Provisioning an Android Enterprise device

Administrators register Android Enterprise devices, by registering a “work profile” and by provisioning “work managed” devices on a master device.

Before registering using a QR code for devices in a closed network or using AOSP deployment, see Setting up Ivanti EPMM with a closed network / AOSP deployment.

In-app registration for Android

Provisioning Android Enterprise devices using a QR code or NFC bump

To provision Android Enterprise devices using QR code or near field communication (NFC) bump, you will need to download and install the Provisioner app from Google Play on the master device.

Using this method, you can provision Android devices in a closed network or with a AOSP (Android Open Source Project) deployment. For more information, see Setting up Ivanti EPMM with a closed network / AOSP deployment.

Requirements to provision an Android Enterprise device

To provision an Android Enterprise device to be a work managed device, you need to:

  • Ensure the required Android Enterprise Configuration is defined and applied to a recommended label.
  • Enable Android Enterprise on the server.
  • In Devices & Users > Add Single Device, make sure the "Include Registration PIN only for Android Company-Owned Device Enrollment" field is selected.
  • In Settings > Device Registration, have the "Managed Devices / Device Owner (afw#, QR code, NFC)" field set to Password, Registration PIN or Password and Registration PIN.
  • In Settings > Device Registration, verify that the option Display QR Code and Registration URL is enabled. To disable sending users a QR code and registration URL, see .
  • Have an NFC-capable Android device (only if NFC is used) to serve as the master, with the Provisioner app installed.
  • Have Android Enterprise-capable devices to provision.

Enabling the Android beam for use with NFC bump

Procedure 

  1. Go to Settings on the device.
  2. Go to Networks > Wireless Networks.
  3. In the Connectivity section select Share & connect.
  4. Slide the NFC switch to On.
  5. Slide the Android Beam switch to On.

The steps to enable the Android beam and NFC may vary on different devices.

Provisioning Android Enterprise devices to become work managed devices

This section applies to Work Managed Devices and Work Profile on Company Owned Devices.

Procedure 

  1. Using the Android master device, download the Provisioner app from Google Play and install the app.
  2. Launch Provisioner on the master device.
  3. Select NFC or QR code for the Provisioning method.
  4. Tap App for Provisioning, and choose the client app to be installed on the provisioned device:

    Select this client app:

    To register with this EMM server:

    [email protected]

    Ivanti EPMM

    MDM

    Deutsche Telekom Ivanti EPMM

    Vodafone [email protected]

    Vodafone Ivanti EPMM

  5. Fill out the remaining fields in the Provisioner app. Some fields may auto-populate if a supported Wi-Fi type is present. The Wi-Fi fields are not shown if QR code is selected. Use these guidelines:

    Field

    Value

    Select app for provisioning

    [email protected]

    Time Zone

    Enter the time zone to be configured on the device

    Locale

    Enter the locale to be configured on the device

    Enable All System Apps

    Select the check box to enable all system apps

    Wi-Fi Network SSID

    Enter the Wi-Fi SSID the target device is to use

    Wi-Fi Security Type

    Enter the Wi-Fi security type

    Wi-Fi Password

    Enter the password for the Wi-Fi

    Bulk Enrollment

    Bulk enrollment is optional along with the hostname and username. Optionally select the Quick Start check box to use Quick Start feature.

    If a username is entered or Quick Start is checked, then a hostname is required.

  6. Tap Continue.
  7. If you selected NFC,tap Continue. The screen Bump the devices! appears on the master device. Continue with the NFC Bump section below.
  8. If you selected QR code, the screen Scan this QR code! appears on the master device. Continue with the QR Code section below.
  9. Configure NFC Bump.
    1. Confirm that the target device is displaying the Android Welcome screen.
    2. Press the master device back-to-back with the target device to initiate an NFC transfer. If the NFC transfer succeeds, the target device may make a sound, and then proceed to downloading the client app. If a Wi-Fi connection cannot be established, or if the device is unable to download the client app, the device will automatically do a factory reset.
    3. If you hear the sound or see a screen other than the Welcome screen, you can decouple the devices. This typically takes a few seconds. If the device is not encrypted, it will start the encryption process before continuing.
    4. You can continue to provision additional devices by “bumping” the devices to the master device. The target device must be showing the Welcome screen, and the master device must be showing the “Bump the devices!” screen.
  10. Configure QR Code provisioning.
    1. Confirm that the target device is displaying the Android Welcome screen.
    2. Tap the Android Welcome screen on the target device 6 times on the same place on the screen.
    3. You will be prompted to configure a WiFi network so the setup wizard can download a QR code reader to the target device.
    4. After the QR code reader is downloaded, the camera is launched.
    5. Hold the target device a few inches above the master device until the QR code is scanned successfully. The setup wizard will then proceed to download the client app. If it is unable to download the client app, it will automatically do a factory reset.
    6. You can continue to provision additional devices by scanning the QR code on the master device. The target device must have a camera ready to scan, and the master device must show the “Scan this QR code!” screen.
    7. The QR code can also be exported by tapping the Share icon. The options offered for exporting will vary by device.

Provisioning Android Enterprise devices using an afw# token

You can provision an Android Enterprise device in Device Owner mode using an afw# token instead of using the NFC bump or QR code methods. This method enables you to sign on a device with a token in the form afw#mobileiron.core which facilitates an automatic installation of the [email protected] client and provisioning in Device Owner mode.

Device Owner mode is supported on devices provisioned with Managed Google Play Accounts, using Android 6 or supported newer versions. For details see the Android EMM Developers guide.

Before you begin 

  • You must be enrolled with an Android Enterprise account.
  • The device must be Android Enterprise-capable.
  • The device must use Android 6 or supported newer versions.
  • In Devices & Users > Add Single Device, make sure the "Include Registration PIN only for Android Company-Owned Device Enrollment" field is selected. 
  • In Settings > Device Registration, have the "Managed Devices / Device Owner (afw#, QR code, NFC)" field set to Password, Registration PIN or Password and Registration PIN.
  • You must have an Android Enterprise token for Ivanti EPMM or a client branded token such as:
    • Ivanti EPMM: afw#mobileiron.core
    • Deutsche Telekom: afw#telekom.mi
    • Vodafone: afw#vodafone.mi
  • You must have a new or factory reset device.

Procedure 

  1. Power on the device and enter your WI-FI password.
    Your device may prompt you for a different password.
  2. In the Verify your account screen enter your Android Enterprise token. Select Next.
  3. On the Google Services screen select Install.
  4. Accept the Terms and Conditions.
  5. On the Setup work device screen select Next.
    The [email protected] client downloads and installs on the device. The device now enters Device Owner mode.

Provisioning Android Enterprise devices using Zero Touch

For information on Android Zero Touch provisioning, see the Android Zero Touch Provisioning Guide.

  • In Devices & Users > Add Single Device, make sure the "Include Registration PIN only for Android Company-Owned Device Enrollment" field is selected. 
  • In Settings > Device Registration, have the "Zero Touch and Samsung Knox Mobile Enrollment" field set to Password, Registration PIN or Password and Registration PIN.

Zero Touch enrollment with custom attributes

Administrators can specify certain custom device attributes at the time of initial provisioning. This works with the Provisioner app, QR code, Knox Mobile Enrollment (KME) and Zero Touch (ZT) for devices in Work managed device mode (DO) or corporate-owned personal-enabled (COPE) mode. It also works with all modes of registration, including PIN based and password based registration.

At initial registration and during any check-in, these custom attributes are passed on to Ivanti EPMM to categorize the device and place it in the correct group and assign the correct labels. The client sends property (customAttributes) consisting of the device custom attribute keys (variable name) and values that client wants Ivanti EPMM to set for that device. The client also sends to Ivanti EPMM updated values with the existing keys for the (customAttributes) key. If the client does not send a (customAttributes) key, the existing custom attributes values will not change.

Zero Touch enrollment with custom attributes is supported for custom attributes of type: String, Boolean, and Integer. The Provisioner App only supports String type.

It is the responsibility of the administrator to make sure that the custom attributes are setup correctly in Ivanti EPMM beforehand and match what is being sent by the Provisioner app or Zero Touch portal.

Use Case examples

Example - BOOLEAN

  • Attribute Name – COPE
  • Attribute Description – Enabled COPE Mode
  • Value Type – Boolean
  • Variable Name – True

Example - INTEGER

  • Attribute Name – OrgID
  • Attribute Description – Organization ID
  • Value Type – Integer
  • Variable Name – 3456

Example - STRING

  • Attribute Name – AEmode
  • Attribute Description – Android Enterprise Mode
  • Value Type – String
  • Variable Name – DO

For information on how to set custom attributes, see Adding custom attributes to users and/or devices.