Managing users for Android Enterprise

User accounts in MobileIron Core that are meant for Android Enterprise use are added, edited, and deleted in the same way as any Core user accounts. However, when you bind your user domain with Google, a user can register an Android Enterprise device only if the user is added as a user in your corporate Google Account.

MobileIron Core automatically syncs with your corporate Google Account to enable Android Enterprise for eligible users.

Syncing Google user accounts with Core

When you enabled Android Enterprise on Core, you provided Core with access to view your corporate Google Account including the list of users. Core has read-only access to the Google user accounts, which means Core cannot add or modify your users’ Google accounts.

Instead, Core keeps its own list of which Core users have Google user accounts, linking each Core user account with its corresponding Google user account.

MobileIron Core automatically syncs the users in Core with the users in your corporate Google Account. However, the sync behavior depends on whether the user sync variable is $EMAIL$, that is, whether Google user accounts are matched to Core users by email address.

NOTE: Removing a Google account that is linked to Core causes the associated Android Enterprise devices to retire when they next check in.

Table 1. Core behavior and the user sync variable

Sync time | User sync variable is $EMAIL$ | User sync variable is NOT $EMAIL$
Upon authorizing MobileIron to view the Google Account, when first enabling Android Enterprise | Core adds users to its list of Google user accounts if the user is in Google’s list. | No action.
On periodic intervals (approximately every 15 hours; subject to change) | Core adds users to and deletes users from its list of Google user accounts based on Google’s list. | Core deletes users from its list of Google user accounts based on Google’s list.
On demand when a new user is added in Core | No action. | No action.
On demand when a user registers a device to Core | Core adds the user to its list of Google user accounts if the user is in Google’s list. | Core adds the user to its list of Google user accounts if the user is in Google’s list.

Note: Core ignores Google user accounts that have no corresponding user account in Core.
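The rules in Table 1 are easier to reason about when you can run them. The following is an added example written for this page, not MobileIron code: the class, event names and sample users (alice, bob, carol, dave, erin) are made up, and only the sync rules follow the table. It walks both settings of the user sync variable through the same sequence of events and records which users end up linked and whose Android Enterprise devices would retire at next check-in.

```python
"""Simulation of the Core <-> Google user-account sync rules in Table 1.
Added example for this page, not MobileIron code: the class, event names and
sample users are made up; only the rules follow the table."""
from __future__ import annotations
from dataclasses import dataclass, field

# The four sync times from the table.
AUTHORIZE = "authorize"                   # first enabling Android Enterprise
PERIODIC = "periodic"                     # roughly every 15 hours
USER_ADDED = "user_added"                 # a new user is added in Core
DEVICE_REGISTERED = "device_registered"   # a user registers a device to Core


@dataclass
class CoreSyncState:
    """Core's view: its own users, which of them are linked to a Google
    account, and which users' Android Enterprise devices will retire."""
    core_users: set
    email_variable: bool            # True when the user sync variable is $EMAIL$
    google_linked: set = field(default_factory=set)
    retire_on_checkin: set = field(default_factory=set)

    def _link(self, user, google_users):
        # Link only when the account exists on both sides: Google accounts
        # with no matching Core user are ignored (note under the table).
        if user in self.core_users and user in google_users:
            self.google_linked.add(user)

    def _unlink_missing(self, google_users):
        # A linked Google account that disappeared: drop the link and mark
        # the user's Android Enterprise devices to retire at next check-in.
        gone = {u for u in self.google_linked if u not in google_users}
        self.google_linked -= gone
        self.retire_on_checkin |= gone

    def sync(self, event, google_users, user=None):
        """Apply one sync event; returns the current linked set."""
        if event == AUTHORIZE:
            if self.email_variable:               # NOT $EMAIL$: no action
                for u in self.core_users:
                    self._link(u, google_users)
        elif event == PERIODIC:
            self._unlink_missing(google_users)    # deletes in both modes
            if self.email_variable:               # adds only with $EMAIL$
                for u in self.core_users:
                    self._link(u, google_users)
        elif event == USER_ADDED:
            self.core_users.add(user)             # no sync action in either mode
        elif event == DEVICE_REGISTERED:
            self._link(user, google_users)        # both modes
        else:
            raise ValueError(f"unknown sync event: {event}")
        return set(self.google_linked)


def demo():
    """Walk both modes through the same constructed sequence of events."""
    results = {}
    for mode in (True, False):
        core = CoreSyncState(core_users={"alice", "bob", "carol"},
                             email_variable=mode)
        google = {"alice", "bob", "dave"}          # dave has no Core user
        trace = [core.sync(AUTHORIZE, google)]
        trace.append(core.sync(USER_ADDED, google, user="erin"))
        trace.append(core.sync(DEVICE_REGISTERED, google, user="bob"))
        google = {"alice", "dave", "erin"}         # bob removed, erin added
        trace.append(core.sync(PERIODIC, google))
        trace.append(core.sync(DEVICE_REGISTERED, google, user="erin"))
        results["email" if mode else "not_email"] = (trace, set(core.retire_on_checkin))
    return results


if __name__ == "__main__":
    for mode, (trace, retire) in demo().items():
        print(mode, [sorted(t) for t in trace], "retire:", sorted(retire))
```

Two points stand out in the trace. With the variable NOT $EMAIL$, nothing is linked at authorization or on the periodic sync; a user becomes linked only when that user registers a device, and the periodic sync still removes the link (and retires the devices) once the Google account disappears. In both modes dave, who exists only in Google, never appears.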

Adding a new user in Core

For the MobileIron administrator, there are no differences to the process for adding new users when working with Android Enterprise. Users can be added as local users, or automatically through LDAP, as usual.

Using Android Enterprise on a device

To be eligible to use Android Enterprise on a device, the user must have a Google account. This feature is applicable to Work Profile mode, Work managed device mode, and Managed device with work profile mode.

When the Google Play authentication token expires, or a change such as a password or permission change requires re-authorization, Mobile@Work asks Core to issue a new authorization token, and Core sends one to Mobile@Work to reauthorize Google Play. Mobile@Work can make up to 10 reauthorization requests within a 24-hour period. On the 11th request, an error message displays on the device, and the device is considered non-compliant and retired. In the Dashboard, a non-compliant icon displays next to the device to indicate to the administrator that there is a problem. The administrator should retire the device instance, and it is recommended that all devices associated with that Google user ID resync with Core. The device user will need to re-register with Google Play. Below is a log showing the client reauthorization requests and the eventual revocation of the token.
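The 10-requests-per-24-hours budget above is the kind of threshold worth watching for on your own side, so you notice a device that is looping on reauthorization before Core retires it. The following is an added example, not MobileIron code, and the log line format it parses is constructed for the example (it is not the real Mobile@Work or Core log format). It keeps a sliding 24-hour window of reauthorization requests per device and reports the first request that exceeds the budget; whether a request exactly 24 hours old still counts is not stated on the page, so the example assumes it does not.

```python
"""Flag devices that exceed the Google Play reauthorization budget described
above: more than 10 reauthorization requests from one device within 24 hours
(the 11th makes the device non-compliant and retires it). Added example for
this page, not MobileIron code. The log line format is constructed for this
example and is not Mobile@Work's or Core's real log format."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_REAUTH_PER_WINDOW = 10
WINDOW = timedelta(hours=24)


def parse_line(line):
    """Constructed format: '<ISO-8601 timestamp> device=<id> event=<name>'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["device"], fields["event"]


def find_exceeded(lines):
    """Return {device_id: time of the first request past the budget}.

    A sliding window per device: requests 24 hours old or older are dropped
    before counting (assumption: the page does not say whether the window
    is inclusive)."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        ts, device, event = parse_line(line)
        if event != "reauth_request":
            continue
        window = recent[device]
        while window and ts - window[0] >= WINDOW:
            window.popleft()
        window.append(ts)
        if len(window) > MAX_REAUTH_PER_WINDOW and device not in flagged:
            flagged[device] = ts
    return flagged


def _requests(device, start, count, step):
    """Build constructed reauth_request lines at a fixed interval."""
    return [f"{(start + i * step).isoformat()} device={device} event=reauth_request"
            for i in range(count)]


T0 = datetime(2024, 1, 1, 0, 0, 0)
# Constructed sample log (timestamps sort lexicographically in ISO format):
# dev-A: 11 requests two hours apart -> all within 24 h -> 11th is over budget.
# dev-B: 11 requests three hours apart -> the oldest age out -> never over budget.
SAMPLE_LOG = sorted(
    _requests("dev-A", T0, 11, timedelta(hours=2))
    + _requests("dev-B", T0, 11, timedelta(hours=3))
    + [f"{T0.isoformat()} device=dev-A event=checkin"]   # unrelated event
)


if __name__ == "__main__":
    for device, when in find_exceeded(SAMPLE_LOG).items():
        print(f"{device}: over reauthorization budget at {when.isoformat()}")
```

Run against your own client logs, the only change needed is parse_line, which is the part tied to the constructed format. The per-device deque keeps memory bounded to at most 11 timestamps per device, and the first-hit-only bookkeeping in flagged avoids repeated alerts for a device that keeps retrying after it has already been marked.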

Additional information on Android Enterprise apps and related settings can be found in the MobileIron Apps@Work Guide.

Google account method for Android Enterprise profile provisioning

On the Google Admin Console, you can enforce EMM policies on Android devices. If enforced, when a device user adds a managed Google account to a device, such as from Settings, Mobile@Work is automatically downloaded and launched. Once the user has registered Mobile@Work with MobileIron Core and the work profile is created, the account is automatically added to the work profile.

On work managed devices, after factory reset, when the device user logs in with the managed Google account, Mobile@Work is automatically downloaded and launched. Once the user has registered Mobile@Work with MobileIron Core, the device is enrolled with Core as a work managed device.