Home > Enterprise Mobility Management > Deployment Guides > Android Enterprise Deployment Guide (Android for Work)

Android Enterprise Deployment Guide (Android for Work)


This article provides deployment guidance for Android for Work (now called Android Enterprise) with Cisco Meraki's System Manager. Android for Work is a platform for devices running on the Google Android mobile operating system that allows IT to manage and secure business applications using a work-specific profile. Android for Work comes in two different types of deployments:

  1. BYOD or Managed Work Profile. In BYOD mode administrators only have control over work managed applications and settings. Systems Manager will containerize all corporate data and represent it using an orange badge icon. An administrator will have complete control over these applications, but have no visibility or control over personal applications on the device.
  2. Device Owner mode. In Device Owner mode administrators have complete control of the device. This type of deployment is primarily used on institutionally owned devices and include special features such as kiosk mode. (Device Owner mode can be thought of as the "Supervised" state for those familiar with iOS.)

For more info on the enrollment methods available, reference our article here.

Requirements for Android for Work can be found here: https://support.google.com/work/andr...answer/6174145

More information about Android for Work can be found here: https://www.android.com/work/ 

Deployment Considerations

There are 5 main stages in an Android for Work deployment on Systems Manager:

  1. Determine and Bind a Work Domain
  2. Enable Authentication as a part of Enrollment
  3. Enroll a Device
  4. Enable Device Restrictions
  5. Push Applications

Determine and Bind a Work Domain

There are two flavors of Android for Work (AfW), Google Managed and Meraki Managed:

  • Google Managed Domain - This is an Android for Work deployment that capitalizes on existing Google services. (If services such as Gmail, Google Calendar, Google Docs, etc. are being used, it is likely a Google Managed Domain.) This can be enabled in the Google Admin Console as a super administrator. Navigate to Security > Manage EMM provider for Android and copy the token. This will be entered in the first step of the process. Check the "Enforce EMM policies on Android Devices" to require SM be installed on the device in order to access Google services. 

If the free Android for Work subscription has not already been added to the Google Domain please reference the following article to enable it. The section that states "If you are a G Suite customer" provides more information about enabling the free subscription: https://support.google.com/work/andr.../6174046?hl=en


  • Meraki Managed Domain - If no Google services are currently being used, Meraki will created a Managed Domain for an Android for Work deployment. All that is needed is a Google supported administrative email address (e.g. any @gmail.com account). In Google documentation this is referred to as an Android for Work account (as these accounts can only be used for Android for Work).

More about this can be read here: https://support.google.com/googlepla..._topic=7042018

Google Managed Domain

To bind an existing Google Managed Domain navigate to Organization > MDM, enter the domain name, followed by the token copied from the Google Admin Console and click "Enroll Domain."


Meraki Managed Domain

To bind a Meraki Managed Domain navigate to Organization > MDM and click "Get signup URL".

Next click the URL generated that appears in step 2 and it will redirect to the "Bring Android to Work" page. Click through the form to complete and create a Meraki Managed account.

Once the "Complete Registration" button has been clicked, return to the Meraki Dashboard. Under Organization > MDM, there should now be a bound domain associated to the email used to complete the "Bring Android to Work" page.

Enable Authentication as a part of Enrollment

Adding authentication is a necessary step in order to associate a user to the Android for Work profile placed onto a device. To enable authentication in Systems Manager, navigate to Systems Manager > General and select an option in the section labeled User authentication settings.
If a Google Managed Domain was used please leave the drop down as disabled. SM will automatically authenticate (via O-auth) against the associated domain. However if a Meraki Managed Domain was used, please select "Managed: User Meraki hosted accounts." If no user accounts have been created, click on the Configure Meraki hosted user, after clicking Save. The username and password entered as a Meraki Owner is what SM will authenticate against.

Enrolling a Device

As mentioned earlier there are two ways to deploy Android for work: BYOD mode or Device Owner mode. Each of these modes have a slightly different enrollment paths detailed below:

Google requires that Android 5.0+ devices be encrypted when using AfW. This is important for both general device security as well as application specific data security. More about it can be read here: https://support.google.com/a/answer/6178111?hl=en

BYOD Enrollment

Enrolling a BYOD device into Systems Manager is a simple 2-step process: 

  1. Install the Systems Manager app - This can be done two ways. Using a Google Managed domain, simply add the account and it will prompt the user to install the SM app. Alternatively, a Meraki Managed domain can download the SM app from the Google Play Store. The app can be found here: https://play.google.com/store/apps/d...=com.meraki.sm. Regardless of the domain type, once the app is installed follow the steps provided on the device to complete enrollment.

  2. Sign in / Authenticate - When the app is opened two options will appear: Google and Meraki. These refer to the domain types that were bound to Dashboard. If Google is selected it will prompt the user to login with their Google credentials and automatically enroll in the correct Dashboard network. If Meraki is chosen it will prompt to enter a enrollment code (this can be found in Dashboard under Systems Manager > MDM > Add Devices > Android Tab) and subsequently ask for a username and password. Once authenticated, the device will inform the user that a work profile is being setup and then uninstall the Meraki app. This is normal and is to make sure that SM will only operate within the work container, and not the entire device. The app will go through a quick loading screen and will be setup for Android for Work. A successful BYOD enrollment will result in icons on the device with an orange badge or a "Work" folder being created on the device home screen. To control which badged apps are provisioned, see the below section. A sample of the screens are show below:



Device Owner Enrollment

Device Owner mode is designed for institutionally owned devices and follows a similar process to BYOD, however everything is done in 1 step after a factory reset of the device. This step behaves slightly different depending on if a Google Managed or Meraki Managed domain is bound to Dashboard.

Device Owner mode can only be enabled after the factory reset of a device.


If you have a Lollipop device (Android 5.0+) please reference this article for how to enable device owner mode. 


  • Google Managed - After factory reset, follow the steps on screen until prompted for a Google Account and simply sign in with an account the belongs to the bound Google Domain. This will prompt the installation of the SM app and automatically enroll the device in Dashboard.




  • Meraki Managed - After factory reset follow the steps on screen until prompted for a Google Account. Do NOT skip this step or enter an account but instead enter afw#meraki. This will install the SM app on the device. Next tap on the "Enroll" and either enter the network ID or scan a QR code to associate to a Dashboard network. The app will prompt for authentication and once verified will finish installing on the device.




As shown in the last image, enabling Device Owner mode removes all non-essential apps from the device.

Controlling System Apps

To customize which default Android apps are provisioned into Device Owner mode, or in the managed work profile, see the Controlling Android System Apps article.

Verifying Enrollment

To verify whether a client device is enrolled, check the client page by navigating to Systems Manager > Monitor > Clients. Select the client from the list and check the Management section in the left-hand column near the top of the client details page. If the organization is successfully enrolled/synced, there will be a field called Android for Work Account. If the device is enrolled in android for work, it will say Yes. If this field does not exist, then it is likely that the organization is not enrolled in Android for Work correctly yet.



Enable Device Restrictions

Device restriction for AfW-enabled devices can be found under Systems Manager > MDM > Settings underneath the "More Android" tile. This drawer expands into 4 separate sections: App permissions, Restrictions, Device Owner, Kiosk Mode.


  • App permissions  - This setting allows for custom application permissions. Examples include denying an application access to the device's contacts, saved payments methods and even network access. Application permissions vary app to app and a list of relevant permissions can be found using the "Fetch permissions" button that appears once an app has been selected.
  • Restrictions - These are general settings that can apply to all devices using Android for Work, both BYOD and Device Owner mode.

  • Device Owner - These are a special set of restriction that can only be applied to Android devices that are provisioned in Device Owner mode.
  • Kiosk Mode - Kiosk mode allows an administrator to lock a device into a particular application. This can only be used with Android 6+ devices in Device Owner mode.
  • App permissions are not to be confused with App Settings. More about App Settings for Android for Work devices can be found here.
  • The general Restrictions (not the one found under More Android) only apply to KNOX devices using the older version of Systems Manager.

Push Applications

Applications can now be pushed silently to all AfW enabled devices in both BYOD and Device Owner mode. Setting up silent application push involves 2 steps:

  • App Addition and Approval - In order to push an application it first needs to be added to the Apps page located at Systems Manager > MDM > Apps. Once an application is added, it then needs to be approved. Free applications can be approved via the Meraki Dashboard, however paid applications need to be managed using the Google for Work Play Store. For Google Managed Domains log in to the Google for Work Play Store with an administrator account to approve applications and purchase licensing. For Meraki Managed domains, log in to the Google for Work Play Store using the email address that was bound to Dashboard on the Organization > MDM > Android for Work section.




Because it is possible to approve apps on both the Meraki Dashboard as well as the Google for Work Play Store some application approval discrepancies may arise. In order to solve these, click the Sync Apps button located on the Systems Manager > MDM > Apps page.


  • Scoping - Once applications have been approved for an Android for Work organization they need to be scoped to devices to appear on the Device app store. Approved applications (which have been scoped to devices via tags) will appear in both the Meraki Systems Manager App under "Managed Apps" as well as in the Play Store. Approved applications for the Work Play Store essentially create a white list of applications a device can download and use. Once pushed to a device, these applications will silently install.



Enterprise Applications

To upload custom .apk files to the Play for Work Store please follow this Google article: https://support.google.com/googlepla.../2623322?hl=en






You must to post a comment.
Last modified
15:18, 20 Sep 2017



This page has no classifications.

Article ID

ID: 5681

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case

Ask the Community

In the Meraki Community, you can find answers provided by fellow Meraki users and ask questions of your own.

Visit the Community