Android Enterprise Integration
Android Enterprise
Android Enterprise is a Google-led initiative to enable the use of Android devices and apps in the workplace. The integration of Android Enterprise into Matrix42 Silverback enables you to enroll, configure and manage private and corporate-owned Android devices, including the provisioning and configuration of applications. This guide begins with an overview of the advantages, nuances, and key terms of Android Enterprise, followed by the integration steps and the enrollment options, application management and a description of the deployment programs for the automation of certain processes. We recommend going through this guide step by step in order to internalize the various steps bit by bit.
Benefits
Android Enterprise offers the benefits listed below. Later in this document you will also find an overview with further descriptions of some of the key terms of Android Enterprise that are mentioned in the benefits:
Simple Integration
- The integration of Android Enterprise works with any Google account that is not a G Suite account and is a matter of minutes
- Starting from 13.06.2024, the creation and integration via Google Workspace accounts will also be available
For corporate owned devices
- A fully locked-down mode for complete corporate ownership with optional personal account creation
- Various methods of device provisioning such as via QR codes, NFC tags, deployment programs or barcodes created with StageNow
- Utilization of deployment programs for automation, where devices receive their corporate configuration during the out-of-the-box experience
- Managed Play offers a corporate Google Play portal for users, which can contain only Administrator approved applications
- Managed configurations offer an easy configuration schema for Administrator approved applications
- Zero Day support for device configurations provided by manufacturers through OEM Configuration applications
- A single application mode for kiosk-like applications, designed for corporate-owned, single-use devices (COSU)
- Silent application installations without the need for personal Gmail accounts
- Configuration of extensive security settings and handling of operating system updates.
For personal owned devices
- Ability to create a dedicated corporate workspace container on a personally used device
- Adding a work profile to Google Play, which can contain only Administrator approved applications for enterprises
- Application installation inside the corporate workspace
- Managed configurations offer an easy configuration schema for Administrator approved applications
- Zero Day support for device configurations provided by manufacturers through OEM Configuration applications.
Before you start
Before you start with the integration, we would like to give you a brief overview of the different facets of Android Enterprise. The Android Enterprise variant described in this guide is based on the Google Play EMM API, which enables and executes Android device management via a client application, in our case the Matrix42 Companion application. With the evolution of Android Enterprise, Google has introduced a newer management option that utilizes a built-in client with the Android Management API, which is a cloud-only service that we provide to cloud customers. The main difference between the two is that management via the Matrix42 Companion application is the more mature option and is available both on-premises and in the cloud. With cloud-only and clientless management via the built-in client and the Android Management API, the standard management options are available, plus the additional ownership option where corporate-owned devices can be provisioned with a work profile, which combines the two management methods available via the Matrix42 Companion with the Google Play EMM API. The main disadvantages of administration via the Android Management API are, for example, that it is not yet possible to distribute client certificates and that devices cannot be assigned to a particular user. This information should help you to make the right choice for you; if you are a cloud customer, please note that you can run both variants in parallel in Silverback. For additional information, refer to Manage Android Enterprise with Android Management API. To proceed, review the key terms described below, which apply to both the Play EMM API and the Android Management API.
Key Terms
These key terms are associated with Android Enterprise and will help you to understand how the configuration works with Silverback and how to configure the deployment settings.
DPC Identifier Enrollment
When a user starts a new or reset device for the first time and thus begins the out-of-the-box experience with the Android Setup wizard, they will reach the point in the process where a Google account can be added, unless the device has been added to one of the possible deployment programs. At this point, the setup can be directed into two different processes. For personal devices, if a user enters a personal Google account in the username field, the standard Android setup wizard begins to set up the device as a regular personal device, which can afterwards be equipped with a Work Profile to give the user access to business resources. For company-owned devices, a user or administrator can immediately start enrolling the device as a company-owned device here: a DPC identifier is entered in the username field, which for Matrix42 and Silverback is the DPC identifier afw#matrix42. After entering this identifier and proceeding, the setup directs the user to download the Matrix42 Companion application, which is used to authenticate and complete the Silverback enrollment process. These company-owned devices are marked and handled in Silverback as Device Owner devices. All enrollments performed from the out-of-the-box experience, including those described below, set the devices up as corporate-owned devices.
Advanced QR-Code Provisioning
The Advanced QR-Code provisioning method enrolls corporate-owned devices into the Android Enterprise Device Owner Mode by scanning a QR-Code during the initial device setup. Administrators create the QR codes and either send them to their end users or use them themselves to provision devices by scanning the codes. Administrators or users can tap the Welcome screen six times in the same spot to launch the QR code setup wizard. The QR-Code contains either Wi-Fi credentials or a flag to use mobile data, and it either provisions the device automatically or lets the user start at the Self-Service Portal.
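To make the contents of such a QR code concrete, the following is an added example (not Silverback's own code; Silverback generates the real code for you). It assembles the JSON object that Android's setup wizard expects, using the provisioning extras Android documents for this purpose. The component name, download URL, signing certificate and Wi-Fi values are constructed placeholders, not Matrix42's real identifiers. Two points matter to a practitioner: the signature checksum pins the downloaded client to its expected signer, so the device will not install a substituted DPC, and the Wi-Fi password is embedded in plaintext in the QR image, so a printed or mailed code must be handled as a credential.

```python
import base64
import hashlib
import json
from typing import Optional

# Provisioning extras defined by Android's managed provisioning API.
# The key names are real; every *value* used further down is a constructed
# placeholder, not Matrix42's real package name, URL or certificate.
COMPONENT = "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
DOWNLOAD = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
SIG_CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM"
WIFI_SSID = "android.app.extra.PROVISIONING_WIFI_SSID"
WIFI_SECURITY = "android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE"
WIFI_PASSWORD = "android.app.extra.PROVISIONING_WIFI_PASSWORD"
USE_MOBILE_DATA = "android.app.extra.PROVISIONING_USE_MOBILE_DATA"
ADMIN_EXTRAS = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"

WIFI_SECURITY_TYPES = {"NONE", "WPA", "WEP", "EAP"}


def signature_checksum(signing_cert_der: bytes) -> str:
    """SHA-256 of the DPC's APK signing certificate, URL-safe base64 without
    padding: the encoding Android expects for the signature checksum extra.
    The device refuses a downloaded DPC whose signer does not match, which is
    what stops a tampered or substituted client from becoming device owner."""
    digest = hashlib.sha256(signing_cert_der).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def build_payload(component: str, download_url: str, signing_cert_der: bytes, *,
                  wifi: Optional[dict] = None, use_mobile_data: bool = False,
                  admin_extras: Optional[dict] = None) -> dict:
    """Assemble the JSON object that is encoded into the provisioning QR code."""
    payload = {
        COMPONENT: component,
        DOWNLOAD: download_url,
        SIG_CHECKSUM: signature_checksum(signing_cert_der),
    }
    if wifi:
        payload[WIFI_SSID] = wifi["ssid"]
        payload[WIFI_SECURITY] = wifi.get("security", "NONE")
        if "password" in wifi:
            payload[WIFI_PASSWORD] = wifi["password"]
    if use_mobile_data:
        payload[USE_MOBILE_DATA] = True
    if admin_extras:
        # Key/value pairs handed to the DPC once it is device owner; an EMM can
        # use them to carry values such as its server URL (assumed usage here).
        payload[ADMIN_EXTRAS] = dict(admin_extras)
    return payload


def validate(payload: dict) -> list:
    """Return the problems an administrator should fix before printing the code."""
    errors = []
    for key in (COMPONENT, DOWNLOAD, SIG_CHECKSUM):
        if key not in payload:
            errors.append(f"missing required extra {key}")
    if "/" not in payload.get(COMPONENT, ""):
        errors.append("component name must be 'package/receiver-class'")
    if not payload.get(DOWNLOAD, "").startswith("https://"):
        errors.append("DPC download location should use https, not plaintext http")
    if WIFI_SSID not in payload and not payload.get(USE_MOBILE_DATA):
        errors.append("no connectivity: supply Wi-Fi credentials or set use_mobile_data")
    if WIFI_SSID in payload:
        security = payload.get(WIFI_SECURITY, "NONE")
        if security not in WIFI_SECURITY_TYPES:
            errors.append(f"unknown Wi-Fi security type {security!r}")
        elif security != "NONE" and WIFI_PASSWORD not in payload:
            errors.append(f"Wi-Fi security {security} requires a password")
    return errors


def to_qr_json(payload: dict) -> str:
    """The exact text a QR generator would encode."""
    return json.dumps(payload, indent=2, sort_keys=True)


# Constructed sample values (placeholders, not real Matrix42 identifiers).
SAMPLE_CERT_DER = b"constructed-placeholder-for-the-DPC-signing-certificate-DER"
SAMPLE_COMPONENT = "com.example.companion/com.example.companion.AdminReceiver"
SAMPLE_DOWNLOAD = "https://mdm.example.test/companion.apk"


def sample_payload() -> dict:
    return build_payload(
        SAMPLE_COMPONENT, SAMPLE_DOWNLOAD, SAMPLE_CERT_DER,
        wifi={"ssid": "corp-onboarding", "security": "WPA", "password": "constructed-psk"},
        admin_extras={"serverUrl": "https://mdm.example.test"},
    )


if __name__ == "__main__":
    payload = sample_payload()
    print("\n".join(validate(payload)) or "payload OK")
    print(to_qr_json(payload))
```

Run it once to see the JSON a QR generator would encode; the `validate` checks mirror what goes wrong most often in practice (an http download location, no connectivity source, or a secured SSID without its password), and the checksum helper is the same digest-and-encode step that Android's documentation describes for the signature checksum, applied here to a constructed byte string rather than a real certificate.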
NFC Enrollment
With Android Enterprise, provisioning devices via NFC tags is a very efficient and simple method. As the administrator, you only need to write a few configuration values to an NFC tag, and you or your users can then start and complete the enrollment process in the management system by tapping the NFC tag when the device is started for the first time. For additional information, please refer to Enroll Android Enterprise Devices with NFC Tags.
Zero-Touch Enrollment
Zero-touch enrollment (ZTE) is a streamlined process for provisioning Android devices for enterprise management. Zero-touch makes it simple to configure corporate devices online and have them shipped with enforced management so employees can open the box and get started. When devices are added to Zero-touch, users will see during the out-of-the-box experience that the device belongs to an organization. Depending on the configuration, devices are either added to management automatically, users start with the self-service enrollment process, or users scan the QR-Code provided to them to finish the enrollment process.
Knox Mobile Enrollment
As an alternative to Zero Touch Enrollment, Samsung offers Knox Mobile Enrollment (KME). Knox Mobile Enrollment streamlines the initial setup and enrollment of Samsung corporate devices. The procedure is similar to Zero Touch Enrollment: administrators create configuration profiles, which are applied to devices during the out-of-the-box experience and determine the enrollment options and experience for users.
Device Owner
When enrolling devices with the DPC Identifier Enrollment, Advanced QR-Code, NFC, Zero-Touch or Knox Mobile Enrollment and entering (manually or automatically) afw#matrix42 during the setup, the Matrix42 Companion application is downloaded and automatically set as device owner during the setup process. It then manages the entire device and sets it up as a corporate-owned (and fully managed) device. A device owner can only be activated during the out-of-the-box experience, and with it active you gain more management capabilities. Within the Silverback Management Console, these devices are handled and visible as device owner devices in several areas.
Work Profile
Work Profiles are intended for personally owned devices and can be configured in Silverback inside any Tag. They are designed for "Bring your own device" and "Corporate-Owned, Personally Enabled" scenarios and create a dedicated corporate workspace on a personally owned device or on a corporate-owned device that is set up as a personal device. This dedicated corporate workspace is created as a work profile that is stored entirely separately and separately encrypted on disk. It also uses completely different encryption keys for the work and personal areas and integrates directly with the current user on the device in order to provide both personal and work applications in the same app drawer – work apps are indicated by a briefcase.
Managed Account
Instead of using a personal Gmail account for Google services such as Google Play, a managed account can be distributed to corporate and personal devices. This account is created and assigned to the user's device by the mobile device management system. For corporate-owned devices, the Managed Account should be configured in a Tag with the Device Owner's Auto Population option set to Yes. This ensures that each corporate-owned device that is enrolled during the out-of-the-box experience is equipped with a Managed Account that can be used for multiple Google services, such as Managed Play. If this account isn't provisioned, some Google services won't be accessible and users will see a notification in the notification bar. For personal devices, the managed account is automatically distributed with the Work Profile. To automate the process of assigning a Work Profile and a Managed account, create a Tag, enable the Work Profile, and enable the Auto Population for personal devices so that when users select personal ownership in the self-service portal, the configuration is automatically applied and devices receive a tag configuration with a Work Profile enabled that includes the Managed Account.
Managed Play
Managed Play is simply the managed Google Play store on managed Android Enterprise devices and is the central point where users can download Administrator approved applications. When a Managed Account is added to corporate or personal devices, the Managed Google Play store uses this account for downloading administrator approved applications. If a personal account is set up on the device, users can switch inside the Google Play application between the personal Google Play and the Managed Play section. On device owner (corporate) enrolled devices, Administrators can prevent users from manually adding accounts to the device, which prevents the use of personal Google accounts on those devices.
Managed Configuration
On Android Enterprise, Google offers application developers a framework to expose application configuration options to Mobile Device Management systems in an easy and streamlined way. With that, Administrators can easily query, display, and configure the available configurations for Managed Play apps through the Management Console. This is the go-to approach for all application configuration on managed devices with Android Enterprise.
COSU
The COSU (Corporate-Owned, Single-Use) solution set is designed for corporate-owned devices that fulfill a single use case, such as digital signage, ticket printing, or inventory management. This allows administrators to further lock down the usage of a device to a single app or small set of apps, and prevents users from enabling other apps or performing other actions on the device. COSU Mode is applicable for devices configured in the Device Owner Mode.
OEM Configuration
OEM Configuration is a feature, or rather a paradigm, of how the management of Android devices will evolve in the future. Looking back at the history of Android management, Android offered a set of useful and enterprise-ready controls, and every manufacturer had to find its own enterprise strategy and thus its own management APIs. On top of the well-working Android Enterprise management platform, Google and device manufacturers are now building new capabilities to make device management easy to adopt. In a nutshell, device manufacturers provide their management APIs through separate applications, and you as an Administrator can configure these applications in Silverback. For an overview of commonly known OEM Configuration applications, please refer to Overview of OEMConfig apps.
Knox Service Plugin
The Knox Service Plugin (KSP) is a good example of how device manufacturers are leveraging OEM Configuration with a solution that makes Knox Platform for Enterprise features usable as soon as they are commercially available. You as an Administrator can use the Knox Service Plugin to enable a wide range of Knox management features with Knox Platform for Enterprise policies on your managed devices. This deployment method ensures that you can use the latest Knox features on the day they are launched. Refer to the official Knox Service Plugin Administrator Guide and Android Enterprise VII: Knox Service Plugin for additional information.