MobileIron Cloud Help

Setting up Android enterprise (Android for Work)

License: Silver

Android enterprise (Android for Work) is a program offered by Google that enables mobility administrators to:

  • Separate work and personal data
  • Secure and manage enterprise apps
  • Control system apps (such as Camera and Gallery)
  • Centrally provision and configure apps in the Android enterprise container
  • Prevent data loss (screen capture)

You can configure MobileIron Cloud as the EMM server that manages Android enterprise. Android enterprise requires at least MobileIron Go app for Android 3.0. There are two supported configurations of Android enterprise, Device Owner and Managed Profile – Employee Owned.

Supported Devices

MobileIron Cloud currently supports Android enterprise only on devices that are running Android 5.0 and have Android enterprise enabled by the manufacturer. Android enterprise is required for Kiosk mode on devices running Android 5.0.

Before You Start

If you have not already registered your domain with Google, you must first sign up for the program on the Google website:

https://www.google.com/a/signup/u/0/?enterprise_product=ANDROID_WORK

During the process you will:

  • Claim a domain (must match the domain for user email addresses)
  • Receive a token
  • Download a JSON client ID

Both the token and the JSON client ID are required when you set up Android enterprise on MobileIron Cloud.

After the process, you will receive an email containing instructions for verifying that you own the domain you claimed.

If the company has already used its domain name to sign up for Google Apps for Work, see https://support.google.com/work/android/answer/6174062 for information on enabling Android enterprise.

Connecting MobileIron Cloud with Android enterprise

Once you have signed up for Android enterprise, set up MobileIron Cloud as the EMM server for Google’s program.

Getting Your Android enterprise Credentials

To get your Android enterprise credentials:

  1. Go to Admin > Android enterprise.
  2. Click Google Developers Console.
  3. Click the first displayed link to go to the Google Developers Console.
  4. Select Create a project from the drop-down menu.
  5. Enter a name for the project.
  6. Accept the terms of service.
  7. Click Create.
  8. Click API & auth.
  9. Select APIs.
  10. Type emm in the Search field to find the Google Play EMM API.
  11. Click the Google Play EMM API link.
  12. Click Enable API.
  13. Click Credentials.
  14. Select Service account.
  15. Click Create to save the JSON file.

Adding your Android enterprise MDM Token to MobileIron Cloud

  1. Log into https://admin.google.com.

  2. Click Security.

  3. If you do not see Android enterprise Settings, click Show More.

  4. Select Android enterprise Settings.

  5. Under Manage enterprise mobility management provider, copy the MDM token.

  6. Return to the MobileIron Cloud portal.

  7. Click Done.

  8. In box 2, paste the MDM token you just copied.

  9. In the Domain field, enter the domain you claimed with Google.

  10. Click Choose File and upload the JSON file you downloaded.

  11. Click Connect.
    The message Connected to Google displays when the connection is successful.

  12. In box 3 click Authorize to indicate that you want to give MobileIron Cloud access to your Google user data.

  13. Click Accept.
    The message Connected to Users displays in the MobileIron Cloud portal.
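
A pre-upload check for the JSON file from step 10 and the domain from step 9, as an added example (not MobileIron or Google code). It assumes a POSIX file system and the standard Google service account key layout; the function names and all sample values are constructed for illustration.

```python
import json, os, stat, tempfile

# Fields of a Google service account key file, the JSON saved in the Credentials step.
REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email")

def check_key_file(path):
    """Return a list of problems with the JSON file before it is uploaded."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)   # POSIX permission bits
    if mode & 0o077:
        problems.append(f"mode {mode:03o}: private key readable by other accounts")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except ValueError:
        return problems + ["not valid JSON"]
    if not isinstance(key, dict):
        return problems + ["top-level value is not a JSON object"]
    if "installed" in key or "web" in key:
        problems.append("OAuth client ID file, not a service account key")
    if key.get("type") and key["type"] != "service_account":
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    missing = [f for f in REQUIRED if not key.get(f)]
    return problems + (["missing: " + ", ".join(missing)] if missing else [])

def emails_outside_domain(emails, claimed_domain):
    """Users whose address is not in the domain claimed with Google."""
    want = claimed_domain.strip().lower()
    return [e for e in emails if e.rpartition("@")[2].strip().lower() != want]

def demo():
    """Run both checks on constructed sample data (no real key material)."""
    good = {"type": "service_account", "project_id": "example-project",
            "private_key_id": "0" * 40, "private_key": "(constructed placeholder)",
            "client_email": "emm@example-project.iam.gserviceaccount.com"}
    wrong = {"installed": {"client_id": "placeholder.apps.googleusercontent.com"}}
    users = ["ann@example.com", "bob@Example.com", "eve@example.org"]
    results = {"users": emails_outside_domain(users, "example.com")}
    with tempfile.TemporaryDirectory() as tmp:
        for name, body, mode in (("good", good, 0o600), ("wrong", wrong, 0o644)):
            path = os.path.join(tmp, name + ".json")
            with open(path, "w", encoding="utf-8") as fh:
                json.dump(body, fh)
            os.chmod(path, mode)
            results[name] = check_key_file(path)
    return results

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The key file contains the service account's private key, so keep it readable only by the administrator who uploads it.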

Synchronizing users between MobileIron Cloud and Google

Before you deploy Android enterprise to Android users managed by MobileIron Cloud, each user must have a corresponding record on the Google Admin Portal. The steps required for synchronizing the user information between MobileIron Cloud and the Google Admin Portal depend on whether you have set up an integration with your organization’s directory services (AD/LDAP).

Active Directory/LDAP Users

If you have set up an AD/LDAP integration with MobileIron Cloud, then you must use Google Apps Directory Sync to set up an AD/LDAP integration with the Google Admin Portal. See https://support.google.com/a/answer/106368?hl=en for more information.

Local Users

If you created only local users in MobileIron Cloud and do not intend to integrate it with a directory service, then complete the following steps to synchronize those users with the Google Admin Portal:

  1. Log into the Google Admin Portal at: admin.google.com.

  2. Click Users.

  3. Click the Add user or Add multiple users icon in the lower right corner.

  4. For each MobileIron Cloud user that will use Android enterprise, add a Google user with the same username and email address as the MobileIron Cloud user.

  5. In the MobileIron Cloud portal for each MobileIron Cloud user that was just added to the Google Admin Portal:
    a. Click the username link in the Users tab to display the user's details.
    b. Select Sync the User with Google User Directory.
    c. Click Sync with Google User Directory.
    d. Confirm that Google Status is listed as Enabled.

Deploying Android enterprise to Supported devices

Two configurations are required for deploying Android enterprise:

  • The Android enterprise: Work Profile (Android for Work) configuration enables Android enterprise.

  • A Lockdown & Kiosk configuration defines the Android enterprise restrictions to apply.  

Retiring Registered Devices

Before you deploy Android enterprise to devices that are already registered with MobileIron Cloud, you must retire those devices.

To deploy the device

  1. In the MobileIron Cloud portal, go to Configurations.

  2. Click Android enterprise: Work Profile (Android for Work).

  3. Click Edit.

  4. Click Next.

  5. Select All Devices or Custom.

  6. If you selected Custom, search for and select the device groups that should receive the Android for Work settings.

  7. Click Done.

  8. Click Back to list (upper left corner).

  9. Click +Add.

  10. Click Lockdown & Kiosk: Android enterprise (Android for Work).

  11. In the Name field, enter text that identifies the configuration.

  12. Under Choose Lockdown Type, select Work Profile.

  13. Select the lockdown settings you want to apply to the target devices.

  14. Click Next.

  15. Select All Devices or Custom.

  16. If you selected Custom, search for and select the device groups that should receive the Android enterprise settings.

  17. Click Done.

Note: You cannot make changes to the resulting profile once it has been deployed. Instead, you need to create a new Android enterprise configuration and deploy it.

Confirming Deployment

You can confirm that Android enterprise has been deployed in the following ways:

  • Under Users > Users, find the entry for a user, and then check that the Google Status is Enabled.
  • Under Devices > Devices, click the link for a device, and then check that the status for Android enterprise is Enabled.

Google Status for a user should be listed as Enabled. If it is not Enabled, then the user will not be able to register devices.

Note: If Android enterprise was set up as managed Google Play Accounts, then the user is not shown as Google Status: Enabled until after an Android for Work device is registered. See Managed Google Play Accounts for more information about managed Google Play Accounts.

Deploying Android enterprise Apps

Any app developed for Android enterprise may include options that you can configure through MobileIron Cloud.

To configure the options:

  1. In the MobileIron Cloud portal, go to Apps > App Catalog.
  2. Find the app in the Google Play Store.
  3. Click the app entry.
  4. Accept permissions on behalf of Android enterprise users.
  5. Click Next.
  6. Select a distribution option.
  7. Expand Advanced Options & App Configuration.
  8. Select the options you want to apply.
  9. Select a promotion option.
  10. Click Done.

Configuring Business Apps

Android enterprise apps are available in the Business Apps section of the app catalog, including the following apps: