Management and Security powered by Landesk

Use Android Enterprise

Enrolling a device with Android Enterprise (AE) allows you to encrypt your device drive, manage settings and apps on the device, and apply a work profile to only control work-related functionalities. You can also sync, wipe, lock, or unlock the device from the console.

The AE agent can operate in two or more modes, primarily POM and DOM. POM is “Profile Owner Mode” and is typically used on BYOD devices, since it creates a “work profile” containing Work apps that is distinct from the rest of the device. DOM “Device Owner Mode” is for Enterprise-owned devices and requires a specific provisioning process.

The Standard agent is generally less desirable because it “takes over” the user’s BYOD device (it can be used to fully wipe the device, which distresses some users). The following table summarizes the agent use cases and differences.

Type of agent Typical use Full control of device? Can MDM wipe device?
Standard BYOD Yes Yes
AE POM BYOD No No
AE DOM Enterprise-owned Yes Yes

NOTE: For unenrolled devices that are discovered through the Exchange Server, you can only perform device discovery and wipe.

NOTE: You can only enroll devices with Android 5.1+.

NOTE: If your device is already enrolled using the standard Ivanti Agent, you must unenroll the device and enroll using the Ivanti Android Enterprise agent. However, do not remove the Ivanti agent; this is still needed for additional management tasks.

Once a user enrolls their mobile device, that device appears in the Network View and you can view the device's inventory information.

If you plan to distribute documents or links to users, they must also install the Ivanti Workspaces app.

To enroll an Android device

1.Download the Ivanti Android Enterprise Agent from the Google Play store.

https://play.google.com/store/apps/details?id=afw.com.landesk.ldmsagent

2.From the device Notifications, tap the application to install it.

3.The app asks if you want to allow the application to be a device administrator. Tap Activate.

4.Provide the user's email address and password and tap Enroll.

If the device can determine the server address using a DNS lookup, it enrolls the device. If the device is unable to determine the server address using a DNS lookup, it prompts you for the URL to the server. Provide the enrollment URL provided by your administrator.

As the device is enrolled, the user is prompted to accept the profile. If the profile has not been signed, or has been signed by a certificate that the device doesn't trust, there is a warning displayed to the user. The user must install the profile in order to be managed.

Once the user has installed the profile, settings are applied and the device downloads the software assigned to it.

Android Enterprise POM agent user experience

The experience for POM is significantly different from the standard agent.

  1. When the agent is installed, the user isn't offered a list of capabilities requested.
  2. The user is offered the Ivanti disclosure screen for “Device Admin,” which they must accept. It is worth noting that POM doesn't use Device Admin, but the disclosure is still required by Google.
  3. After the page is dismissed, the user sees a page from Android asking their permission to create a work profile.
  4. After the user accepts the various conditions, Android creates a work profile and it then launches the agent’s Enrollment screen.
  5. When the user tries to enroll, they may be presented with a enterprise-configured Enrollment Agreement which they must accept to proceed with enrollment.
  6. Once accepted, enrollment completes and the device is manageable.

The POM agent creates a work profile that separates enterprise data from personal data. Certain apps run within that work profile and store data there.

These same apps can also run outside the work profile. To distinguish which data the app is using, Android creates two icons for the same app: the normal app icon and the work profile app icon, which is “badged”. Android places a briefcase badge over the icon if it is in the work profile.

Android Enterprise DOM agent user experience

The experience for DOM is similar to standard agent with the exception that certain Android screens are not presented because this is an enterprise-owned device.

  1. The user is offered the Ivanti disclosure screen for “Device Admin” which they must accept. It is worth noting that DOM doesn't use Device Admin, but the disclosure is still required by Google.
  2. After the page is dismissed, the user is presented with the enrollment page.
  3. When the user tries to enroll, they may be presented with a enterprise-configured Enrollment Agreement that they must accept to proceed with enrollment.
  4. Once accepted, enrollment completes and the device is manageable.

 

 

 


Was this article useful?    

The topic was:

Inaccurate

Incomplete

Not what I expected

Other