Managing Devices with Android for Work in XenMobile

Jul 27, 2015

Android for Work is a secure workspace available on Android devices running Android 5.0 and later that isolates business accounts, apps, and data from personal accounts, apps, and data. In XenMobile 10.1, you manage both bring your own device (BYOD) and company-owned Android devices by having users create a separate work profile on their devices that, combined with hardware encryption and the policies you deploy, securely separates a device's corporate and personal areas. You can remotely manage all corporate policies, apps, and data, and you can wipe the policies, apps, and data from the device without affecting the user's personal area. For more information about supported Android devices, see Google's devices page.

In XenMobile 10.1, you can also manage devices running Android 4.0 - 4.4 by having users download and install the Android for Work app, which supplies the same secure workspace functionality built into devices running Android 5.0 and later.

You use Google Play for Work to add, buy, and approve apps for deployment to a device's Android for Work workspace. You can use Google Play for Work to deploy your private Android apps, as well as public and third-party apps.

Requirements for Android for Work:

  • A publicly accessible domain
  • A Google admin account
  • Devices running Android 5.0+ Lollipop with managed profile support or devices running Android 4.0 - 4.4 (Ice Cream Sandwich, Jelly Bean and KitKat) with the Android for Work app
  • A Google account with Google Play installed in the user's personal profile
  • A Work profile set up on the device

Before you can set Android for Work app restrictions, you must do the following:

  • Complete Android for Work setup tasks on Google.
  • Create a set of Google Play Credentials.
  • Configure Android for Work server settings.
  • Create at least one Android for Work device policy.
  • Add, buy, and approve Android for Work apps in the Google Play for Work app store.

Android for Work Prerequisites

Before you can administer Android for Work in XenMobile, you must:

  • Create an Android for Work account
  • Set up a service account
  • Download an Android for Work certificate
  • Enable and authorize the Google Admin SDK and MDM APIs
  • Authorize your service account to use the directory and Google Play
  • Obtain a binding token

The following sections describe how to do each of these tasks. After you have completed these tasks, you can create a set of Google Play Credentials, configure Android for Work settings, and manage Android for Work apps in XenMobile.

Create an Android for Work Account

You must meet the following prerequisites before you can set up an Android for Work account:

  • You must own a domain name; for example, example.com.
  • You must let Google verify that you own the domain.
  • You must enable and administer Android for Work through an enterprise mobility management (EMM) provider (XenMobile 10.1 or later).

If you have already verified your domain name with Google, you can skip to Set up an Android for Work service account and download an Android for Work certificate.

1. Go to the Google Android for Work portal (https://www.google.com/work/android/partners/) and navigate to the Partners page.

2. Click Begin Setup.

You are redirected to a page where you enter your administrator information and company information.

3. Enter your administrator user information.

4. Enter your company information, as well as your admin account information.

The first step in the process is now complete.

Verify domain ownership

You must now allow Google to verify your domain. There are three ways to verify your domain: add a TXT or CNAME record to your domain host's website, upload an HTML file to your domain's web server, or add a <meta> tag to your home page. Google recommends the first method. The steps to verify your domain ownership are not covered in this article, but you can find the information you need here: https://support.google.com/a/answer/6095407/.

1. Click Start to begin verification of your domain. The Verify domain ownership page appears. Follow the instructions there to verify your domain.

2. When you are done, click Verify.

3. Google verifies your domain ownership.

4. After successful verification, click Continue.

5. Google creates an EMM binding token that you provide to Citrix and use when you configure Android for Work settings. Copy and save the token; you will need it later in the setup procedure.

6. Click Finish to complete setting up Android for Work.

After you create an Android for Work service account, you can log on to the Google Admin console to manage your Android for Work mobility management settings.

Set up an Android for Work service account and download an Android for Work certificate

To allow XenMobile to contact Google Play and Directory services, you must create a new service account using Google’s Project portal for developers. This service account is used for server-to-server communication between XenMobile and Google services for Android for Work. For more information about the authentication protocol being used, go to https://developers.google.com/identity/protocols/OAuth2ServiceAccount.
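
The server-to-server flow referenced above, as an added example that is not Citrix's or Google's code: the service account proves its identity by sending Google's token endpoint an RS256-signed JWT whose iss is the service-account e-mail noted in the Developers Console and whose scope is the directory scope you authorize under Manage API client access; VerifyAssertion shows the check the endpoint performs before it trusts those claims. The token endpoint URL, the sample addresses, and the assumption that XenMobile's Domain Admin Account is passed as the sub claim (domain-wide delegation) are mine, not from the page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

const TokenEndpoint = "https://oauth2.googleapis.com/token"                   // assumption, not on the page: the "aud" value
const DirectoryUserScope = "https://www.googleapis.com/auth/admin.directory.user" // the scope the page has you authorize

// Claims of the JWT assertion a service account exchanges for an access token.
type Claims struct {
	Iss   string `json:"iss"`           // service-account e-mail noted in the Developers Console
	Sub   string `json:"sub,omitempty"` // assumed: the domain admin acted for under domain-wide delegation
	Scope string `json:"scope"`         // space-separated API scopes
	Aud   string `json:"aud"`           // the token endpoint
	Iat   int64  `json:"iat"`           // issued-at, Unix seconds; exp may be at most one hour later
	Exp   int64  `json:"exp"`
}

func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func b64(b []byte) string             { return base64.RawURLEncoding.EncodeToString(b) }

// BuildAssertion produces the RS256-signed compact JWT: header.claims.signature.
func BuildAssertion(key *rsa.PrivateKey, c Claims) (string, error) {
	body, _ := json.Marshal(c) // cannot fail for a struct of strings and integers
	input := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(body)
	digest := sha256.Sum256([]byte(input)) // RS256 = RSASSA-PKCS1-v1_5 over SHA-256
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64(sig), err
}

// VerifyAssertion mirrors the token endpoint: the claims are trusted only if the
// signature validates under the public key registered for the service account.
func VerifyAssertion(pub *rsa.PublicKey, jwt string) error {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return errors.New("malformed JWT")
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2]) // a decode error leaves nil, which fails below
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}
```

The remaining step, a POST of grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer plus the assertion to the token endpoint, is network-bound and omitted here; the P12 file the page has you download holds the private key that takes the place of NewKey.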

1. In a web browser, go to https://console.developers.google.com/project and log on with your Google admin credentials.

2. In the Select a project list, click Create a Project.

3. Type a project name, click the check box to agree to the Terms of Service, and then click Create.

4. In the left-hand pane, click APIs & auth, and then click APIs.

5. Under Google Apps APIs, click Admin SDK. Alternatively, you can type "Admin SDK" in the search field and then click Admin SDK on the search results page.

6. Click Enable API.

7. Under API Library, search for EMM and select Google Play EMM API.

8. Click Enable API.

9. On the same page, in the left-hand pane under APIs & auth, click Credentials.

10. In the right-hand pane, click Create new Client ID. The Create Client ID dialog box appears.

11. Select Service account and click Create Client ID.

12. Click Okay, got it. After you click Okay, got it, a JSON file is downloaded to your computer. Be sure to save the file to a secure location.

Under Service account, note the email address and the certificate fingerprints (password). You will need both in later steps.

The email address is the service account that you use when binding XenMobile as your EMM provider and to enable API client access.

13. Under Service account, click Generate new P12 key. The certificate (P12 file) is downloaded to your computer. Be sure to save the certificate in a secure location.

14. Click Okay, got it.

15. Log on to the Google Admin portal at https://admin.google.com with your Google Android for Work administrator credentials.

16. Click Security.

17. Click Advanced Settings and then click Manage API client access.

18. Click Authorized API clients. The Manage API client access page appears.

19. In Client Name, type the client ID of the service account you created in step 11.

20. In One or More API Scopes, enter "https://www.googleapis.com/auth/admin.directory.user" (without quotation marks).

21. Click Authorize.

Binding to EMM

Before you can use XenMobile to manage your Android for Work devices, you must contact Citrix Technical Support (https://www.citrix.com/contact/technical-support.html) and provide your domain name, service account, and binding token. Citrix will bind the token to XenMobile as your Enterprise Mobility Management (EMM) provider.

1. To confirm the binding, log on to the Google Admin portal and click Security.

2. Click Android for Work settings. You will see that your Google Android for Work account is bound to Citrix as your EMM provider.

After you confirm the token binding, you can start using XenMobile to manage your Android for Work devices. You have to import the P12 certificate you generated in step 13, set up Android for Work server settings, enable SAML-based single sign-on, and define at least one Android for Work device policy.

Import P12 certificate

Follow these steps to import your Android for Work P12 certificate:

1. Log on to the XenMobile 10.1 console.

2. Click Configure->Settings->Certificate. The Certificates page appears.

3. Click Import. The Import dialog box appears. Configure the following settings:

  • Import: In the list, click Keystore.
  • Keystore type: In the list, click PKCS#12.
  • Use as: In the list, click Server.
  • Keystore file: Click Browse and navigate to the P12 certificate.
  • Password: Type the keystore password.
  • Description: Optionally, type a description of the certificate.

4. Click Import.

Set up Android for Work server settings

1. Click Configure->Settings and then expand More.

2. Under Server, click Android for Work. The Android for Work page appears. Configure the following settings:

  • Domain name: Type your Android for Work domain name.
  • Domain Admin Account: Type your domain administrator user name.
  • Service Account ID: Type your service account ID.
  • Binding Token: Type, or copy and paste, the binding token.
  • Enable Android for Work: Click to enable or disable Android for Work.

3. Click Save.

Enable SAML-based single-sign-on

1. Log on to the XenMobile 10.1 console.

2. Click Configure->Settings->Certificate. The Certificates page appears. 

3. On the Certificates page, in the list of certificates, click the SAML certificate.

4. Click Export and save the certificate to your computer.

5. Log on to the Google Admin portal (https://admin.google.com) with your Android for Work administrator credentials.

6. Click Security.

7. Under Security, click Set up single sign-on (SSO) and configure the following settings:

  • Sign-in page URL: Type the URL for users signing in to your system and Google Apps. For example: https://<XenMobile-FQDN>/aw/saml/signin.
  • Sign-out page URL: Type the URL to which users are redirected when they sign out. For example: https://<XenMobile-FQDN>/aw/saml/signout.
  • Change password URL: Type the URL that lets users change their password in your system. For example: https://<XenMobile-FQDN>/aw/saml/changepassword. When defined here, users see this link even if SSO is not available.
  • Verification certificate: Click CHOOSE FILE and navigate to the SAML certificate exported from XenMobile.

8. Click SAVE CHANGES.

Set up an Android for Work device policy

You can set up any device policy you want, but it is wise to set up a passcode policy so that users are required to establish a passcode on their devices when they first enroll. 

The basic steps to setting up any device policy are:

1. Log on to the XenMobile 10.1 console.

2. Click Configure->Device Policies.

3. Click Add and then select the policy you want to add from the Add a New Policy dialog box (in this example, you would click Passcode).

4. Complete the Policy Information page.

5. Click Android for Work and configure the settings for the policy.

6. Assign the policy to a delivery group.

For more information on setting up device policies, see Device Policies.

Your users can now download the Worx Home app from the Google Play store and enroll their devices in XenMobile (be sure to use the user principal name for enrollment). After the devices successfully enroll, Worx Home installs the Android for Work profile so that users can access their Android for Work apps. Users may be asked to encrypt their devices during this process before they can continue.