Using the alternative method to set up Android Enterprise
The alternative setup method consists of the following steps:
- Step 1: Sign up for Android Enterprise with Google and get the EMM Token: in the Google Admin Console.
- Step 2: Create a Google service account and get a JSON file: in the Google Admin Console
- Step 3: Generate the JSON enrollment file: from the Ivanti Support site
- Step 4: Bind Core with Android Enterprise: in Core
- Step 5: Authorize Core to view and manage your Google users: in Core
- Step 6: Create the Android Enterprise setting: in Core
After completing these steps, continue to Managing users for Android Enterprise.
Step 1: Sign up for Android Enterprise with Google and get the EMM Token
Follow Google’s setup instructions to sign up for Android Enterprise, and then receive the EMM Token.
Prerequisite:
- Your company has a corporate Google Account or will create one following Google’s instructions
You will need:
- access to your company’s Google Admin account
This step is performed on Google’s website and is subject to change by Google.
In a web browser:
- Go to Google’s Android Enterprise sign up page, “Sign up for Android Enterprise”: https://www.google.com/a/signup/u/0/?enterprise_product=ANDROID_WORK
- Follow Google’s instructions.
- Your setup may involve several steps, depending on whether or not your domain is already a Google Apps customer.
- You may need to verify ownership of your domain with Google.
- You may be directed to create a service account. The instructions for the service account are in Step 2.
You will need to set up a service account, because it authenticates interactions between Core in your domain and the Google EMM Play API. Follow Google’s instructions to do so here:
“Setup with a third-party EMM provider”
https://support.google.com/work/android/answer/6174046
Next, generate an EMM Token.
- Sign in to the Google Admin Console (admin.google.com) with your super administrator credentials.
- Navigate to Security > Android enterprise Settings. The page shows a token if one was generated in the last 30 days, or a button to generate a new token.
- Copy this token (as text) to use in Step 3.
Step 2: Create a Google service account and get a JSON file
In this step, you create a Google project and a service account with the EMM API enabled. You then receive a JSON file that holds a public/private key pair used to authorize interactions between apps on your domain and Google APIs.
This step is performed on Google’s website and is subject to change by Google. These instructions are based on: “Setup with a third-party EMM provider” https://support.google.com/work/android/answer/6174046
You will need access to your company’s Google Admin account
In a web browser:
- Go to Google’s Developers Console: https://console.developers.google.com
- Log in with your Google Admin account credentials.
- Create a new project.
- With the dashboard showing the new project, click “Enable and manage APIs”.
- Search for “Google Play EMM API”. Click the search result to select the API.
- Click “Enable” to enable Google Play EMM API for your project.
- Click “Credentials” in the left navigation pane.
- Click “Create credentials” and choose “Service account key”.
- For “Service account”, select “New service account” and type in a name.
- Select “Furnish a new private key”
- For “Key type”, select JSON.
- Click “Create”.
The JSON file is downloaded to your computer. Check that the downloaded file has the name shown in the confirmation dialog, with a “.json” extension; some browsers save it under a generic filename instead.
Important: Store this file securely.
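A quick sanity check for the downloaded key file, added here as an example and not part of Ivanti’s or Google’s tooling: it verifies that the file is a Google service-account key (the expected fields, a PEM private key, a service-account address) and that it is not readable by other local users. The sample key it writes is constructed with a placeholder private key; the field names are the ones Google uses in service-account key files.

```python
import json
import os
import stat
import tempfile

# Fields present in every Google service-account key file
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email", "client_id")

# Constructed sample key; the private_key is a placeholder, not real key material
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-emm-project",
    "private_key_id": "0123abcd",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "core-emm@example-emm-project.iam.gserviceaccount.com",
    "client_id": "123456789",
}


def validate_service_account_key(data):
    """Return a list of problems with a parsed key file; an empty list means it looks right."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not data.get(field):
            problems.append(f"missing field: {field}")
    if data.get("type") != "service_account":
        problems.append(f"unexpected type: {data.get('type')!r}")
    if not str(data.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key")
    if not str(data.get("client_email", "")).endswith(".iam.gserviceaccount.com"):
        problems.append("client_email is not a service-account address")
    return problems


def check_key_file(path):
    """Check file name, permissions and content of a downloaded key file."""
    problems = []
    if not path.endswith(".json"):
        problems.append("file name does not end in .json")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # group or world bits set: the private key is exposed to other local users
        problems.append(f"file mode {oct(mode)} is readable by group/others")
    with open(path) as fh:
        try:
            data = json.load(fh)
        except json.JSONDecodeError:
            return problems + ["file is not valid JSON"]
    return problems + validate_service_account_key(data)


def write_sample_key(mode=0o600, suffix=".json"):
    """Write SAMPLE_KEY to a temporary file with the given mode and return its path."""
    fd, path = tempfile.mkstemp(suffix=suffix)
    with os.fdopen(fd, "w") as fh:
        json.dump(SAMPLE_KEY, fh)
    os.chmod(path, mode)
    return path
```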
Step 3: Generate the JSON enrollment file
In this step, you will use the EMM Token and JSON file you obtained from Google to receive the ActivateAfWForCore.json enrollment file from the Ivanti Support portal. You can use the same enrollment file to enroll or re-enroll any number of Core instances that run on your domain.
You will need:
- your company’s login account for the Ivanti Support site at https://help.mobileiron.com.
- To get a login account, go to https://info.mobileiron.com/LoginRequest.html.
- administrator access to Core
- the EMM Token from Step 1
- the Google JSON file from Step 2
On the Ivanti Support site:
- Log in to the support portal at https://help.mobileiron.com.
- Select Android enterprise Enrollments.
- Click Create New Android enterprise Enrollment.
- Click Use Alternate Setup to fill out the dialog with your EMM Token and domain URL.
- Click Choose file to upload the Google JSON file from Step 2: Create a Google service account and get a JSON file.
- Click Submit.
The enrollment file will be generated.
- Click Download Google JSON Enrollment file.
The ActivateAfWForCore.json enrollment file is downloaded to your computer.
Some browsers may save the enrollment file with another name. Rename the file to ActivateAfwForCore.json before continuing.
IMPORTANT: Store the ActivateAfWForCore.json file securely.
You can use the same ActivateAfwForCore.json file to enable Android Enterprise on multiple Core instances that belong to the same domain. You can also reuse the same file if you remove Android Enterprise from Core, and then want to re-enroll it following the next steps again.
When this step completes successfully, Ivanti will be your Unified Endpoint Management (UEM) provider for Android Enterprise, and will appear in the Security > Android Enterprise settings on admin.google.com.
Step 4: Bind Core with Android Enterprise
In this step, you upload the enrollment file from Step 3 to Core, in order to bind Core with your domain’s Android Enterprise account.
You will need:
- administrator access to Core
- the ActivateAfWForCore.json file from Step 3
In Core:
- Go to Services > Google.
- Click Browse in the Android Enterprise section, in the box labeled “2”.
- Select the ActivateAfwForCore.json file you collected in Step 3.
- Click Connect.
- When the Google Account is connected successfully, box 2 will show a confirmation including Status: Connected.
Step 5: Authorize Core to view and manage your Google users
In this step, you give Core permission to read Android Enterprise user IDs from existing Google user accounts. Users with Google user accounts are eligible to use Android Enterprise.
By default, Core uses the substitution value $EMAIL$ as the Google user account name. You can change this value to match your environment. You make this change by modifying the User Sync Variable field in this step. You can use any Core substitution variables along with hard-coded strings, as long as the format of the string after variable substitution has the format of a Google email address.
The following table gives some examples:
User Sync Variable value | Use this value when...
--- | ---
$USER_CUSTOM1$ | You have set $USER_CUSTOM1$ in your LDAP setting in the Admin Portal (at Services > LDAP) to be the Google email address of an LDAP user. For example, after substitution: [email protected]
 | $USERID$ of an LDAP user is the same as the user name part of the user’s Google email address. For example, after substitution: [email protected]
$USERID$@$USER_CUSTOM2$ or $USERID$@someSubDomain.$USER_CUSTOM2$ | The Google account domain has a subdomain; $USERID$ of an LDAP user is the same as the user name part of the user’s Google email address; and you have set $USER_CUSTOM2$ in your LDAP setting in the Admin Portal (at Services > LDAP) to the LDAP user domain. For example, after substitution: [email protected]
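Because changing the User Sync Variable later means removing the Android Enterprise account, it pays to preview the substitution against real LDAP attributes first. The following is an added example, not Core’s own substitution engine: it expands $VAR$ tokens the way the table above describes, flags attributes that are unset for a user, and checks that each result has the shape of an email address. The sample users and the simplified email pattern are assumptions.

```python
import re

# Core substitution variables have the form $NAME$ ($EMAIL$, $USERID$, $USER_CUSTOM1$, ...)
VARIABLE = re.compile(r"\$([A-Z0-9_]+)\$")
# Simplified shape of a Google account address (assumption; not Google's full address grammar)
GOOGLE_EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def substitute(template, user):
    """Replace each $VAR$ with the user's attribute; unset attributes are left in place and reported."""
    unresolved = []

    def repl(match):
        name = match.group(1)
        value = user.get(name)
        if not value:
            unresolved.append(name)
            return match.group(0)
        return value

    return VARIABLE.sub(repl, template), unresolved


def preview_user_sync(template, users):
    """Map each USERID to (substituted value, list of problems) for a candidate User Sync Variable."""
    report = {}
    for user in users:
        result, unresolved = substitute(template, user)
        problems = [f"unresolved ${name}$" for name in unresolved]
        if not problems and not GOOGLE_EMAIL.match(result):
            problems.append("result is not an email address")
        report[user["USERID"]] = (result, problems)
    return report


# Constructed sample LDAP users; asmith has no $USER_CUSTOM1$ value set
SAMPLE_USERS = [
    {"USERID": "jdoe", "EMAIL": "jdoe@corp.example.com",
     "USER_CUSTOM1": "jdoe@gsuite.example.com", "USER_CUSTOM2": "example.com"},
    {"USERID": "asmith", "EMAIL": "asmith@corp.example.com",
     "USER_CUSTOM1": "", "USER_CUSTOM2": "example.com"},
]
```

Run `preview_user_sync` once per candidate template over an export of your LDAP users and commit the template in Core only when every user comes back with an empty problem list.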
You will need:
- Steps 1-4 completed
In Core:
- Go to Services > Google.
- Change $EMAIL$ in the User Sync Variable field if $EMAIL$ is not the Google user account name that you have set up for your users.
NOTE: Changing the User Sync Variable later requires you to remove the Android Enterprise account as described in Removing the Android Enterprise account in Core.
- Click Authorize in the Android Enterprise section, in the box labeled “3”.
When authorization completes successfully, the Android Enterprise section replaces the three steps with your account settings.
Step 6: Create the Android Enterprise setting
In this step, you create the Android Enterprise setting in Core. This setting must be applied to each Android Enterprise-capable device in order for the device to have Android Enterprise functionality.
In the Core Admin Portal:
- Go to Policies & Configs > Configurations.
- Click Add New > Android > Android enterprise. The New Android enterprise (all modes) Setting dialog box opens.
- Type a name for this setting (for example, “Android Enterprise enabled”).
- Click Save.
- Apply it to a label that is also applied to Android Enterprise-capable devices.
Important Recommendation: Apply this setting to the built-in Android label, or a custom label that is defined using the filter “android.afw_capable = true”. For more details, refer to the Getting Started with MobileIron Core.
Impact of the Android Enterprise setting on devices that are not Android Enterprise-capable
Applying the Android Enterprise setting to devices that are not Android Enterprise-capable has no effect on them. Some of these devices might become Android Enterprise-capable in the future, if the carrier upgrades the device’s firmware.
To view the status of the Android Enterprise setting for a device:
- Go to Devices & Users > Devices.
- Open the device details for the device.
- Click the Configurations tab.
- Look for the Android Enterprise setting. The Status column will show:
- Pending: The device has not yet confirmed that it has received the setting.
- Applied: the setting is applied.
- Sent: the device is not Android Enterprise-capable; the setting is ignored by Mobile@Work.