Android Enrollment
Overview
Systems Manager offers multiple ways of enrolling and managing Android devices depending on your use case: Android Enterprise (formerly named Android for Work) work profile mode, device owner mode, COSU (kiosk) mode, and Samsung KNOX. The following lists a few common scenarios and the preferred form of enrollment:
- Enable employees to bring Android devices to work and access corporate apps and content: Android Enterprise work profile mode
- Deploy and manage corporate-owned Android devices: Android Enterprise device owner mode
- Deploy and manage single purpose Android devices: Android Enterprise device owner mode (with kiosk mode)
Because KNOX-enrolled devices support a different EMM feature set with Systems Manager, Samsung KNOX enrollment is only recommended for managing single-purpose Samsung devices on Android 5.0 and earlier, or for deploying email settings specifically with ActiveSync.
This guide details the key differences between the supported enrollment states. Read our Android deployment guide for more information on Android Enterprise. Legacy enrollment instructions for Android 4.4 devices can be found in the Dashboard 'Add devices' page, but legacy enrollment does not support any of the Android Enterprise functionality detailed below.
Deployment Considerations
Each Android device can only be enrolled through ONE of the following methods, which is important to keep in mind if your organization has newer Samsung models that support both KNOX and AfW. Note that while each device is only enrolled in one way, your overall Dashboard can support configurations for all three at any time - enrolling one device with a work profile does not keep you from enrolling another through device owner mode.
Feature Comparison
The table below highlights the primary differences between the deployment methods. Note that this is not a comprehensive list of all available Systems Manager features on Android. Android 4 devices that do not support AfW or KNOX can still enroll into Systems Manager for a few features like wireless configuration, but will not support most of the features below.
Feature | Samsung KNOX | Work profile (BYOD) | Device Owner |
App installs | Will prompt the end user for confirmation | Silent installs to the container | Silent installs to the whole device |
App restrictions | Block apps from being downloaded, does not affect installed apps | Allow apps within container, users can still use personal Play Store | Only basic system apps installed by default, allow only for all other apps |
Kiosk mode | Single app mode | Unsupported | Multi-app kiosk mode, custom app support, code unlocking, update windowing (Android 6+) |
Email configurations | ActiveSync | Managed app settings (Gmail) | Managed app settings (Gmail) |
Other restrictions* | Permissions blocked, screen lock features | App permissions, screen lock features, ADB access, cross-profile copy paste, app uninstallations within container, etc. | App permissions, screen lock features, ADB access, cross-profile copy paste, app uninstallations within container, etc. |
Device owner-specific* | N/A | N/A | Disable keyguard, screen capture, volume control, factory reset, account modification, Wi-Fi configuration, data roaming, SMS, USB file transfer, tethering/hotspotting, etc. |
*Review the payloads under Systems Manager > Settings and filter for Android to see the full list of settings available. Configurations that require Device Owner mode will be indicated as such.
Device Owner Mode
Android Enterprise device owner mode provides the most EMM functionality for company or school-owned devices, granting Dashboard admins control over all app installations, kiosk mode, and several additional restrictions. It is important to note that enrolling into DO mode will encrypt the entire device and require a factory reset, as device owner setup takes place during initial device setup.
Kiosk Mode
Deploying a device in kiosk mode, which locks it into only using one or more specific applications, will require enrolling into device owner mode, and then installing a configuration profile with the kiosk mode payload.
Work Profile BYOD
Work profile mode is recommended for BYOD or other devices that need to be managed, but without granting MDM control over personal applications and data. It enables much of the same functionality, but creates an encrypted, managed work container within the device, instead of managing the whole device. The container creates an automatic separation between work and personal data and apps.
As an example, Systems Manager can limit what apps can be installed or access data in the container, while leaving the user free to use personal apps outside of the container. Devices can be enrolled at any time, and will not require factory resets.
KNOX
KNOX is recommended for only a few specific Samsung deployment scenarios:
- You require kiosk mode on Android 5 devices, and cannot upgrade the operating system to a later version. Device owner kiosk mode is only supported on Android 6+.
- Your email configurations require ActiveSync and cannot be replicated with managed app settings through Gmail.
In all other cases, we suggest Android Enterprise for broader functionality support, and to future-proof your network as additional features and restrictions come out.
Enrollment
For a guided walkthrough of enrollment in Dashboard, navigate to Systems Manager > Manage > Add devices > Android. There are also detailed instructions for work profile and device owner enrollments for Android Enterprise here.
Note that device owner enrollments take place during the setup assistant, following a factory reset or upon initial bootup. Work profile and KNOX enrollments can be completed at any time through enroll.meraki.com, the SM Android app, Sentry Enrollment, or through SMS/email.
A KNOX-capable device that also supports AfW will by default enroll with KNOX. During the setup process, a window will prompt to provision a work profile. Selecting No will keep it as KNOX; selecting Yes will begin the AfW work profile enrollment process.
A work profile can also be installed on a KNOX-enrolled device later by clicking on 'Enable Managed Profile'.
Additional Enrollment Methods
SM Sentry Enrollment SSID
You can also use SM Sentry to force iOS, Android, Windows, and Mac devices to enroll in Systems Manager for an efficient mass deployment or BYOD. When enabled on a given SSID for a Cisco Meraki wireless AP, Sentry facilitates the secure and rapid onboarding and deployment of SM to mobile devices. For more information on Systems Manager Sentry enrollment, please visit the following page.
Other Options
You can also send Android device enrollment information to your users via email or SMS, by navigating to Systems Manager > Manage > Add devices > Android.
In situations where the Google Play Store is inaccessible, the latest version of the Android SM app can be downloaded at the following link: https://dl.meraki.net/androidsm/AndroidSM.apk