Android Enterprise

Android Enterprise is a set of tools and services provided by Google as an enterprise management solution for Android devices. With Android Enterprise:

  • You use Endpoint Management to manage company-owned Android devices and bring your own device (BYOD) Android devices.
  • You can manage the entire device or a separate profile on the device. The separate profile isolates business accounts, apps, and data from personal accounts, apps, and data.
  • You can also manage devices dedicated to a single use, such as inventory management. For an overview of Android Enterprise capabilities from Google, see Android Enterprise Management.

For a list of terms and definitions related to Android Enterprise, see the Google Android Enterprise developers guide article, Android Enterprise terminology. Google updates these terms frequently.

For a list of Android operating systems supported for Endpoint Management, see Supported device operating systems.

When you integrate Endpoint Management with managed Google Play to use Android Enterprise, you create an enterprise. Google defines an enterprise as binding between the organization and your enterprise mobile management (EMM) solution. All the users and devices that the organization manages through your solution belong to its enterprise.

An enterprise for Android Enterprise has three components: an EMM solution, a device policy controller (DPC) app, and a Google enterprise app platform. When you integrate Endpoint Management with Android Enterprise, the complete solution has these components:

  • Citrix Endpoint Management: The Citrix EMM. Endpoint Management is the unified endpoint management for a secure digital workspace. Endpoint Management provides the means for IT administrators to manage devices and apps for their organizations.
  • Citrix Secure Hub: The Citrix DPC app. Secure Hub is the launchpad for Endpoint Management. Secure Hub enforces policies on the device.
  • Managed Google Play: A Google enterprise app platform that integrates with Endpoint Management. The Google Play EMM API sets app policies and distributes app.

This illustration shows how administrators interact with these components and how the components interact with each other:

Android Enterprise workflow

Using managed Google Play with Endpoint Management

Note:

You can use either managed Google Play or G Suite to register Citrix as your EMM provider. This article discusses using Android Enterprise with managed Google Play. If your organization uses G Suite to provide access to apps, you can use it with Android Enterprise. See Legacy Android Enterprise for G Suite customers.

When you use managed Google Play, you provision managed Google Play Accounts for devices and end users. Managed Google Play Accounts provide access to managed Google Play, allowing users to install and use apps you make available. If your organization uses a third-party identity service, you can link managed Google Play Accounts with your existing identity accounts.

Because this type of enterprise is not tied to a domain, you can create more than one enterprise for a single organization. For example, each department or region within an organization can enroll as a different enterprise. Using different enterprises lets you manage separate sets of devices and apps.

For Endpoint Management administrators, managed Google Play combines the user experience and app store features of Google Play with a set of management capabilities designed for enterprises. You use managed Google Play to add, buy, and approve apps for deployment to the Android Enterprise workspace on a device. You can use Google Play to deploy public apps, private apps, and third-party apps.

For users of managed devices, managed Google Play is the enterprise app store. Users can browse apps, view app details, and install them. Unlike the public version of Google Play, users can only install apps from managed Google Play that you make available for them.

Device deployment scenarios and profiles

Device deployment scenarios refer to who owns the devices you deploy and how you manage them. Device profiles refer to how the DPC manages and enforces policies on devices.

A work profile isolates business accounts, apps, and data from personal accounts, apps, and data. For more details about work profiles, see the Google Android Enterprise help topic, What is a work profile.

Device management Use cases Work profile Personal profile Notes
Company-owned devices (fully managed) Company-owned devices intended only for work use No Yes. The DPC can perform device-wide actions, such as configure device-wide connectivity, configure global settings, and perform a factory reset. For new or factory reset devices only.
Fully managed with a work profile Company-owned devices intended for work and personal use Yes Yes. Two copies of the DPC run on these devices: One manages the device in device owner mode and the other manages the work profile in profile owner mode. You can apply separate policies to the device and the work profile. Formerly known as corporate-owned personally enabled (COPE) devices.
Dedicated devices* Company-owned devices configured for a single use case, such as digital signage or ticket printing No Yes. You provide only the required apps and prevent users from adding other apps. Formerly known as corporate owned single use (COSU) devices.
BYOD work profile** Personal devices enrolled with work profile management (also known as profile owner mode) Yes Yes. The DPC manages only the work profile, not the whole device. These devices don’t need to be new or factory reset.

* Users can share a dedicated device. When a user signs on to an app on a dedicated device, the state of their work is with the app, not the device.

** Endpoint Management does not support Zebra devices as in BYOD work profile mode. Endpoint Management supports Zebra devices as fully managed devices and in device legacy mode (also called device admin mode).

For information on migrating from legacy mode to device owner or profile owner mode, see Migrate from device administration to Android Enterprise.

Authentication methods

Enrollment profiles determine whether Android devices enroll in MAM, MDM, or MDM+MAM, with the option for users to opt out of MDM. Endpoint Management supports the following authentication methods for Android devices enrolled in MDM+MAM. For information, see the articles under Certificates and authentication.

  • Domain
  • Domain plus security token
  • Client certificate
  • Client certificate plus domain
  • Identity providers:
    • Azure Active Directory
    • Citrix identity provider

Another rarely used authentication method is client certificate plus security token. For information, see https://support.citrix.com/article/CTX215200.

Requirements

Before you start using Android Enterprise, you need:

  • Accounts and credentials:

    • To set up Android Enterprise with managed Google Play, a corporate Google account
    • To download the latest MDX files, a Citrix customer account
    • To deploy private apps (optional), a Google developer account
  • Firebase Cloud Messaging (FCM) configured for Endpoint Management. See Firebase Cloud Messaging for instructions.

  • For Samsung Knox Mobile Enrollment (optional), Knox premium licenses.

Connecting Endpoint Management to Google Play

To set up Android Enterprise for your organization, register Citrix as your EMM provider through managed Google Play. That setup connects managed Google Play to Endpoint Management and creates an enterprise for Android Enterprise in Endpoint Management.

You need a corporate Google account to sign in to Google Play.

  1. In the Endpoint Management console, click the gear icon in the upper-right corner. The Settings page appears.

  2. On the Settings page, click Android Enterprise.

Settings page with Android Enterprise highlighted

  1. On the Android Enterprise page in Endpoint Management Settings, click Connect. Google Play opens.

Android Enterprise connects to Google Play

  1. Sign in to Google Play with your corporate Google account credentials. Enter your organization name and confirm Citrix is your EMM provider.

  2. An enterprise ID is added for Android Enterprise. To enable Android Enterprise, slide Enable Android Enterprise to Yes.

    Enable Android Enterprise option

Your Enterprise ID appears in the Endpoint Management console.

Android Enterprise ID

Your environment is connected to Google and is ready to manage devices. You can now provide apps for users.

Endpoint Management can provide users with Citrix mobile productivity apps, MDX apps, public app store apps, web and SaaS apps, enterprise apps, and web links. For more information on these types of apps and providing them to users, see Add apps.

The following section shows how to provide mobile productivity apps.

Providing Citrix mobile productivity apps to Android Enterprise users

Providing Citrix mobile productivity apps for Android Enterprise users requires these steps.

  1. Publish the apps as MDX apps. See Configure apps as MDX apps.

  2. Configure the rules for the security challenge your users use to access the work profiles on their devices. See Configure security challenge policy.

The apps you publish are available to devices enrolled in your Android Enterprise enterprise.

Note:

When you deploy an Android Enterprise public app store app to an Android user, that user is automatically enrolled in Android Enterprise.

Configure apps as MDX apps

To configure a Citrix productivity app as an MDX app for Android Enterprise:

  1. In the Endpoint Management console, click Configure > Apps. The Apps page appears.

    Apps configuration screen

  2. Click Add. The Add App dialog box appears.

    Apps configuration screen

  3. Click MDX. The App Information page appears.

  4. On the left side of the page, select Android Enterprise as the platform.

  5. On the App Information page, type the following information:

    • Name: Type a descriptive name for the app. This name appears under App Name on the Apps table.
    • Description: Type an optional description of the app.
    • App category: Optionally, in the list, click the category to which you want to add the app. For more information about app categories, see Create app categories.
  6. Click Next. The Android Enterprise MDX App page appears.

  7. Click Upload and navigate to the file location of the .mdx files for the app. Select the file and click Open.

  8. The UI notifies you if the attached application requires approval from the managed Google Play store. To approve the application without leaving the Citrix Endpoint Management console, click Yes.

    Add an MDX app

  9. When the managed Google Play store page opens, click Approve.

    Approve an MDX app

  10. Click Approve again.

  11. Select Keep approved when app requests new permissions. Click Save.

    Google play approval settings

  12. When the app is approved and saved, more settings appear on the page. Configure these settings:

    • File name: Type the file name associated with the app.
    • App Description: Type a description for the app.
    • Product track: Specify which product track you want to push to user devices. If you have a track designed for testing, you can select and assign it to your users. The default is Production.
    • App version: Optionally, type the app version number.
    • Package ID: The URL of the app in the Google Play store.
    • Minimum OS version: Optionally, type the oldest operating system version that the device can run to use the app.
    • Maximum OS version: Optionally, type the most recent operating system that the device must run to use the app.
    • Excluded devices: Optionally, type the manufacturer or models of devices that cannot run the app.
  13. Configure the MDX Policies. For more information about app policies for MDX apps, see MDX Policies at a Glance and MAM SDK Overview.

  14. Configure the deployment rules. For information, see Deploy resources.

  15. Expand Store Configuration. This setting doesn’t apply to Android Enterprise apps, which appear only in managed Google Play.

    Apps configuration screen

    Optionally, you can add an FAQ for the app or screen captures that appear in the app store. You can also set whether users can rate or comment on the app.

    • Configure these settings:
      • App FAQ: Add FAQ questions and answers for the app.
      • App screenshots: Add screen captures to help classify the app in the app store. The graphic you upload must be a PNG. You cannot upload a GIF or JPEG image.
      • Allow app ratings: Select whether to permit a user to rate the app. The default is ON. Allow app comments: Select whether to permit users to comment about the selected app. The default is ON.
  16. Click Next. The Approvals page appears.

    Apps configuration screen

    You use workflows when you need approval when creating user accounts. If you don’t want to set up approval workflows, you can skip to Step 15.

    Configure these settings to assign or create a workflow:

    • Workflow to Use: In the list, click an existing workflow or click Create a new workflow. The default is None.
    • If you select Create a new workflow, configure these settings. For more information, see Create and manage workflows.
    • Name: Type a unique name for the workflow.
    • Description: Optionally, type a description for the workflow.
    • Email Approval Templates: In the list, select the email approval template to be assigned. When you click the eye icon to the right of this field, a dialog box appears where you can preview the template.
    • Levels of manager approval: In the list, select the number of levels of manager approval required for this workflow. The default is 1 level. Possible options are:
      • Not Needed
      • 1 level
      • 2 levels
      • 3 levels
    • Select Active Directory domain: In the list, select the appropriate Active Directory domain to be used for the workflow.
    • Find additional required approvers: Type the name of the additional required person in the search field and then click Search. Names originate in Active Directory.
    • When the name appears in the field, select the check box next to the name. The name and email address appear in the Selected additional required approvers list.
      • To remove a person from the Selected additional required approvers list, do one of the following:
        • Click Search to see a list of all the persons in the selected domain.
        • Type a full or partial name in the search box, and then click Search to limit the search results.
        • Persons in the Selected additional required approvers list have check marks next to their name in the search results list. Scroll through the list and clear the check box next to each name you want to remove.
  17. Click Next. The Delivery Group Assignment page appears.

    Apps configuration screen

  18. Next to Choose delivery groups, type to find a delivery group or select a group or groups in the list. The groups you select appear in the Delivery groups to receive app assignment list.

  19. Expand Deployment Schedule and then configure the following settings:

    • Next to Deploy, click ON to schedule deployment or click OFF to prevent deployment. The default option is ON.
    • Next to Deployment schedule, click Now or Later. The default option is Now.
    • If you click Later, click the calendar icon and then select the date and time for deployment.
    • Next to Deployment condition, click On every connection or click Only when previous deployment has failed. The default option is On every connection.
    • Next to Deploy for always-on connection, ensure that OFF is selected. The default option is OFF. The always-on connections are not available for Android Enterprise to customers who began using Endpoint Management with version 10.18.19 or later. We don’t recommend the connections for customers who began using Endpoint Management before version 10.18.19.

      This option applies when you have configured the scheduling background deployment key in Settings > Server Properties.

      The deployment schedule you configure is the same for all platforms. Any changes you make apply to all platforms, except for Deploy for always-on connection.

  20. Click Save.

Repeat the steps for each mobile productivity app.

Configure security challenge policy

The Endpoint Management Passcode device policy configures security challenge rules. The challenges appear when users access their devices or the Android Enterprise work profiles on their devices. A security challenge can be a passcode or biometric recognition. For more information about the Passcode policy, see Passcode device policy.

  • If your Android Enterprise deployment includes BYOD devices, configure the passcode policy for the work profile.
  • If your deployment includes, company-owned, fully managed devices, configure the passcode policy for the device itself.
  • If your deployment includes both types of devices, configure both types of passcode policy.

To configure the passcode policy:

  1. In the Endpoint Management console, go to Configure > Device Policies.

  2. Click Add.

  3. Click Show filter to show the Policy Platform pane. In the Policy Platform pane, select Android Enterprise.

  4. Click Passcode on the right pane.

Password security option

  1. Enter a Policy Name. Click Next.

    Password security name

  2. Configure the Passcode policy settings.
    • Set Device passcode required to On to see the settings available for security challenges for the device itself.
    • Set Work profile security challenge to On to see the settings available for work profile security challenges.
  3. Click Next.

  4. Assign the policy to one or more delivery groups.

  5. Click Save.

Creating enrollment profiles

Enrollment profiles control how Android devices are enrolled if Android Enterprise in enabled for your Endpoint Management deployment. When you create an enrollment profile to enroll Android Enterprise devices, you can configure the enrollment profile to enroll new and factory reset devices as:

  • Fully managed devices
  • Dedicated devices (COSU devices)
  • Fully managed devices with a work profile (COPE devices)

You can also configure each of these Android Enterprise enrollment profiles to enroll BYOD Android devices as work profile devices.

If Android Enterprise is enabled for your Endpoint Management deployment, all newly enrolled or re-enrolled Android devices are enrolled as Android Enterprise devices. By default, the Global enrollment profile enrolls new and factory reset Android devices as fully managed devices and enrolls BYOD Android devices as work profile devices.

When you create enrollment profiles, you assign delivery groups to them. If a user belongs to multiple delivery groups that have different enrollment profiles, the name of the delivery group determines the enrollment profile used. Endpoint Management selects the delivery group that appears last in an alphabetized list of delivery groups. For more information, see Enrollment profiles.

Add an enrollment profile for fully managed devices

The Global enrollment profile enrolls fully managed devices by default, but you can create more enrollment profiles to enroll fully managed devices.

  1. In the Endpoint Management console, go to Configure > Enrollment Profiles.

  2. To add an enrollment profile, click Add. In the Enrollment Info page, type a name for the enrollment profile.

  3. Set the number of devices that members with this profile can enroll.

  4. Select Android under Platforms or click Next. The Enrollment Configuration page appears.

  5. Set Management to Android Enterprise.

  6. Set Device owner mode to Company owned device.

    Enrollment Profiles configuration screen

  7. BYOD work profile allows you to configure the enrollment profile to enroll BYOD devices as work profile devices. New and factory reset devices are enrolled as fully managed devices. Set BYOD work profile to On to allow enrollment of BYOD devices as work profile devices. Set BYOD work profile to Off to restrict enrollment to fully managed devices. Default is On.

  8. Choose whether to enroll devices in Citrix MAM.

  9. If you set BYOD work profile to On, configure user consent. To allow users of BYOD work profile devices to decline device management when they enroll their devices, set Allow users to decline device management to On.

    If BYOD work profile is set to On, the default value of Allow users to decline device management is On. If BYOD work profile is set to Off, then Allow users to decline device management is disabled.

  10. Select Assignment (options). The Delivery Group Assignment screen appears.

  11. Choose the delivery group or delivery groups containing the administrators who enroll fully managed devices. Then click Save.

    The Enrollment Profile page appears with the profile you added.

    Enrollment Profiles configuration screen

Add a dedicated device enrollment profile

When your Endpoint Management deployment includes dedicated devices, a single Endpoint Management administrator or small group of administrators enroll many dedicated devices. To ensure that these administrators can enroll all the devices required, create an enrollment profile for them with unlimited devices allowed per user.

  1. In the Endpoint Management console, go to Configure > Enrollment Profiles.

  2. To add an enrollment profile, click Add. In the Enrollment Info page, type a name for the enrollment profile. Ensure that number of devices that members with this profile can enroll is set to unlimited.

  3. Select Android under Platforms or click Next. The Enrollment Configuration page appears.

  4. Set Management to Android Enterprise.

  5. Set Device owner mode to Dedicated device.

    Enrollment Profiles page

  6. BYOD work profile allows you to configure the enrollment profile to enroll BYOD devices as work profile devices. New and factory reset devices are enrolled as dedicated devices. Set BYOD work profile to On to allow enrollment of BYOD devices as work profile devices. Set BYOD work profile to Off to restrict enrollment to company-owned devices. Default is On.

  7. Choose whether to enroll devices in Citrix MAM.

  8. If you set BYOD work profile to On, configure user consent. To allow users of BYOD work profile devices to decline device management when they enroll their devices, set Allow users to decline device management to On.

    If BYOD work profile is set to On, the default value of Allow users to decline device management is On. If BYOD work profile is set to Off, then Allow users to decline device management is disabled.

  9. Select Assignment (options). The Delivery Group Assignment screen appears.

  10. Choose the delivery group or delivery groups containing the administrators who enroll dedicated devices. Then click Save.

    The Enrollment Profile page appears with the profile you added.

    Enrollment Profiles configuration screen

Add an enrollment profile for fully managed devices with a work profile

  1. In the Endpoint Management console, go to Configure > Enrollment Profiles.

  2. To add an enrollment profile, click Add. In the Enrollment Info page, type a name for the enrollment profile.

  3. Set the number of devices that members with this profile can enroll.

  4. Select Android under Platforms or click Next. The Enrollment Configuration page appears.

  5. Set Management to Android Enterprise. Set Device owner mode to Fully managed with work profile.

    Enrollment Profiles configuration screen

  6. BYOD work profile allows you to configure the enrollment profile to enroll BYOD devices as work profile devices. New and factory reset devices are enrolled as fully managed devices with a work profile. Set BYOD work profile to On to allow enrollment of BYOD devices as work profile devices. Set BYOD work profile to Off to restrict enrollment to dedicated devices. Default is Off.

  7. Choose whether to enroll devices in Citrix MAM.

  8. If you set BYOD work profile to On, configure user consent. To allow users of BYOD work profile devices to decline device management when they enroll their devices, set Allow users to decline device management to On.

    If BYOD work profile is set to On, the default value of Allow users to decline device management is On. If BYOD work profile is set to Off, then Allow users to decline device management is disabled.

  9. Select Assignment (options). The Delivery Group Assignment screen appears.

  10. Choose the delivery group or delivery groups containing the administrators who enroll fully managed devices with a work profile. Then click Save.

    The Enrollment Profile page appears with the profile you added.

    Enrollment Profiles page

Adding an enrollment profile for legacy devices

Google deprecated the device administrator mode of device management. Google encourages customers to manage all Android devices in device owner mode or profile owner mode. (See Device admin deprecation in the Google Android Enterprise developer guides.)

To support this change:

  • Citrix made Android Enterprise the default enrollment option for Android devices.
  • If Android Enterprise is enabled for your Endpoint Management deployment, all newly enrolled or re-enrolled Android devices are enrolled as Android Enterprise devices.

Your organization might not be ready to begin managing legacy Android devices using Android Enterprise. In that case, you can continue to manage them in device administrator mode. For devices already enrolled in device administrator mode, Endpoint Management continues to manage them in device administrator mode.

Create an enrollment profile for legacy devices to allow new Android device enrollments to use device administrator mode.

To create an enrollment profile for legacy devices:

  1. In the Endpoint Management console, go to Configure > Enrollment Profiles.

  2. To add an enrollment profile, click Add. In the Enrollment Info page, type a name for the enrollment profile.

  3. Set the number of devices that members with this profile can enroll.

  4. Select Android under Platforms or click Next. The Enrollment Configuration page appears.

  5. Set Management to Legacy device administration (not recommended). Click Next.

    Enrollment Profiles configuration screen

  6. Choose whether to enroll devices in Citrix MAM.

  7. To allow users to decline device management when they enroll their devices, set Allow users to decline device management to On. Default is On.

  8. Select Assignment (options). The Delivery Group Assignment screen appears.

  9. Choose the delivery group or delivery groups containing the administrators who enroll dedicated devices. Then click Save.

The Enrollment Profile page appears with the profile you added.

Enrollment profile page

To continue managing legacy device in device administrator mode, enroll or re-enroll them using this profile. You enroll device administrator devices similar to work profile devices, by having users download Secure Hub and providing an enrollment server URL.

Provisioning Android Enterprise work profile devices

Android Enterprise work profile devices are enrolled in profile owner mode. These devices do not need to be new or factory reset. BYOD devices are enrolled as work profile devices. The enrollment experience is similar to Android enrollment in Endpoint Management. Users download Secure Hub from Google Play and enroll their devices.

By default, the USB Debugging and Unknown Sources settings get disabled on a device when you enroll the device in Android Enterprise as a work profile device.

When enrolling devices in Android Enterprise as work profile devices, always go to Google Play. From there, enable Secure Hub to appear in the user’s personal profile.

Provisioning Android Enterprise fully managed devices

You can enroll fully managed devices in the deployment you set up in the previous sections. Fully managed devices are company-owned devices and are enrolled in device owner mode. Only new or factory reset devices can be enrolled in device owner mode.

You can enroll devices in device owner mode using any of these enrollment methods:

  • DPC identifier token: With this enrollment method, users enter the characters afw#xenmobile when setting up the device. afw#xenmobile is the Citrix DPC identifier token. This token identifies the device as managed by Endpoint Management and downloads Secure Hub from the Google Play store. See Enrolling devices using the Citrix DPC identifier token.
  • Near field communication (NFC) bump: The NFC bump enrollment method transfers data through between two devices using near-field communication. Bluetooth, Wi-Fi, and other communication modes are disabled on a new or factory-reset device. NFC is the only communication protocol that the device can use in this state. See Enrolling devices with NFC bump.
  • QR code: QR code enrollment can be used to enroll a distributed fleet of devices that do not support NFC, such as tablets. The QR code enrollment method sets up and configures device profile mode by scanning a QR code from the setup wizard. See Enrolling devices using a QR code.
  • Zero touch: Zero-touch enrollment allows you to configure devices to enroll automatically when they are first powered on. Zero-touch enrollment is supported on some Android devices running Android 8.0 or later. See Zero-touch enrollment.
  • Google Accounts: Users enter their Google Account credentials to initiate the provisioning process. This option is for enterprises using G Suite.

Enrolling devices using the Citrix DPC identifier token

Users enter afw#xenmobile when prompted to enter a Google account after powering on new or factory reset devices for initial setup. This action downloads and installs Secure Hub. Users then follow the Secure Hub set-up prompts to complete the enrollment.

In this enrollment method is recommended for most customers because the latest version of Secure Hub is downloaded from the Google Play store. Unlike with other enrollment methods, you do not provide Secure Hub for download from the Endpoint Management server.

System requirements

  • Supported on all Android devices running the Android OS.

To enroll the device

  1. Power on a new or factory reset device.

  2. The initial device setup loads and prompts for a Google account. If the device loads the home screen of the device, check the notification bar for a Finish Setup notification.

    Device set up login prompt

  3. Enter afw#xenmobile in the Email or phone field.

    Device set up text

  4. Tap Install on the Android Enterprise screen prompting to install Secure Hub.

    Android Enterprise installation

  5. Tap Install on the Secure Hub installer screen.

    Secure Hub installation

  6. Tap Allow for all app permission requests.

  7. Tap Accept & Continue to install Secure Hub and allow it to manage the device.

    Secure Hub permissions

  8. Secure Hub is now installed and on the default enrollment screen. In this example, AutoDiscovery is not set up. If it was, the user can enter their username/email and a server would be found for them. Instead, enter the enrollment URL for the environment and tap Next.

    Secure Hub credentials

  9. The default configuration for Endpoint Management allows users to choose if they use MAM or MDM+MAM. If prompted in this way, tap Yes, Enroll to choose MDM+MAM.

    Secure Hub enroll device

  10. Enter the user name and password, then tap Next.

    Secure Hub login

  11. The user is prompted to configure a device passcode. Tap Set and enter a passcode.

    Secure Hub passcode

  12. The user is prompted to configure a work profile unlock method. For this example, tap Password, tap PIN, and enter a PIN.

    Passcode options

  13. The device is now on the Secure Hub My Apps landing screen. Tap Add apps from Store.

    Secure Hub apps screen

  14. To add Secure Web, tap Secure Web.

    Secure Hub store

  15. Tap Add.

    Secure web store

  16. Secure Hub directs the user to the Google Play store to install Secure Web. Tap Install.

    Secure app installation

  17. After Secure Web is installed, tap Open. Enter a URL from an internal site in the address bar and verify that the page loads.

    Secure web test

  18. Go to Settings > Accounts on the device. Observe that the Managed Account can’t be modified. The developer options for sharing screen or remote debugging are also blocked.

    Account modification

Enrolling devices with NFC bump

To enroll a device as a fully managed device using NFC bumps requires two devices: One that is reset to its factory settings and one running the Endpoint Management Provisioning Tool.

System requirements and prerequisites

  • Supported Android devices.
  • A new or factory-reset device, provisioned for Android Enterprise as a fully managed device. You can find steps to complete this prerequisite later in this article.
  • Another device with NFC capability, running the configured Provisioning Tool. The Provisioning Tool is available in Secure Hub or on the Citrix downloads page.

Each device can have only one Android Enterprise profile, managed Secure Hub. Only one profile is allowed on each device. Attempting to add a second DPC app removes the installed Secure Hub.

Data transferred through the NFC bump

Provisioning a factory-reset device requires you to send the following data through an NFC bump to initialize Android Enterprise:

  • Package name of the DPC app that acts as device owner (in this case, Secure Hub).
  • Intranet/Internet location from which the device can download the DPC app.
  • SHA1 hash of DPC app to verify if the download is successful.
  • Wi-Fi connection details so that a factory-reset device can connect and download the DPC app. Note: Android now does not support 802.1x Wi-Fi for this step.
  • Time zone for the device (optional).
  • Geographic location for the device (optional).

When the two devices are bumped, the data from the Provisioning Tool is sent to the factory-reset device. That data is then used to download Secure Hub with administrator settings. If you don’t enter time zone and location values, Android automatically configures the values on the new device.

Configuring the Endpoint Management Provisioning Tool

Before doing an NFC bump, you must configure the Provisioning Tool. This configuration is then transferred to the factory-reset device during the NFC bump.

The Provisioning Tool configuration

You can type data into the required fields or populate them via text file. The steps in the next procedure describe how to configure the text file and contain descriptions for each field. The app doesn’t save information after you type it, so you might want to create a text file to keep the information for future use.

To configure the Provisioning Tool by using a text file

Name the file nfcprovisioning.txt and place the file in the /sdcard/ folder on the SD card of the device. The app can then read the text file and populate the values.

The text file must contain the following data:

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION=<download_location>

This line is the intranet/internet location of the EMM provider app. After the factory-reset device connects to Wi-Fi following the NFC bump, the device must have access to this location for downloading. The URL is a regular URL, with no special formatting required.

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM=<SHA1 hash>

This line is the checksum of the EMM provider app. This checksum is used to verify that the download is successful. Steps to obtain the checksum are discussed later in this article.

android.app.extra.PROVISIONING_WIFI_SSID=<wifi ssid>

This line is the connected Wi-Fi SSID of the device on which the Provisioning Tool is running.

android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE=<wifi security type>

Supported values are WEP and WPA2. If the Wi-Fi is unprotected, this field must be empty.

android.app.extra.PROVISIONING_WIFI_PASSWORD=<wifi password>

If the Wi-Fi is unprotected, this field must be empty.

android.app.extra.PROVISIONING_LOCALE=<locale>

Enter language and country codes. The language codes are two-letter lowercase ISO language codes (such as en) as defined by ISO 639-1. The country codes are two-letter uppercase ISO country codes (such as US) as defined by ISO 3166-1. For example, type en_US for English as spoken in the United States. If you don’t type any codes, the country and language are automatically populated.

android.app.extra.PROVISIONING_TIME_ZONE=<timezone>

The time zone in which the device is running. Type the database name of the area/location. For example, type America/Los_Angeles for Pacific time. If you don’t type a name, the time zone automatically populates.

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME=<package name>

This data isn’t required, because the value is hardcoded into the app as Secure Hub. It’s mentioned here only for the sake of completion.

If there is a Wi-Fi protected by using WPA2, a completed nfcprovisioning.txt file might look like the following:

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION=https://www.somepublicurlhere.com/path/to/securehub.apk

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM=ga50TwdCmfdJ72LGRFkke4CrbAk\u003d

android.app.extra.PROVISIONING_WIFI_SSID=Protected_WiFi_Name

android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE=WPA2

android.app.extra.PROVISIONING_WIFI_PASSWORD=wifiPasswordHere

android.app.extra.PROVISIONING_LOCALE=en_US

android.app.extra.PROVISIONING_TIME_ZONE=America/Los_Angeles

If there is an unprotected Wi-Fi, a completed nfcprovisioning.txt file might look like the following:

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION=https://www.somepublicurlhere.com/path/to/securehub.apk

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM=ga50TwdCmfdJ72LGRFkke4CrbAk\u003d

android.app.extra.PROVISIONING_WIFI_SSID=Unprotected_WiFi_Name

android.app.extra.PROVISIONING_LOCALE=en_US

android.app.extra.PROVISIONING_TIME_ZONE=America/Los_Angeles

To get the checksum of Citrix Secure Hub

The checksum of Secure Hub is a constant value: qn7oZUtheu3JBAinzZRrrjCQv6LOO6Ll1OjcxT3-yKM. To download an APK file for Secure Hub, use the following Google Play store link: https://play.google.com/managed/downloadManagingApp?identifier=xenmobile.

To get an app checksum

Prerequisites:

  • The apksigner tool from the Android SDK Build Tools
  • OpenSSL command line

To get the checksum of any app, follow these steps:

  1. Download the app’s APK file from the Google Play store.
  2. In the OpenSSL command line, navigate to the apksigner tool: android-sdk/build-tools/<version>/apksigner and type the following:

    apksigner verify -print-certs <apk_path> | perl -nle 'print $& if m{(?<=SHA-256 digest:) .*}'  | xxd -r -p | openssl base64 | tr -d '=' | tr -- '+/=' '-_'
    

    The command returns a valid checksum.

  3. To generate the QR code, enter the checksum in the PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM field. For example:
{
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.zenprise/com.zenprise.configuration.AdminFunction",
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":"qn7oZUtheu3JBAinzZRrrjCQv6LOO6Ll1OjcxT3-yKM",
  "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://play.google.com/managed/downloadManagingApp?identifier=xenmobile",
  "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": {
      "serverURL": "https://supportablility.xm.cloud.com"
   }
}

Libraries used

The Provisioning Tool uses the following libraries in its source code:

  • v7 appcompat library, Design Support library, and v7 palette support library by Google under Apache license 2.0

    For information, see Support Library Features Guide.

  • Butter Knife by Jake Wharton under Apache license 2.0

Enrolling devices using a QR code

To enroll a fully managed device using a QR code, you generate a QR code by creating a JSON and converting the JSON to a QR code. Device cameras scan the QR code to enroll the device.

System requirements

  • Supported on all Android devices running Android 7.0 and above.

Create a QR code from a JSON

Create a JSON with the following fields.

These fields are required:

Key: android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME

Value: com.zenprise/com.zenprise.configuration.AdminFunction

Key: android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM

Value: qn7oZUtheu3JBAinzZRrrjCQv6LOO6Ll1OjcxT3-yKM

Key: android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION

Value: https://play.google.com/managed/downloadManagingApp?identifier=xenmobile

These fields are optional:

  • android.app.extra.PROVISIONING_LOCALE: Enter language and country codes.

    The language codes are two-letter lowercase ISO language codes (such as en) as defined by ISO 639-1. The country codes are two-letter uppercase ISO country codes (such as US) as defined by ISO 3166-1. For example, enter en_US for English as spoken in the United States.

  • android.app.extra.PROVISIONING_TIME_ZONE: The time zone in which the device is running.

    Type the database name of the area/location. For example, type America/Los_Angeles for Pacific time. If you don’t type a name, the time zone automatically populates.

  • android.app.extra.PROVISIONING_LOCAL_TIME: Time in milliseconds since the Epoch.

    The Unix epoch (or Unix time, POSIX time, or Unix timestamp) is the number of seconds that have elapsed since January 1, 1970 (midnight UTC/GMT). The time doesn’t include leap seconds (in ISO 8601: 1970-01-01T00:00:00Z).

  • android.app.extra.PROVISIONING_SKIP_ENCRYPTION: Set to true to skip encryption during profile creation. Set to false to force encryption during profile creation.

A typical JSON looks like the following:

A typical JSON

Validate the JSON that is created using any JSON validation tool, such as https://jsonlint.com. Convert that JSON string to a QR code using any online QR code generator, such as https://goqr.me.

This QR code gets scanned by a factory-reset device to enroll the device as a fully managed device.

To enroll the device

After powering up a new or factory reset device:

  1. Tap the screen six times on the welcome screen to launch the QR code enrollment flow.
  2. When prompted, connect to Wi-Fi. The download location for Secure Hub in the QR code (encoded in the JSON) is accessible over this Wi-Fi network.

    Once the device successfully connects to Wi-Fi, it downloads a QR code reader from Google and launches the camera.

  3. Point the camera to the QR code to scan the code.

    Android downloads Secure Hub from the download location in the QR code, validate the signing certificate signature, install Secure Hub and sets it as the device owner.

For more information, see this Google guide for Android EMM developers: https://developers.google.com/android/work/prov-devices#qr_code_method.

Zero-touch enrollment

Zero-touch enrollment lets you set up devices to provision themselves as fully managed devices when they are powered on for the first time.

Your device reseller creates an account for you on the Android zero-touch portal, an online tool that lets you apply configurations to devices. Using the Android zero-touch portal, you create one or more zero-touch enrollment configurations and apply the configurations to the devices assigned to your account. When your users power up these devices, the devices are automatically enrolled in Endpoint Management. The configuration assigned to the device defines its automatic enrollment process.

System requirements

  • Supported for zero-touch enrollment begins with Android 8.0.

Devices and account information from your reseller

  • Devices eligible for zero-touch enrollment are purchased from an enterprise reseller or Google partner. For a list of Android Enterprise zero-touch partners, see the Android website.

  • An Android Enterprise zero-touch portal account, created by your reseller.

  • Android Enterprise zero-touch portal account login information, provided by your reseller.

Create a zero-touch configuration

When you create a zero-touch configuration, include a custom JSON to specify details of the configuration.

Use this JSON to configure the device to enroll on the Endpoint Management server you specify. Substitute the URL of your server for ‘URL’ in this example.

      {
          "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":
        {
              "serverURL":"URL",
         }
      }

You can use an optional JSON with more parameters to further customize your configuration. This example specifies the Endpoint Management server and the user name and password that devices using this configuration use to log on to the server.

     {
        "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":
          {
              "serverURL":"URL",
              "xm_username":"username",
              "xm_password":"password"
          }
            }
  1. Go to the Android zero-touch portal at https://partner.android.com/zerotouch. Log in with the account information from your zero-touch device reseller.

  2. Click Configuration. The zero-touch portal

  3. Click + above the configuration table. The zero-touch portal

  4. Enter your configuration information in the configuration window that appears. The zero-touch portal
    • Configuration name: Type the name you choose for this configuration.
    • EMM DPC: Choose Citrix Secure Hub.
    • DPC extras: Paste your custom JSON text in this field.
    • Company name: Type the name you want to appear on your Android Enterprise zero-touch devices during device provisioning.
    • Support email address: Type an email address that your users can contact for help. This address appears on your Android Enterprise zero-touch devices before device provisioning.
    • Support phone number: Type a phone number that your users can contact for help. This phone number appears on your Android Enterprise zero-touch devices before device provisioning.
    • Custom Message: Optionally, add one or two sentences to help your users contact you or give them more details about what’s happening to their device. This custom message appears on your Android Enterprise zero-touch devices before device provisioning.
  5. Click Add.

  6. To create more configurations, repeat steps 2 through 4.

  7. To apply a configuration to a device:

    1. In the Android zero-touch portal, click Devices.

    2. Find the device in the list of devices and choose the configuration you want to assign to it. The zero-touch portal

    3. Click Update.

You can apply a configuration to many devices using a CSV file.

For information on how to apply a configuration to many devices, see the Android Enterprise help topic Zero-touch enrollment for IT admins. This Android Enterprise help topic contains more information on how to manage configurations and apply them to devices.

Provisioning dedicated Android Enterprise devices

Dedicated Android Enterprise devices are fully managed devices that are dedicated to fulfill a single use case. Dedicated devices are also known as corporate owned single use (COSU) devices. You restrict these devices to one app or small set of apps required to perform the tasks needed for this use case. You also prevent users from enabling other apps or performing other actions on the device.

Enroll dedicated devices using any of the enrollment methods used for other fully managed devices, as described in Provisioning Android Enterprise fully managed devices. Provisioning dedicated devices require more setup before enrollment.

To provision dedicated devices:

  • Add an enrollment profile for Endpoint Management administrators that you allow to enroll dedicated devices to your Endpoint Management deployment. See Creating enrollment profiles.
  • To enable a dedicated device to access apps, add them to the allow list.
  • Optionally, set the allowed app to allow lock task mode. When an app is in lock task mode, the app is pinned to the device screen when the user opens it. No Home button appears and the Back button is disabled. The user exits the app using an action programmed into the app, such as signing out.
  • Enroll each device in the enrollment profile you added.

System requirements

  • Support for enrolling dedicated devices begins with Android 6.0.

Allow apps and set lock task mode

The Kiosk device policy lets you allow apps and set lock task mode. By default, Secure Hub and Google Play services are on the allow list.

To add the Kiosk policy:

  1. In the Endpoint Management console, click Configure > Device Policies. The Device Policies page appears.

  2. Click Add. The Add a New Policy dialog box appears.

  3. Expand More and then, under Security, click Kiosk. The Kiosk Policy page appears.

  4. Under Platforms, select Android Enterprise. Clear other platforms.

  5. In the Policy Information pane, type the Policy Name and an optional Description.

  6. Click Next and then click Add.

  7. To allow an app and allow or deny lock task mode for that app:

    Select the app you want to allow from the list.

    Choose Allow to set the app to be pinned to the device screen when the user starts the app. Choose Deny to set the app not to be pinned. Default is Allow.

    Device Policies configuration screen

  8. Click Save.

  9. To allow another app and allow or deny lock task mode for that app, click Add.

  10. Configure deployment rules and choose delivery groups. For more information, see Device policies.

To enroll the device

  1. Click Next or select Android under Platforms. The Enrollment Configuration page appears.

  2. Set Management to Android Enterprise.

  3. Set Device owner mode to Dedicated device.

    Enrollment Profiles configuration screen

  4. Select Assignment (options). The Delivery Group Assignment screen appears.

  5. Choose the delivery group or delivery groups containing the administrators who enroll dedicated devices. Then click Save.

If you enabled BYOD work profile in the enrollment profile, devices that are not new or factor reset are enrolled as work profile devices. See Provisioning Android Enterprise work profile devices.

Provision Android Enterprise fully managed devices with a work profile (COPE devices)

Fully managed devices with a work profile, formerly called COPE devices, are company-owned devices that are used for both work and personal purposes. Your organization manages the entire devices. You can apply one set of policies to the device and a separate set of policies to the work profile.

In the Endpoint Management console, fully managed devices with a work profile appear with these terms:

  • The device ownership is “Corporate”.

  • The device Android Enterprise install type is “Corporate Owner Personally Enabled”.

System requirements

  • Support for enrolling fully managed devices with work profiles begins with Android 8.0.

Add an enrollment profile for fully managed devices with work profiles

  1. In the Endpoint Management console, go to Configure > Enrollment Profiles.

  2. To add an enrollment profile, click Add. In the Enrollment Info page, type a name for the enrollment profile. Ensure that the number of devices that members with this profile can enroll is set to unlimited.

  3. Click Next or select Android under Platforms. The Enrollment Configuration page appears.

  4. Set Management to Android Enterprise.

  5. Set Device owner mode to Fully managed with work profile.

    Enrollment Profiles configuration screen

  6. Select Assignment (options). The Delivery Group Assignment screen appears.

  7. Choose the delivery group or delivery groups containing the administrators who enroll dedicated devices. Then click Save.

    The Enrollment Profile page appears with the profile you added.

    Enrollment Profiles configuration screen

If a user belongs to multiple delivery groups that have different enrollment profiles, the name of the delivery group determines the enrollment profile used. Endpoint Management selects the delivery group that appears last in an alphabetized list of delivery groups.

To enroll the device

New and factory reset devices enroll as fully managed devices with a work profile. Those devices use any of the enrollment methods used for other fully managed devices, as described in Provisioning Android Enterprise fully managed devices.

Devices that are not new or factor reset are enrolled as work profile devices as described in Provisioning Android Enterprise work profile devices.

Viewing Android Enterprise devices in the Endpoint Management console

To view Android Enterprise fully managed devices, dedicated devices, and fully managed devices with a work profile:

  1. In the Endpoint Management console, go to Manage > Devices.

  2. Add the Android enterprise Enabled Device? column by clicking the menu on the right of the table on this page. Android Enterprise device list

  3. To view available security actions, select a fully managed device and click Secure. When the device is fully managed, the Full Wipe action is available but Selective Wipe is not. That difference is because the device only allows apps from the managed Google Play store. There is not an option for the user to install applications from the public store. Your organization manages all the content on the device.

    Security actions

Configure Android Enterprise device policies

Use these policies to configure how Endpoint Management interacts with devices running Android Enterprise. This table lists all device policies available for Android Enterprise devices.

Important:

For devices that enroll in Android Enterprise and use MDX apps: You can control some settings through MDX and Android Enterprise. Use the least restrictive policy settings for MDX and control the policy through Android Enterprise.

     
Android Enterprise App Permissions Android Enterprise Managed Configurations App Inventory
App Uninstall Control OS Update Credentials
Custom XML Endpoint Management options Exchange
Files Keyguard Management Kiosk
Knox Platform for Enterprise Location Passcode
Restrictions Samsung MDM license key Scheduling
Wi-Fi    

Device policies for fully managed devices with work profile (COPE devices)

For fully managed devices with work profiles, you can use some device policies to apply separate settings to the entire device and the work profile. You can use other device policies to apply settings only to the entire device or only to the work profile of fully managed devices with work profiles.

Policy Applies to
Android Enterprise App Permissions Work profile
Android Enterprise Managed Configurations Work profile
App Inventory Work profile
App Uninstall Work profile
Control OS Update N/A
Credentials Work profile
Custom XML N/A
Endpoint Management options Work profile
Exchange N/A
Files Work profile
Keyguard Management Device and work profile
Kiosk N/A
Knox Platform for Enterprise Work profile
Location Device (location mode only)
Passcode Device and work profile
Restrictions Device and work profile (create separate policies for the device and the work profile)
Samsung MDM license key N/A
Scheduling Work profile
Wi-Fi Device

See also, Supported device policies and MDX policies for Android Enterprise and MAM SDK Overview.

Security actions

Android Enterprise supports the following security actions. For a description of each security action, see Security actions.

Security action Work profile Fully managed
Certificate Renewal Yes Yes
Full Wipe Yes (after a selective wipe) Yes
Locate Yes Yes
Lock Yes Yes
Lock and Reset Password No Yes
Notify (Ring) Yes Yes
Revoke Yes Yes
Selective Wipe Yes Yes

Security action notes

  • The locate security action fails unless the Location device policy sets the location mode for the device to High Accuracy or Battery Saving. See Location device policy.

  • On work profile devices that are running versions of Android earlier than Android 8.0:

    • The lock and reset password action isn’t supported.
  • On work profile devices with Android 8.0 or greater:

    • The passcode sent locks the work profile. The device itself isn’t locked.
    • If no passcode is set on the work profile:
      • If no passcode is sent, or the passcode sent doesn’t meet passcode requirements: The device is locked.
    • If a passcode is set on the work profile:
      • If no passcode is sent, or the passcode sent doesn’t meet passcode requirements: The work profile is locked but the device itself isn’t locked.

Unenroll an Android Enterprise enterprise

If you no longer want to use your Android Enterprise enterprise, you can unenroll the enterprise.

Warning:

After an enterprise is unenrolled, Android Enterprise apps on devices already enrolled through it are reset to their default states. Google no longer manages the devices. Re-enrolling them in an Android Enterprise enterprise might not restore previous functionality until you perform further configuration.

After the Android Enterprise enterprise is unenrolled:

  • Devices and users enrolled through the enterprise have the Android Enterprise apps reset to their default state. Android Enterprise Managed Configurations policies previously applied no longer affect operations.
  • Endpoint Management manages devices enrolled through the enterprise. From the perspective of Google, those devices are unmanaged. You can’t add new Android Enterprise apps. You can’t apply Android Enterprise Managed Configurations policies. You can apply other policies, such as Scheduling, Password, and Restrictions, to these devices.
  • If you attempt to enroll devices in Android Enterprise, they are enrolled as Android devices, not Android Enterprise devices.

Unenroll an Android Enterprise enterprise using the Endpoint Management server console and Endpoint Management Tools.

When you perform this task, Endpoint Management opens a Tools popup window. Before you begin, ensure that your browser has permission to open popup windows. Some browsers, such as Google Chrome, require you to disable popup blocking and add the address of the Endpoint Management site to the popup allow list.

To unenroll an Android Enterprise enterprise:

  1. In the Endpoint Management console, click the gear icon in the upper-right corner. The Settings page appears.

  2. On the Settings page, click Android Enterprise.

  3. Click Unenroll.

    Unenroll option