
Android Security Settings for Company-Owned Devices


Android is the most widely used mobile operating system in business environments, but default settings do not always meet the security requirements of a managed corporate device. Whether your organisation deploys Android Enterprise, Microsoft Intune, or manages handsets under a lighter-touch policy, the settings below should be reviewed and enforced on every company-owned phone.

The steps in this guide apply to Android 12 and above. Where the path differs between stock Android (Google Pixel) and Samsung One UI, both are noted.

1. Set a Strong Screen Lock

A screen lock is the first barrier between an attacker and company data. A six-digit PIN is the minimum acceptable standard; a password or passphrase is preferable for staff with access to sensitive systems.

  1. Go to Settings > Security > Screen Lock
  2. Choose PIN, Password, or Pattern — avoid Pattern, as it is the weakest option
  3. If biometrics are available (fingerprint or face unlock), enable them as a convenience layer on top of the PIN or password, not as a standalone lock

Samsung One UI: Settings > Lock Screen > Screen Lock Type

Also set the lock timeout to 30 seconds or less under Settings > Display > Screen Timeout to minimise the window a device is exposed if left unattended.

2. Verify Device Encryption

All Android devices running Android 6.0 and above encrypt storage by default, provided a screen lock is active. You cannot enable encryption manually on modern devices, but you can confirm it is in place.

  1. Go to Settings > Security
  2. Look for Encryption & Credentials or Encryption Status
  3. The status should read Encrypted

Samsung One UI: Settings > Biometrics and Security > Encrypt or Decrypt Device

If a device shows as unencrypted, remove it from service immediately. This should not occur on a modern handset with a screen lock set, but it is worth checking on older or refurbished stock.

3. Enable Google Play Protect

Google Play Protect scans installed apps continuously for malware and harmful behaviour. It is enabled by default, but it is worth confirming it has not been switched off.

  1. Go to Settings > Security > Google Play Protect
  2. Ensure Scan apps with Play Protect is toggled on
  3. Tap Scan to run an immediate check

Play Protect is part of Google Play Services and works identically across manufacturers, including Samsung. Any threats flagged should be removed before the device returns to active use.

4. Review and Restrict App Permissions

Apps frequently request permissions they do not need to function. On a company device, unnecessary access to the microphone, camera, contacts, or location should be revoked.

  1. Go to Settings > Privacy > Permission Manager
  2. Work through each permission type — Camera, Microphone, Location, Contacts, and Storage are the most business-critical
  3. For each category, review which apps have access and remove it where it is not required for the app to function

Samsung One UI: Settings > Privacy > Permission Manager (same path on recent One UI releases).

Pay particular attention to apps holding Allow all the time location access. This level of permission should be limited to navigation, field service, or logistics apps only.

5. Enable Find My Device

Find My Device allows IT to locate, lock, or remotely wipe a lost or stolen handset. It must be enabled before the device goes missing — it cannot be activated retroactively.

  1. Go to Settings > Security > Find My Device or Settings > Google > Find My Device
  2. Toggle Use Find My Device on
  3. Confirm the device appears at google.com/android/find when signed in to the associated Google account

Samsung One UI: Samsung devices also include a parallel service at Settings > Biometrics and Security > Find My Mobile, which uses the Samsung account. For corporate deployments, prefer the Google Find My Device service unless your MDM integrates specifically with Samsung Knox.

6. Disable USB Debugging

USB debugging is a developer tool that grants deep access to the device over a USB connection. It must be disabled on all company handsets unless an IT engineer requires it for active troubleshooting.

  1. Check whether Developer Options appears in the main Settings menu; it is only visible if it has previously been unlocked from Settings > About Phone
  2. If it is, open Settings > Developer Options
  3. Toggle USB Debugging off
  4. Consider disabling Developer Options entirely by toggling off the master switch at the top of that screen

If your MDM is enforcing a policy that restricts Developer Options, this will already be handled centrally — but it is worth verifying manually on any unmanaged or newly enrolled device.

7. Set Up a Work Profile

If your organisation uses Android Enterprise or Microsoft Intune, a work profile creates a separate encrypted container on the device for corporate apps and data. Personal apps cannot access work data, and IT can remotely wipe the work profile without touching personal content on the same device.

Work profiles are provisioned by the MDM administrator, not configured manually by the user. If your organisation has a device management policy but no work profile has been applied, raise it with IT. Work profile apps appear with a small briefcase icon in the app drawer to distinguish them from personal apps.

On Samsung Knox-managed devices, the Knox container functions in a similar way and integrates with Intune and other MDM platforms. The underlying principle is the same: corporate data stays isolated and centrally manageable.

8. Enable Automatic OS and Security Patch Updates

Android delivers security patches monthly. Delaying updates leaves known vulnerabilities unpatched and increases exposure to exploits that are already publicly documented.

  1. Go to Settings > System > System Update (stock Android) or Settings > Software Update (Samsung One UI)
  2. Enable Auto Download over Wi-Fi
  3. Schedule automatic installation for outside business hours where possible

Check Settings > About Phone > Android Security Patch Level to confirm the current patch date. Any device more than three months behind on patches should be flagged to IT and kept off corporate networks until updated.

9. Block Installation of Apps from Unknown Sources

Sideloading — installing apps from outside the Google Play Store — is a common delivery vector for malware. On a company device, this capability should be disabled entirely.

  1. Go to Settings > Apps > Special App Access > Install Unknown Apps
  2. Work through each listed app
  3. Ensure no app is allowed to install unknown apps

Samsung One UI: Settings > Biometrics and Security > Install Unknown Apps

If your organisation distributes internal apps outside the Play Store — for example, via an MDM app catalogue — the MDM agent itself may require this permission. All other apps should have it revoked.

10. Use a VPN on Public Wi-Fi

Public Wi-Fi at hotels, coffee shops, and conference venues is a straightforward target for traffic interception. Any company data transmitted over an untrusted network should be routed through a VPN.

Do not install a consumer VPN app on a company device without IT authorisation. Most organisations with a remote working or travel policy will provide a corporate VPN — such as Cisco AnyConnect, Palo Alto GlobalProtect, or Microsoft Always On VPN — that can be configured on Android through the built-in VPN settings.

  1. Go to Settings > Network & Internet > VPN (stock Android) or Settings > Connections > More Connection Settings > VPN (Samsung One UI)
  2. Add your corporate VPN profile using the server address, type, and credentials supplied by IT
  3. Enable Always-on VPN if your organisation’s configuration supports it — this prevents any traffic leaving the device outside the tunnel
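As an added example (not part of this article or of any MDM product), the script below reads the device state behind checks 1, 2, 6 and 8 over adb and reports pass/fail against the thresholds given above; the evaluation logic is separated from collection so it also runs on a recorded snapshot without a device attached. It assumes adb is on the PATH and the handset has an authorised USB debugging session, so the usb_debugging_off check reads FAIL during the audit itself and serves as the reminder to turn debugging off once the engineer is done.

```python
from datetime import date
import subprocess

PATCH_MAX_AGE_DAYS = 92         # "more than three months behind", approximated as 92 days
SCREEN_TIMEOUT_MAX_MS = 30_000  # 30-second screen timeout from check 1

def adb(*args):
    """Run `adb shell <args>` and return trimmed stdout; needs an authorised debug session."""
    return subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True).stdout.strip()

def collect_snapshot():
    """Read the device properties and settings keys that evaluate() checks."""
    return {
        "crypto_state": adb("getprop", "ro.crypto.state"),
        "security_patch": adb("getprop", "ro.build.version.security_patch"),
        "adb_enabled": adb("settings", "get", "global", "adb_enabled"),
        "dev_options": adb("settings", "get", "global", "development_settings_enabled"),
        "screen_timeout_ms": adb("settings", "get", "system", "screen_off_timeout"),
    }

def patch_age_days(patch_level, today):
    """Days between a YYYY-MM-DD patch level and `today`; None if the value is unparseable."""
    try:
        return (today - date.fromisoformat(patch_level)).days
    except ValueError:
        return None

def evaluate(snapshot, today_iso=None):
    """Return (check, passed, detail) tuples; `today_iso` pins the date for repeatable runs."""
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    off = ("0", "null")  # `settings get` prints "null" for a key that was never written
    age = patch_age_days(snapshot["security_patch"], today)
    timeout = snapshot["screen_timeout_ms"]
    return [
        ("encryption", snapshot["crypto_state"] == "encrypted", snapshot["crypto_state"]),
        ("security_patch", age is not None and age <= PATCH_MAX_AGE_DAYS,
         f"{snapshot['security_patch']} ({age} days old)"),
        ("usb_debugging_off", snapshot["adb_enabled"] in off, snapshot["adb_enabled"]),
        ("developer_options_off", snapshot["dev_options"] in off, snapshot["dev_options"]),
        ("screen_timeout", timeout.isdigit() and int(timeout) <= SCREEN_TIMEOUT_MAX_MS, f"{timeout} ms"),
    ]

def is_compliant(findings):
    return all(passed for _, passed, _ in findings)

if __name__ == "__main__":  # collection over adb only runs when invoked directly, not on import
    for check, passed, detail in evaluate(collect_snapshot()):
        print(f"{'PASS' if passed else 'FAIL'}  {check:<22} {detail}")
```

A device that fails any line should be treated as the article describes: kept off corporate networks until patched, or removed from service if it reports unencrypted.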

Putting It All Together

Working through this list takes roughly fifteen minutes per device. For organisations managing more than a handful of handsets, enforcing these settings manually is not sustainable — an MDM platform such as Microsoft Intune, VMware Workspace ONE, or Google Workspace endpoint management lets you push policies automatically and flag non-compliant devices from a central console.

If you are currently managing Android devices without an MDM in place, this checklist is a reasonable interim measure — but treat it as such. A lost handset with no remote wipe capability, no screen lock enforcement, and no work profile separation represents a significant data breach risk under UK GDPR. Getting a management solution in place should be a priority for any organisation issuing more than a small number of company-owned phones.