
Android Enrollment

Overview

Systems Manager offers multiple ways of enrolling and managing Android devices depending on your use case: Android Enterprise (formerly named Android for Work) work profile mode, device owner mode, COSU (kiosk) mode, and Samsung KNOX. The following list gives a few common scenarios and the preferred form of enrollment for each:

  • Enable employees to bring Android devices to work and access corporate apps and content: Android Enterprise work profile mode
  • Deploy and manage corporate-owned Android devices: Android Enterprise device owner mode
  • Deploy and manage single purpose Android devices: Android Enterprise device owner mode (with kiosk mode) 

Because KNOX-enrolled devices support a different EMM feature set with Systems Manager, Samsung KNOX enrollment is only recommended for managing single-purpose Samsung devices on Android 5.0 and earlier, or for deploying email settings specifically with ActiveSync.

This guide details the key differences between the supported enrollment states. Read our Android deployment guide for more information on Android Enterprise.

Deployment Considerations

Each Android device can be enrolled through only ONE of the following methods, which is important to keep in mind if your organization has newer Samsung models that support both KNOX and Android for Work (AfW). Note that while each device is enrolled in only one way, your overall Dashboard can support configurations for all three at any time: enrolling one device with a work profile does not keep you from enrolling another through device owner mode.

Feature Comparison

The table below highlights the primary differences between the deployment methods. Note that this is not a comprehensive list of all available Systems Manager features on Android. Android 4 devices that do not support AfW or KNOX can still enroll into Systems Manager for a few features like wireless configuration, but will not support most of the features below.

| Feature | Samsung KNOX | Work profile (BYOD) | Device Owner |
| --- | --- | --- | --- |
| App installs | Will prompt the end user for confirmation | Silent installs to the container | Silent installs to the whole device |
| App restrictions | Blacklist apps from being downloaded, does not affect installed apps | Whitelist apps within container, users can still use personal Play Store | Only basic system apps installed by default, whitelist only for all other apps |
| Kiosk mode | Single app mode | Unsupported | Multi-app kiosk mode, custom app support, code unlocking, update windowing (Android 6+) |
| Email configurations | ActiveSync | Managed app settings (Gmail) | Managed app settings (Gmail) |
| Other restrictions* | Permissions blacklist, screen lock features | App permissions, screen lock features, ADB access, cross-profile copy paste, app uninstallations within container, etc. | App permissions, screen lock features, ADB access, cross-profile copy paste, app uninstallations within container, etc. |
| Device owner-specific* | N/A | N/A | Disable keyguard, screen capture, volume control, factory reset, account modification, Wi-Fi configuration, data roaming, SMS, USB file transfer, tethering/hotspotting, etc. |

*Review the payloads under Systems manager > Settings > Add settings > More Android to see the full list of settings available.

Device Owner Mode

Android Enterprise device owner (DO) mode provides the most EMM functionality for company or school-owned devices, granting Dashboard admins control over all app installations, kiosk mode, and several additional restrictions. It is important to note that enrolling into DO mode will encrypt the entire device and requires a factory reset, as device owner setup takes place during initial device setup.

Kiosk Mode

Deploying a device in kiosk mode, which locks it into using only one or more specific applications, requires enrolling into device owner mode and then installing a configuration profile with the kiosk mode payload, under MDM > Settings > Add settings > More Android.

Work Profile BYOD

Work profile mode is recommended for BYOD or other devices that need to be managed, but without granting MDM control to personal applications and data. It enables much of the same functionality, but creates an encrypted, managed work container within the device, instead of managing the whole device. The container creates an automatic separation between work and personal data and apps.

For example, Systems Manager can limit which apps can be installed or access data in the container, while leaving the user free to use personal apps outside of the container. Devices can be enrolled at any time, and will not require factory resets.

KNOX

KNOX is recommended for only a few specific Samsung deployment scenarios:

  1. You require kiosk mode on Android 5 devices, and cannot upgrade the operating system to a later version. Device owner kiosk mode is only supported on Android 6+.
  2. Your email configurations require ActiveSync and cannot be replicated with managed app settings through Gmail.

In all other cases, we suggest Android for Work, which supports broader functionality and future-proofs your network as additional features and restrictions come out.

Enrollment

For a guided walkthrough of enrollment in Dashboard, navigate to Systems manager > MDM > Add devices > Android. There are also detailed instructions for work profile and device owner enrollments for Android Enterprise here.

 

Note that device owner enrollments take place during the setup assistant, following a factory reset or upon initial bootup. Work profile and KNOX enrollments can be completed at any time through m.meraki.com, the SM Android app, Sentry Enrollment, or through SMS/email.

 

A KNOX-capable device that also supports AfW will by default enroll with KNOX. During the setup process, a window will prompt to provision a work profile. Selecting No will keep it as KNOX; selecting Yes will begin the AfW work profile enrollment process.

 

A work profile can also be installed on a KNOX-enrolled device later by clicking on 'Enable Managed Profile'.

Additional Enrollment Methods

SM Sentry Enrollment SSID

You can also use SM Sentry to force iOS, Android, Windows, and Mac devices to enroll in Systems Manager for an efficient mass deployment or BYOD. When enabled on a given SSID for a Cisco Meraki wireless AP, Sentry facilitates the secure and rapid onboarding and deployment of SM to mobile devices. For more information on Systems Manager Sentry enrollment, please visit the following page.

Other Options

You can also send Android device enrollment information to your users via email or SMS, by navigating to MDM > Add devices (Return to the old look) > Android. This method allows you to pre-configure a tag to be applied upon registration.

Last modified
15:26, 26 May 2017


Article ID

ID: 4275
