Android Enterprise managed configurations policy

The Android Enterprise managed configurations device policy controls various app configuration options and app restrictions. The app developer defines the options and tooltips available for an app. If a tooltip mentions using a “templated value,” use the corresponding Endpoint Management macro instead. For more information, see Remote configuration overview (on the Android developer site) and Macros.

The app configuration settings can include items such as:

  • App email settings
  • Whitelist or blacklist URLs for a web browser
  • Option to control app content sync through a cellular connection or only by a Wi-Fi connection

For information about the settings that appear for your apps, contact the app developer.

Prerequisites

To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

Android Enterprise settings

After you choose to add an Android Enterprise managed configurations device policy, a prompt to select an app appears. If there are no Android Enterprise apps added to Endpoint Management, you cannot proceed.

Note: Always-on VPN is not available for Android Enterprise currently.

After you select an app, then configure the policy settings. The settings are specific to each app.

Image of Device Policies configuration screen

Configure VPN profiles for Android Enterprise

Make VPN profiles available to Android Enterprise devices using the Citrix SSO app with the Android Enterprise managed configuration device policy.

Start by adding Citrix SSO to the Endpoint Management console as a Google Play store app. See Add a public app store app.

Image of SSO app in console

Create an Android Enterprise managed configuration for Citrix SSO

Configure the Android Enterprise managed configurations device policy for Citrix SSO to create VPN profiles. Devices that have the Citrix SSO app installed and the policy deployed have access to the VPN profiles you create.

You need your Citrix Gateway FQDN and port.

  1. In the Endpoint Management console, click Configure > Device Policies. Click Add.

  2. Select Android Enterprise. Click Android Enterprise Managed Configurations.

    Image of select Android Enterprise policies

  3. When the Select Application ID window appears, choose Citrix SSO from the list and click OK.

    Image of Select Application ID window

  4. Type a name and description for your Citrix SSO VPN configuration. Click Next.

    Image of Android Enterprise managed configuration wizard

  5. Configure VPN profile parameters.

    • VPN Profile Name. Type a name for the VPN profile. If you are creating more than one VPN profile, use a unique name for each. If you don’t provide a name, the address you put in the Server Address field is used as the VPN profile name.

    • Server Address(*). Type your Citrix Gateway FQDN. If your Citrix Gateway port is not 443, also type your port. Use URL format. For example, https://gateway.mycompany.com:8443.

    • Username (optional). Provide the user name that end users use to authenticate to the Citrix Gateway. You can use the Endpoint Management macro {user.username} for this field. (See Macros.) If you don’t provide a user name, users are prompted for a user name when they connect to Citrix Gateway.

    • Password (optional). Provide the password that end users use to authenticate to the Citrix Gateway. If you don’t provide a password, users are prompted for a password when they connect to Citrix Gateway.

    • Certificate Alias (optional). Provide a certificate alias in the Android KeyStore to be used for client certificate authentication. This certificate is pre-selected for users if you are using certificate-based authentication.

    • Per-App VPN Type (optional). If you are using per-app VPN to restrict which apps use this VPN, you can configure this setting. If you select Allow, network traffic for app package names listed in the PerAppVPN app list are routed through the VPN. The network traffic of all other apps is routed outside the VPN. If you select Disallow, network traffic for app package names listed in the PerAppVPN app list are routed outside the VPN. The network traffic of all other apps is routed through the VPN. Default is Allow.

    • PerAppVPN app list. A list of apps whose traffic is allowed or disallowed on the VPN, depending on the value of Per-App VPN Type. List the app package names separated by commas or semicolons. App package names are case sensitive and must appear on this list exactly as they appear in the Google Play store. This list is optional. Keep this list empty for provisioning device-wide VPN.

    • Default VPN profile. The VPN profile name seen when users tap the connect switch in the Citrix SSO app instead of tapping a specific profile. If this field is left empty, the main profile is used for connection. If only one profile is configured, it is marked as default profile.

    • Disable User Profiles. If this setting is ON, users can’t create their own VPNs on their devices. If this setting is OFF, users can create their own VPNs on their devices. Default is OFF.

    • Block Untrusted Servers. Set this setting to OFF when using a self-signed certificate for Citrix Gateway or when the root certificate of the CA that issued the Citrix Gateway certificate is not in the system CA list. If this setting is ON, the Android operating system validates the Citrix Gateway certificate, and if the validation fails, the connection is not allowed. Default value is ON.

    Image of Android Enterprise managed configuration wizard

  6. Optionally, create custom parameters. The custom parameters XenMobileDeviceId and UserAgent are supported. Select the current VPN configuration and click Add.

    Image of Android Enterprise managed configuration wizard

    1. Create a custom parameter:

      • Parameter name. Type XenMobileDeviceId. This field is the device ID to use for the Network Access Check, which is based on device enrollment in Endpoint Management. If Endpoint Management enrolls and manages the device, the VPN connection is allowed. Otherwise, authentication is denied at the time of VPN establishment.

      • Parameter value. For Endpoint Management to determine the enrollment and management state of the device, set the value of XenMobileDeviceId to DeviceID_${device.id}.

    Image of Android Enterprise managed configuration wizard

    2. To create another custom parameter, click Add again. Create this custom parameter:

      • Parameter name. Type UserAgent. The Citrix SSO app appends the value of this parameter to the User-Agent HTTP header while communicating with the Citrix Gateway, so that Citrix Gateway can perform an extra check.

      • Parameter value. Type the text you want to append to the User-Agent HTTP header. This text must conform to the HTTP User-Agent specifications.

  7. Optionally, create more VPN profile configurations. Click Add under the list of configurations. A new configuration appears in the list. Select the new configuration and repeat step 5 and, optionally, step 6.

    Image of Android Enterprise managed configuration wizard

  8. When you have created all the VPN profiles you want, click Next.

  9. Configure deployment rules for this managed configuration for Citrix SSO.

  10. Click Save.

This managed configuration for Citrix SSO now appears in your list of configured device policies.
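The following script is an added example, not Citrix code, that models the semantics the wizard fields in step 5 and the custom parameters in step 6 describe: the Server Address URL format, the comma- or semicolon-separated, case-sensitive PerAppVPN app list, how Per-App VPN Type decides which app traffic goes through the VPN, how the default profile is chosen, how the ${device.id} and {user.username} macros expand, and whether a UserAgent value is a valid User-Agent fragment. The field names (vpn_profile_name, per_app_vpn_list, and so on), the rule that the first listed profile is the "main" profile, and the requirement that the Server Address use the https scheme are this script's assumptions; the real restriction keys used by the Citrix SSO app are not on this page and are not reproduced here.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Added example: models the wizard's field semantics. Field names are this
# script's own assumptions, not the Citrix SSO app's restriction keys.


def parse_app_list(text: str) -> list[str]:
    """PerAppVPN app list: package names separated by commas or semicolons.
    Package names are case sensitive, so they are not lower-cased."""
    return [p.strip() for p in re.split(r"[,;]", text or "") if p.strip()]


def validate_server_address(addr: str) -> tuple[str, int]:
    """Server Address must use URL format (page example:
    https://gateway.mycompany.com:8443). The port defaults to 443 when
    omitted. Requiring the https scheme is this script's assumption."""
    parsed = urlparse(addr.strip())
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError(f"Server Address must be an https:// URL: {addr!r}")
    return parsed.hostname, parsed.port or 443


@dataclass
class VpnProfile:
    server_address: str
    vpn_profile_name: str = ""
    username: str = ""
    password: str = ""
    certificate_alias: str = ""
    per_app_vpn_type: str = "Allow"        # "Allow" or "Disallow"; default Allow
    per_app_vpn_list: str = ""             # empty list = device-wide VPN
    disable_user_profiles: bool = False    # default OFF
    block_untrusted_servers: bool = True   # default ON: OS validates the gateway cert

    def __post_init__(self) -> None:
        validate_server_address(self.server_address)
        if self.per_app_vpn_type not in ("Allow", "Disallow"):
            raise ValueError(f"Per-App VPN Type must be Allow or Disallow: {self.per_app_vpn_type!r}")

    @property
    def display_name(self) -> str:
        # With no VPN Profile Name, the Server Address is used as the name.
        return self.vpn_profile_name or self.server_address

    def routes_through_vpn(self, package: str) -> bool:
        """Allow: only listed packages use the VPN. Disallow: every package
        except the listed ones uses the VPN. Empty list: device-wide VPN."""
        listed = parse_app_list(self.per_app_vpn_list)
        if not listed:
            return True
        in_list = package in listed  # exact, case-sensitive match
        return in_list if self.per_app_vpn_type == "Allow" else not in_list

    def prompts_at_connect(self) -> list[str]:
        """Credentials the user is prompted for because the policy left them empty."""
        return [f for f in ("username", "password") if not getattr(self, f)]


def default_profile(profiles: list[VpnProfile], default_name: str = "") -> VpnProfile:
    """Profile used by the connect switch: a lone profile is the default;
    otherwise the one named in Default VPN profile; otherwise the first
    configured profile (treated here as the "main" profile, an assumption)."""
    if not profiles:
        raise ValueError("no VPN profiles configured")
    if len(profiles) == 1:
        return profiles[0]
    for profile in profiles:
        if default_name and profile.display_name == default_name:
            return profile
    return profiles[0]


def expand_macros(value: str, device_id: str, username: str) -> str:
    """Expand the two Endpoint Management macros the page uses, e.g.
    DeviceID_${device.id} for the XenMobileDeviceId custom parameter."""
    return value.replace("${device.id}", device_id).replace("{user.username}", username)


# RFC 7231 section 5.5.3: User-Agent = product *( RWS ( product / comment ) ).
# Nested comments are not handled by this regex.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PRODUCT = rf"{_TOKEN}(?:/{_TOKEN})?"
_COMMENT = r"\((?:[^()\\\x00-\x1f\x7f]|\\[\t\x20-\x7e])*\)"
_USER_AGENT = re.compile(rf"{_PRODUCT}(?:[ \t]+(?:{_PRODUCT}|{_COMMENT}))*")


def user_agent_is_valid(text: str) -> bool:
    """The UserAgent custom parameter is appended to the User-Agent header,
    so it must itself be a valid User-Agent value."""
    return _USER_AGENT.fullmatch(text) is not None


if __name__ == "__main__":
    # Constructed sample policy: a per-app profile plus a device-wide one.
    mail_only = VpnProfile("https://gateway.mycompany.com:8443",
                           per_app_vpn_list="com.example.mail; com.example.crm")
    everything = VpnProfile("https://gateway.mycompany.com", vpn_profile_name="Corp")
    for pkg in ("com.example.mail", "com.example.browser"):
        print(mail_only.display_name, pkg, mail_only.routes_through_vpn(pkg))
    print("default:", default_profile([mail_only, everything], "Corp").display_name)
    print(expand_macros("DeviceID_${device.id}", "constructed-device-id", "jdoe"))
    print(user_agent_is_valid("CitrixSSO-Managed/1.0 (constructed)"))
```

Run it as a script to see the routing decision for each constructed package, or import it and call routes_through_vpn against the package names you plan to list; a package whose case differs from the Play store listing is reported as outside the list, which is exactly the mismatch the case-sensitivity note in step 5 warns about.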

Accessing VPN profiles from the device

To access the VPN profiles you created, Android Enterprise users install Citrix SSO from the Google Play store.

The VPN profile or profiles you configured appear in the Managed Connections area of the app. Users tap the VPN profile to connect using that VPN profile.

Image of Managed Connection area of SSO app on device

After users have authenticated and connected, a check mark appears next to the VPN profile. The key icon indicates the VPN is connected.

Image of Managed Connection area of SSO app on device

Adding the Knox service plug-in app

If you plan on using Android Enterprise with Knox, add the Knox service plug-in to Endpoint Management.

  1. Log in to your Google account and navigate to https://play.google.com/work/apps/details?id=com.samsung.android.knox.kpu. Approve the plug-in.
  2. Log in to your Endpoint Management console and add the Knox service plug-in as an Android enterprise app as a public app store app. For more information on adding public app store apps, see Add a public app store app.
  3. In your Endpoint Management console, navigate to Configure > Device policies. Click Add.
  4. Click Android Enterprise Managed Configuration. In the dialog that comes up, select Knox Service Plugin from the menu.
  5. Type a name for the policy, then continue to the platform page.

    Image of Android Enterprise managed configuration Knox service plug-in policy

  6. On the platform page, type a Profile name for your Knox profile and input the KPE Premium License key from Samsung. The policies that appear below these fields come from your Knox deployment. For more information on Knox policies, see https://docs.samsungknox.com/knox-platform-for-enterprise/admin-guide/about-knox-workspace.htm.
  7. Click Next and configure deployment rules for the policy.
  8. Click Save.