This article provides deployment guidance for Android for Work with Cisco Meraki's Systems Manager. Android for Work is a platform for devices running the Google Android mobile operating system that allows IT to manage and secure business applications using a work-specific profile. Android for Work comes in two different types of deployments: BYOD mode and Device Owner mode.
Requirements for Android for Work can be found here: https://support.google.com/work/andr...answer/6174145
More information about Android for Work can be found here: https://www.android.com/work/
There are 5 main stages in an Android for Work deployment on Systems Manager:
There are two flavors of Android for Work (AfW), Google Managed and Meraki Managed:
If the free Android for Work subscription has not already been added to the Google Domain, refer to the following article to enable it. The section that states "If you are a G Suite customer" provides more information about enabling the free subscription: https://support.google.com/work/andr.../6174046?hl=en
More about this can be read here: https://support.google.com/googlepla..._topic=7042018
To bind an existing Google Managed Domain, navigate to Organization > MDM, enter the domain name followed by the token copied from the Google Admin Console, and click "Enroll Domain."
To bind a Meraki Managed Domain, navigate to Organization > MDM and click "Get signup URL".
Next, click the generated URL that appears in step 2; it will redirect to the "Bring Android to Work" page. Click through the form to complete it and create a Meraki Managed account.
Once the "Complete Registration" button has been clicked, return to the Meraki Dashboard. Under Organization > MDM, there should now be a bound domain associated with the email used to complete the "Bring Android to Work" page.
Adding authentication is a necessary step in order to associate a user with the Android for Work profile placed onto a device. To enable authentication in Systems Manager, navigate to Systems Manager > General and select an option in the section labeled User authentication settings.
If a Google Managed Domain was used, leave the drop-down as disabled. SM will automatically authenticate (via OAuth) against the associated domain. However, if a Meraki Managed Domain was used, select "Managed: User Meraki hosted accounts." If no user accounts have been created, click on the Configure Meraki hosted user after clicking Save. The username and password entered as a Meraki Owner are what SM will authenticate against.
As mentioned earlier, there are two ways to deploy Android for Work: BYOD mode or Device Owner mode. Each of these modes has a slightly different enrollment path, detailed below:
Google requires that Android 5.0+ devices be encrypted when using AfW. This is important for both general device security and application-specific data security. More about it can be read here: https://support.google.com/a/answer/6178111?hl=en
Enrolling a BYOD device into Systems Manager is a simple 2-step process:
Install the Systems Manager app - This can be done in two ways. With a Google Managed domain, simply add the account and it will prompt the user to install the SM app. Alternatively, with a Meraki Managed domain, the SM app can be downloaded from the Google Play Store. The app can be found here: https://play.google.com/store/apps/d...=com.meraki.sm. Regardless of the domain type, once the app is installed, follow the steps provided on the device to complete enrollment.
Device Owner mode is designed for institutionally owned devices and follows a similar process to BYOD; however, everything is done in 1 step after a factory reset of the device. This step behaves slightly differently depending on whether a Google Managed or Meraki Managed domain is bound to Dashboard.
Device Owner mode can only be enabled after the factory reset of a device.
If you have a Lollipop device (Android 5.0+), please refer to this article for how to enable Device Owner mode.
As shown in the last image, enabling Device Owner mode removes all non-essential apps from the device.
Device restrictions for AfW-enabled devices can be found under Systems Manager > MDM > Settings underneath the "More Android" tile. This drawer expands into 4 separate sections: App permissions, Restrictions, Device Owner, and Kiosk Mode.
Restrictions - These are general settings that can apply to all devices using Android for Work, both BYOD and Device Owner mode.
Applications can now be pushed silently to all AfW-enabled devices in both BYOD and Device Owner mode. Setting up silent application push involves 2 steps:
Because it is possible to approve apps on both the Meraki Dashboard and the Google for Work Play Store, some application approval discrepancies may arise. To resolve these, click the Sync Apps button located on the Systems Manager > MDM > Apps page.
To upload custom .apk files to the Work Play Store, please follow this Google article: https://support.google.com/googlepla.../2623322?hl=en