Using the alternative method to set up Android Enterprise

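The alternative setup method consists of the following steps:

  • Step 1: Sign up for Android Enterprise with Google and get the EMM Token
  • Step 2: Create a Google service account and get a JSON file
  • Step 3: Generate the JSON enrollment file
  • Step 4: Bind Ivanti EPMM with Android Enterprise
  • Step 5: Authorize Ivanti EPMM to view and manage your Google users
  • Step 6: Create the Android Enterprise setting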

After completing these steps, continue to Managing users for Android Enterprise.

Step 1: Sign up for Android Enterprise with Google and get the EMM Token

Follow Google’s setup instructions to sign up for Android Enterprise, and then receive the EMM Token.

Prerequisite:

  • Your company has a corporate Google Account or will create one following Google’s instructions

You will need:

  • Access to your company’s Google administrator account

This step is performed on Google’s website and is subject to change by Google.

In a web browser:

  1. Go to Google’s Android Enterprise sign up page:
    “Sign up for Android Enterprise”
    https://www.google.com/a/signup/u/0/?enterprise_product=ANDROID_WORK
  2. Follow Google’s instructions
    • Your setup may involve several steps, depending on whether or not your domain is already a Google Apps customer.
    • You may need to verify ownership of your domain with Google.
    • You may be directed to create a service account. The instructions for the service account are in Step 2.

You will need to set up a service account, because it authenticates interactions between Ivanti EPMM in your domain and the Google EMM Play API. Follow Google’s instructions to do so here:
“Setup with a third-party EMM provider”

https://support.google.com/work/android/answer/6174046

Next, generate an EMM Token.

  1. Sign in to the Google Admin Console (admin.google.com) with your super administrator credentials.
  2. Navigate to Security > Android enterprise Settings. The page shows a token if one was generated in the last 30 days, or a button to generate a new token.
  3. Copy this token (as text) to use in Step 3.

Step 2: Create a Google service account and get a JSON file

In this step, you create a Google project and a service account with the EMM API enabled. You then receive a JSON file that holds a public/private key pair used to authorize interactions between apps on your domain and Google APIs.

This step is performed on Google’s website and is subject to change by Google. These instructions are based on: “Setup with a third-party EMM provider” https://support.google.com/work/android/answer/6174046

You will need access to your company’s Google administrator account.

In a web browser:

  1. Go to Google’s Developers Console: https://console.developers.google.com
  2. Log in with your Google administrator account credentials.
  3. Create a new project.
  4. With the dashboard showing the new project, click “Enable and manage APIs”.
  5. Search for “Google Play EMM API”. Click the search result to select the API.
  6. Click “Enable” to enable Google Play EMM API for your project.
  7. Click “Credentials” in the left navigation pane.
  8. Click “Create credentials” and choose “Service account key”.
  9. For “Service account”, select “New service account” and type in a name.
  10. Select “Furnish a new private key”
  11. For “Key type”, select JSON.
  12. Click “Create”.

The JSON file will be downloaded to your computer. Check that the downloaded file has the name shown in the confirmation dialog, with a “.json” extension, because some browsers may save it under a generic filename.

Important: Store this file securely.
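A pre-upload check for the downloaded key file, as an added example that is not part of the Ivanti or Google documentation. It assumes a POSIX file system and the field names Google writes into a JSON service account key; the sample key and file name are constructed placeholders.

```python
import json
import os
import stat
import tempfile

# Fields Google writes into a JSON service account key file.
REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email")


def audit_key_file(path):
    """Return a list of findings for a downloaded service account key (POSIX)."""
    findings = []
    # 0o077 masks every group/other permission bit.
    if (mode := stat.S_IMODE(os.stat(path).st_mode)) & 0o077:
        findings.append(f"mode {mode:04o} lets group/other access the key; use 0600")
    if not path.endswith(".json"):
        findings.append("file name lacks the .json extension")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except ValueError as exc:
        return findings + [f"not valid JSON: {exc}"]
    if not isinstance(key, dict) or key.get("type") != "service_account":
        return findings + ["not a service account key (type != 'service_account')"]
    missing = [name for name in REQUIRED if not key.get(name)]
    if missing:
        findings.append("missing fields: " + ", ".join(missing))
    return findings


def demo():
    """Audit a constructed key file before and after tightening its mode."""
    sample = {  # constructed placeholder values, not a real key
        "type": "service_account", "project_id": "example-emm-project",
        "private_key_id": "placeholder-key-id",
        "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
        "client_email": "emm-sa@example-emm-project.iam.gserviceaccount.com",
    }
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "example-emm-project-key.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)  # world-readable, as a browser download often is
        before = audit_key_file(path)
        os.chmod(path, 0o600)  # owner read/write only
        after = audit_key_file(path)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The audit never prints the private key itself, so its output is safe to paste into a change ticket.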

Step 3: Generate the JSON enrollment file

In this step, you will use the EMM Token and JSON file you obtained from Google to receive the ActivateAfWForCore.json enrollment file from the Ivanti Support portal. You can use the same enrollment file to enroll or re-enroll any number of Ivanti EPMM instances that run on your domain.

You will need:

  • Your company’s login account for the Ivanti Support site
  • To get a login account, go to Login Request
  • Administrator access to Ivanti EPMM
  • The EMM Token from Step 1
  • The Google JSON file from Step 2

In Ivanti EPMM:

  1. Log in to the support portal at Ivanti Support site.
  2. Select Android enterprise Enrollments.
  3. Click Create New Android enterprise Enrollment.
  4. Click Use Alternate Setup to fill out the dialog with your EMM Token and domain URL.
  5. Click Choose file to upload the Google JSON file from Step 2: Create a Google service account and get a JSON file.
  6. Click Submit.

    The enrollment file will be generated.

  7. Click Download Google JSON Enrollment file.
  8. The ActivateAfWForCore.json enrollment file is downloaded to your computer.

    Some browsers may save the enrollment file with another name. Rename the file to ActivateAfwForCore.json before continuing.

Store the ActivateAfWForCore.json file securely.

You can use the same ActivateAfwForCore.json file to enable Android Enterprise on multiple Ivanti EPMM instances that belong to the same domain. You can also reuse the same file if you remove Android Enterprise from Ivanti EPMM, and then want to re-enroll it following the next steps again.

When this step completes successfully, Ivanti will be your Unified Endpoint Management (UEM) provider for Android Enterprise, and will appear in the Security > Android Enterprise settings on admin.google.com.

Step 4: Bind Ivanti EPMM with Android Enterprise

In this step, you upload the enrollment file from Step 3 to Ivanti EPMM, in order to bind Ivanti EPMM with your domain’s Android Enterprise account.

You will need:

  • Administrator access to Ivanti EPMM
  • The ActivateAfWForCore.json file from Step 3

In Ivanti EPMM:

  1. Go to Services > Google.
  2. Click Browse in the Android Enterprise section, in the box labeled “2”.
  3. Select the ActivateAfwForCore.json file you collected in Step 3.
  4. Click Connect.
  5. When the Google Account is connected successfully, box 2 will show a confirmation including Status: Connected.

Step 5: Authorize Ivanti EPMM to view and manage your Google users

In this step, you give Ivanti EPMM permission to read Android Enterprise user IDs from existing Google user accounts. Users with Google user accounts are eligible to use Android Enterprise.

By default, Ivanti EPMM uses the substitution value $EMAIL$ as the Google user account name. You can change this value to match your environment by modifying the User Sync Variable field in this step. You can combine any Ivanti EPMM substitution variables with hard-coded strings, as long as the resulting string, after variable substitution, has the format of a Google email address.

The following table gives some examples:

Table 137. Examples of Ivanti EPMM substitution variables for the Google user account name

User Sync Variable value: $USER_CUSTOM1$
Use this value when: You have set $USER_CUSTOM1$ in your LDAP setting in the Admin Portal (at Services > LDAP) to be the Google email address of an LDAP user.
For example, after substitution: [email protected]

User Sync Variable value: [email protected]
Use this value when: $USERID$ of an LDAP user is the same as the user name part of the user’s Google email address.
For example, after substitution: [email protected]

User Sync Variable value: [email protected]$USER_CUSTOM2$
Use this value when:
  • The Google account domain has a subdomain.
  • $USERID$ of an LDAP user is the same as the user name part of the user’s Google email address.
  • You have set $USER_CUSTOM2$ in your LDAP setting in the Admin Portal (at Services > LDAP) to the LDAP user domain.
For example, after substitution: [email protected]

You will need:

  • Steps 1-4 completed

In Ivanti EPMM:

  1. Go to Services > Google.
  2. Change $EMAIL$ in the User Sync Variable field if $EMAIL$ is not the Google user account name that you have set up for your users.

    Changing the User Sync Variable later requires you to remove the Android Enterprise account as described in Removing the Android Enterprise account in Ivanti EPMM.

  3. Click Authorize in the Android Enterprise section, in the box labeled “3”.

When authorization completes successfully, the Android Enterprise section replaces the three steps with your account settings.

Step 6: Create the Android Enterprise setting

In this step, you create the Android Enterprise setting in Ivanti EPMM. This setting must be applied to each Android Enterprise-capable device in order for the device to have Android Enterprise functionality.

In the Ivanti EPMM Admin Portal:

  1. Go to Policies & Configs > Configurations.
  2. Click Add New > Android > Android enterprise. The New Android enterprise (all modes) Setting dialog box opens.
  3. Type a name for this setting (for example, “Android Enterprise enabled”).
  4. Click Save.
  5. Apply it to a label that is also applied to Android Enterprise-capable devices.
    Important Recommendation: Apply this setting to the built-in Android label, or a custom label that is defined using the filter “android.afw_capable = true”. For more details, refer to the Getting Started with Ivanti EPMM.

Impact of Android Enterprise setting to devices that are not Android Enterprise-capable

Applying the Android Enterprise setting to devices that are not Android Enterprise-capable has no impact on them. Some devices might become Android Enterprise-capable in the future, if the carrier upgrades the device’s firmware.

To view the status of the Android Enterprise setting for a device:

  • Go to Devices & Users > Devices.
  • Open the device details for the device.
  • Click the Configurations tab.
  • Look for the Android Enterprise setting. The Status column will show:
    • Pending: The device has not yet confirmed that it has received the setting.
    • Applied: The setting is applied.
    • Sent: The device is not Android Enterprise-capable; the setting is ignored by [email protected]