Managing the closed network / AOSP devices

Listing details for Registration status, post-registration reception and provisions, and app management.

Registration status values

Upon registration to Ivanti EPMM, the device sends all device details to Ivanti EPMM. The Device Details page > Registration Status field lists the following values:

Table 5.  Registration status values

Action

Registration Status value

Android Enterprise configuration sent to device

Work Managed Device

Closed network / AOSP configuration sent to device

Work Managed Device - Non GMS

Device does not receive the AOSP configuration

The device is retired (factory reset.)

Closed network / AOSP device capabilities

After successful registration, devices will be able to receive and provision the following:

Table 6.  Closed network / AOSP device capabilities

Type

Description

Configurations
  • Android Enterprise
  • Android XML
  • Android APN
  • Exchange
  • MTD
  • Certificates
  • VPN
  • Wi-Fi

Policies
  • Android Quick Setup
  • Android Kiosk
  • Firmware policy
  • Security
  • Privacy
  • Lockdown
  • MTD local actions
  • MTD anti-phishing
  • Compliance policy
  • Sync policy

App Management
  • Support for in-house apps with configurations/restrictions
  • Apps@Work

Standard device management capabilities

All the supported device management commands of Android Enterprise work for closed network / AOSP deployment, except "Shared Kiosk- Signout."

App Management

  • With a closed network / AOSP deployment, devices registered as a non-GMS device will have access to all in-house applications through Apps@Work.

  • In non-closed networks / AOSP deployments, all apps need to be uploaded as in-house apps using their .apks since there is no access to Google's application bundles.

  • When applying app restrictions, make sure to have the Install this app for Android enterprise and Enable AOSP app restrictions check boxes selected.

For more information about app management, see "Adding in-house apps for Android" in the Ivanti EPMM Apps@Work Guide.

Always-On VPN for AOSP for Android Enterprise devices

In AOSP mode, you can have Always-On VPN status for devices using Android 10 and later supported versions. Directing traffic from the device through the VPN is useful for highly regulated industries and for customers who would deploy AOSP functionality.

Before you begin 

Be sure to have an Android Enterprise configuration in place with the Always On check box selected. See Enabling an Android Enterprise VPN client to be always on.

Procedure 

  1. Go to Services > Google and select the Enable AOSP/Closed Network Devices check box (see Enabling a closed network / AOSP deployment in Ivanti EPMM.)

  2. Install a VPN app. When applying app restrictions, make sure to have the Install this app for Android enterprise and Enable AOSP app restrictions check boxes selected.

  3. In Services > Sentry, add a new Standalone Sentry with a public certificate ( see "Standalone Sentry certificate" in the Ivanti Standalone Sentry Installation Guide.)

  4. In the Device Details page, the status of AOSP is displayed in the following fields:

    • Registration Date - Registration date of the device.

    • Registration IMSI - Registration of ISMI (international mobile subscriber identity) number.

    • Registration Status - Indicates the AOSP (non GMS) is registered as a Work Managed Device.

    • Registration UUID - Unique ID when registering from the client.

  5. The result is on user's device > System Settings > VPN provided app > Always-On VPN is switched on.