Setting up Android enterprise (Android for Work)
Android enterprise (Android for Work) is a program offered by Google that enables mobility administrators to:
- Separate work and personal data
- Secure and manage enterprise apps
- Control system apps (such as Camera and Gallery)
- Centrally provision and configure apps in the Android enterprise container
- Prevent data loss (screen capture)
You can configure MobileIron Cloud as the EMM server that manages Android enterprise. Android enterprise requires at least MobileIron Go app for Android 3.0. There are two supported configurations of Android enterprise, Device Owner and Managed Profile – Employee Owned.
MobileIron Cloud currently supports Android enterprise only on devices that are running Android 5.0 and have Android enterprise enabled by the manufacturer. Android enterprise is required for Kiosk mode on devices running Android 5.0.
Before You Start
If you have not already registered your domain with Google, you must first sign up for the program on the Google website:
During the process you will:
- Claim a domain (must match the domain for user email addresses)
- Receive a token
- Download a JSON client ID
Both the token and the JSON client ID are required when you set up Android enterprise on MobileIron Cloud.
After the process, you will receive an email containing instructions for verifying that you own the domain you claimed.
If the company has already used its domain name to sign up for Google Apps for Work, see https://support.google.com/work/android/answer/6174062 for information on enabling Android enterprise.
Connecting MobileIron Cloud with Android enterprise
Once you have signed up for Android enterprise, set up MobileIron Cloud as the EMM server for Google’s program.
Getting Your Android enterprise Credentials
To get your Android enterprise credentials
- Go to Admin > Android enterprise.
- Click Google Developers Console.
- Click the first displayed link to go to the Google Developers Console.
- Select Create a project from the drop-down menu.
- Enter a name for the project.
- Accept the terms of service.
- Click Create.
- Click API & auth.
- Select APIs.
- Type emm in the Search field to find the Google Play EMM API.
- Click the Google Play EMM API link.
- Click Enable API.
- Click Credentials.
- Select Service account.
- Click Create to save the JSON file.
Adding your Android enterprise MDM Token to MobileIron Cloud
Log into https://admin.google.com.
If you do not see Android enterprise Settings, click Show More.
Select Android enterprise Settings.
Under Manage enterprise mobility management provider, copy the MDM token.
Return to the MobileIron Cloud portal.
In box 2, paste the MDM token you just copied.
In the Domain field, enter the domain you claimed with Google.
Click Choose File and upload the JSON file you downloaded.
The message Connected to Google displays when the connection is successful.
In box 3 click Authorize to indicate that you want to give MobileIron Cloud access to your Google user data.
The message Connected to Users displays in the MobileIron Cloud portal.
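Before you upload the JSON file and enter the domain in the steps above, a local pre-flight check can catch a wrong file type, a key file readable by other accounts, or user addresses outside the claimed domain. This is an added example, not MobileIron or Google code; the function names are hypothetical, and the field list assumes the standard Google service-account key layout.

```python
import json
import os
import stat

# Assumption: fields of a standard Google service-account JSON key.
# The page itself only says "JSON file"; it does not list the fields.
REQUIRED_FIELDS = ("type", "client_email", "private_key", "private_key_id")


def check_key_file(path):
    """Return a list of problems found in the downloaded JSON key file."""
    problems = []
    # POSIX permission bits: the file holds a private key, so only the owner should read it.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"file mode {mode:o} lets group/other users access the private key")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except (OSError, ValueError) as exc:
        return problems + [f"not readable as JSON: {exc}"]
    if not isinstance(key, dict):
        return problems + ["top-level JSON value is not an object"]
    for field in REQUIRED_FIELDS:
        if not key.get(field):
            problems.append(f"missing field: {field}")
    if key.get("type") not in (None, "service_account"):
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    pk = key.get("private_key")
    if pk and (not isinstance(pk, str) or "PRIVATE KEY" not in pk):
        problems.append("private_key is not PEM-encoded")
    return problems


def users_outside_domain(emails, claimed_domain):
    """Return addresses whose domain differs from the domain claimed with Google."""
    want = claimed_domain.strip().lower().rstrip(".")
    bad = []
    for email in emails:
        _, _, domain = email.strip().rpartition("@")
        if domain.lower().rstrip(".") != want:
            bad.append(email)
    return bad
```

An empty list from both functions means the file looks like a service-account key that only its owner can read and every listed user address is in the claimed domain.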
Synchronizing users between MobileIron Cloud and Google
Before you deploy Android enterprise to Android users managed by MobileIron Cloud, each user must have a corresponding record on the Google Admin Portal. The steps required for synchronizing the user information between MobileIron Cloud and the Google Admin Portal depend on whether you have set up an integration with your organization’s directory services (AD/LDAP).
Active Directory/LDAP Users
If you have set up an AD/LDAP integration with MobileIron Cloud, then you must use Google Apps Directory Sync to set up an AD/LDAP integration with the Google Admin Portal. See https://support.google.com/a/answer/106368?hl=en for more information.
If you created only local users in MobileIron Cloud and do not intend to integrate it with a directory service, then complete the following steps to synchronize those users with the Google Admin Portal:
Log into the Google Admin Portal at: admin.google.com.
Click the Add user or Add multiple users icon in the lower right corner.
For each MobileIron Cloud user that will use Android enterprise, add a Google user with the same username and email address as the MobileIron Cloud user.
In the MobileIron Cloud portal for each MobileIron Cloud user that was just added to the Google Admin Portal:
a. Click the username link in the Users tab to display the user's details.
b. Select Sync the User with Google User Directory.
c. Click Sync with Google User Directory.
d. Confirm that Google Status is listed as Enabled.
Deploying Android enterprise to Supported devices
Two configurations are required for deploying Android enterprise:
The Android enterprise: Work Profile (Android for Work) configuration enables Android enterprise.
A Lockdown & Kiosk configuration defines the Android enterprise restrictions to apply.
Retiring Registered Devices
Before you deploy Android enterprise to devices that are already registered with MobileIron Cloud, you must retire those devices.
To deploy the device
In the MobileIron Cloud portal, go to Configurations.
Click Android enterprise: Work Profile (Android for Work).
Select All Devices or Custom.
If you selected Custom, search for and select the device groups that should receive the Android for Work settings.
Click Back to list (upper left corner).
Click Lockdown & Kiosk: Android enterprise (Android for Work).
In the Name field, enter text that identifies the configuration.
Under Choose Lockdown Type, select Work Profile.
Select the lockdown settings you want to apply to the target devices.
Select All Devices or Custom.
If you selected Custom, search for and select the device groups that should receive the Android enterprise settings.
Note: You cannot make changes to the resulting profile once it has been deployed. Instead, you need to create a new Android enterprise configuration and deploy it.
You can confirm that Android enterprise has been deployed in the following ways:
- Under Users > Users, find the entry for a user, and then check that the Google Status is Enabled.
- Under Devices > Devices, click the link for a device, and then check that the status for Android enterprise is Enabled.
Google Status for a user should be listed as Enabled. If it is not Enabled, then the user will not be able to register devices.
Note: If Android enterprise was set up as managed Google Play Accounts, then the user is not shown as Google Status: Enabled until after an Android for Work device is registered. See Managed Google Play Accounts for more information about managed Google Play Accounts.
Deploying Android enterprise Apps
Any app developed for Android enterprise may include options that you can configure through MobileIron Cloud.
To configure the options:
- In the MobileIron Cloud portal, go to Apps > App Catalog.
- Find the app in the Google Play Store.
- Click the app entry.
- Accept permissions on behalf of Android enterprise users.
- Click Next.
- Select a distribution option.
- Expand Advanced Options & App Configuration.
- Select the options you want to apply.
- Select a promotion option.
- Click Done.
Configuring Business Apps
Android enterprise apps are available in the Business Apps section of the app catalog, including the following apps:
- Divide Productivity