Android Enterprise

Android Enterprise is a set of tools and services provided by Google as an enterprise management solution for Android devices. With Android Enterprise, you use Endpoint Management to manage company-owned Android devices and bring your own device (BYOD) Android devices. You can manage the entire device or a separate profile on the device. The separate profile isolates business accounts, apps, and data from personal accounts, apps, and data. You can also manage devices dedicated to a single use, such as inventory management.

For Android operating systems supported for Endpoint Management, see Supported device operating systems.

For a list of terms and definitions related to Android Enterprise, see the Google Android Enterprise developers guide article, Android Enterprise terminology. Google updates these terms frequently.

When you integrate Endpoint Management with managed Google Play to use Android Enterprise, you create an enterprise. Google defines an enterprise as a binding between the organization and your enterprise mobility management (EMM) solution. All the users and devices that the organization manages through your solution belong to its enterprise.

An enterprise for Android Enterprise has three components: an EMM solution, a device policy controller (DPC) app, and a Google enterprise app platform. When you integrate Endpoint Management with Android Enterprise, the complete solution has these components:

  • Citrix Endpoint Management: The Citrix EMM. Endpoint Management is the unified endpoint management for a secure digital workspace. Endpoint Management provides the means for IT administrators to manage devices and apps for their organizations.
  • Citrix Secure Hub: The Citrix DPC app. Secure Hub is the launchpad for Endpoint Management. Secure Hub enforces policies on the device.
  • Managed Google Play: A Google enterprise app platform that integrates with Endpoint Management. The Google Play EMM API sets app policies and distributes apps.

This illustration shows how administrators interact with these components and how the components interact with each other:

Android Enterprise workflow

Using managed Google Play with Endpoint Management

Note:

You can use either managed Google Play or G Suite to register Citrix as your EMM provider. This article discusses using Android Enterprise with managed Google Play. If your organization uses G Suite to provide access to apps, you can use it with Android Enterprise. See Legacy Android Enterprise for G Suite customers.

When you use managed Google Play, you provision managed Google Play Accounts for devices and end users. Managed Google Play Accounts provide access to managed Google Play, allowing users to install and use apps you make available. If your organization uses a third-party identity service, you can link managed Google Play Accounts with your existing identity accounts.

Because this type of enterprise is not tied to a domain, you can create more than one enterprise for a single organization. For example, each department or region within an organization can enroll as a different enterprise to manage separate sets of devices and apps.

For Endpoint Management administrators, managed Google Play combines the user experience and app store features of Google Play with a set of management capabilities designed for enterprises. You use managed Google Play to add, buy, and approve apps for deployment to the Android Enterprise workspace on a device. You can use Google Play to deploy public apps, private apps, and third-party apps.

For users of managed devices, managed Google Play is the enterprise app store. Users can browse apps, view app details, and install them. Unlike the public version of Google Play, users can only install apps from managed Google Play that you make available for them.

Device deployment scenarios and modes of operation

Device deployment scenario refers to who owns the devices you deploy and how you manage them. Mode of operation refers to how the DPC manages and enforces policies on the device. The mode of operation supports the device deployment scenario.

Work profile: BYOD device deployment, profile owner mode

A BYOD deployment scenario allows employees to bring personally owned devices to work and use those devices to access company information and applications.

The profile owner mode of operation supports BYOD deployments. Through the DPC, the enterprise enables personal devices for work use by adding a work profile to the primary user account on the device. The work profile isolates business accounts, apps, and data from personal accounts, apps, and data. The work profile is associated with the primary user, but as a separate profile. As the profile owner, the DPC manages only the work profile on the device and has limited control outside of the work profile. For more details about work profiles, see the Google Android Enterprise help topic, What is a work profile?.

Profile owner mode is enabled when the device is enrolled in Endpoint Management. Because the DPC manages only the work profile, not the whole device, devices enrolled in profile owner mode do not need to be new or factory reset.

A device in profile owner mode is also called a work profile device. Profile owner mode is also called work profile mode or managed profile mode.

Note:

Endpoint Management does not support Zebra devices in profile owner mode. Endpoint Management supports Zebra devices as fully managed devices and in device legacy mode (also called device admin mode).

Fully managed: Company-owned device deployment, device owner mode

In a company-owned deployment scenario, the enterprise owns and fully controls the devices it uses. Typically, organizations deploy company-owned devices when they need to strictly monitor and manage the whole device.

The device owner mode of operation supports company-owned deployments. In device owner mode, the DPC manages the entire device. As the device owner, the DPC can perform device-wide actions, such as configure device-wide connectivity, configure global settings, and perform a factory reset.

A device in device owner mode is a fully managed device.

Device owner mode is enabled during the initial device setup. Only new or factory reset devices can be enrolled into Endpoint Management in device owner mode.

Dedicated device: Company-owned device deployment, device owner mode

A dedicated device is a type of fully managed device. Dedicated devices are company-owned devices running in device owner mode. Dedicated devices provide a limited set of apps that serve a dedicated purpose, such as digital signage, ticket printing, or inventory management. When you provision a dedicated device, you provide only the required apps and prevent users from adding other apps.

Dedicated devices are also known as corporate owned single use (COSU) devices or kiosk mode devices.

Legacy device deployment, legacy mode

Legacy deployment scenarios are for devices running Android versions earlier than 5.0. Android versions earlier than 5.0 do not support device owner mode or profile owner mode. Android version 5.1 supports device owner mode but not profile owner mode.

The legacy mode of operation, which is also called device admin mode, supports legacy device deployments. In legacy mode, the DPC has limited control of a device. The DPC can wipe a device, require a passcode, or enforce some policies. To provide app management on legacy devices, use Google Play and allow users to add a Google Account. You can also have the DPC add a managed Google Play Account to the legacy device.

Legacy mode is discouraged for deployments where you can implement device owner mode or profile owner mode. Google recommends using the highest level of device management possible instead of a lowest common denominator solution across a large fleet. For information on migrating from legacy mode to device owner or profile owner mode, see Migrate from device administration to Android Enterprise.

Note:

Citrix also uses the term legacy to refer to customers who use Endpoint Management and G Suite, instead of managed Google Play, to manage Android Enterprise devices.

Authentication methods

Endpoint Management enrolls Android devices into MDM+MAM or MDM mode, with the option for users to register in MAM-only mode. Endpoint Management supports the following authentication methods for Android devices in MDM+MAM mode. For information, see the articles under Certificates and authentication.

  • Domain
  • Domain plus security token
  • Client certificate
  • Client certificate plus domain
  • Identity providers:
    • Azure Active Directory
    • Citrix Identity provider

Another rarely used authentication method is client certificate plus security token. For information, see https://support.citrix.com/article/CTX215200.

Requirements

Before you start using Android Enterprise, you need:

  • Accounts and credentials:

    • To set up Android Enterprise with managed Google Play, a corporate Google account
    • To download the latest MDX files, a Citrix customer account
    • To deploy private apps (optional), a Google developer account
  • For Samsung Knox Mobile Enrollment (optional), Knox premium licenses.

Connecting Endpoint Management to Google Play

To set up Android Enterprise for your organization, register Citrix as your EMM provider through managed Google Play. That setup connects managed Google Play to Endpoint Management and creates an enterprise for Android Enterprise in Endpoint Management.

You need a corporate Google account to sign in to Google Play.

  1. In the Endpoint Management console, click the gear icon in the upper-right corner. The Settings page appears.

  2. On the Settings page, click Android Enterprise.

    Settings page with Android Enterprise highlighted

  3. On the Android Enterprise page in Endpoint Management Settings, click Connect. Google Play opens.

    Android Enterprise connects to Google Play

  4. Sign in to Google Play with your corporate Google account credentials. Enter your organization name and confirm Citrix is your EMM provider.

  5. An enterprise ID is added for Android Enterprise. To enable Android Enterprise, slide Enable Android Enterprise to Yes.

    Enable Android Enterprise option

Your Enterprise ID appears in the Endpoint Management console.

Android Enterprise ID

Your environment is connected to Google and is ready to manage devices. You can now provide apps for users.

Endpoint Management can provide users with Citrix mobile productivity apps, MDX apps, public app store apps, web and SaaS apps, enterprise apps, and web links. For more information on these types of apps and providing them to users, see Add apps.

The following section shows how to provide mobile productivity apps.

Providing Citrix mobile productivity apps to Android Enterprise users

Providing Citrix mobile productivity apps for Android Enterprise users requires these steps.

  1. In your managed Google Play store, approve the apps you want your users to have. See Approve apps in managed Google Play.

  2. In the Endpoint Management console, publish the app as a public app store app. See Configure apps as public app store apps.

  3. In the Endpoint Management console, publish the same app again as an MDX app so the app can receive MDX policies. See Configure apps as MDX apps.

  4. In the Endpoint Management console, configure the rules for the security challenge your users use to access the work profiles on their devices. See Configure security challenge policy.

The apps you publish are available to devices enrolled in your Android Enterprise enterprise.

Approve apps in managed Google Play

Before you can add apps to Endpoint Management, first approve the app in your managed Google Play store. If you haven’t approved an app in your managed Google Play store, this error appears when you add the app:

Android Enterprise error

Go to the managed Google Play store to determine which apps are already available and approved for use in your enterprise.

  1. Log in to https://play.google.com/work with your Google account credentials.
  2. Click My managed apps to show all apps that have been approved for your users.
    Google play approval status

To approve an app in the managed Google Play store:

  1. While logged in to managed Google Play, select the app you want to approve. An Approve button appears on the app page.
    Google play approval
  2. Click Approve.
    Google play approval settings
  3. Click Approve again.
  4. Select Keep approved when app requests new permissions. Click Save.
    Google play approval settings

Configure apps as public app store apps

To configure Citrix Files as an Android Enterprise public app store app:

  1. In the Endpoint Management console, click Configure > Apps. The Apps page appears.

    Apps configuration screen

  2. Click Add. The Add App dialog box appears.

    Apps configuration screen

  3. Click Public App Store. The App Information page appears.

  4. On the App Information page, type the following information:

    • Name: Type a descriptive name for the app. This name appears under App Name on the Apps table.
    • Description: Type an optional description of the app.
    • App category: Optionally, in the list, click the category to which you want to add the app. For more information about app categories, see Create app categories.
  5. Click Next. The App Platforms page appears.

  6. Under Platforms, select Android Enterprise. Clear the other platforms.

  7. Under Android Enterprise, enter the package name (bundle ID) for the app and click Search. The package name can be found in the URL of the app's page in the Google Play store, as the value of the id parameter.

    Android Enterprise app bundle ID

  8. If the console shows the app is not approved in the Google Play store, click Yes to approve it now.

    Android Enterprise app not approved

  9. Select the app to add it. Click Next.

    Android Enterprise add app box

  10. Assign the app to one or more delivery groups.

    Android Enterprise delivery group

  11. Click Save.

Repeat these steps for Citrix Secure Mail and Citrix Secure Web.

Configure apps as MDX apps

Mobile productivity apps do not use the native Android manifest. You must add these apps as MDX apps and configure their MDX policies before deploying the apps to users.

Before adding MDX apps, download the latest Android MDX files:

  1. Go to the Citrix Endpoint Management downloads page and log in with your Citrix customer credentials: https://www.citrix.com/downloads/citrix-endpoint-management/product-software/xenmobile-enterprise-edition-worx-apps-and-mdx-toolkit.html.

    MDX file download

  2. Decompress the downloaded file and extract its contents.

To add and configure an MDX app:

  1. In the Endpoint Management console, click Configure > Apps. The Apps page appears.

    Apps configuration screen

  2. Click Add. The Add App dialog box appears.

    Apps configuration screen

  3. Click MDX. The MDX App Information page appears.

  4. Name the application and click Next.

    MDX app information

  5. Click Next to get to the Android platform configuration.

  6. Click Upload.

    MDX upload

  7. Navigate to the MDX file location and select the MDX file you want to install.

    MDX file selection

  8. Network access in some apps is Blocked by default. To enable network access, click the menu and select Tunneled - Web SSO.

    Network access options

  9. Click Next through the pages, accepting the defaults, until you reach the delivery group assignments page.

  10. Assign the app to the same delivery groups you assigned it to when publishing it as a public app store app.

  11. Click Save.

Repeat the steps to configure an MDX app for each mobile productivity app.

Configure security challenge policy

The Endpoint Management Passcode device policy configures security challenge rules. The challenges appear when users access their devices or the Android Enterprise work profiles on their devices. A security challenge can be a passcode or biometric recognition. For more information about the Passcode policy, see Passcode device policy.

  • If your Android Enterprise deployment includes BYOD devices, configure the passcode policy for the work profile.
  • If your deployment includes company-owned, fully managed devices, configure the passcode policy for the device itself.
  • If your deployment includes both types of devices, configure both types of passcode policy.

To configure the passcode policy:

  1. In the Endpoint Management console, go to Configure > Device Policies.

  2. Click Add.

  3. Click Show filter to show the Policy Platform pane. In the Policy Platform pane, select Android Enterprise.

  4. Click Passcode on the right pane.

    Password security option

  5. Enter a Policy Name. Click Next.

    Password security name

  6. Configure the Passcode policy settings.
    • Set Device passcode required to On to see the settings available for security challenges for the device itself.
    • Set Work profile security challenge to On to see the settings available for work profile security challenges.
  7. Click Next.

  8. Assign the policy to one or more delivery groups.

  9. Click Save.

Creating enrollment profiles

Enrollment profiles control how Android devices are enrolled if Android Enterprise is enabled for your Endpoint Management deployment. Enrollment profiles determine whether Android devices are enrolled in the default Android Enterprise mode (fully managed or work profile) or in legacy (device administrator) mode.

By default, the Global enrollment profile enrolls new and factory reset Android Enterprise devices as fully managed devices and enrolls BYOD Android Enterprise devices as work profile devices.

Creating an enrollment profile for legacy devices

Google is deprecating the device administrator mode of device management and encouraging customers to manage all Android devices in device owner mode or profile owner mode. (See Device admin deprecation in the Google Android Enterprise developer guides.) To support this change, Android Enterprise is now the default enrollment option for Android devices.

This change means that if Android Enterprise is enabled for your Endpoint Management deployment, all newly enrolled or re-enrolled Android devices are enrolled as Android Enterprise devices.

Your organization might not be ready to begin managing legacy Android devices in device owner mode or profile owner mode. In that case, you can continue to manage them in device administrator mode. Create an enrollment profile for legacy devices and re-enroll all enrolled legacy devices.

To create an enrollment profile for legacy devices:

  1. In the Endpoint Management console, go to Configure > Enrollment Profiles.

  2. To add an enrollment profile, click Add. In the Enrollment Info page, type a name for the enrollment profile.

  3. Click Next or select Android under Platforms. The Enrollment Configuration page appears.

  4. Set Management to Legacy device administration (not recommended). Click Next.

    Enrollment Profiles configuration screen

  5. Select Assignment (options). The Delivery Group Assignment screen appears.

  6. Choose the delivery group or delivery groups containing the users whose devices you want to keep in device administrator mode. Then click Save.

To continue managing legacy devices in device administrator mode, enroll or re-enroll them using this profile. You enroll device administrator devices in the same way as work profile devices: users download Secure Hub and enter an enrollment server URL.

Provisioning Android Enterprise work profile devices

Android Enterprise work profile devices are enrolled in profile owner mode. These devices do not need to be new or factory reset. BYOD devices are enrolled as work profile devices. The enrollment experience is similar to Android enrollment in Endpoint Management. Users download Secure Hub from Google Play and enroll their devices.

By default, the USB Debugging and Unknown Sources settings are disabled on a device when it is enrolled in Android Enterprise as a work profile device.

When you enroll devices in Android Enterprise as work profile devices, always have users install Secure Hub from Google Play, so that Secure Hub is available in the user's personal profile.

Provisioning Android Enterprise fully managed devices

You can enroll fully managed devices in the deployment you set up in the previous sections. Fully managed devices are company-owned devices and are enrolled in device owner mode. Only new or factory reset devices can be enrolled in device owner mode.

You can enroll devices in device owner mode using any of these enrollment methods:

  • DPC identifier token: With this enrollment method, users enter the characters afw#xenmobile when setting up the device. afw#xenmobile is the Citrix DPC identifier token. This token identifies the device as managed by Endpoint Management and downloads Secure Hub from the Google Play store. See Enrolling devices using the Citrix DPC identifier token.
  • Near field communication (NFC) bump: The NFC bump enrollment method transfers data between two devices using near-field communication. Bluetooth, Wi-Fi, and other communication modes are disabled on a new or factory-reset device, so NFC is the only communication protocol the device can use in this state. See Enrolling devices with NFC bump.
  • QR code: QR code enrollment can be used to enroll a distributed fleet of devices that do not support NFC, such as tablets. The QR code enrollment method provisions the device in device owner mode when the user scans a QR code from the setup wizard. See Enrolling devices using a QR code.
  • Zero touch: Zero-touch enrollment allows you to configure devices to enroll automatically when they are first powered on. Zero-touch enrollment is supported on some Android devices running Android 8.0 or later. See Zero-touch enrollment.
  • Google Accounts: Users enter their Google Account credentials to initiate the provisioning process. This option is for enterprises using G Suite.

Enrolling devices using the Citrix DPC identifier token

Users enter afw#xenmobile when prompted for a Google account after powering on a new or factory reset device for initial setup. This action downloads and installs Secure Hub. Users then follow the Secure Hub setup prompts to complete the enrollment.

This enrollment method is recommended for most customers because the latest version of Secure Hub is downloaded from the Google Play store. Unlike with other enrollment methods, you do not provide Secure Hub for download from the Endpoint Management server.

System requirements

  • Supported on all Android devices running the Android OS.

To enroll the device

  1. Power on a new or factory reset device.

  2. The initial device setup loads and prompts for a Google account. If the device loads the home screen of the device, check the notification bar for a Finish Setup notification.

    Device set up login prompt

  3. Enter afw#xenmobile in the Email or phone field.

    Device set up text

  4. Tap Install on the Android Enterprise screen prompting to install Secure Hub.

    Android Enterprise install

  5. Tap Install on the Secure Hub installer screen.

    Secure Hub install

  6. Tap Allow for all app permission requests.

  7. Tap Accept & Continue to install Secure Hub and allow it to manage the device.

    Secure Hub permissions

  8. Secure Hub is now installed and shows the default enrollment screen. In this example, autodiscovery is not set up. If it were, users could enter their user name or email address and Secure Hub would find the server for them. Instead, enter the enrollment URL for the environment and tap Next.

    Secure Hub credentials

  9. The default configuration for Endpoint Management allows users to choose if they use MAM or MDM+MAM. If prompted in this way, tap Yes, Enroll to choose MDM+MAM.

    Secure Hub enroll device

  10. Enter the user name and password, then tap Next.

    Secure Hub login

  11. The user is prompted to configure a device passcode. Tap Set and enter a passcode.

    Secure Hub passcode

  12. The user is prompted to configure a work profile unlock method. For this example, tap Password, tap PIN, and enter a PIN.

    Passcode options

  13. The device is now on the Secure Hub My Apps landing screen. Tap Add apps from Store.

    Secure Hub apps screen

  14. To add Secure Web, tap Secure Web.

    Secure Hub store

  15. Tap Add.

    Secure web store

  16. Secure Hub directs the user to the Google Play store to install Secure Web. Tap Install.

    Secure app install

  17. After Secure Web is installed, tap Open. Enter a URL from an internal site in the address bar and verify that the page loads.

    Secure web test

  18. Go to Settings > Accounts on the device. Observe that the Managed Account can’t be modified. The developer options for sharing screen or remote debugging are also blocked.

    Account modification

Enrolling devices with NFC bump

To enroll a device as a fully managed device using an NFC bump, you need two devices: one that is reset to its factory settings and one running the Endpoint Management Provisioning Tool.

System requirements and prerequisites

  • Supported Android devices.
  • A new or factory-reset device, provisioned for Android Enterprise as a fully managed device. You can find steps to complete this prerequisite later in this article.
  • Another device with NFC capability, running the configured Provisioning Tool. The Provisioning Tool is available in Secure Hub or on the Citrix downloads page.

Each device can have only one Android Enterprise profile, managed by a single DPC, which in this case is Secure Hub. Attempting to add a second DPC app removes the installed Secure Hub.

Data transferred through the NFC bump

Provisioning a factory-reset device requires you to send the following data through an NFC bump to initialize Android Enterprise:

  • Package name of the DPC app that acts as device owner (in this case, Secure Hub).
  • Intranet/Internet location from which the device can download the DPC app.
  • SHA1 hash of the DPC app. Android compares this hash with the hash of the package it downloads, so it verifies that the downloaded package is the expected one, not merely that the download completed.
  • Wi-Fi connection details so that a factory-reset device can connect and download the DPC app. Note: Android does not currently support 802.1x Wi-Fi for this step.
  • Time zone for the device (optional).
  • Geographic location for the device (optional).

When the two devices are bumped, the data from the Provisioning Tool is sent to the factory-reset device. That data is then used to download Secure Hub with administrator settings. If you don’t enter time zone and location values, Android automatically configures the values on the new device.

Configuring the Endpoint Management Provisioning Tool

Before doing an NFC bump, you must configure the Provisioning Tool. This configuration is then transferred to the factory-reset device during the NFC bump.

The Provisioning Tool configuration

You can type data into the required fields or populate them via text file. The steps in the next procedure describe how to configure the text file and contain descriptions for each field. The app doesn’t save information after you type it, so you might want to create a text file to keep the information for future use.

To configure the Provisioning Tool by using a text file

Name the file nfcprovisioning.txt and place the file in the /sdcard/ folder on the SD card of the device. The app can then read the text file and populate the values.

The text file must contain the following data:

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION=<download_location>

This line is the intranet/internet location of the EMM provider app. After the factory-reset device connects to Wi-Fi following the NFC bump, the device must have access to this location for downloading. The URL is a regular URL, with no special formatting required.

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM=<SHA1 hash>

This line is the checksum of the EMM provider app. Android refuses to install the DPC if the hash of the downloaded package does not match this value, so the checksum, rather than the download URL, is what guarantees that the app that becomes device owner is the one you intend. Steps to obtain the checksum are discussed later in this article.

android.app.extra.PROVISIONING_WIFI_SSID=<wifi ssid>

This line is the connected Wi-Fi SSID of the device on which the Provisioning Tool is running.

android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE=<wifi security type>

Supported values are WEP and WPA2. If the Wi-Fi is unprotected, this field must be empty. WEP provides no meaningful protection, so use a WPA2 network for provisioning where possible.

android.app.extra.PROVISIONING_WIFI_PASSWORD=<wifi password>

If the Wi-Fi is unprotected, this field must be empty.

android.app.extra.PROVISIONING_LOCALE=<locale>

Enter language and country codes. The language codes are two-letter lowercase ISO language codes (such as en) as defined by ISO 639-1. The country codes are two-letter uppercase ISO country codes (such as US) as defined by ISO 3166-1. For example, type en_US for English as spoken in the United States. If you don’t type any codes, the country and language are automatically populated.

android.app.extra.PROVISIONING_TIME_ZONE=<timezone>

The time zone in which the device is running. Type an Olson name of the form area/location. For example, America/Los_Angeles for Pacific time. If you don’t enter a name, the time zone is automatically populated.

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME=<package name>

This data isn’t required, because the value is hardcoded into the app as Secure Hub. It’s mentioned here only for the sake of completeness.

If there is a Wi-Fi protected by using WPA2, a completed nfcprovisioning.txt file might look like the following:

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION=https://www.somepublicurlhere.com/path/to/securehub.apk

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM=ga50TwdCmfdJ72LGRFkke4CrbAk\u003d

android.app.extra.PROVISIONING_WIFI_SSID=Protected_WiFi_Name

android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE=WPA2

android.app.extra.PROVISIONING_WIFI_PASSWORD=wifiPasswordHere

android.app.extra.PROVISIONING_LOCALE=en_US

android.app.extra.PROVISIONING_TIME_ZONE=America/Los_Angeles

If there is an unprotected Wi-Fi, a completed nfcprovisioning.txt file might look like the following:

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION=https://www.somepublicurlhere.com/path/to/securehub.apk

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM=ga50TwdCmfdJ72LGRFkke4CrbAk\u003d

android.app.extra.PROVISIONING_WIFI_SSID=Unprotected_WiFi_Name

android.app.extra.PROVISIONING_LOCALE=en_US

android.app.extra.PROVISIONING_TIME_ZONE=America/Los_Angeles

To get the Secure Hub checksum

To get the checksum of any app, add the app as an enterprise app.

  1. In the Endpoint Management console, go to Configure > Apps and then click Add.

    The Add Apps window appears.

  2. Click Enterprise.

    The App information page displays.

    The App Information page

  3. Select the following configuration and then click Next.

    The Android Enterprise Enterprise App page appears.

    The Android Enterprise Enterprise App

  4. Provide the path to the .apk and then click Next to upload the file.

    Once the upload is complete, the details of the uploaded package appear.

    The file upload page

  5. Click Next. Click Download JSON to download the JSON file which you then use to upload to Google Play. For Secure Hub, uploading to Google Play is not required, but you need the JSON file to read the SHA1 value from it.

    The download JSON file page

    A typical JSON file looks like the following:

    A typical JSON file

  6. Copy the file_sha1_base64 value and use it in the Hash field in the Provisioning Tool.

    Note: The hash must be URL safe.

    • Convert any + symbols to -
    • Convert any / symbols to _
    • Replace the trailing \u003d with = (\u003d is the JSON escape sequence for the = padding character)

    If you store the hash in the nfcprovisioning.txt file on the SD card of the device, the app does the safety conversion. However, if you opt to type the hash manually, it’s your responsibility to ensure its URL safety.
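The following Python script is an added example, not part of the Citrix documentation or the Provisioning Tool's own code. It ties together the two procedures above: it computes the SHA-1 checksum of a DPC package in the URL-safe base64 form Android expects, applies the three conversions listed for a hash copied out of the console's JSON file, verifies a downloaded package against a provisioned checksum, and renders an nfcprovisioning.txt from the fields described earlier. Function names, the validation rules (including the insistence on an https download location), and the sample bytes are this example's own assumptions.

```python
"""Added example, not Citrix's own Provisioning Tool code: build the
nfcprovisioning.txt described above, compute the DPC package checksum in
the URL-safe base64 form Android expects, and verify a downloaded package
against it. Function names, validation rules and sample values are the
example's own assumptions."""
import base64
import hashlib
import re

# Keys exactly as they appear in nfcprovisioning.txt
K_DOWNLOAD = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
K_CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM"
K_SSID = "android.app.extra.PROVISIONING_WIFI_SSID"
K_SECURITY = "android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE"
K_PASSWORD = "android.app.extra.PROVISIONING_WIFI_PASSWORD"
K_LOCALE = "android.app.extra.PROVISIONING_LOCALE"
K_TIMEZONE = "android.app.extra.PROVISIONING_TIME_ZONE"

WIFI_SECURITY_TYPES = {"WEP", "WPA2"}  # the only values the article lists


def apk_checksum(apk_bytes: bytes) -> str:
    """SHA-1 of the package, base64 encoded with the URL-safe alphabet
    ('-' and '_' instead of '+' and '/'), as the provisioning extra expects."""
    return base64.urlsafe_b64encode(hashlib.sha1(apk_bytes).digest()).decode("ascii")


def url_safe_checksum(json_value: str) -> str:
    """Apply the three conversions from the checksum procedure to a
    file_sha1_base64 value copied out of the console's JSON file. The JSON
    writes the '=' padding as the escape sequence backslash-u003d."""
    return (json_value.replace("\\u003d", "=")
                      .replace("+", "-")
                      .replace("/", "_"))


def checksum_matches(apk_bytes: bytes, provisioned: str) -> bool:
    """Recompute the hash of a downloaded DPC and compare it with the
    provisioned value. This comparison is what stops a substituted package
    from becoming device owner. Padding is optional in Android's format,
    so it is stripped on both sides before comparing."""
    got = apk_checksum(apk_bytes).rstrip("=")
    want = url_safe_checksum(provisioned).rstrip("=")
    return got == want


def render_nfcprovisioning(download_url, checksum, ssid, security_type="",
                           password="", locale="", time_zone=""):
    """Return the text of nfcprovisioning.txt. Optional fields and the
    'must be empty' Wi-Fi fields are omitted, matching the two sample files."""
    # Assumption of this example: insist on TLS for the DPC download location.
    if not download_url.startswith("https://"):
        raise ValueError("download location should be an https:// URL")
    if not ssid:
        raise ValueError("Wi-Fi SSID is required")
    if security_type and security_type not in WIFI_SECURITY_TYPES:
        raise ValueError(f"unsupported Wi-Fi security type: {security_type}")
    if bool(security_type) != bool(password):
        raise ValueError("security type and password must both be set or both be empty")
    if locale and not re.fullmatch(r"[a-z]{2}_[A-Z]{2}", locale):
        raise ValueError("locale must look like en_US")
    if time_zone and not re.fullmatch(r"[A-Za-z_]+(?:/[A-Za-z_+\-]+)+", time_zone):
        raise ValueError("time zone must be an Olson name like America/Los_Angeles")
    fields = [
        (K_DOWNLOAD, download_url),
        (K_CHECKSUM, url_safe_checksum(checksum)),
        (K_SSID, ssid),
        (K_SECURITY, security_type),
        (K_PASSWORD, password),
        (K_LOCALE, locale),
        (K_TIMEZONE, time_zone),
    ]
    return "".join(f"{key}={value}\n" for key, value in fields if value)


if __name__ == "__main__":
    # Constructed sample bytes; a real deployment hashes the Secure Hub APK file.
    sample_apk = b"constructed sample bytes, not a real Secure Hub APK"
    print(render_nfcprovisioning(
        "https://www.somepublicurlhere.com/path/to/securehub.apk",
        apk_checksum(sample_apk), "Protected_WiFi_Name", "WPA2",
        "wifiPasswordHere", "en_US", "America/Los_Angeles"))
```

Run it against the real APK by reading the file's bytes into apk_checksum; the value it prints for the checksum line is already URL safe, so it can be copied into the text file or the Provisioning Tool's Hash field without further conversion. The checksum_matches function models the check Android performs after the download, and is handy for confirming that the APK you host at the download location is the one whose hash you provisioned.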

Libraries used

The Provisioning Tool uses the following libraries in its source code:

  • v7 appcompat library, Design support library, and v7 Palette library by Google under Apache license 2.0

    For information, see Support Library Features Guide.

  • Butter Knife by Jake Wharton under Apache license 2.0

Enrolling devices using a QR code

To enroll a fully managed device using a QR code, you generate a QR code by creating a JSON and converting the JSON to a QR code. Device cameras scan the QR code to enroll the device.

System requirements

  • Supported on all Android devices running Android 7.0 and above.

Create a QR code from a JSON

Create a JSON with the following fields.

These fields are required:

Key: android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME

Value: com.zenprise/com.zenprise.configuration.AdminFunction

Key: android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM

Value: qn7oZUtheu3JBAinzZRrrjCQv6LOO6Ll1OjcxT3-yKM

Key: android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION

Value: https://play.google.com/managed/downloadManagingApp?identifier=xenmobile

These fields are optional:

  • android.app.extra.PROVISIONING_LOCALE: Enter language and country codes.

    The language codes are two-letter lowercase ISO language codes (such as en) as defined by ISO 639-1. The country codes are two-letter uppercase ISO country codes (such as US) as defined by ISO 3166-1. For example, enter en_US for English as spoken in the United States.

  • android.app.extra.PROVISIONING_TIME_ZONE: The time zone in which the device is running.

    Enter an Olson name of the form area/location. For example, America/Los_Angeles for Pacific time. If you don’t enter one, the time zone is automatically populated.

  • android.app.extra.PROVISIONING_LOCAL_TIME: Time in milliseconds since the Epoch.

    The Unix epoch is midnight UTC/GMT on January 1, 1970 (in ISO 8601: 1970-01-01T00:00:00Z). Unix time (also called POSIX time or a Unix timestamp) is the number of seconds that have elapsed since that moment, not counting leap seconds.

  • android.app.extra.PROVISIONING_SKIP_ENCRYPTION: Set to true to skip encryption during profile creation. Set to false to force encryption during profile creation.

A typical JSON looks like the following:

A typical JSON

Validate the JSON that is created using any JSON validation tool, such as https://jsonlint.com. Convert that JSON string to a QR code using any online QR code generator, such as https://goqr.me.

This QR code gets scanned by a factory-reset device to enroll the device as a fully managed device.
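An added example, not part of the Citrix documentation or tooling: it assembles the QR-code JSON from the required values listed above and validates it before you encode it. The format checks for the optional fields are my reading of the field descriptions above, not rules taken from Citrix or Google.

```python
import json
import re
from typing import List, Optional

# Required values from the page: the Secure Hub DPC component, its
# signing-certificate checksum and the managed Google Play download location.
REQUIRED = {
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":
        "com.zenprise/com.zenprise.configuration.AdminFunction",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":
        "qn7oZUtheu3JBAinzZRrrjCQv6LOO6Ll1OjcxT3-yKM",
    "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":
        "https://play.google.com/managed/downloadManagingApp?identifier=xenmobile",
}
LOCALE = "android.app.extra.PROVISIONING_LOCALE"
TIME_ZONE = "android.app.extra.PROVISIONING_TIME_ZONE"
LOCAL_TIME = "android.app.extra.PROVISIONING_LOCAL_TIME"
SKIP_ENCRYPTION = "android.app.extra.PROVISIONING_SKIP_ENCRYPTION"

# Format rules are my reading of the optional-field descriptions (assumption).
LOCALE_RE = re.compile(r"[a-z]{2}_[A-Z]{2}")            # e.g. en_US
TZ_RE = re.compile(r"[A-Za-z_]+(/[A-Za-z0-9_+\-]+)+")    # Olson area/location


def build_qr_json(locale: Optional[str] = None, time_zone: Optional[str] = None,
                  local_time_ms: Optional[int] = None,
                  skip_encryption: Optional[bool] = None) -> str:
    """Assemble the JSON string that is later converted to the QR code."""
    data = dict(REQUIRED)
    if locale is not None:
        data[LOCALE] = locale
    if time_zone is not None:
        data[TIME_ZONE] = time_zone
    if local_time_ms is not None:
        data[LOCAL_TIME] = local_time_ms
    if skip_encryption is not None:
        data[SKIP_ENCRYPTION] = skip_encryption
    return json.dumps(data, indent=2)


def validate_qr_json(text: str) -> List[str]:
    """Return the problems found; an empty list means the JSON is ready to encode."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(data, dict):
        return ["top level must be a JSON object"]
    problems = []
    for key, expected in REQUIRED.items():
        if key not in data:
            problems.append(f"missing required key {key}")
        elif data[key] != expected:
            # Any other component, checksum or location would install a different DPC.
            problems.append(f"{key} does not match the documented Secure Hub value")
    if LOCALE in data and not LOCALE_RE.fullmatch(str(data[LOCALE])):
        problems.append(f"{LOCALE} must look like en_US, got {data[LOCALE]!r}")
    if TIME_ZONE in data and not TZ_RE.fullmatch(str(data[TIME_ZONE])):
        problems.append(f"{TIME_ZONE} must be an Olson name such as America/Los_Angeles")
    if LOCAL_TIME in data and (isinstance(data[LOCAL_TIME], bool)
                               or not isinstance(data[LOCAL_TIME], int) or data[LOCAL_TIME] < 0):
        problems.append(f"{LOCAL_TIME} must be a non-negative integer of milliseconds")
    if SKIP_ENCRYPTION in data and not isinstance(data[SKIP_ENCRYPTION], bool):
        problems.append(f"{SKIP_ENCRYPTION} must be JSON true or false, not a string")
    known = set(REQUIRED) | {LOCALE, TIME_ZONE, LOCAL_TIME, SKIP_ENCRYPTION}
    problems.extend(f"unexpected key {key}" for key in sorted(set(data) - known))
    return problems
```

Run `validate_qr_json(build_qr_json(locale="en_US", time_zone="America/Los_Angeles"))` and encode the JSON only when the returned list is empty.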

To enroll the device

After powering up a new or factory reset device:

  1. Tap the screen six times on the welcome screen to launch the QR code enrollment flow.
  2. When prompted, connect to Wi-Fi. The download location for Secure Hub in the QR code (encoded in the JSON) is accessible over this Wi-Fi network.

    Once the device successfully connects to Wi-Fi, it downloads a QR code reader from Google and launches the camera.

  3. Point the camera to the QR code to scan the code.

    Android downloads Secure Hub from the download location in the QR code, validates the signing certificate signature, installs Secure Hub, and sets it as the device owner.

For more information, see this Google guide for Android EMM developers: https://developers.google.com/android/work/prov-devices#qr_code_method.

Zero-touch enrollment

Zero-touch enrollment lets you set up devices to provision themselves as fully managed devices when they are powered on for the first time.

Your device reseller creates an account for you on the Android zero-touch portal, an online tool that lets you apply configurations to devices. Using the Android zero-touch portal, you create one or more zero-touch enrollment configurations and apply the configurations to the devices assigned to your account. When your users power up these devices, the devices are automatically enrolled in Endpoint Management. The configuration assigned to the device defines its automatic enrollment process.

System requirements

  • Support for zero-touch enrollment begins with Android 8.0.

Devices and account information from your reseller

  • Devices eligible for zero-touch enrollment are purchased from an enterprise reseller or Google partner. For a list of Android Enterprise zero-touch partners, see the Android website.

  • An Android Enterprise zero-touch portal account, created by your reseller.

  • Android Enterprise zero-touch portal account login information, provided by your reseller.

Create a zero-touch configuration

When you create a zero-touch configuration, include a custom JSON to specify details of the configuration.

Use this JSON to configure the device to enroll on the Endpoint Management server you specify. Substitute the URL of your server for ‘URL’ in this example.

      {
          "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":
          {
              "serverURL":"URL"
          }
      }

You can use an optional JSON with more parameters to further customize your configuration. This example specifies the Endpoint Management server and the user name and password that devices using this configuration use to log on to the server.

      {
          "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":
          {
              "serverURL":"URL",
              "xm_username":"username",
              "xm_password":"password"
          }
      }

  1. Go to the Android zero-touch portal at https://partner.android.com/zerotouch. Log in with the account information from your zero-touch device reseller.

  2. Click Configuration.

    The zero-touch portal

  3. Click + above the configuration table.

    The zero-touch portal

  4. Enter your configuration information in the configuration window that appears.

    The zero-touch portal

    • Configuration name: Type the name you choose for this configuration.
    • EMM DPC: Choose Citrix Secure Hub.
    • DPC extras: Paste your custom JSON text in this field.
    • Company name: Type the name you want to appear on your Android Enterprise zero-touch devices during device provisioning.
    • Support email address: Type an email address that your users can contact for help. This address appears on your Android Enterprise zero-touch devices before device provisioning.
    • Support phone number: Type a phone number that your users can contact for help. This phone number appears on your Android Enterprise zero-touch devices before device provisioning.
    • Custom Message: Optionally, add one or two sentences to help your users contact you or give them more details about what’s happening to their device. This custom message appears on your Android Enterprise zero-touch devices before device provisioning.
  5. Click Add.

  6. To create more configurations, repeat steps 2 through 4.

  7. To apply a configuration to a device:

    1. In the Android zero-touch portal, click Devices.

    2. Find the device in the list of devices and choose the configuration you want to assign to it.

      The zero-touch portal

    3. Click Update.

You can apply a configuration to many devices using a CSV file.

For information on how to apply a configuration to many devices, see the Android Enterprise help topic Zero-touch enrollment for IT admins. This Android Enterprise help topic contains more information on how to manage configurations and apply them to devices.

Viewing fully managed devices in the Endpoint Management console

  1. In the Endpoint Management console, go to Manage > Devices.

  2. Add the Android enterprise Enabled Device? column by clicking the menu on the right of the table on this page.

    Android Enterprise device list

  3. To view available security actions, select a fully managed device and click Secure. When the device is fully managed, the Full Wipe action is available but Selective Wipe is not. That difference is because the device only allows apps from the managed Google Play store. There is not an option for the user to install applications from the public store. Your organization manages all the content on the device.

    Security actions

Provisioning dedicated Android Enterprise devices

Dedicated Android Enterprise devices are fully managed devices that are dedicated to fulfill a single use case. You restrict these devices to one app or small set of apps required to perform the tasks needed for this use case. You also prevent users from enabling other apps or performing other actions on the device.

Dedicated devices are enrolled using any of the enrollment methods used for other fully managed devices, as described in Provisioning Android Enterprise fully managed devices. Provisioning dedicated devices requires more setup before enrollment.

Dedicated devices are also known as corporate owned single use (COSU) devices.

Note:

Unlike other fully managed devices, dedicated devices can only be enrolled by users with Active Directory accounts. Local users can’t enroll dedicated devices.

To provision dedicated devices:

  • Add a role-based access control (RBAC) role that allows Endpoint Management administrators to enroll dedicated devices to your Endpoint Management deployment. Assign this role to users whom you want to enroll dedicated devices.
  • Add an enrollment profile for Endpoint Management administrators that you allow to enroll dedicated devices to your Endpoint Management deployment.
  • Whitelist the app or apps you want the dedicated device to access.
  • Optionally, set the whitelisted app to allow lock task mode. When an app is in lock task mode, the app is pinned to the device screen when the user opens it. No Home button appears and the Back button is disabled. The user exits the app using an action programmed into the app, such as signing out.
  • Enroll each device as a fully managed device.

System requirements

  • Support for enrolling dedicated devices begins with Android 6.0.

Add the RBAC role for dedicated devices

The RBAC role for enrolling dedicated devices enables Endpoint Management to silently provision and activate a managed Google Play account on the device. Unlike managed Google Play user accounts, these device accounts identify a device that is not tied to a user.

You assign this RBAC role to Endpoint Management administrators to enable them to enroll dedicated devices.

To add the RBAC role for enrolling dedicated devices:

  1. In the Endpoint Management console, click the gear icon in the upper-right corner of the console. The Settings page appears.

  2. Click Role-Based Access Control. The Role-Based Access Control page appears, which displays the four default user roles, plus any roles you have previously added.

  3. Click Add. The Add Role page appears.

  4. Enter the following information.

    • RBAC name: Enter “COSU” or other descriptive name for the role. You cannot change the name of a role.
    • RBAC template: Choose the ADMIN template.
    • Authorized access: Select Admin console access and COSU devices enroller.
    • Console features: Select Devices.
    • Apply permissions: Select the groups to which you want to apply the COSU role. If you click To specific user groups, a list of groups appears from which you can select one or more groups.
  5. Click Next. The Assignment page appears.

  6. Enter the following information to assign the role to Active Directory groups.

    • Select domain: In the list, click a domain.
    • Include user groups: Click Search to see a list of all available groups. Or, type a full or partial group name to limit the list to only groups with that name.
    • In the list that appears, select the user groups to which you want to assign the role. When you select a user group, the group appears in the Selected user groups list.

    Add role

  7. Click Save.

Add a dedicated (COSU) enrollment profile

When your Endpoint Management deployment includes dedicated devices, a single Endpoint Management administrator or small group of administrators enroll many dedicated devices.

To ensure that these administrators can enroll all the devices required, create an enrollment profile for them with unlimited devices allowed per user. Assign this profile to a delivery group containing the administrators who enroll dedicated devices. That way, even if the default Global profile has a limited number of devices allowed per user, administrators can enroll an unlimited number of devices. Those administrators must be in the dedicated (COSU) enrollment profile.

  1. In the Endpoint Management console, go to Configure > Enrollment Profiles. The default Global profile appears.

  2. To add an enrollment profile, click Add. On the Enrollment Info page, type a name for the enrollment profile. Ensure that the number of devices that members with this profile can enroll is set to unlimited.

  3. On the Android page:

    • Set Management to Android Enterprise.
    • Set Device owner mode to Company-owned device.

    Add role

  4. On the Delivery Group Assignment page, choose the delivery group or delivery groups containing the administrators who enroll dedicated devices. Then click Save.

    The Enrollment Profile page appears with the profile you added.

    Enrollment Profiles configuration screen

Whitelist apps and set lock task mode

The Kiosk device policy lets you whitelist apps and set lock task mode. By default, Secure Hub and Google Play services are whitelisted.

To add the Kiosk policy:

  1. In the Endpoint Management console, click Configure > Device Policies. The Device Policies page appears.

  2. Click Add. The Add a New Policy dialog box appears.

  3. Expand More and then, under Security, click Kiosk. The Kiosk Policy page appears.

  4. Under Platforms, select Android Enterprise. Clear other platforms.

  5. In the Policy Information pane, type the Policy Name and an optional Description.

  6. Click Next and then click Add.

  7. To whitelist an app and allow or deny lock task mode for that app:

    Select the app you want to whitelist from the list.

    Choose Allow to set the app to be pinned to the device screen when the user starts the app. Choose Deny to set the app not to be pinned. Default is Allow.

    Device Policies configuration screen

  8. Click Save.

  9. To whitelist another app and allow or deny lock task mode for that app, click Add.

  10. Configure deployment rules and choose delivery groups. For more information, see Device policies.

To enroll the device

  1. Power on a new or factory reset device.

  2. Enroll the device as a fully managed device, assigning it to a user that has the dedicated device RBAC role.

After the device is enrolled, it displays a list of the apps a user can run and lock into this screen.

App list

This example shows that while Gmail is on the device, it is not able to run.

Configure Android Enterprise device policies

Use these policies to configure how Endpoint Management interacts with devices running Android Enterprise. The following device policies are available for Android Enterprise devices:

  • Android Enterprise App Permissions
  • Android Enterprise Managed Configurations
  • App Inventory
  • App Uninstall
  • Control OS Update
  • Credentials
  • Custom XML
  • Endpoint Management options
  • Exchange
  • Files
  • Keyguard Management
  • Kiosk
  • Knox Platform for Enterprise
  • Location
  • Passcode
  • Restrictions
  • Samsung MDM license key
  • Scheduling
  • Wi-Fi

See also, Android Enterprise supported device policies and MDX policies.

Security actions

Android Enterprise supports the following security actions. For a description of each security action, see Security actions.

Security action            Android Enterprise (BYOD)   Android Enterprise (company-owned)
Certificate Renewal        Yes                         Yes
Full Wipe                  No                          Yes
Locate                     Yes                         Yes
Lock                       Yes                         Yes
Lock and Reset Password    No                          Yes
Notify (Ring)              Yes                         Yes
Revoke                     Yes                         Yes
Selective Wipe             Yes                         No

Notes:

The Locate security action fails unless the Location device policy has set the location mode for the device to High Accuracy or Battery Saving.

The Lock and Reset Password command is not supported on work profile devices that are running versions of Android earlier than Android 8.0. On work profile devices that are running Android 8.0 or later, the result depends on the passcode sent and on whether a passcode is already set on the work profile:

  • A passcode that meets the passcode requirements is sent: The work profile is locked, but the device is not locked.
  • No passcode is sent, or the passcode sent doesn’t meet the passcode requirements, and no passcode is already set on the work profile: The device is locked.
  • No passcode is sent, or the passcode sent doesn’t meet the passcode requirements, but a passcode is already set on the work profile: The work profile is locked, but the device is not locked.

Unenroll an Android Enterprise enterprise

If you no longer want to use your Android Enterprise enterprise, you can unenroll the enterprise.

Warning:

After an enterprise is unenrolled, Android Enterprise apps on devices already enrolled through it are reset to their default states. Google no longer manages the devices. Re-enrolling them in an Android Enterprise enterprise might not restore previous functionality until you perform further configuration.

After the Android Enterprise enterprise is unenrolled:

  • Devices and users enrolled through the enterprise have the Android Enterprise apps reset to their default state. Android Enterprise App Permissions and Android Enterprise Managed Configurations policies previously applied no longer affect operations.
  • Endpoint Management manages devices enrolled through the enterprise. From the perspective of Google, those devices are unmanaged. You can’t add new Android Enterprise apps. You can’t apply Android Enterprise App Permissions or Android Enterprise Managed Configurations policies. You can apply other policies, such as Scheduling, Password, and Restrictions, to these devices.
  • If you attempt to enroll devices in Android Enterprise, they are enrolled as Android devices, not Android Enterprise devices.

Unenroll an Android Enterprise enterprise using the Endpoint Management server console and Endpoint Management Tools.

When you perform this task, the Endpoint Management server opens a popup window for Endpoint Management Tools. Before you begin, ensure that the Endpoint Management server has permission to open popup windows in the browser. Some browsers, such as Google Chrome, require you to disable popup blocking and add the address of the Endpoint Management site to the popup block whitelist.

To unenroll an Android Enterprise enterprise:

  1. In the Endpoint Management console, click the gear icon in the upper-right corner. The Settings page appears.

  2. On the Settings page, click Android Enterprise.

  3. Click Unenroll.

    Unenroll option