
Android Enterprise Deployment Guide (Android for Work)

Introduction

This article provides deployment guidance for Android for Work (now called Android Enterprise) with Cisco Meraki's System Manager. Android Enterprise is a platform for devices running on the Google Android mobile operating system that allows IT to manage and secure business applications using a work-specific profile. Android for Work comes in two different types of deployments:

  1. Work Profile or BYOD. In BYOD mode, administrators control only work-managed applications and settings. Systems Manager containerizes all corporate data and marks it with an orange badge icon. An administrator has complete control over these applications but no visibility into, or control over, personal applications on the device.
  2. Device Owner mode. In Device Owner mode, administrators have complete control of the device. This type of deployment is primarily used on institutionally owned devices and includes special features such as kiosk mode. (Device Owner mode can be thought of as the "Supervised" state for those familiar with iOS.)

Requirements

Managing Android Enterprise devices through Systems Manager requires:

  • A bound domain: either a Gmail address used for administration (Meraki-managed domain) or a G Suite account (Google-managed domain). The following section describes these two in more depth.
  • Android 5 (Lollipop) or higher devices, with features like Kiosk Mode requiring Android 6+
  • Device support for Google Play Services version 11.0.4+ (as of this writing)
  • Google requirements for Android Enterprise can be found here.

For more info on enrollment options for Android devices, reference our article here. More information about Android Enterprise can be found here: https://www.android.com/work 


Deployment Considerations

There are 5 main stages in an Android for Work deployment on Systems Manager:

  1. Determine and Bind a Work Domain
  2. Enable Authentication as a part of Enrollment 
  3. Enroll a Device
  4. Enable Device Restrictions
  5. Push Applications

Determine and Bind a Work Domain

There are two flavors of Android for Work (AfW), Google Managed and Meraki Managed:

  • Google Managed Domain - This is an Android for Work deployment that capitalizes on existing Google services. If services such as Gmail, Google Calendar, Google Docs, etc. are already in use, it is likely a Google Managed Domain. This can be enabled in the Google Admin Console as a super administrator. Navigate to Security > Manage EMM provider for Android and copy the token; it will be entered in the first step of the process. Check "Enforce EMM policies on Android Devices" to require that SM be installed on the device before it can access Google services.


If the free Android for Work subscription has not already been added to the Google Domain please reference the following article to enable it. The section that states "If you are a G Suite customer" provides more information about enabling the free subscription: https://support.google.com/work/andr.../6174046?hl=en


  • Meraki Managed Domain - If no Google services are currently being used, Meraki can generate a Managed Domain for your Android for Work deployment, which may be preferable to setting up a G Suite domain that would otherwise go unused. All that is needed is a Google-supported administrative email address (e.g. any @gmail.com account). In Google documentation this is referred to as an Android for Work account (as these accounts can only be used for Android for Work).

More about this can be read here: https://support.google.com/googlepla..._topic=7042018

Google Managed Domain

To bind an existing Google Managed Domain navigate to Organization > MDM, enter the domain name (e.g. 'meraki.com'), followed by the token copied from the Google Admin Console and click "Enroll Domain."

MDM_enrollment2.png

Meraki Managed Domain

To bind a Meraki Managed Domain navigate to Organization > MDM and click "Get signup URL".

MDM_enrollment.png
Next, click the generated URL that appears in step 2; it will redirect to the "Bring Android to Work" page. Click through the form to complete it and create a Meraki Managed account. If possible, it is recommended to use a Gmail account associated with your organization rather than a personal account.



Once the "Complete Registration" button has been clicked, return to the Meraki Dashboard. Under Organization > MDM, there should now be a bound domain associated to the email used to complete the "Bring Android to Work" page.

Enable Authentication as a part of Enrollment

Adding authentication is a necessary step in order to associate a user with the Android for Work profile placed onto a device. To enable authentication in Systems Manager, navigate to Systems Manager > General and select an option in the section labeled User authentication settings.

If a Google Managed Domain was used, SM will automatically authenticate (via OAuth) against the associated Google domain. If a Meraki Managed Domain was used, select "Managed: User Meraki hosted accounts." If no user accounts have been created yet, click Save and then click Configure Meraki hosted user. The username and password entered as a Meraki Owner is what SM will authenticate against.

Enrolling a Device

As mentioned earlier, there are two ways to deploy Android for Work: BYOD mode or Device Owner mode. Each of these modes has a different enrollment path, detailed below. Additional details and recommendations on choosing between the two for your deployment can be found in this article.

Google requires that Android 5.0+ devices be encrypted when using AfW. This is important for both general device security as well as application specific data security. More about it can be read here: https://support.google.com/a/answer/6178111?hl=en

BYOD Enrollment

Enrolling a BYOD device into Systems Manager is a simple 2-step process: 

  1. Install the Systems Manager app - This can be done two ways. With a Google Managed domain, simply add a Google account in the bound domain and the device will prompt the user to install the SM app. With a Meraki Managed domain, the user downloads the SM app from the Google Play Store. The app can be found here: https://play.google.com/store/apps/d...=com.meraki.sm. Regardless of the domain type, once the app is installed, follow the steps provided on the device to complete enrollment.

  2. Sign in / Authenticate - When the app is opened two options will appear: Google and Meraki. These refer to the domain types that were bound to Dashboard.
  • If Google is selected it will prompt the user to login with their Google domain credentials and automatically enroll in the correct Dashboard network.
  • If Meraki is chosen it will prompt for an enrollment code (found in Dashboard under Systems Manager > MDM > Add Devices > Android tab) and subsequently ask for a username and password.
  • Once authenticated, the device will inform the user that a work profile is being set up and then uninstall the non-badged copy of the Systems Manager app. This is normal and ensures that SM operates only within the work container, not on the entire device. The app will go through a quick loading screen and will then be set up for Android for Work. A successful BYOD enrollment results in icons on the device with an orange badge, or a "Work" folder being created on the device home screen. To control which badged apps are provisioned, see the section below.


A sample of the screens is shown below:


Device Owner Enrollment

Device Owner mode is designed for institutionally owned devices that need additional restrictions and control. Enrollment follows a similar process to BYOD, but everything is done in one step after a factory reset of the device. This step behaves slightly differently depending on whether a Google Managed or Meraki Managed domain is bound to Dashboard.

Device Owner mode can only be enabled after the factory reset of a device, and by default will disable all system apps unless configured otherwise. See the following section on controlling system apps.

If you have a Lollipop device (Android 5.0+) please reference this article for how to enable device owner mode. 


  • Google Managed - After a factory reset, follow the steps on screen until prompted for a Google Account. Sign in with an account that belongs to the bound Google Domain. This will prompt the installation of the SM app and automatically enroll the device in Dashboard.


  • Meraki Managed - After the factory reset, follow the steps on screen until prompted for a Google Account. Do NOT skip this step or enter an account; instead enter afw#meraki. This will install the SM app on the device. Next, tap "Enroll" and either enter the ten-digit network ID or scan the QR code found on Dashboard's 'Add devices' page. The app will prompt for authentication and finish setup.


As shown in the last image, enabling Device Owner mode removes all non-essential apps from the device.

Controlling Native System Apps

By default, all apps will be disabled when enrolling in Device Owner mode, including the default SMS and phone dialing apps. In Work Profile mode, Systems Manager will automatically create work versions of the default apps in the work profile, indicated with the orange briefcase. The applications that are installed by default or treated as 'system apps' vary by device manufacturer; for example, Samsung devices use different dialer, camera, and SMS apps from Google Nexus or Pixel devices.

To customize which default Android apps are provisioned into Device Owner mode, or duplicated into the managed work profile, see the Controlling Android System Apps article.

Verifying Enrollment

To verify whether a client device is enrolled, check the client page by navigating to Systems Manager > Monitor > Clients. Select the client from the list and check the Management section in the left-hand column near the top of the client details page. If the organization is successfully enrolled/synced, there will be a field called Android for Work Account. If the device is enrolled in Android for Work, it will say Yes. If this field does not exist, it is likely that the organization is not yet correctly enrolled in Android for Work.


management.png


For Device Owner mode, you can also verify the device was successfully enrolled by launching the SM app and confirming 'SM is device owner'. If you see a warning icon here instead of a green check, tap the icon to reprovision the AfW account.
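The Dashboard and SM app checks above are the authoritative ones. As an added example that is not part of Meraki's documentation or code, the script below gives a workstation-side cross-check for the two properties this guide relies on: that Systems Manager (package com.meraki.sm, per the Play Store link above) actually holds Device Owner, and that the device is encrypted as Google requires. It parses `adb shell dumpsys device_policy` and `adb shell getprop ro.crypto.state`; the dumpsys layout it expects is an assumption based on AOSP's device policy dump, the sample texts are constructed, and the `live_check` wrapper and admin receiver class name are hypothetical.

```shell
#!/bin/sh
# Added example (not Meraki's code): cross-check Device Owner status and
# encryption state from a workstation with adb. The dumpsys layout is an
# assumption based on AOSP's DevicePolicyManagerService dump; the samples
# below are constructed.

SM_PKG="com.meraki.sm"

# device_owner_package: read `dumpsys device_policy` output on stdin and
# print the package that holds Device Owner (prints nothing if none).
device_owner_package() {
    tr -d '\r' | awk '
        /^ *Device Owner:/    { in_do = 1; next }
        /^ *Profile Owner/    { in_do = 0 }
        in_do && /package=/   { sub(/.*package=/, ""); print; exit }
    '
}

# is_device_owner PKG: succeed only if PKG is the Device Owner in the
# dumpsys text on stdin. A work-profile-only (BYOD) device fails this.
is_device_owner() {
    [ "$(device_owner_package)" = "$1" ]
}

# encrypted: read `getprop ro.crypto.state` output on stdin and succeed
# only if the device reports that storage is encrypted.
encrypted() {
    [ "$(tr -d '\r\n')" = "encrypted" ]
}

# live_check (hypothetical wrapper): run both checks against the device
# attached via adb. Only invoked when the script is run with --live.
live_check() {
    adb shell dumpsys device_policy | is_device_owner "$SM_PKG" \
        && echo "OK: $SM_PKG is Device Owner" \
        || echo "WARN: $SM_PKG is not Device Owner (reprovision from the SM app)"
    adb shell getprop ro.crypto.state | encrypted \
        && echo "OK: device is encrypted" \
        || echo "WARN: device is not encrypted"
}

# Constructed sample: a device provisioned in Device Owner mode.
SAMPLE_DO='Current Device Policy Manager state:
  Device Owner: 
    admin=ComponentInfo{com.meraki.sm/com.meraki.sm.DeviceAdminReceiver}
    name=
    package=com.meraki.sm
  Device Owner User ID: 0'

# Constructed sample: a BYOD device where SM only owns the work profile.
SAMPLE_WP='Current Device Policy Manager state:
  Profile Owner (User 10): 
    admin=ComponentInfo{com.meraki.sm/com.meraki.sm.DeviceAdminReceiver}
    name=
    package=com.meraki.sm'

if [ "$1" = "--live" ]; then
    live_check
else
    printf '%s\n' "$SAMPLE_DO" | is_device_owner "$SM_PKG" \
        && echo "sample 1: $SM_PKG is Device Owner"
    printf '%s\n' "$SAMPLE_WP" | is_device_owner "$SM_PKG" \
        || echo "sample 2: work profile only, not Device Owner"
fi
```

Run it with `--live` against a USB-attached device that has USB debugging enabled; without arguments it exercises the two constructed samples so the parsing can be checked offline.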

Enable Device Restrictions

Device restrictions for AfW-enabled devices can be found under Systems Manager > MDM > Settings, underneath the "More Android" tile. This drawer expands into 4 separate sections: App permissions, Restrictions, Device Owner, and Kiosk Mode.


  • App permissions - This setting allows for custom application permissions. Examples include denying an application access to the device's contacts, saved payment methods, and even network access. Application permissions vary from app to app; a list of the relevant permissions can be fetched using the "Fetch permissions" button that appears once an app has been selected.
  • Restrictions - These are general settings that can apply to all devices using Android for Work, in both BYOD and Device Owner mode.
  • Device Owner - These are a special set of restrictions that can only be applied to Android devices provisioned in Device Owner mode.
  • Kiosk Mode - Kiosk mode allows an administrator to lock a device into a particular application. This can only be used with Android 6+ devices in Device Owner mode. See more info here.
  • App permissions are not to be confused with App Settings. More about App Settings for Android for Work devices can be found here.
  • The general Restrictions (not the ones found under More Android) only apply to KNOX devices using the older version of Systems Manager.

Installing Applications

Applications can be pushed silently to all AfW enabled devices in both BYOD and Device Owner mode for publicly listed Google Play Store apps, or custom .apk Android apps.

Play Store Apps

In order to push a Play Store app, it first needs to be added to the Apps page located at Systems Manager > MDM > Apps. Once added, it then needs to be approved for access in order for enrolled SM devices to download it. Free applications can be approved via the Meraki Dashboard, but paid applications need to be managed using the Google for Work Play Store.

For Google Managed Domains, log in to the Google for Work Play Store with an administrator account to approve applications and purchase licensing. For Meraki Managed domains, log in to the Google for Work Play Store using the email address that was bound to Dashboard on the Organization > MDM > Android for Work section.


Because it is possible to approve apps on both the Meraki Dashboard as well as the Google for Work Play Store some application approval discrepancies may arise. In order to resolve these, click Accounts > Sync Afw Apps in the Apps page.

Scoping

Once applications have been approved for an Android for Work organization, they need to be scoped to devices to appear in the device app store. Approved applications (scoped to devices via tags) will appear both in the Meraki Systems Manager app under "Managed Apps" and in the Play Store. Approved applications for the Work Play Store effectively create an allow list of the applications a device can download and use. Once pushed to a device, these applications install silently.

See this article for information on app configuration settings.

Apps that have been added into Dashboard but not approved may be listed in the Play Store, but will not be available to download until approved. 


Enterprise Applications

To upload custom .apk files to the managed Play for Work Store please follow this Google article.

Additionally, there is the option to distribute the .apk file directly through the Meraki Dashboard. In Systems Manager > MDM > Apps, click Add new > Android > Custom app. Fill in the fields as desired and either link to a URL where your .apk is hosted, or upload it directly to the Meraki Cloud.

See this article for information on app configuration settings.
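An .apk distributed through Dashboard or a hosted URL installs silently on every scoped device, so the build you upload should be checked against the signing certificate you expect before it goes in. The following is an added example, not Meraki's code: it parses the output of `apksigner verify --print-certs` (from the Android SDK build-tools) and compares the signer's SHA-256 digest with a pinned value. The digest line format follows apksigner's output; the pinned digest, DN and sample output are constructed placeholders, and `check_apk` is a hypothetical wrapper.

```shell
#!/bin/sh
# Added example (not Meraki's code): refuse to distribute an .apk unless
# signer #1 matches a pinned certificate digest. Sample output and the
# pinned digest are constructed placeholders.

# signer_sha256: read `apksigner verify --print-certs` output on stdin and
# print the SHA-256 digest of signer #1 (only the first signer is checked).
signer_sha256() {
    tr -d '\r' | awk '/^Signer #1 certificate SHA-256 digest:/ { print $NF; exit }'
}

# signer_matches EXPECTED: succeed only if signer #1's digest equals
# EXPECTED (case-insensitive, so a digest copied from keytool also works).
# An unsigned or unparseable APK yields no digest and therefore fails.
signer_matches() {
    got=$(signer_sha256 | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# check_apk APK EXPECTED (hypothetical wrapper): run apksigner on a real
# file; needs build-tools on PATH. Returns non-zero when the pin mismatches.
check_apk() {
    if apksigner verify --print-certs "$1" | signer_matches "$2"; then
        echo "OK: $1 is signed by the expected certificate"
    else
        echo "REFUSE: $1 signer does not match the pinned digest" >&2
        return 1
    fi
}

# Constructed placeholder pin and sample apksigner output.
PINNED_SHA256="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
SAMPLE_OUT='Signer #1 certificate DN: CN=Example Corp Release, O=Example Corp, C=US
Signer #1 certificate SHA-256 digest: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567
Signer #1 certificate MD5 digest: 0123456789abcdef0123456789abcdef'

if [ -n "$1" ]; then
    check_apk "$1" "$PINNED_SHA256"
else
    printf '%s\n' "$SAMPLE_OUT" | signer_matches "$PINNED_SHA256" \
        && echo "sample: signer matches pin"
fi
```

Pass the path of a real .apk as the first argument to check it against the pin; with no argument the script only exercises the constructed sample. Replace `PINNED_SHA256` with the digest of your own release certificate, obtained out of band from the team that signs the app, not from the APK being checked.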


Article ID

ID: 5681
