Managing users for Android Enterprise

User accounts in Ivanti EPMM that are meant for Android Enterprise use are added, edited, and deleted in the same way as any Ivanti EPMM user accounts. However, when you bind your user domain with Google, a user can register an Android Enterprise device only if the user is added as a user in your corporate Google Account.

Ivanti EPMM automatically syncs with your corporate Google Account to enable Android Enterprise for eligible users.

Syncing Google user accounts with Ivanti EPMM

When you enabled Android Enterprise on Ivanti EPMM, you provided Ivanti EPMM with access to view your corporate Google Account including the list of users. Ivanti EPMM has read-only access to the Google user accounts, which means Ivanti EPMM cannot add or modify your users’ Google accounts.

Therefore, Ivanti EPMM keeps a list of which of its users have Google user accounts, thereby linking each Ivanti EPMM user account with its corresponding Google user account.

Ivanti EPMM automatically syncs the users in Ivanti EPMM with the users in your corporate Google Account. However, the sync behavior depends on whether you use $EMAIL$ for the Google user accounts, as specified in the user sync variable.

Removing a Google account for Ivanti EPMM causes any Android Enterprise devices to retire when they check in.

Table 137.   Ivanti EPMM behavior and the user sync variable

Sync time

User sync variable is $EMAIL$

User sync variable is NOT $EMAIL

Upon authorizing Ivanti EPMM to view the Google Account, when first enabling Android Enterprise

Ivanti EPMM adds users to its list of Google user accounts if the user is in Google’s list.

 

No action.

On periodic intervals (approximately every 15 hours; subject to change)

Ivanti EPMM adds users to and deletes users from its list of Google user accounts based on Google’s list.

Ivanti EPMM deletes users from its list of Google user accounts based on Google’s list.

On demand when a new user is added in Ivanti EPMM

No action.

No action.

On demand when a user registers a device to Ivanti EPMM

Ivanti EPMM adds the user to its list of Google user accounts if the user is in Google’s list.

Ivanti EPMM adds the user to its list of Google user accounts if the user is in Google’s list.

Note: Ivanti EPMM ignores Google user accounts that have no corresponding user account in Ivanti EPMM.

Adding a new user in Ivanti EPMM

For the Ivanti EPMM administrator, there are no differences to the process for adding new users when working with Android Enterprise. Users can be added as local users, or automatically through LDAP, as usual.

Using Android Enterprise on a device

To be eligible to use Android Enterprise on a device, the user must have a Google account. This feature is applicable to Work Profile mode, Work managed device mode, and Managed device with work profile mode.

When the Google Play authentication token expires or changes were made (password, permissions, etc) requiring re-authorization, Ivanti Mobile@Work will inform Ivanti EPMM to reissue a new authorization token. This triggers Ivanti EPMM to send a new authorization token to Ivanti Mobile@Work in order to reauthorize Google Play. Ivanti Mobile@Work can make up to 10 re-authorization requests within a 24-hour period. Upon the 11th request, an error message displays on the device, the device will be considered non-compliant and retired. In the Dashboard, a non-compliant icon displays next to the device to indicate to the administrator that there is a problem. The administrator should retire the device instance. It is recommended that all devices associated to that Google user ID to resync with Ivanti EPMM. The device user will need to re-register with Google Play. Below is a log showing the client re-authorization requests and eventual revocation of token.

Logs showing client requested Google re-authorization token

Additional information on Android Enterprise apps and related settings can be found in the Ivanti EPMM Apps@Work Guide.

Google account method for Android Enterprise profile provisioning

On the Google Admin Console, you can enforce EMM policies on Android devices. If enforced, when a device user adds a managed Google account to a device, such as from Settings, Ivanti Mobile@Work is automatically downloaded and launched. Once the user has registered Ivanti Mobile@Work with Ivanti EPMM and the work profile is created, the account is automatically added to the work profile.

On work managed devices, after factory reset, when the device user logs in with the managed Google account, Ivanti Mobile@Work is automatically downloaded and launched. Once the user has registered Ivanti Mobile@Work with Ivanti EPMM, the device is enrolled with Ivanti EPMM as a work managed device.