Using Android for Work

Enrolling a device with Android for Work allows you to encrypt the device drive, manage settings and apps on the device, and apply a work profile so that only work-related functionality is controlled. You can also sync, wipe, lock, or unlock the device from the console.

The Android Enterprise agent can operate in the following management modes:

Profile Owner Mode (POM) is typically used on employee-owned devices, since it creates a “work profile” that is distinct from the rest of the device.

Device Owner Mode (DOM) is for Enterprise-owned devices and requires a specific provisioning process.

The Ivanti Android for Work agent offers more flexibility in device management than the standard agent. The standard agent has a limited use case because it “takes over” the user’s device (it can be used to fully wipe the device and control security settings), which is generally unwanted for employee-owned devices. The following table summarizes the agent use cases and differences.

| Type of agent | Typical use | Full control of device? | Can MDM wipe device? |
|---|---|---|---|
| Standard | Employee-owned (BYOD) | Yes | Yes |
| AE POM | Employee-owned (BYOD) | No | No |
| AE DOM | Enterprise-owned | Yes | Yes |

NOTE: You can only enroll devices with Android 5.1+.

NOTE: If your device is already enrolled using the standard Ivanti Agent, you must unenroll the device and enroll using the Ivanti Android Enterprise agent. However, do not remove the Ivanti agent; this is still needed for additional management tasks.

To enroll an Android device

1. Download the Ivanti Android Enterprise Agent from the Google Play store.

https://play.google.com/store/apps/details?id=afw.com.landesk.ldmsagent

2. From the device Notifications, tap the application to install it.

3. The app asks if you want to allow the application to be a device administrator. Tap Activate.

4. Provide the user's email address and password and tap Enroll.

5. If the device can determine the server address using a DNS lookup, it enrolls the device. If the device is unable to determine the server address using a DNS lookup, it prompts you for the URL to the server. Enter the enrollment URL provided by your administrator.

6. Once the device is enrolled, the user is prompted to accept the profile. If the profile has not been signed, or has been signed by a certificate that the device doesn't trust, a warning is displayed to the user. The user must allow profile installation for the device to be managed.

Once the user has installed the profile, settings are applied and the device downloads the software assigned to it.

Android Enterprise POM agent user experience

The experience for POM is significantly different from the standard agent.

  1. When the agent is installed, the user isn't offered a list of capabilities requested.
  2. The user is offered the Ivanti disclosure screen for “Device Admin,” which they must accept. It is worth noting that POM doesn't use Device Admin, but the disclosure is still required by Google.
  3. After the page is dismissed, the user sees a page from Android asking their permission to create a work profile.
  4. After the user accepts the various conditions, Android creates a work profile and then launches the agent’s Enrollment screen.
  5. When the user tries to enroll, they may be presented with an enterprise-configured Enrollment Agreement, which they must accept to proceed with enrollment.
  6. Once accepted, enrollment completes and the device is manageable.

The POM agent creates a work profile that separates enterprise data from personal data. Certain apps run within that work profile and store data there. These same apps can also run outside the work profile. To distinguish which data the app is using, Android creates two icons for the same app: the normal app icon and the work profile app icon, which is “badged” with a briefcase icon.

Android Enterprise DOM agent user experience

The experience for DOM is similar to standard agent, with the exception that certain Android screens are not presented because this is an enterprise-owned device.

  1. The user is offered the Ivanti disclosure screen for “Device Admin” which they must accept. It is worth noting that DOM doesn't use Device Admin, but the disclosure is still required by Google.
  2. After the page is dismissed, the user is presented with the enrollment page.
  3. When the user tries to enroll, they may be presented with an enterprise-configured Enrollment Agreement that they must accept to proceed with enrollment.
  4. Once accepted, enrollment completes and the device is manageable.