Product Documentation

Android for Work

Feb 14, 2017

Android at Work (formerly called Android for Work) is a secure workspace available on Android devices running Android 5.0 and later. The workspace isolates business accounts, apps, and data from personal accounts, apps, and data. In XenMobile, you manage both bring your own device (BYOD) and company-owned Android devices by having user create a separate work profile on their devices. By combining hardware encryption and the policies you deploy, you securely separate the corporate and personal areas on a device. You can remotely manage or wipe all corporate policies, apps, and data without affecting the personal area of the user. For more information about supported Android devices, see the Google Android Enterprise website.

You use Google Play to add, buy, and approve apps for deployment to the Android at Work workspace on a device. You can use Google Play to deploy your private Android apps, in addition to public and third-party apps. When you add a paid public app store app to XenMobile for an Android at Work, you can review the Bulk Purchase licensing status. That status is the total number of licenses available, the number now in use, and the email address of each user consuming the licenses. For details about adding an app to XenMobile, see To add a public app store app to XenMobile.

Requirements for Android at Work:

  • A publicly accessible domain
  • A Google administrator account
  • Devices that have managed profile support and that are running Android 5.0+ Lollipop
  • A Google account that has Google Play installed
  • A Work profile set up on the device

Before you can set Android at Work app restrictions, you must do the following:

  • Complete Android at Work setup tasks on Google.
  • Create a set of Google Play Credentials.
  • Configure Android at Work server settings.
  • Create at least one Android at Work device policy.
  • Add, buy, and approve Android at Work apps in the Google Play app store.

You can use the following links when managing Android at Work:

Android at Work Prerequisites

Before you can administer Android in XenMobile, you must

  • Create an Android at Work account.
  • Set up a service account.
  • Download an Android for Work certificate.
  • Enable and authorize the Google Admin SDK and MDM APIs.
  • Authorize your service account to use the directory and Google Play.
  • Obtain a binding token.

The following sections describe how to do each of these tasks. After you have completed these tasks, you can create a set of Google Play Credentials, configure Android settings, and manage Android apps in XenMobile. For details about creating a set of credentials, see Google Play Credentials.

Create an Android at Work Account

Meet the following prerequisites before you can set up an Android at Work account:

  • Own a domain name; for example,
  • Let Google verify that you own the domain.
  • Enable and administer Android at Work through an enterprise mobility management (EMM) provider, such as XenMobile 10.1 or later.

If you have already verified your domain name with Google, you can skip to this step: Set up an Android at Work service account and download an Android at Work certificate.

The following page displays where you type your administrator and company information.

localized image

2. Type your administrator user information.

localized image

2. Type your company information, in addition to your administrator account information.

localized image

The first step in the process is complete and you see the following page.

localized image

Verify domain ownership

Allow Google to verify your domain in one of the following ways:

  • Add a TXT or CNAME record to the website of your domain host.
  • Upload an HTML file to the web server of your domain.
  • Add a <meta> tag to your home page. Google recommends the first method. This article does not cover the steps to verify your domain ownership, but you can find the information you need here:

1. Click Start to begin the verification of your domain.

The Verify domain ownership page displays. Follow the instructions on the page to verify your domain.

2. Click Verify.

localized image
localized image

3. Google verifies your domain ownership.

localized image

4. After successful verification, the following page displays. Click Continue.

localized image

5. Google creates an EMM binding token that you provide to Citrix and use when you configure Android at Work settings. Copy and save the token; you need it later in the setup procedure.

localized image

6. Click Finish to complete setting up Android at Work. A page appears, indicating that you've successfully verified your domain.

After you create an Android at Work service account, you can sign in to the Google Admin console to manage your mobility management settings.

Set up an Android at Work service account and download an Android at Work certificate

To allow XenMobile to contact Google Play and Directory services, you must create a service account using the Google Project portal for developers. This service account is used for server-to-server communication between XenMobile and Google services for Android. For more information about the authentication protocol being used, go to

1. In a web browser, go to and sign in with your Google administrator credentials

2. In the Projects list, click Create Project.

localized image

3. In Project name, type a name for the project.

localized image

4. On the Dashboard, click Use Google APIs.

localized image

5. Click Library, in Search, type EMM and then click the search result.

localized image

6. On the Overview page, click Enable.

localized image

7. Next to Google Play EMM API, click Go to Credentials.

localized image

8. In the Add credentials to our project list, in step 1, click service account.

localized image

9. On the Service Accounts page, click Create Service Account.

localized image

10. In Create service account, name the account, and select the Furnish a new private key check box. Click P12, select the Enable Google Apps Domain-wide Delegation check box, and then click Create.

localized image

The certificate (P12 file) is downloaded to your computer. Be sure to save the certificate in a secure location.

11. On the Service account created confirmation page, click Close.

localized image

12. In Permissions, click Service accounts and then under Options for your service account, click View Client ID.

localized image

13. The details required for account authorization on the Google admin console display. Copy the Client ID and Service account ID to a location where you can retrieve the information later. You need this information, along with the domain name to send to Citrix support for whitelisting.

localized image

14. On the Library page, search for Admin SDK and then click the search result.

localized image

15. On the Overview page, click Enable.

localized image

16. Open the Google admin console for your domain and then click Security.

localized image

17. On the Settings page, click Show more and then click Advanced settings.

localized image
localized image

18. Click Manage API client access.

localized image

19. In Client Name, type the client ID that you saved earlier, in One or More API Scopes, type and then click Authorize.

localized image

Binding to EMM

Before you can use XenMobile to manage your Android devices, you must contact Citrix Technical Support and provide your domain name, service account, and binding token. Citrix binds the token to XenMobile as your enterprise mobility management (EMM) provider. For contact information for Citrix Technical Support, see Citrix Technical Support.

1. To confirm the binding, sign in to the Google Admin portal and then click Security.

2. Click Manage EMM provider for Android.

You see that your Google Android for Work account is bound to Citrix as your EMM provider.

After you confirm the token binding, you can start using the XenMobile console to manage your Android devices. Import the P12 certificate you generated in step 14. Set up Android at Work server settings, enable SAML-based single-sign-on (SSO), and define at least one Android for Work device policy.

localized image

Import the P12 certificate

Follow these steps to import your Android at Work P12 certificate:

1. Sign in to the XenMobile console.

2. Click the gear icon in the upper-right corner of the console to open the Settings page and then click Certificates. The Certificates page displays.

localized image

3. Click Import. The Import dialog box displays.

localized image

Configure the following settings:

  • Import: In the list, click Keystore.
  • Keystore type: In the list, click PKCS#12.
  • Use as: In the list, click Server.
  • Keystore file: Click Browse and navigate to the P12 certificate.
  • Password: Type the keystore password.
  • Description: Optionally, type a description of the certificate.

4. Click Import.

Set up Android at Work server settings

1. In the XenMobile console, click the gear icon in the upper-right corner of the console. The Settings page displays.

2. Under Server, click Android for Work. The Android for Work page displays.

localized image

Configure the following settings:

  • Domain name: Type your Android at Work domain name; for example,
  • Domain Admin Account: Type your domain administrator user name; for example, the email account used for Google Developer Portal.
  • Service Account ID: Type your service account ID; for example, the email associated in the Google Service Account (
  • Enable Android for Work: Click to enable or disable Android at Work.

3. Click Save.

Enable SAML-based single-sign-on

1. Sign in to the XenMobile console.

2. Click the gear icon in the upper-right corner of the console. The Settings page displays.

3. Click Certificates. The Certificates page dispalyspens.

localized image

3. In the list of certificates, click the SAML certificate.

4. Click Export and save the certificate to your computer.

5. Sign in to the Google Admin portal by using your Android at Work administrator credentials. For access to the portal, see Google Admin portal.

6. Click Security.

localized image

7. Under Security, click Set up single sign-on (SSO) and then configure the following settings.

localized image
  • Sign-in page URL: Type the URL for users signing in to your system and Google Apps. For example: https://<Xenmobile-FQDN>/aw/saml/signin.
  • Sign out page URL: Type the URL to which users are redirected when they sign out. For example: https://<Xenmobile-FQDN>/aw/saml/signout.
  • Change password URL: Type the URL to let users change their password in your system. For example: https://<Xenmobile-FQDN>/aw/saml/changepassword. If this field is defined, users see this prompt even when SSO is not available.
  • Verification certificate: Click CHOOSE FILE and then navigate to the SAML certificate exported from XenMobile.


Set up an Android at Work device policy

It is wise to set up a passcode policy so that users must establish a passcode on their devices when they first enroll.

localized image

The basic steps to setting up any device policy are as follows.

1. Sign on to the XenMobile console.

2. Click Configure, and then click Device Policies.

3. Click Add and then on the Add a New Policy dialog box, select the policy you want to add. In this example, you click Passcode.

4. Complete the Policy Information page.

5. Click Android for Work and then configure the settings for the policy.

6. Assign the policy to a Delivery Group.

For more information about setting up other device policies that are available for Android for Work, see XenMobile Device Policies by Platform.

Configure Android at Work account settings

Before you can start managing Android apps and policies on devices, you must set up an Android at Work domain and account information in XenMobile. First, complete Android at Work setup tasks on Google to set up a domain administrator and to obtain a service account ID and a binding token.

1. In the XenMobile web console, click the gear icon in the upper-right corner. The Settings page displays.

2. Under Server, click Android for Work. The Android for Work configuration page displays.

localized image

3. On the Android for Work page, configure the following settings:

  • Domain Name: Type your domain name.
  • Domain Admin Account: Type your domain administrator user name.
  • Service Account ID: Type your Google Service Account ID.
  • Enable Android for Work: Select whether to enable Android for Work or not.

4.Click Save.

Provisioning Device Owner mode in Android at Work

If you want to provision Android at Work in Device Owner mode, you must transfer data through a near-field communications (NFC) bump between two devices. One must be running the XenMobile Provisioning Tool and one must be restored to its factory settings. Device Owner mode is available for corporate-owned devices only.

Why NFC? Bluetooth, Wi-Fi, and other communication modes are disabled on a factory-reset device. NFC is the only communication protocol that the device can use in this state.


  • A XenMobile Server version 10.4 that is enabled for Android at Work.
  • A factory-reset device, provisioned for Android at Work in Device Owner mode. You can find steps to complete this prerequisite later in this article.
  • Another device with NFC capability, running the configured Provisioning Tool. The Provisioning Tool is available in Secure Hub 10.4 or on the Citrix downloads page.

Each device can have only one Android at Work profile, managed by an enterprise mobility management (EMM) app. In XenMobile, Secure Hub is the EMM app. Only one profile is allowed on each device. Attempting to add a second EMM app removes the first EMM app.

You can start Device Owner mode on new devices or on devices restored to factory settings. You manage the entire device by using XenMobile.

NFC bump in Device Owner mode

Provisioning a factory-reset device requires you to send the following data via an NFC bump to initialize Android at Work:

  • Package name of the EMM provider app that acts as Device Owner (in this case, Secure Hub).
  • Intranet/Internet location from which the device can download the EMM provider app.
  • SHA1 hash of EMM provider app to verify if the download is successful.
  • Wi-Fi connection details so that a factory-reset device can connect and download the EMM provider app. Note: Android now does not support 802.1x Wi-Fi for this step.
  • Time zone for the device (optional).
  • Geographic location for the device (optional).

When the two devices are bumped, the data from the Provisioning Tool is sent to the factory-reset device. That data is then used to download Secure Hub with administrator settings. If you don't enter time zone and location values, Android automatically configures the values on the new device.

Configuring the XenMobile Provisioning Tool

Before doing an NFC bump, you must configure the Provisioning Tool. This configuration is then transferred to the factory-reset device during the NFC bump.

localized image

You can type data into the required fields or populate them via text file. The steps in the next procedure describe how to configure the text file and contain descriptions for each field. The app doesn't save information after you type it, so you might want to create a text file to keep the information for future use.

To configure the Provisioning Tool by using a text file

Name the file nfcprovisioning.txt and place the file in the /sdcard/ folder on the SD card of the device. The app can then read the text file and populate the values.

The text file must contain the following data:<download_location>
This line is the intranet/internet location of the EMM provider app. After the factory-reset device connects to Wi-Fi following the NFC bump, the device must have access to this location for downloading. The URL is a regular URL, with no special formatting required.<SHA1 hash>
This line is the checksum of the EMM provider app. This checksum is used to verify that the download is successful. Steps to obtain the checksum are discussed later in this article.<wifi ssid>
This line is the connected Wi-Fi SSID of the device on which the Provisioning Tool is running.<wifi security type>
Supported values are WEP and WPA2. If the Wi-Fi is unprotected, this field must be empty.<wifi password>
If the Wi-Fi is unprotected, this field must be empty.<locale>
Enter language and country codes. The language codes are two-letter lowercase ISO language codes (such as en) as defined by ISO 639-1. The country codes are two-letter uppercase ISO country codes (such as US) as defined by ISO 3166-1. For example, type en_US for English as spoken in the United States. If you don't type any codes, the country and language are automatically populated.<timezone>
The time zone in which the device is running. Type an Olson name of the form area/location. For example, America/Los_Angeles for Pacific time. If you don't enter a name, the time zone is automatically populated.<package name>
This data isn't required, because the value is hardcoded into the app as Secure Hub. It's mentioned here only for the sake of completion.

If there is a Wi-Fi protected by using WPA2, a completed nfcprovisioning.txt file might look like the following:\u003d

If there is an unprotected Wi-Fi, a completed nfcprovisioning.txt file might look like the following:\u003d

To get the Secure Hub checksum

To get the checksum of any app, add the app as an enterprise app.

1. In the XenMobile console, navigate to Configure > Apps > Add.

The Add App window displays.

localized image

2. Click Enterprise.

The App information page displays.

localized image

3. Select the following configuration and then click Next.

The Android for Work Enterprise App page displays.

localized image

4. Provide the path to the .apk and then click Next to upload the file.

localized image

Once the upload is complete, the details of the uploaded package display.

localized image

5. Click Next to bring up a page to download the JSON file, which you then use to upload to Google Play. For Secure Hub, uploading to Google Play is not required, but you need the JSON file to read the SHA1 value from it.

localized image

A typical JSON file looks like the following:

localized image

6. Copy the file_sha1_base64 value and use it in the Hash field in the Provisioning Tool. Note: The hash must be URL safe.

  • Convert any + symbols to -
  • Convert any / symbols to _
  • Replace the trailing \u003d with =

If you store the hash in the nfcprovisioning.txt file on the SD card of the device, the app does the safety conversion. However, if you opt to type the hash manually, it's your responsibility to ensure its URL safety.

Libraries used

The Provisioning Tool uses the following libraries in its source code: