Legacy Android for Work for G Suite Customers

G Suite customers must use the legacy Android for Work settings to configure legacy Android for Work.

Requirements for legacy Android for Work:

  • A publicly accessible domain
  • A Google administrator account
  • Devices that have managed profile support and that are running Android 5.0+ Lollipop
  • A Google account that has Google Play installed
  • A Work profile set up on the device

To start configuring legacy Android for Work, click legacy Android for Work in the Android for Work page in XenMobile Settings.

Image of legacy Android for Work option

Create an Android for Work Account

Before you can set up an Android for Work account, you must verify your domain name with Google.

If you have already verified your domain name with Google, you can skip to this step: Set up an Android for Work service account and download an Android for Work certificate.

  1. Navigate to https://www.google.com/a/signup/?enterprise_product=ANDROID_WORK.

    The following page displays where you type your administrator and company information.

    Image of account setup page

  2. Type your administrator user information.

    Image of administrator user information

  3. Type your company information, in addition to your administrator account information.

    Image of company information screen

    The first step in the process is complete and you see the following page.

    Image of verification page.

Verify domain ownership

Allow Google to verify your domain in one of the following ways:

  • Add a TXT or CNAME record to the website of your domain host.
  • Upload an HTML file to the web server of your domain.
  • Add a <meta> tag to your home page.

Google recommends the first method. This article does not cover the steps to verify your domain ownership, but you can find the information you need here: https://support.google.com/a/answer/6248925.

  1. Click Start to begin the verification of your domain.

    The Verify domain ownership page appears. Follow the instructions on the page to verify your domain.

  2. Click Verify.

    Image of the Verify button

    Image of the Verify confirmation

  3. Google verifies your domain ownership.

    Image of domain ownership verification

  4. After successful verification, the following page appears. Click Continue.

    Image of success confirmation page

  5. Google creates an EMM binding token that you provide to Citrix and use when you configure Android for Work settings. Copy and save the token; you need it later in the setup procedure.

    Image of binding token

  6. Click Finish to complete setting up Android for Work. A page appears, indicating that you’ve successfully verified your domain.

After you create an Android for Work service account, you can sign in to the Google Admin console to manage your mobility management settings.

Set up an Android for Work service account and download an Android for Work certificate

To allow XenMobile to contact Google Play and Directory services, you must create a service account using the Google Project portal for developers. This service account is used for server-to-server communication between XenMobile and Google services for Android. For more information about the authentication protocol being used, go to https://developers.google.com/identity/protocols/OAuth2ServiceAccount.

  1. In a web browser, go to https://console.cloud.google.com/project and sign in with your Google administrator credentials.

  2. In the Projects list, click Create Project.

    Image of the Create Project option

  3. In Project name, type a name for the project.

    Image of the Project name option

  4. On the Dashboard, click Use Google APIs.

    Image of the Use Google APIs option

  5. Click Library. In Search, type EMM and then click the search result.

    Image of the EMM search option

  6. On the Overview page, click Enable.

    Image of the Enable option

  7. Next to Google Play EMM API, click Go to Credentials.

    Image of the Go to Credentials option

  8. In the Add credentials to our project list, in step 1, click service account.

    Image of the service account option

  9. On the Service Accounts page, click Create Service Account.

    Image of the Create Service Account option

  10. In Create service account, name the account, and select the Furnish a new private key check box. Click P12, select the Enable Google Apps Domain-wide Delegation check box and then click Create.

    Image of the Create service account options

    The certificate (P12 file) is downloaded to your computer. Be sure to save the certificate in a secure location.

  11. On the Service account created confirmation page, click Close.

    Image of the confirmation page

  12. In Permissions, click Service accounts and then under Options for your service account, click View Client ID.

    Image of the View Client ID option

  13. The details required for account authorization on the Google admin console appear. Copy the Client ID and Service account ID to a location where you can retrieve the information later. You need to send this information, along with the domain name, to Citrix support for whitelisting.

    Image of the account authorization details

  14. On the Library page, search for Admin SDK and then click the search result.

    Image of the Admin SDK search

  15. On the Overview page, click Enable.

    Image of the Enable button

  16. Open the Google admin console for your domain and then click Security.

    Image of the Security option

  17. On the Settings page, click Show more and then click Advanced settings.

    Image of the Advanced settings

    Image of Advanced settings

  18. Click Manage API client access.

    Image of the Manage API client access option

  19. In Client Name, type the client ID that you saved earlier, in One or More API Scopes, type https://www.googleapis.com/auth/admin.directory.user and then click Authorize.

    Image of the Client name options

Binding to EMM

Before you can use XenMobile to manage your Android devices, you must contact Citrix Technical Support and provide your domain name, service account, and binding token. Citrix binds the token to XenMobile as your enterprise mobility management (EMM) provider. For contact information for Citrix Technical Support, see Citrix Technical Support.

  1. To confirm the binding, sign in to the Google Admin portal and then click Security.

  2. Click Manage EMM provider for Android.

    You see that your Google Android for Work account is bound to Citrix as your EMM provider.

    After you confirm the token binding, you can start using the XenMobile console to manage your Android devices. Import the P12 certificate you generated in step 14. Set up Android for Work server settings, enable SAML-based single-sign-on (SSO), and define at least one Android for Work device policy.

    Image of the Manage EMM provider for Android options

Import the P12 certificate

Follow these steps to import your Android for Work P12 certificate:

  1. Sign in to the XenMobile console.

  2. Click the gear icon in the upper-right corner of the console to open the Settings page and then click Certificates. The Certificates page appears.

    Image of the Certificates page

  3. Click Import. The Import dialog box appears.

    Image of the Import dialog box

    Configure the following settings:

    • Import: In the list, click Keystore.
    • Keystore type: In the list, click PKCS#12.
    • Use as: In the list, click Server.
    • Keystore file: Click Browse and navigate to the P12 certificate.
    • Password: Type the keystore password.
    • Description: Optionally, type a description of the certificate.
  4. Click Import.

Set up Android for Work server settings

  1. In the XenMobile console, click the gear icon in the upper-right corner of the console. The Settings page appears.

  2. Under Server, click Android for Work. The Android for Work page appears.

    Image of the Android for Work page

    Configure the following settings and then click Save.

    • Domain name: Type your Android for Work domain name; for example, domain.com.
    • Domain Admin Account: Type your domain administrator user name; for example, the email account used for Google Developer Portal.
    • Service Account ID: Type your service account ID; for example, the email associated with the Google Service Account (serviceaccountemail@xxxxxxxxx.iam.gserviceaccount.com).
    • Client ID: Type the numerical client ID of your Google service account.
    • Enable Android for Work: Select to enable or disable Android for Work.

Enable SAML-based single-sign-on

  1. Sign in to the XenMobile console.

  2. Click the gear icon in the upper-right corner of the console. The Settings page appears.

  3. Click Certificates. The Certificates page appears.

    Image of the Certificates page

  4. In the list of certificates, click the SAML certificate.

  5. Click Export and save the certificate to your computer.

  6. Sign in to the Google Admin portal by using your Android for Work administrator credentials. For access to the portal, see Google Admin portal.

  7. Click Security.

    Image of the Security option

  8. Under Security, click Set up single sign-on (SSO) and then configure the following settings.

    Image of the SSO settings

    • Sign-in page URL: Type the URL for users signing in to your system and Google Apps. For example: https://<Xenmobile-FQDN>/aw/saml/signin.
    • Sign out page URL: Type the URL to which users are redirected when they sign out. For example: https://<Xenmobile-FQDN>/aw/saml/signout.
    • Change password URL: Type the URL to let users change their password in your system. For example: https://<Xenmobile-FQDN>/aw/saml/changepassword. If this field is defined, users see this prompt even when SSO is not available.
    • Verification certificate: Click CHOOSE FILE and then navigate to the SAML certificate exported from XenMobile.
  9. Click SAVE CHANGES.

Set up an Android for Work device policy

Set up a Passcode policy so that users must establish a passcode on their devices when they first enroll.

Image of the Passcode policy page

The basic steps to setting up any device policy are as follows.

  1. Sign on to the XenMobile console.

  2. Click Configure, and then click Device Policies.

  3. Click Add and then on the Add a New Policy dialog box, select the policy you want to add. In this example, you click Passcode.

  4. Complete the Policy Information page.

  5. Click Android for Work and then configure the settings for the policy.

  6. Assign the policy to a Delivery Group.

Supported device policies and MDX policies

The following table displays the device policies and MDX policies supported by the Android for Work container. For more information on device policies and MDX policies, see Device Policies and MDX Policies at a glance, respectively.

| Authentication policies | Supported | Supported Values | Notes |
|---|---|---|---|
| App passcode | X | All | |
| Online session required | | Off only | |
| Maximum offline period | X | All | |
| Alternate NetScaler Gateway | | Blank only | |

| App Network Access policies | Supported | Supported Values | Notes |
|---|---|---|---|
| Network access | X | All | |
| Certificate label | | Blank only | |
| Preferred VPN mode | X | All | |
| Permit VPN mode switching | X | All | |
| PAC file URL or proxy server | X | All | |
| Default log output | X | All | |
| Default log level | X | All | |
| Max log files | X | All | |
| Max log file size | X | All | |
| Redirect app logs | X | All | |
| Encrypt logs | X | All | |
| Whitelist WiFi networks | | Blank only | |

| Device Security policies | Supported | Supported Values | Notes |
|---|---|---|---|
| Block jailbroken or rooted | X | All | |
| Require device encryption | X | All | |
| Require device lock | X | All | |

| Network Requirements policies | Supported | Supported Values | Notes |
|---|---|---|---|
| Require WiFi | X | Off | |

| Miscellaneous Access policies | Supported | Supported Values | Notes |
|---|---|---|---|
| App update grace period (hours) | X | All | |
| Erase app data on lock | X | All | |
| Active poll period (minutes) | X | All | |

| Encryption policies | Supported | Supported Values | Notes |
|---|---|---|---|
| Encryption keys | X | Offline access permitted | Supported through Android Enterprise Policy |
| Private file encryption | X | Disabled only | Supported through Android Enterprise Policy |
| Private file encryption exclusions | X | NA (empty) | Supported through Android Enterprise Policy |
| Access limits for public files | X | NA (empty) | Supported through Android Enterprise Policy |
| Public file encryption | X | Disabled only | Supported through Android Enterprise Policy |
| Public file encryption exclusions | X | NA (empty) | Supported through Android Enterprise Policy |
| Public file migration | X | Disabled only | Supported through Android Enterprise Policy |

| App Interaction policies | Supported | Supported Values | Notes |
|---|---|---|---|
| Security Group | X | Empty | Supported through Android Enterprise Policy |
| Cut and copy | X | Unrestricted only | Supported through Android Enterprise Policy |
| Paste | X | Unrestricted only | Supported through Android Enterprise Policy |
| Document exchange (Open In) | X | Unrestricted only | Supported through Android Enterprise Policy |
| Inbound document exchange (Open In) | X | All | Supported through Android Enterprise Policy |
| Inbound document exchange whitelist | X | Empty | Supported through Android Enterprise Policy |
| Restricted Open In exception list | X | Empty | Supported through Android Enterprise Policy |

| App Restrictions policies | Supported | Supported Values | Notes |
|---|---|---|---|
| Block camera | X | On only | Supported through Android Enterprise Policy |
| Block Gallery | X | On only | Supported through Android Enterprise Policy |
| Block localhost connection | X | All | |
| Block mic record | X | Off only | Supported through Android Enterprise Policy |
| Block location services | X | Off only | Supported through Android Enterprise Policy |
| Block SMS compose | X | Off only | Supported through Android Enterprise Policy |
| Block screen capture | X | Off only | Supported through Android Enterprise Policy |
| Block device sensor | X | All | |
| Block NFC | X | Off only | Supported through Android Enterprise Policy |
| Block printing | X | All | |
| Block app logs | X | All | |

| App Geofence policies | Supported | Supported Values | Notes |
|---|---|---|---|
| Center point longitude | X | All | |
| Center point latitude | X | All | |
| Radius | X | All | |

Configure Android for Work account settings

Before you can start managing Android apps and policies on devices, you must set up an Android for Work domain and account information in XenMobile. First, complete Android for Work setup tasks on Google to set up a domain administrator and to obtain a service account ID and a binding token.

  1. In the XenMobile web console, click the gear icon in the upper-right corner. The Settings page displays.

  2. Under Server, click Android for Work. The Android for Work configuration page appears.

Image of the Android for Work configuration page

  3. On the Android for Work page, configure the following settings:

    • Domain Name: Type your domain name.
    • Domain Admin Account: Type your domain administrator user name.
    • Service Account ID: Type your Google Service Account ID.
    • Client ID: Type the client ID of your Google service account.
    • Enable Android for Work: Select whether to enable Android for Work or not.
  4. Click Save.

Set up G Suite partner access for XenMobile

Some end-point management features for Chrome use Google partner APIs to communicate between XenMobile and your G Suite domain. For example, XenMobile requires the APIs for device policies that manage Chrome features such as Incognito mode and Guest mode.

To enable the partner APIs, you set up your G Suite domain in the XenMobile console and then configure your G Suite account.

Set up your G Suite domain in XenMobile

To enable XenMobile to communicate with the APIs in your G Suite domain, go to Settings > Google Chrome Configuration and configure the settings.

Image of Google Chrome settings screen

  • G Suite domain: The G Suite domain that hosts the APIs needed by XenMobile.
  • G Suite admin account: The administrator account for your G Suite domain.
  • G Suite client ID: The client ID for Citrix. Use this value to configure partner access for your G Suite domain.
  • G Suite enterprise ID: The enterprise ID for your account, filled in from your Google enterprise account.

Enable partner access for devices and users in your G Suite domain

  1. Log in to the Google admin console: https://admin.google.com

  2. Click Device Management.

    Image of Google administrator console

  3. Click Chrome management.

    Image of Google administrator console

  4. Click User settings.

    Image of Google administrator console

  5. Search for Chrome Management - Partner Access.

    Image of Google administrator console

  6. Select the Enable Chrome Management - Partner Access check box.

  7. Agree that you understand and want to enable partner access. Click Save.

  8. In the Chrome management page, click Device Settings.

    Image of Google administrator console

  9. Search for Chrome Management - Partner Access.

    Image of Google administrator console

  10. Select the Enable Chrome Management - Partner Access check box.

  11. Agree that you understand and want to enable partner access. Click Save.

  12. Go to the Security page and then click Advanced Settings.

    Image of Google administrator console

  13. Click Manage API client Access.

  14. In the XenMobile console, go to Settings > Google Chrome Configuration and copy the value of G Suite Client ID. Then, return to the Manage API client Access page and paste the copied value to the Client Name field.

  15. In One or More API Scopes, add the URL: https://www.googleapis.com/auth/chromedevicemanagementapi

    Image of Google administrator console

  16. Click Authorize.

    The message “Your settings have been saved” appears.

Image of Device Policies configuration screen

Enrolling Android for Work devices

If your device enrollment process requires users to enter a username or user ID, the format accepted depends on how the XenMobile server is configured to search for users by User Principal Name (UPN) or SAM account name.

If the XenMobile server is configured to search for users by UPN, users must enter a UPN in the format:

  • username@domain

If the XenMobile server is configured to search for users by SAM account name, users must enter a SAM account name in one of these formats:

  • username@domain
  • domain\username

To determine which type of user name your XenMobile server is configured for:

  1. In the XenMobile server console, click the gear icon in the upper-right corner. The Settings page appears.
  2. Click LDAP to view the configuration of the LDAP connection.
  3. Near the bottom of the page, view the User search by field:

    • If it is set to userPrincipalName, XenMobile server is set for UPN.
    • If it is set to sAMAccountName, XenMobile server is set for SAM.

Unenrolling an Android for Work enterprise

You can unenroll an Android for Work enterprise using the XenMobile Server console and XenMobile Tools.

When you perform this task, the XenMobile Server opens a popup window for XenMobile Tools. Before you begin, ensure that the XenMobile Server has permission to open popup windows in the browser you are using. Some browsers, such as Google Chrome, require you to disable popup blocking and add the address of the XenMobile site to the popup block whitelist.

Warning:

After an enterprise is unenrolled, Android for Work apps on devices already enrolled through it are reset to their default states. The devices will no longer be managed by Google. Re-enrolling them in an Android for Work enterprise may not restore previous functionality without further configuration.

After the Android for Work enterprise is unenrolled:

  • Devices and users enrolled through the enterprise have the Android for Work apps reset to their default state. Android for Work App Permissions and Android for Work App Restrictions policies previously applied no longer have an effect.
  • Devices enrolled through the enterprise are managed by XenMobile, but are unmanaged from Google's perspective. No new Android for Work apps can be added. No Android for Work App Permissions or Android for Work App Restrictions policies can be applied. Other policies, such as Scheduling, Password, and Restrictions can still be applied to these devices.
  • If you attempt to enroll devices in Android for Work, they are enrolled as Android devices, not Android for Work devices.

To unenroll an Android for Work enterprise:

  1. In the XenMobile console, click the gear icon in the upper-right corner. The Settings page appears.

  2. On the Settings page, click Android for Work.

  3. Click Remove Enterprise.

    Image of the Remove Enterprise option

  4. Specify a password. You’ll need this for the next step to complete the unenrollment. Then click Unenroll.

    Image of the Unenroll option

  5. When the XenMobile Tools page opens, enter the password you created in the previous step.

    Image of the password field

  6. Click Unenroll.

    Image of the Unenroll option

Provisioning work-managed device mode in Android for Work

Work-managed device mode for Android for Work is available for corporate-owned devices only. XenMobile supports these methods of enrollment in work-managed device mode:

  • afw#xenmobile: With this enrollment method, the user enters the characters “afw#xenmobile” when setting up the device. This token identifies the device as managed by XenMobile and downloads Secure Hub.
  • QR code: QR code provisioning is an easy way to provision a distributed fleet of devices that do not support NFC, such as tablets. The QR code enrollment method can be used on fleet devices that have been reset to their factory settings. The QR code enrollment method sets up and configures work-managed device mode by scanning a QR code from the setup wizard.
  • Near field communication (NFC) bump: The NFC bump enrollment method can be used on fleet devices that have been reset to their factory settings. An NFC bump transfers data between two devices using near-field communication. Bluetooth, Wi-Fi, and other communication modes are disabled on a factory-reset device. NFC is the only communication protocol that the device can use in this state.

afw#xenmobile

This enrollment method is used after powering on a new or factory-reset device for initial setup. Users enter “afw#xenmobile” when prompted to enter a Google account. This action downloads and installs Secure Hub. Users then follow the Secure Hub set-up prompts to complete the enrollment.

This enrollment method is recommended for most customers because the latest version of Secure Hub is downloaded from the Google Play store. Unlike with other enrollment methods, you do not provide Secure Hub for download from the XenMobile server.

Prerequisites:

  • Supported on all Android devices running Android 5.0 and above.

QR code

To enroll a device in device mode using a QR code, you generate a QR code by creating a JSON and converting the JSON to a QR code. Device cameras scan the QR code to enroll the device.

Prerequisites:

  • Supported on all Android devices running Android 7.0 and above.

Create a QR code from a JSON

Create a JSON with the following fields.

These fields are required:

Key: android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME

Value: com.zenprise/com.zenprise.configuration.AdminFunction

Key: android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM

Value: qn7oZUtheu3JBAinzZRrrjCQv6LOO6Ll1OjcxT3-yKM

Key: android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION

Value: https://path/to/securehub.apk

Note:

If Secure Hub is uploaded onto Citrix XenMobile server as an enterprise app, it can be downloaded from https://<fqdn>:4443/*instanceName*/worxhome.apk. The path to the Secure Hub APK must be accessible over the Wi-Fi connection that the device connects to during provisioning.

These fields are optional:

  • android.app.extra.PROVISIONING_LOCALE: Enter language and country codes.

    The language codes are two-letter lowercase ISO language codes (such as en) as defined by ISO 639-1. The country codes are two-letter uppercase ISO country codes (such as US) as defined by ISO 3166-1. For example, enter en_US for English as spoken in the United States.

  • android.app.extra.PROVISIONING_TIME_ZONE: The time zone in which the device is running.

    Enter an Olson name of the form area/location. For example, America/Los_Angeles for Pacific time. If you don’t enter one, the time zone is automatically populated.

  • android.app.extra.PROVISIONING_LOCAL_TIME: Time in milliseconds since the Epoch.

    The Unix epoch (or Unix time, POSIX time, or Unix timestamp) is the number of seconds that have elapsed since January 1, 1970 (midnight UTC/GMT). The time doesn’t include leap seconds (in ISO 8601: 1970-01-01T00:00:00Z).

  • android.app.extra.PROVISIONING_SKIP_ENCRYPTION: Set to true to skip encryption during profile creation. Set to false to force encryption during profile creation.

A typical JSON looks like the following:

Image of a typical JSON

Validate the JSON that is created using any JSON validation tool, such as https://jsonlint.com. Convert that JSON string to a QR code using any online QR code generator, such as http://goqr.me.

This QR code gets scanned by a factory-reset device to enroll the device in work-managed device mode.
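The JSON described above can be generated and checked before it is turned into a QR code. The following Python sketch is an added example, not Citrix or Google code. It assumes the signature checksum is the URL-safe base64 encoding of a 32-byte SHA-256 digest of the APK signing certificate (as Android defines this extra), requires an https:// download location as a policy choice of the example, and uses a constructed host name.

```python
import base64
import json
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

P = "android.app.extra.PROVISIONING_"
# Component name exactly as given in the article.
ADMIN_COMPONENT = "com.zenprise/com.zenprise.configuration.AdminFunction"


def check_signature_checksum(value):
    """Accept only URL-safe base64 that decodes to a 32-byte digest."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+=*", value):
        raise ValueError("checksum must be URL-safe base64 (no '+' or '/')")
    stripped = value.rstrip("=")
    raw = base64.urlsafe_b64decode(stripped + "=" * (-len(stripped) % 4))
    if len(raw) != 32:
        raise ValueError(f"expected a 32-byte digest, got {len(raw)} bytes")
    return value


def build_qr_payload(download_url, signature_checksum, locale=None,
                     time_zone=None, local_time=None, skip_encryption=None):
    """Return the provisioning JSON as a string, or raise ValueError."""
    url = urlparse(download_url)
    # Assumption of this example: only fetch the device-owner APK over TLS.
    if url.scheme != "https" or not url.netloc:
        raise ValueError("download location must be an https:// URL")
    payload = {
        P + "DEVICE_ADMIN_COMPONENT_NAME": ADMIN_COMPONENT,
        P + "DEVICE_ADMIN_SIGNATURE_CHECKSUM":
            check_signature_checksum(signature_checksum),
        P + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": download_url,
    }
    if locale is not None:
        # ISO 639-1 language, underscore, ISO 3166-1 country (en_US).
        if not re.fullmatch(r"[a-z]{2}_[A-Z]{2}", locale):
            raise ValueError("locale must look like en_US")
        payload[P + "LOCALE"] = locale
    if time_zone is not None:
        # Olson name of the form area/location.
        if not re.fullmatch(r"[A-Za-z_]+(/[A-Za-z0-9_+-]+)+", time_zone):
            raise ValueError("time zone must look like America/Los_Angeles")
        payload[P + "TIME_ZONE"] = time_zone
    if local_time is not None:
        if local_time.tzinfo is None:
            raise ValueError("local_time must be timezone-aware")
        # The field is in milliseconds; datetime.timestamp() is in seconds.
        payload[P + "LOCAL_TIME"] = int(local_time.timestamp() * 1000)
    if skip_encryption is not None:
        payload[P + "SKIP_ENCRYPTION"] = bool(skip_encryption)
    return json.dumps(payload, indent=2)


if __name__ == "__main__":
    # Constructed sample: the host name is a placeholder; the checksum is
    # the value printed in the article.
    print(build_qr_payload(
        "https://xms.example.com:4443/instanceName/worxhome.apk",
        "qn7oZUtheu3JBAinzZRrrjCQv6LOO6Ll1OjcxT3-yKM",
        locale="en_US",
        time_zone="America/Los_Angeles",
        local_time=datetime(2024, 1, 1, tzinfo=timezone.utc),
        skip_encryption=False,
    ))
```

The printed string is what gets pasted into the QR code generator; a payload that fails these checks fails on the device only after a factory reset, so it is cheaper to catch it here.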

To enroll the device

To enroll a device in work-managed device mode, the device must be in factory reset state.

  1. Tap the screen six times on the welcome screen to launch the QR code enrollment flow.
  2. When prompted, connect to Wi-Fi. The download location for Secure Hub in the QR code (encoded in the JSON) is accessible over this Wi-Fi network.

    Once the device successfully connects to Wi-Fi, it downloads a QR code reader from Google and launches the camera.

  3. Point the camera to the QR code to scan the code.

    Android downloads Secure Hub from the download location in the QR code, validates the signing certificate signature, installs Secure Hub and sets it as device owner.

For more information, see this Google guide for Android EMM developers: https://developers.google.com/android/work/prov-devices#qr_code_method.

NFC bump

Enrolling a device in device mode using NFC bumps requires two devices: one that is reset to its factory settings and one running the XenMobile Provisioning Tool.

Prerequisites:

  • Supported on all Android devices running Android 5.0, Android 5.1, Android 6.0 and above.
  • A XenMobile Server version 10.4 that is enabled for Android for Work.
  • A factory-reset device, provisioned for Android for Work in work-managed device mode. You can find steps to complete this prerequisite later in this article.
  • Another device with NFC capability, running the configured Provisioning Tool. The Provisioning Tool is available in Secure Hub 10.4 or on the Citrix downloads page.

Each device can have only one Android for Work profile, managed by an enterprise mobility management (EMM) app. In XenMobile, Secure Hub is the EMM app. Only one profile is allowed on each device. Attempting to add a second EMM app removes the first EMM app.

You can start work-managed device mode on new devices or on devices restored to factory settings. You manage the entire device by using XenMobile.

Data transferred through the NFC bump

Provisioning a factory-reset device requires you to send the following data through an NFC bump to initialize Android for Work:

  • Package name of the EMM provider app that acts as device owner (in this case, Secure Hub).
  • Intranet/Internet location from which the device can download the EMM provider app.
  • SHA1 hash of EMM provider app to verify if the download is successful.
  • Wi-Fi connection details so that a factory-reset device can connect and download the EMM provider app. Note: Android does not currently support 802.1x Wi-Fi for this step.
  • Time zone for the device (optional).
  • Geographic location for the device (optional).

When the two devices are bumped, the data from the Provisioning Tool is sent to the factory-reset device. That data is then used to download Secure Hub with administrator settings. If you don’t enter time zone and location values, Android automatically configures the values on the new device.

Configuring the XenMobile Provisioning Tool

Before doing an NFC bump, you must configure the Provisioning Tool. This configuration is then transferred to the factory-reset device during the NFC bump.

Image of the Provisioning Tool configuration

You can type data into the required fields or populate them via text file. The steps in the next procedure describe how to configure the text file and contain descriptions for each field. The app doesn’t save information after you type it, so you might want to create a text file to keep the information for future use.

To configure the Provisioning Tool by using a text file

Name the file nfcprovisioning.txt and place the file in the /sdcard/ folder on the SD card of the device. The app can then read the text file and populate the values.

The text file must contain the following data:

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION=<download_location>

This line is the intranet/internet location of the EMM provider app. After the factory-reset device connects to Wi-Fi following the NFC bump, the device must have access to this location for downloading. The URL is a regular URL, with no special formatting required.

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM=<SHA1 hash>

This line is the checksum of the EMM provider app. This checksum is used to verify that the download is successful. Steps to obtain the checksum are discussed later in this article.

android.app.extra.PROVISIONING_WIFI_SSID=<wifi ssid>

This line is the connected Wi-Fi SSID of the device on which the Provisioning Tool is running.

android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE=<wifi security type>

Supported values are WEP and WPA2. If the Wi-Fi is unprotected, this field must be empty.

android.app.extra.PROVISIONING_WIFI_PASSWORD=<wifi password>

If the Wi-Fi is unprotected, this field must be empty.

android.app.extra.PROVISIONING_LOCALE=<locale>

Enter language and country codes. The language codes are two-letter lowercase ISO language codes (such as en) as defined by ISO 639-1. The country codes are two-letter uppercase ISO country codes (such as US) as defined by ISO 3166-1. For example, type en_US for English as spoken in the United States. If you don’t type any codes, the country and language are automatically populated.

android.app.extra.PROVISIONING_TIME_ZONE=<timezone>

The time zone in which the device is running. Type an Olson name of the form area/location. For example, America/Los_Angeles for Pacific time. If you don’t enter a name, the time zone is automatically populated.

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME=<package name>

This data isn’t required, because the value is hardcoded into the app as Secure Hub. It’s mentioned here only for the sake of completion.

If there is a Wi-Fi protected by using WPA2, a completed nfcprovisioning.txt file might look like the following:

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION=http://www.somepublicurlhere.com/path/to/securehub.apk

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM=ga50TwdCmfdJ72LGRFkke4CrbAk\u003d

android.app.extra.PROVISIONING_WIFI_SSID=Protected_WiFi_Name

android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE=WPA2

android.app.extra.PROVISIONING_WIFI_PASSWORD=wifiPasswordHere

android.app.extra.PROVISIONING_LOCALE=en_US

android.app.extra.PROVISIONING_TIME_ZONE=America/Los_Angeles

If there is an unprotected Wi-Fi, a completed nfcprovisioning.txt file might look like the following:

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION=http://www.somepublicurlhere.com/path/to/securehub.apk

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM=ga50TwdCmfdJ72LGRFkke4CrbAk\u003d

android.app.extra.PROVISIONING_WIFI_SSID=Unprotected_WiFi_Name

android.app.extra.PROVISIONING_LOCALE=en_US

android.app.extra.PROVISIONING_TIME_ZONE=America/Los_Angeles

To get the Secure Hub checksum

To get the checksum of any app, add the app as an enterprise app.

  1. In the XenMobile console, go to Configure > Apps and then click Add.

    The Add Apps window appears.

  2. Click Enterprise.

    The App information page displays.

    Image of the App Information page

  3. Select the following configuration and then click Next.

    The Android for Work Enterprise App page appears.

    Image of the Android For Work Enterprise App

  4. Provide the path to the .apk and then click Next to upload the file.

    Once the upload is complete, the details of the uploaded package appear.

    Image of the file upload page

  5. Click Next to open the page to download the JSON file, which you then use to upload to Google Play. For Secure Hub, uploading to Google Play is not required, but you need the JSON file to read the SHA1 value from it.

    Image of the download JSON file page

    A typical JSON file looks like the following:

    Image of a typical JSON file

  6. Copy the file_sha1_base64 value and use it in the Hash field in the Provisioning Tool.

    Note: The hash must be URL safe.

    • Convert any + symbols to -
    • Convert any / symbols to _
    • Replace the trailing \u003d with =

    If you store the hash in the nfcprovisioning.txt file on the SD card of the device, the app does the safety conversion. However, if you opt to type the hash manually, it’s your responsibility to ensure its URL safety.
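The three conversions above, and the nfcprovisioning.txt layout described earlier, can be scripted so that a hand-typed hash or a malformed file is caught before the bump. This Python sketch is an added example, not part of the Provisioning Tool. It assumes file_sha1_base64 is the base64 encoding of the SHA-1 digest of the APK bytes; the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re

P = "android.app.extra.PROVISIONING_"


def to_url_safe(file_sha1_base64):
    """Apply the article's three conversions and confirm a SHA-1 digest."""
    h = file_sha1_base64.strip()
    h = h.replace("\\u003d", "=")              # JSON-escaped '=' kept as text
    h = h.replace("+", "-").replace("/", "_")
    if not re.fullmatch(r"[A-Za-z0-9_-]+=*", h):
        raise ValueError("hash contains characters outside URL-safe base64")
    raw = base64.urlsafe_b64decode(h + "=" * (-len(h) % 4))
    if len(raw) != 20:
        raise ValueError(f"not a SHA-1 digest: decoded to {len(raw)} bytes")
    return h


def apk_checksum(apk_bytes):
    """URL-safe base64 of the SHA-1 digest of the APK bytes (assumption)."""
    digest = hashlib.sha1(apk_bytes).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii")


def matches_apk(file_sha1_base64, apk_bytes):
    """True when the hash from the JSON file matches the APK you will host."""
    return hmac.compare_digest(to_url_safe(file_sha1_base64),
                               apk_checksum(apk_bytes))


def render_nfc_file(download_url, checksum, ssid, security_type="",
                    password="", locale=None, time_zone=None):
    """Return nfcprovisioning.txt content; empty fields are left out."""
    if security_type not in ("", "WEP", "WPA2"):
        raise ValueError("supported Wi-Fi security types are WEP and WPA2")
    if not security_type and password:
        raise ValueError("an unprotected network must not carry a password")
    if security_type and not password:
        raise ValueError(f"a {security_type} network needs a password")
    to_url_safe(checksum)  # validate only; the article says the tool converts
    fields = [
        ("DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION", download_url),
        ("DEVICE_ADMIN_PACKAGE_CHECKSUM", checksum),
        ("WIFI_SSID", ssid),
        ("WIFI_SECURITY_TYPE", security_type),
        ("WIFI_PASSWORD", password),
        ("LOCALE", locale),
        ("TIME_ZONE", time_zone),
    ]
    for key, value in fields:
        # A line break inside a value would smuggle in an extra key=value line.
        if value and ("\n" in value or "\r" in value):
            raise ValueError(f"{key} must not contain line breaks")
    return "".join(f"{P}{key}={value}\n" for key, value in fields if value)


if __name__ == "__main__":
    # Values below are the article's own sample values.
    print(to_url_safe(r"ga50TwdCmfdJ72LGRFkke4CrbAk\u003d"))
    print(render_nfc_file(
        "http://www.somepublicurlhere.com/path/to/securehub.apk",
        r"ga50TwdCmfdJ72LGRFkke4CrbAk\u003d",
        "Protected_WiFi_Name", "WPA2", "wifiPasswordHere",
        "en_US", "America/Los_Angeles"), end="")
```

The rendered file holds the Wi-Fi password in clear text on /sdcard/, so remove it from the provisioning device once the fleet is enrolled.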

Libraries used

The Provisioning Tool uses the following libraries in its source code:

  • v7 appcompat library, Design support library, and v7 Palette library by Google under Apache license 2.0

    For information, see Support Library Features Guide.

  • Butter Knife by Jake Wharton under Apache license 2.0

Provision work profile mode in Android for Work

Work profile mode for Android for Work is available for devices on which you securely separate the corporate and personal areas on a device. For example, work profile mode is available for BYOD devices. The enrollment experience for work profile mode is similar to Android enrollment in XenMobile. Users download Secure Hub from Google Play and enroll their devices.

By default, the USB Debugging and Unknown Sources settings are disabled on a device when it is enrolled in Android for Work in work profile mode.

Tip:

When enrolling devices in Android for Work in work profile mode, always go to Google Play. From there, enable Secure Hub to appear in the user’s personal profile.