AndroidNexus Best Practices
Follow these guidelines to get the most out of AndroidNexus and ensure a secure, well-managed device fleet.
Organization & Planning
Use Friendly Names
Device codes are auto-generated (e.g., ACME-AND-0001), but you can set friendly names for easier identification.
Tips:
- Set descriptive friendly names like "John's Sales Phone" or "Warehouse Scanner 3"
- Update friendly names from the device detail view (click the pencil icon)
- Use names that help identify the device's user or purpose
Organize with Tags
Use tags to organize and filter your device fleet:
Example Tags:
- Department: sales, engineering, support, executive
- Location: hq, remote, field
- Device Type: phone, tablet, rugged
- Status: pilot, production, loaner
Tips:
- Apply multiple tags per device for flexible filtering
- Use consistent tag naming (lowercase, no spaces)
- Add tags during enrollment or from device detail view
- Filter devices by tags on the Devices page
Document Your Policies
Maintain documentation for each policy:
- Purpose: Why does this policy exist?
- Target audience: Who/what devices use it?
- Key settings: Summary of important configurations
- Change history: When and why it was modified
Security
Follow Least Privilege Principle
Only grant the minimum permissions necessary:
Good:
- Allow only required apps
- Block unnecessary features
- Restrict network access to needed resources
Avoid:
- Blanket admin access
- Disabling all security for convenience
- Leaving default policies unchanged
Enforce Strong Authentication
Minimum recommended password settings:
| Setting | Minimum Value |
|---|---|
| Length | 8 characters |
| Complexity | Letters + Numbers |
| Expiration | 90 days |
| History | 5 passwords |
| Max attempts | 10 |
Consider biometric authentication to improve the user experience without weakening security.
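A check against the baseline table above has to compare in the right direction for each row: length and history are floors, while expiration and max attempts are ceilings. The following is an added example, not AndroidNexus code; the policy keys, the complexity level names and the reading of a missing or zero value as "disabled" are assumptions.

```python
# (baseline, direction): "min" = policy value must be at least the baseline;
# "max" = it must not exceed it, because a lower number is the stricter setting.
BASELINE = {
    "min_length": (8, "min"),
    "expiration_days": (90, "max"),
    "history_count": (5, "min"),
    "max_failed_attempts": (10, "max"),
}
# Complexity levels ordered weakest to strongest (hypothetical names).
COMPLEXITY_LEVELS = ["none", "letters", "letters_numbers", "letters_numbers_symbols"]
REQUIRED_COMPLEXITY = "letters_numbers"


def audit_password_policy(policy):
    """Return findings for one policy dict; an empty list meets the baseline."""
    findings = []
    for key, (baseline, direction) in BASELINE.items():
        value = policy.get(key)
        if not value:
            # Missing or 0 is treated as "control switched off" (assumption),
            # which must fail even though 0 <= 90 would pass a naive check.
            findings.append(f"{key}: not enforced")
        elif direction == "min" and value < baseline:
            findings.append(f"{key}: {value} is below {baseline}")
        elif direction == "max" and value > baseline:
            findings.append(f"{key}: {value} is above {baseline}")
    level = policy.get("complexity", "none")
    rank = COMPLEXITY_LEVELS.index(level) if level in COMPLEXITY_LEVELS else -1
    if rank < COMPLEXITY_LEVELS.index(REQUIRED_COMPLEXITY):
        findings.append(f"complexity: {level} is weaker than {REQUIRED_COMPLEXITY}")
    return findings


# Constructed sample policies.
KIOSK_POLICY = {"min_length": 6, "expiration_days": 0, "history_count": 5,
                "max_failed_attempts": 15, "complexity": "letters"}
SALES_POLICY = {"min_length": 12, "expiration_days": 60, "history_count": 8,
                "max_failed_attempts": 5, "complexity": "letters_numbers_symbols"}
```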
Keep Devices Updated
Configure automatic updates:
System Updates:
  Policy: Automatic
  Window: 02:00 - 06:00 (low usage hours)
Security Patches:
  Policy: Automatic
  Max Age: 30 days (compliance warning)
Monitor security patch levels and follow up on outdated devices.
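One way to follow up on outdated devices is to run the 30-day limit over a device report export. This is an added example, not part of AndroidNexus; the CSV column names and all rows are constructed, and it relies only on Android reporting the security patch level as a YYYY-MM-DD date.

```python
import csv
import io
from datetime import date

MAX_PATCH_AGE_DAYS = 30  # "Max Age: 30 days" from the settings above

# Constructed sample export; the column names are assumptions, not the
# product's actual CSV schema.
SAMPLE_EXPORT = """device_code,friendly_name,security_patch_level,tags
ACME-AND-0001,Warehouse Scanner 3,2024-05-05,rugged;production
ACME-AND-0002,John's Sales Phone,2024-03-01,phone;production
ACME-AND-0003,Loaner Tablet,,tablet;loaner
ACME-AND-0004,Pilot Phone,2024-06-01,phone;pilot
"""


def outdated_devices(export_text, today, max_age_days=MAX_PATCH_AGE_DAYS):
    """Return (device_code, age_in_days or None) for devices past the limit.

    A missing or unparseable patch level is reported with age None rather
    than skipped, so a device that stops reporting cannot pass silently.
    """
    flagged = []
    for row in csv.DictReader(io.StringIO(export_text)):
        raw = (row.get("security_patch_level") or "").strip()
        try:
            age = (today - date.fromisoformat(raw)).days
        except ValueError:
            flagged.append((row["device_code"], None))
            continue
        if age > max_age_days:
            flagged.append((row["device_code"], age))
    # Unknown patch level first, then oldest patch first.
    return sorted(flagged, key=lambda item: (item[1] is not None, -(item[1] or 0)))
```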
Encrypt Everything
Always enable:
- Device storage encryption
- SD card encryption (if applicable)
- Work profile encryption (for BYOD)
Use Always-On VPN
For sensitive environments:
VPN Configuration:
  Always On: Yes
  Lockdown Mode: Yes       # Block traffic without VPN
  Trusted Networks: None   # Always require VPN
Enrollment
Test Before Bulk Deployment
Before enrolling many devices:
- Enroll 1-2 test devices
- Verify all policy settings apply correctly
- Test all required apps install and work
- Confirm user experience is acceptable
- Document any issues and solutions
Use Appropriate Enrollment Methods
| Scenario | Recommended Method |
|---|---|
| 1-10 devices | QR Code |
| 10-100 devices | QR Code + batch processing |
| 100+ devices | Zero-Touch Enrollment |
| BYOD | Work Profile via app store |
| Kiosk | QR Code with kiosk policy |
Set Token Expiration
Don't leave enrollment tokens active forever:
Good:
- Expiration: 7 days
- Use Limit: 10 devices
- Descriptive name: "Q4-Sales-Rollout"
Avoid:
- No expiration
- Unlimited uses
- Generic names like "token1"
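The Good/Avoid lists above can be turned into a periodic audit of tokens that are still able to enroll devices. This is an added example, not AndroidNexus code; the token record shape and the generic-name pattern are hypothetical, and the 7-day and 10-device figures are treated as upper bounds.

```python
import re
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=7)  # page's "Expiration: 7 days", used as a ceiling
MAX_USES = 10                     # page's "Use Limit: 10 devices"
# Names such as "token1", "test" or "default-2" say nothing about purpose.
GENERIC_NAME = re.compile(r"^(token|test|default|new|untitled)[\s_-]*\d*$", re.I)


def audit_tokens(tokens, now):
    """Map token name -> findings for tokens that can still enroll devices."""
    report = {}
    for token in tokens:
        expires = token.get("expires_at")
        if expires is not None and expires <= now:
            continue  # already expired, no longer an exposure
        findings = []
        if expires is None:
            findings.append("no expiration")
        elif expires - token["created_at"] > MAX_LIFETIME:
            findings.append("lifetime over 7 days")
        limit = token.get("use_limit")
        if limit is None:
            findings.append("unlimited uses")
        elif limit > MAX_USES:
            findings.append("use limit over 10")
        if GENERIC_NAME.match(token["name"].strip()):
            findings.append("generic name")
        if findings:
            report[token["name"]] = findings
    return report


def utc(day, month=10):
    """Build a UTC timestamp in 2024 for the constructed samples below."""
    return datetime(2024, month, day, tzinfo=timezone.utc)


# Constructed sample records; the dict shape is hypothetical.
SAMPLE_TOKENS = [
    {"name": "Q4-Sales-Rollout", "created_at": utc(1), "expires_at": utc(8), "use_limit": 10},
    {"name": "token1", "created_at": utc(1), "expires_at": None, "use_limit": None},
    {"name": "Warehouse-Refresh", "created_at": utc(1), "expires_at": utc(30, 12), "use_limit": 500},
    {"name": "Summer-Pilot", "created_at": utc(1, 9), "expires_at": utc(8, 9), "use_limit": 5},
]
```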
Policy Management
Start with Templates
Don't build from scratch:
- Choose the closest template
- Customize for your needs
- Test thoroughly
- Document changes
Test Policy Changes
Before applying changes broadly:
- Create a test policy or use a pilot device
- Apply changes to the test device first
- Verify expected behavior
- Monitor for 24-48 hours
- Roll out to remaining devices
Version Your Policies
Use the policy history feature:
- Add notes when making changes
- Reference ticket numbers or requests
- Document the reason for changes
- Know how to roll back if needed
Application Management
Vet Apps Before Deployment
Before adding to your library:
- App is from trusted publisher
- Reviews don't indicate security issues
- Permissions requested are reasonable
- App is actively maintained
- Compatible with your Android versions
Use Managed Configurations
Pre-configure apps to reduce user friction:
Microsoft Outlook:
  email_address: ${user.email}
  server: outlook.office365.com
Corporate VPN:
  server: vpn.company.com
  auto_connect: true
Monitor App Inventory
Regularly review:
- Apps installed across fleet
- Versions in use
- Apps that failed to install
- Unauthorized app attempts
Plan App Updates
For critical apps:
- Test updates on pilot devices first
- Schedule updates during low-usage hours
- Have a rollback plan
- Communicate changes to users
Monitoring & Compliance
Monitor System Alerts
AndroidNexus displays alerts in the dashboard for conditions such as:
| Condition | Severity |
|---|---|
| Device offline for extended period | Medium |
| Compliance violations | High |
| Low storage warnings | Low |
| Outdated security patches | Medium |
Current capabilities:
- View alerts in the dashboard with severity indicators
- Acknowledge alerts to dismiss them
- Filter alerts by severity level
Coming soon:
- Configurable email notifications
- Custom alert conditions and thresholds
- Integration with external notification services
Review Dashboard Daily
Morning checklist:
- Check offline device count
- Review compliance status
- Check for failed enrollments
- Review alert notifications
- Verify critical devices are online
Regular Compliance Audits
Monthly:
- Export compliance report
- Review non-compliant devices
- Follow up on persistent issues
- Update policies if needed
Quarterly:
- Review all policies
- Audit user access
- Check API key usage
- Review audit logs
Document Incidents
When issues occur:
- What happened: Device ID, symptoms
- When: Timestamp and duration
- Impact: Users/operations affected
- Resolution: Steps taken to fix
- Prevention: Changes to prevent recurrence
User Experience
Balance Security and Usability
Policies that are too restrictive drive users toward shadow IT and workarounds.
Good Balance:
- Allow personal apps in work profile
- Enable camera unless required to block
- Allow reasonable app installs from Play Store
- Keep password requirements manageable
Avoid:
- Blocking everything "just in case"
- Complex passwords changed too frequently
- Removing all user control
Communicate with Users
Before changes:
- Announce upcoming policy changes
- Explain the reason (security, compliance)
- Provide timeline
- Offer support resources
Provide Self-Service Options
Empower users when safe:
- Password reset (within policy limits)
- Device location (for lost devices)
- App installation (from approved list)
- Profile information updates
Disaster Recovery
Backup Your Configuration
Regularly export:
- Policy configurations
- Onboarding token settings
- Device reports (CSV exports)
Have a Lost Device Procedure
Document the steps:
- Verify device is actually lost
- Lock device immediately via Quick Actions
- Enable Lost Mode with contact information
- Wait 24 hours for recovery
- Factory Reset if not recovered
- Document and close incident
Plan for Admin Account Issues
Ensure:
- Multiple admin accounts exist
- Emergency access procedure documented
- API key for automated recovery
- Regular admin access reviews
Summary Checklist
Initial Setup
- Set up device tags for organization
- Create baseline policies
- Test enrollment process
- Configure onboarding tokens
Ongoing Operations
- Review dashboard daily
- Respond to alerts promptly
- Keep devices updated
- Monitor compliance
- Document incidents
Regular Reviews
- Monthly compliance audit
- Quarterly policy review
- Annual security assessment
- User feedback collection