apps (default apps on the device) that you want to enable or disable.

Using TEST DPC app on different handsets

Open the Test DPC app from the work profile (Test DPC with the briefcase icon). Once the app is open you can see most the settings that is available for this specific device (excluding OEMconfig) and its corresponding API level support for different settings.

Security Patch refers to the current installed patch level on the device. As for this specific device, its a Huawei P Smart from 2017 and it has not received any Android security patches from Huawei since March of 2018.

This device is running Android Oreo (8.0) and is on API Level 26 which results in that there are several policies that is not available for this device. You can see the greyed out policies and which API level that is required to be able to use that specific policy.

Compare that to my Samsung Xcover 5 that at the time of writing this runs Android 11 which is API level 30

The API levels and different Android version are important things to keep in mind when you want to configure different policies and make sure that all devices actually support the policy you want to enforce or change. Being able to establish the lowest Android version that support the feature you like and making sure that your devices are actually running on that version or higher.

Android versionAPI Level
Android 1231
Android 1130
Android 10 29
Android 9 (Pie)28
Android 8.1 (Oreo)27
Android 8 (Oreo)26

For more info

API levels from Google https://source.android.com/setup/start/build-numbers

Specific policies and requirements https://developers.google.com/android/work/requirements

Lets look at one specific configuration on the P smart device. I want to test and see If I can enable a system app on this device to work with my work profile. In the Test DPC app I go down to the “Enable system apps” section

I select the app I want to enable, in this case its the Calendar app that came with the phone.

Once enabled I can now see it on my home screen with the work profile briefcase on it and that’s exactly what I would expect this policy to do. If I go back and select the “Hide Apps” policy set I can now select and Hide the Calendar app if I want to.

Final thought and take away

As an administrator the Test DPC is a great tool when working with Android devices in general and when we want to manage them with Intune.

  • Everything configures locally on the device
  • No need for a MDM / EMM system to use it
  • Great for troubleshooting scenarios (why does this configuration not work as expected on this specific device)
  • Good way to test a policy before it gets configured and assigned from Endpoint Manager.
  • Works best with physical access to the a device (most issues I see when working with organizations is that they think that all android devices and versions are the same)
  • Helps administrators to understand the importance of Android version and API level requirements when configurating a policy.

Let me know if you have played around with Test DPC and what you think about it, have you had any good or bad experiences with it ?

Don’t forget to follow me on twitter @timmyitdotcom

Leave a Reply