What's new for enterprise in Android 12
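This page provides an overview of the new enterprise APIs, features, and behavior changes introduced in Android 12 (API level 31).
Work profile
The following new features are available in Android 12 for work profiles.
Security and privacy enhancements for work profile
The following features are available in Android 12 for personal devices with a work profile: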
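- The password complexity feature sets device-wide password requirements in the form of predefined complexity buckets (High, Medium, Low, and None). If required, strict password requirements can instead be placed on the work profile security challenge.
- Work profile security challenge onboarding has been streamlined. Setup now takes into account whether the device passcode meets admin requirements, and makes it easy for the user to choose whether to increase the strength of their device passcode or to use the work profile security challenge.
- An enrollment-specific ID provides a unique ID that identifies the work profile enrollment in a particular organization, and remains stable across factory resets. Access to other hardware identifiers of the device (IMEI, MEID, serial number) is removed for personal devices with a work profile in Android 12.
- Company-owned devices, with and without work profiles, can adopt the features listed in the preceding list items, but are not required to adopt them in Android 12.
- You can set and retrieve work profile network logging. You can delegate network logging on the work profile to another work application. You can't use network logging to monitor traffic in the personal profile.
- Users have additional privacy controls for work profile apps. Users can grant the following permissions to work profile apps unless denied by their IT administrator. For each app in the work profile, the user can allow or deny the following permissions:
  - Location
  - Camera
  - Microphone
  - Body sensor
  - Physical activity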
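Company-owned devices
The following new features are available for company-owned devices. The term "company-owned device" refers to both fully managed devices and work profile devices that are company-owned.
- An IT administrator can disable USB, except for charging functions, on company-owned devices (setUsbDataSignalingEnabled()). This feature includes the capability to check if this feature is supported on the device (canUsbDataSignalingBeDisabled()) and to check if it is currently enabled (isUsbDataSignalingEnabled()).
- Company-owned devices with a work profile can limit the input methods used in the personal profile (setPermittedInputMethods()) to allow only system input methods.
- In Android 12 you can create a delegation scope. Enable and collect security log events by calling setDelegatedScopes() and passing DELEGATION_SECURITY_LOGGING. Security logging helps organizations gather usage data from devices that can be parsed and programmatically evaluated for malicious or risky behavior. Delegate apps can enable security logging, verify that logging is enabled, and retrieve the security logs.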
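Other
The following section describes changes in enterprise APIs that are not specific to work profiles or company-owned devices.
Unmanaged device certificate management
Devices without management are now able to take advantage of Android's on-device key generation to manage certificates:
- The user can grant permission to a certificate management app to manage their credentials (not including CA certificates).
- The certificate management app can use Android's on-device key generation.
- The certificate management app can declare a list of apps and URIs where the credentials can be used for authentication.
New APIs provide new functionality:
- Check if the existing device-wide password is compliant against explicit device password requirements (isActivePasswordSufficientForDeviceRequirement()).
- Check whether a certificate and private key are installed under a given alias (hasKeyPair()).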
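Privacy and transparency enhancements for fully-managed devices
IT administrators can manage permission grants or choose to opt out of managing sensor-related permission grants during provisioning. If the administrator chooses to manage permissions, users see an explicit message during the setup wizard. If the administrator chooses to opt out, users are prompted to accept or deny permissions in-app when the app is first used. Administrators can always deny permissions.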
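Network configuration
A device policy controller (DPC) can get the list of a device's configured networks without requiring the location permission by using a new API, getCallerConfiguredNetworks, rather than using the existing API getConfiguredNetworks (which requires location permission). The list of networks returned is limited to work networks.
A DPC on fully-managed devices can ensure only admin-provided networks are configured on the device, also without requiring the location permission.
Administrators can use the keys generated in secure hardware for Wi-Fi authentication by granting a KeyChain key to the Wi-Fi subsystem for authentication and configuring an enterprise Wi-Fi network with that key.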
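The grant-then-configure sequence described above, as an added example that is not code from the original page. The class name WifiKeyBinding, the method eapTlsConfigFor and its parameters are hypothetical; it assumes the caller is a DPC on Android 12 (API level 31) or higher and that the key pair and its certificate were already installed under keyAlias.

```java
import android.app.admin.DevicePolicyManager;
import android.net.wifi.WifiEnterpriseConfig;
import java.security.cert.X509Certificate;

/** Hypothetical DPC helper (not part of the Android SDK). Requires API level 31+. */
public final class WifiKeyBinding {

    private WifiKeyBinding() {}

    /**
     * Grants an existing KeyChain key pair to the Wi-Fi subsystem and returns an
     * EAP-TLS enterprise config that authenticates with it.
     *
     * Assumptions: keyAlias already holds a key pair with its client certificate,
     * caCert is the CA that signs the RADIUS server certificate, and serverDomain
     * is the domain suffix expected in that server certificate.
     */
    public static WifiEnterpriseConfig eapTlsConfigFor(
            DevicePolicyManager dpm,
            String keyAlias,
            String identity,
            X509Certificate caCert,
            String serverDomain) {

        // Fail early if nothing is installed under the alias.
        if (!dpm.hasKeyPair(keyAlias)) {
            throw new IllegalStateException("No key pair installed under alias " + keyAlias);
        }

        // Grant the key to the Wi-Fi subsystem only if it is not granted already.
        if (!dpm.isKeyPairGrantedToWifiAuth(keyAlias)
                && !dpm.grantKeyPairToWifiAuth(keyAlias)) {
            throw new IllegalStateException("Could not grant " + keyAlias + " to Wi-Fi auth");
        }

        WifiEnterpriseConfig config = new WifiEnterpriseConfig();
        config.setEapMethod(WifiEnterpriseConfig.Eap.TLS);
        config.setIdentity(identity);

        // Reference the KeyChain key by alias; the private key is never exported.
        config.setClientKeyPairAlias(keyAlias);

        // Pin server validation so the device only authenticates to the expected network.
        config.setCaCertificate(caCert);
        config.setDomainSuffixMatch(serverDomain);
        return config;
    }
}
```

The returned config still has to be attached to the network definition the DPC provisions; that step is outside this sketch.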
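Connected apps auto-granting
To allow a better user experience, a few preloaded applications have auto-granted the configuration to share personal and work data.
On Android 11+:
- Depending on the device OEM, preloaded assist apps or preloaded default IMEs.
- Google app, if it's preloaded.
- Gboard app, if it's preloaded and the out-of-box default IME app.
On Android 12+:
- Android Auto app, if it's preloaded.
The full list of applications depends on the device OEM.
Note: IT admins cannot revoke these auto-granted configurations.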
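Deprecations
Android 12 includes the following notable API deprecations:
- setPasswordQuality() and getPasswordQuality() are deprecated for setting device-wide passcode on work profile devices that are personal devices rather than company-owned. DPCs should use setRequiredPasswordComplexity() instead.
- setOrganizationColor() and getOrganizationColor() are fully deprecated in Android 12.
- android.app.action.PROVISION_MANAGED_DEVICE no longer works on Android 12. DPCs must implement activities with intent filters for the ACTION_GET_PROVISIONING_MODE and ACTION_ADMIN_POLICY_COMPLIANCE intent actions. Using ACTION_PROVISION_MANAGED_DEVICE to start provisioning causes the provisioning to fail. To continue to support Android 11 and lower, EMMs should continue to support the PROVISION_MANAGED_DEVICE constant.
- setPermissionPolicy() and setPermissionGrantState() are deprecated for granting sensor-related permissions for all work profile devices targeting Android 12 and higher. The deprecations cause the following changes:
  - On devices upgrading from Android 11 to Android 12, existing permission grants remain, but new permission grants are not possible.
  - Ability to deny permissions remains.
  - If you develop and distribute applications relying on admin-granted permissions, you must ensure these follow the recommended way of requesting permissions.
  - Applications that follow the recommended way of requesting permissions continue to work as expected. Users are prompted to grant the permission; the app must be able to handle any outcome.
  - Applications that rely on admin-granted permissions and explicitly access permission-protected resources, without following the guidelines, may crash.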
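One way a work profile DPC could handle the setPasswordQuality() deprecation while still supporting Android 11 and lower, as an added example that is not code from the original page. The class DevicePasswordPolicy and its method are hypothetical, the complexity bucket and the legacy quality/length values are illustrative choices, and it assumes the caller is the profile owner of a work profile on a personal device.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;

/** Hypothetical helper for a profile-owner DPC (not part of the Android SDK). */
public final class DevicePasswordPolicy {

    private DevicePasswordPolicy() {}

    /**
     * Sets a device-wide screen-lock requirement from the work profile DPC.
     *
     * @return true if the current device password already meets the requirement,
     *         false if the DPC should ask the user to set a stronger one.
     */
    public static boolean requireStrongDevicePassword(Context context, ComponentName admin) {
        DevicePolicyManager dpm = context.getSystemService(DevicePolicyManager.class);

        // The parent instance applies policy to the whole device (the personal
        // side) instead of to the work profile security challenge.
        DevicePolicyManager parent = dpm.getParentProfileInstance(admin);

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            // Android 12+: choose a predefined complexity bucket (illustrative: High).
            parent.setRequiredPasswordComplexity(DevicePolicyManager.PASSWORD_COMPLEXITY_HIGH);

            // New in Android 12: checks the device password against the explicit
            // device-wide requirement. Called on the profile instance, not the parent.
            return dpm.isActivePasswordSufficientForDeviceRequirement();
        }

        // Android 11 and lower: the complexity API is unavailable on the parent
        // instance, so keep the legacy quality-based policy (illustrative values).
        parent.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC);
        parent.setPasswordMinimumLength(admin, 6);
        return parent.isActivePasswordSufficient();
    }
}
```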
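Learn more
To learn about other changes that might affect your app, read the Android 12 behavior changes pages (for apps targeting Android 12 and for all apps).
Content and code samples on this page are subject to the licenses described in the Content License. Java and OpenJDK are trademarks or registered trademarks of Oracle and/or its affiliates.
Last updated 2025-08-21 UTC.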