Enabling Android Enterprise

To enable Ivanti EPMM to provide Android Enterprise features, you must perform setup steps with Google, Ivanti Support, and Ivanti EPMM. You will associate a managed Google Play Account with Ivanti EPMM. Note that this procedure does not share your enterprise’s user names or email addresses with Google.

Depending on whether you are a new or an upgrading customer, the app distribution settings differ. For new customers, app distribution is set per device by default, and this setting cannot be changed. Upgrading customers can choose between app distribution per user or per device; per user is selected by default. Many users have multiple devices: when app distribution is set per device, you can make a different set of apps available on each of a user's devices.

Procedure 

  1. Log into help.ivanti.com.

  2. Select Android enterprise Enrollments.

  3. Select Create New Android enterprise Enrollment.

    The screen Android enterprise Setup - Step 1 displays.

  4. Select Begin.

    Do not select Alternate Setup Method. If you used the alternate setup method in the past, see Method 1: Setting up using AFW json file generated from google account.

    After selecting Begin, the screen Android enterprise Setup - Step 2 displays.

  5. Use the radio buttons to select a brand that matches the Ivanti EPMM you are using.

  6. Select Submit.

  7. The Bring Android to Work page displays. Select Sign In.

  8. Sign in with a Google account.

  9. Select Get Started.

  10. Enter your Organization details (the organization name) and agree to the managed Google Play agreement.

  11. Select CONFIRM.

  12. Select COMPLETE REGISTRATION.

  13. The Android enterprise Enrollment page displays in help.ivanti.com.

    Select Download Google JSON Enrollment file.

    The downloadService JSON file is downloaded.

    Store it in a secure, accessible location for later use, for example if you need to enable Android Enterprise on another Ivanti EPMM.

  14. Log into the Admin Portal and go to Services > Google.

  15. Upload the JSON file. Use the browse button to navigate to the JSON file you downloaded earlier in this procedure and select Connect.

    The Google Play App Catalog dialog box opens with this warning message: If more than one Ivanti EPMM instance is publishing the Google Play layout, you will be sending redundant (possibly conflicting) layouts to Google. This does NOT affect the distribution of apps, only the layout visible in Google Play. To use a Custom Layout in the Google Play store see “Distributing your enterprise apps in the Google Play App catalog or in Apps@Work” in the Ivanti EPMM Apps@Work Guide. This step is optional.

  16. Go to Policies & Configs > Configurations > Add New > Android > Android enterprise to go to the New Android enterprise (all modes) Setting dialog box.

  17. Enter a Name and Description.

  18. To place the devices that this setting applies to in a managed device with work profile, select Enable Managed Device with Work Profile (on Android 10 and below). This setting applies to Android 8, 9, and 10 devices.

  19. If you are in a European country that has GDPR requirements, Ivanti recommends selecting the Prompt user for enabling location setting (Fully Managed, Managed Device with Work Profile and Work Profile on Company Owned Device) check box. This is located in the Android 10 and higher only section of the New Android enterprise (all modes) Setting dialog box.

    Administrators also need to select the Prompt User to Enable Location Services if Wi-Fi/MTD configuration is pushed (Android enterprise) check box in the Privacy Policy. If this is not selected, Wi-Fi / MTD configurations will fail if the device user does not enable the device's location setting. For more information, see "Privacy policies" in Getting Started with Ivanti EPMM.

  20. Ignore Auto update Mobile@Work app on the devices. This option is no longer applicable. Using Google Play on the device, a user can specify that apps should be updated automatically. Select Save.

  21. Apply the Android Enterprise setting to a label that is also applied to Android Enterprise-capable devices.
    For example, apply this setting to the built-in Android Label, or a custom label that is defined using the filter “android.afw_capable = true”. For more details about labels, refer to Getting Started with Ivanti EPMM.

For information on the other fields on the Android Enterprise setting, see:

Impact of Android Enterprise setting to devices that are not Android Enterprise-capable

Applying the Android Enterprise setting has no impact on devices that are not Android Enterprise-capable. Some devices might become Android Enterprise-capable in the future, if the carrier upgrades the device’s firmware.

To view the status of the Android Enterprise setting for a device:

  1. Go to Devices & Users > Devices.

  2. Open the device details for the device.

  3. Select the Configurations tab.

  4. Look for the Android Enterprise setting. The Status column displays:
    • Pending: The device has not yet confirmed that it has received the setting.

    • Applied: The setting is applied.

    • Sent: The device is not Android Enterprise-capable; the setting is ignored by Ivanti Mobile@Work.

Determining if a device is Android Enterprise-capable

You can check if a device is Android Enterprise capable by doing the following:

  • On the device, open Ivanti Mobile@Work. Tap the menu, and tap Settings > About > Product Details. Look for Android Enterprise (AFW) Support and see if its value is Yes.

  • Once the device is registered, on Ivanti EPMM go to Devices & Users > Devices page. Find the device and select the caret next to the display name to view the Device Details. Look for the “Android enterprise Capable” row. The value is true if the device is capable.

Enabling run-time permissions for Android Enterprise apps

You can specify whether run-time permissions are automatically accepted or denied for Android Enterprise apps, or whether the device user is prompted to accept run-time permissions when each app requests them. You make this choice in the Android Enterprise setting. The choice you make applies to all Android Enterprise apps on devices that receive the Android Enterprise setting, based on the labels on the devices and the setting.

However, you can also specify run-time permissions for each permission for each app in the app’s settings in the Ivanti EPMM App Catalog. The run-time permissions setting for the app in the App Catalog overrides the run-time permissions setting in the Android Enterprise setting.

The run-time permission settings are supported only on Android 6.0 or supported newer versions.

Procedure 

  1. In the Admin Portal, go to Policies & Configs > Configurations.

  2. Select an Android Enterprise setting.

  3. Select Edit.

  4. Select Enable Runtime Permissions.

    The choices for run-time permissions display.

  5. Select a run-time permission setting.
    • User Prompt: The device user is prompted to accept or deny each run-time permission that each app requests when it launches. This behavior also applies if you do not select Enable Runtime Permissions.

    • Always Accept: The run-time permissions are automatically accepted for each app when it launches. The device user is not prompted.

    • Always Deny: The run-time permissions are automatically denied for each app when it launches. The device user is not prompted.

  6. Select Save.

For more information, see “Features specific to Android Enterprise devices” in the Ivanti EPMM Apps@Work Guide.

Adding a Google account to an Android Enterprise managed device

As an administrator, you can add an additional Google account to an Android Enterprise managed device. This action enables you to control which Google account can be added to the Android Enterprise account. This account can only be administered or modified by you, the device administrator. The device user cannot modify or remove the added account or add another account to the managed profile.

Procedure 

  1. In the Admin Portal, go to Policies & Configs > Configurations.

  2. Select an Android Enterprise setting.

  3. Select Edit.

  4. Select the Add Google Account check box in the For Android 6.0 and higher only section.

    A Google Account field displays.

  5. Enter the name of a Google Account you want to add.

    The added account must be an account with a Google domain. The name can include any of the Ivanti EPMM substitution variables listed in the information popup next to the field. For example, you can enter:

  6. Go to Policies & Configs > Policies and select the lockdown policy for this device.

  7. Uncheck the Allow the user to create and modify accounts option if it is checked.


Searching for devices that are registered as Android Enterprise devices

The Device Details pane for a device indicates the registration status of Android Enterprise devices. These values are:

  • Work Profile

  • Work Managed Device

  • Managed Device with Work Profile

  • Work Profile on Company Owned Device

You can use advanced search to find devices with the registration statuses of interest to you, and create dynamic labels for those sets of devices, if desired.

Searching for Devices

Enabling an Android Enterprise VPN client to be always on

You can specify an Android Enterprise VPN client as an Always-On client.

Procedure 

  1. Go to Policies & Configs > Configurations.

  2. Select an Android Enterprise setting.

  3. Select Edit.

  4. Select the Always-On VPN check box to display the App Identifier drop-down menu.
    The drop-down menu lists only apps that are configured to be installed as Android Enterprise apps.

  5. Select a VPN app to apply the Always-On setting.

  6. Select Save.

Note the following:

The Android Enterprise setting displays in Device Details as Partially Applied with an error message in the following cases:

  • The selected app is not installed on the device.

  • The selected app is installed on the device, but it is not a VPN app, or it is a VPN app that does not support Always-On.

Moving in-house apps to a Knox v3 Workspace

You can move your in-house apps to a Knox v3 Workspace.

Procedure 

  1. Go to Policies & Configs > Configurations.

  2. Select Add New > Android > Android enterprise. The New Android enterprise (all modes) Setting dialog box is displayed.

  3. Select the check box next to the Move In-house app into workspace field. Then the Package Names field is displayed.

  4. Use the drop-down menu next to the Package Names field to select an app name.

  5. Select Save.

For more information, see VPN clients deployed either inside or outside Knox Workspace.

Requiring a password for accessing the work profile

Typically, a password for an enterprise work profile should not be the same as the device password; however, some devices allow the two passwords to be the same.

Within the Work Challenge section, selecting the “Block unified password” option forces the device user to enter a password twice: first to unlock the device, second to unlock the work profile. (Selecting the "Block unified password" field disables the Use one lock option on the device, so device users must specify a separate security challenge for apps running in the work profile.) This feature is supported on devices using Android 7 or supported newer versions.

  • For devices using Ivanti Mobile@Work 10.1.0.0 for Android and Android 9.0 or supported newer versions, select Block unified password (device and work profiles) in the Android Enterprise setting. This option appears when you select the Work Challenge option.

  • For other devices, distribute an Android Enterprise setting with a work challenge configuration that has stricter requirements than the device passcode settings on the security policy for the devices. For example, stricter requirements include increasing the minimum password length in the Minimum Password Length field or increasing the number of complex characters in the Minimum Number of Complex Characters field.

    For more information, see step 15 in the procedure below.

Procedure 

  1. In the Admin Portal, go to Policies & Configs > Configurations.

  2. Select an Android Enterprise setting.

  3. Select Edit.

  4. In the For Android 7.0 and higher only section, select the Work Challenge check box. When a work challenge is set, the administrator can block the device passcode from matching the work profile passcode. This enforces separate work and device passwords, so that unlocking the device does not also unlock the work profile.

    The Password fields display for configuring your work challenge requirements.

  5. Select the Password Type:
    • Simple PIN: Permits repeated characters or ascending/descending sequences, for example, 123 or CBA.

    • Complex PIN: Select On to require digits that are neither repeated nor in a sequence. Examples of sequences are 1234, 2468, and 9876; an example of repeating digits is 4444.

    • Alphanumeric: At least one letter and one number is required.

  6. Set Minimum Password Length to the minimum password length ranging from 1 to 16 numbers or characters.

  7. Set Maximum Inactivity Timeout to the maximum time allowed for the device to be inactive before the user must reenter the work challenge to access the work profile. This may be set to Never to prevent timeout.

  8. Use Minimum Number of Complex Characters to set the minimum number of complex characters required in the password. Complex characters are special characters that are not numbers or letters, such as !, *, and #.

  9. Set the Maximum Password Age to the number of days until the user must change the work challenge.

  10. Set Maximum Number of Failed Attempts to the maximum number of attempts to enter the correct password in one login. The default value for failed attempts is 10. When the maximum number of attempts is reached, the work profile is retired.

  11. Set Password History to how many old work challenge passwords are stored so that the device user cannot repeat them.

  12. Select Block Fingerprint to prevent a device user from using a fingerprint to replace the work challenge password.

    Both the Block Iris Scan and Block Face unlock fields require either a Samsung device running Samsung OS 7.0 or supported newer versions or a non-Samsung device running Android 9.0 or supported newer versions.

  13. Select Block Iris Scan (Android 9 or Samsung only) to prevent a device user from using an iris scan to replace the work challenge password.

  14. Select Block Face unlock (Android 9 or Samsung only) to prevent a device user from using a face scan to replace the work challenge password.

  15. Select Block unified password (device and work profiles) to force the device user to set a secondary password for the work profile. The system shows the security challenge when the user attempts to open any work app. This feature is supported on devices using Android 7 or supported newer versions. If this field is de-selected (the default), the device user can use the same password for unlocking the device and the work profile.
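The Work Challenge fields above translate into a policy that can be checked before it is pushed. The following added example (not Ivanti's code) validates a candidate work-profile password against the Password Type, Minimum Password Length and Minimum Number of Complex Characters values; the field-to-attribute mapping and the rule that a Complex PIN rejects any run of more than three repeated or evenly stepped digits are assumptions modelled on Android's numeric-complex password quality.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumption: a "complex character" is anything that is not a letter or a digit.
def is_complex(c: str) -> bool:
    return not c.isalnum()

@dataclass
class WorkChallengePolicy:
    """Assumed mapping of the Work Challenge fields to attributes."""
    password_type: str          # "Simple PIN", "Complex PIN" or "Alphanumeric"
    min_length: int = 4         # Minimum Password Length (1 to 16)
    min_complex_chars: int = 0  # Minimum Number of Complex Characters

def max_run(pin: str) -> int:
    """Longest run of digits with a constant step: 4444 (step 0), 1234 (+1),
    2468 (+2) and 9876 (-1) all score 4; 1213 scores 2."""
    best = run = 1
    for i in range(1, len(pin)):
        step = int(pin[i]) - int(pin[i - 1])
        if i >= 2 and step == int(pin[i - 1]) - int(pin[i - 2]):
            run += 1
        else:
            run = 2
        best = max(best, run)
    return best

def check_work_challenge(pw: str, pol: WorkChallengePolicy) -> list[str]:
    """Return every policy violation; an empty list means the password complies."""
    problems = []
    if len(pw) < pol.min_length:
        problems.append(f"shorter than Minimum Password Length ({pol.min_length})")
    n_complex = sum(is_complex(c) for c in pw)
    if n_complex < pol.min_complex_chars:
        problems.append(f"{n_complex} complex characters, {pol.min_complex_chars} required")
    if pol.password_type in ("Simple PIN", "Complex PIN"):
        if not pw.isdigit():
            problems.append("PIN types accept digits only")
        elif pol.password_type == "Complex PIN" and max_run(pw) > 3:
            problems.append("Complex PIN forbids repeated or sequential digits")
    elif pol.password_type == "Alphanumeric":
        if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
            problems.append("Alphanumeric requires at least one letter and one number")
    else:
        raise ValueError(f"unknown Password Type {pol.password_type!r}")
    return problems

if __name__ == "__main__":
    stricter = WorkChallengePolicy("Alphanumeric", min_length=8, min_complex_chars=1)
    for candidate in ("1234", "Passw0rd!", "Passw0rd"):
        print(candidate, check_work_challenge(candidate, stricter) or "OK")
```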

Impact of removing the Android Enterprise setting from a device

Removing the Android Enterprise setting from a device causes the device to become retired.

The Android Enterprise setting can be inadvertently removed from a device if:

  • The setting is applied to a dynamic label instead of a built-in label, and the device is dynamically removed from the label for any reason, OR

  • The Android Enterprise setting is manually removed from a label shared with a device.

Removing the setting from the device causes the following to happen:

Table 3.   Removing Android Enterprise Setting

Android Enterprise status

If Android Enterprise setting is removed:

Work Profile mode

  • Starting in Ivanti EPMM 10.7.0.0, Ivanti EPMM will not display the device as registered. Instead, the Ivanti Mobile@Work app will notify Ivanti EPMM that the device is retired before deleting the work profile.

  • User can re-register the device. The user must re-enable Ivanti Mobile@Work through the Google Play store.

Work Managed Device (DO) mode

  • The device becomes unregistered and performs a factory reset.

  • The device can be re-registered at a later time.

Work Profile on Company Owned Device mode

  • Same as for Work Managed Device (DO) mode.
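A practical guard against the accidental removal described in the bullets above and in Table 3 is to audit which labels deliver the setting to each device. The following added example (not Ivanti code; the label and device records are constructed sample data, and the label/setting model is an assumption, since the page shows no EPMM export format) flags devices whose Android Enterprise setting arrives only through dynamic labels and states the consequence of losing it.

```python
from __future__ import annotations

# Constructed sample data (not an EPMM export): label -> (is_dynamic, member device ids).
LABELS = {
    "Android":    (False, {"dev1", "dev2"}),   # built-in label
    "AE-capable": (True,  {"dev1", "dev3"}),   # dynamic: android.afw_capable = true
    "Sales-WP":   (True,  {"dev4"}),           # dynamic: department filter
}
# Constructed: labels the Android Enterprise setting is currently applied to.
AE_SETTING_LABELS = {"Android", "AE-capable", "Sales-WP"}
# Constructed: registration status as shown in Device Details.
DEVICES = {
    "dev1": "Work Managed Device",
    "dev2": "Work Profile",
    "dev3": "Work Profile",
    "dev4": "Work Profile on Company Owned Device",
}
# Modes in which losing the setting means a factory reset, taken from Table 3.
WIPE_MODES = {"Work Managed Device", "Work Profile on Company Owned Device"}

def ae_setting_sources(device: str) -> dict[str, bool]:
    """Labels that deliver the AE setting to this device, mapped to is_dynamic."""
    return {name: dynamic for name, (dynamic, members) in LABELS.items()
            if name in AE_SETTING_LABELS and device in members}

def at_risk_devices() -> dict[str, str]:
    """Devices that hold the AE setting only through dynamic labels, with
    what happens if a membership change drops the setting."""
    risky = {}
    for dev, status in DEVICES.items():
        sources = ae_setting_sources(dev)
        if sources and all(sources.values()):
            risky[dev] = ("factory reset" if status in WIPE_MODES
                          else "work profile deleted, device retired")
    return risky

if __name__ == "__main__":
    for dev, outcome in at_risk_devices().items():
        print(f"{dev}: AE setting only via dynamic labels; losing it would mean {outcome}")
```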

Removing an Android Enterprise configuration causes the device to retire