Manage Android Enterprise with Android Management API

Requirements

• Silverback 23.0 Update 2 SaaS
• A Gmail account that's not already associated with an enterprise

Device Ownerships

Google offers different device ownerships that provide different features and functionality. The Device Ownership for a device is defined during the enrollment, and later in this guide in the Policy Management  section you will find the option to define policies for each ownership and instructions on how to enroll devices with the desired device ownership. An overview of the different types of Device Ownership can be found in the table below. 

Before you start

Before you start, here are a few things to keep in mind:

• A device can only be assigned to one policy, and policy switching is not supported..
• Use a persona model to create and configure policies and enroll your devices.
• For corporate-owned devices, the serial number is the only unique identifier for a device.
• For personally owned devices, the company-specific ID is the only unique identifier for a device.
• Users and devices have a randomized user name and device name. Therefore, it is not currently possible to use individual usernames to configure mail clients.
• System variables are not currently supported for managed configurations.
• Adding visibility flags, assigning labels to the device, and changing the ownership of a device after enrollment are not supported.
• Policies can only be deleted if there are no devices associated with the policy.
• Policies cannot be named Default and cannot be renamed after they are created.
• Do not use # / \ symbols in policy names or use exceptionally long names
• Devices that have been manually reset to factory settings by the user or if the user manually deletes the work profile remain unchanged in the Android Management API and Management Console. Review the Additional Information section for more information.

Create your Enterprise

To activate and integrate the Android Management API, you will need a (non-GSuite) Gmail account that is not already associated with an Enterprise. During the process, you will be taken to the Android Enterprise activation page. Once you have successfully signed in with your Google account, follow the instructions to create your business with Google. You will then be redirected to Silverback to complete the integration process.

• Open to your Silverback Management Console
• Login as an Administrator
• Navigate to Admin
• Select Android Management
• Press Activate
• Confirm with OK
• Press Sign In
• Login with your non-GSuite Gmail account that is not already associated with an Enterprise
• Select Get started
• Enter a Domain name or Business name e.g, Imagoverum
• Press Next
• Enter your contact details for your Data Protection Officer and the EU Representative or skip the step for now as these details can be added later
• Enable the I have read and agree to the Managed Google Play agreement checkbox.
• Press Confirm
• Click Complete Registration to be redirected to the Silverback Management Console
• At this point a Sign-up URL and and Enterprise Token is created for Silverback
• Now leave everything as it is and press Save and Confirm with OK to complete the registration and to fetch all your Enterprise information in Silverback

Congratulations! Your Enterprise is now ready and you can choose what to do next:

• Update your Enterprise to add or update several organization related information
• Delete your Enterprise for testing purposes or 
• Proceed with adding your Applications

Update your Enterprise

After your Android Enterprise Integration with the Android Management API, you can adjust at any time several information for your Enterprise. If you are not already the Android Management Screen, login to your Management Console and navigate to Admin > Android Management.

• You can update your Enterprise Display Name that used to display to users in various places across Android Enterprise (e.g. on the Device Lockscreen).
• You can define a primary color to display in the device management app UI
  • Either by entering the color in the Hex format, e.g #000000 for black
  • Or by selecting the colored area to easily pick your color
• You can enter a primary contact email that will used to send important announcements related to managed Google Play
• And you can update your Data Protection Officer and EU Representative Contact Information if needed
• Press Save and confirm with OK to save your changes

Delete your Enterprise

Deleting your Android Enterprise automatically resets all company-owned devices to factory settings and removes the work profile from personal devices. Your applications and policies will also be irrevocably deleted. If you need to delete your Enterprise, you can do so by performing the following steps:

• Navigate to Admin
• Select Android Management
• Press Delete 
• Confirm the Deletion by entering your Enterprise ID
• Press OK
• Wait until the deletion is finished
• If you have followed the tutorial step by step, create again your Enterprise and/or proceed with integrating your applications

Add your OEM Configuration App

At this point, you can start with integration your OEM Configuration App or add any other app type that is described in the chapters below.

• Navigate to App Portal
• Select Android Enterprise
• Press New Application
• Press the search icon
• Search for an application, e.g. Knox Service Plugin
• Select your Application and confirm with Select
• Enter the Name to a user friendly Application (Optional)
• Now define your App Management options as a Template that will be used when you add the applications later into a Policy
• Press Save

Add additional Managed Play Apps

• Repeat the above mentioned steps again to add additional applications like Microsoft 365 Apps.

Add Web Apps

When you add an app into the App Portal and use the search icon, as you have already learned in the course, the Managed Google Play is displayed in the iFrame in each case. Here you have in the left side of the iFrame more functions like Web Apps, Private Apps, and Organize Apps. Web apps are Android apps that you create using a website address (URL), icon image, and title. For those who have been using Silverback for a while, the Web App features are the counterpart to the Web Clips you can distribute for other platforms. Web apps open in Google Chrome, so be sure to add Google Chrome as a Managed Play application in the App Portal if you plan to distribute Web apps. For more information, see the official Create Web Apps documentation provided by Google.

Add Enterprise Apps 

If you want to distribute enterprise applications (*.apk), Android Enterprise provides the ability to upload and distribute via the Managed Google Play iFrame as a Google Hosted Private App. To do this, click New Application in the App Portal and use the search icon to open the Managed Play iFrame. In the left tab, select Private Applications and upload your *.apk file. Afterwards you can add the application to the App Portal as a Managed Play application for distribution. For additional information, see the official Publish private apps from managed Play in your EMM console documentation. In case you receive the Error that the package name is already used by another application while uploading, get in touch with the application developer to use the option outlined in Add Enterprise Apps to Managed Google Play. This lets the app developer share the private app with your Enterprise ID through their Google Play Developer Console.

Organize apps into collections

When you have opened the Managed Play iFrame, you will find in the left tab the Organize Apps section. The Managed Google Play's Organize apps feature lets you group work apps into collections. Collections are displayed on the front page of the managed Play Store app, giving your users quick and easy access to the apps they need for work. You can use collections to organize apps into different categories. For example, you can create an Prodcutivity collection for frequently used apps, and an Collaboration collection for apps related to Microsoft Teams, Viva Engage, etc. In the managed Play Store app, each collection is displayed as a row of apps on the homepage. Users can identify collections by their title (Essentials or Expenses, for example), and can scroll horizontally to view all the apps in a collection. For more information, see the official Organize apps into collections documentation.

Create your Policy

• Navigate to Tags
• Press New Policy
• Review the Tooltip next to Name
• Now enter a unique Name for your Policy, e.g. Marketing Department 
• Enter a Description, e.g. Device Configuration for Marketing Department (optional)
• Enable Profile and Apps as Features
• Select your Device Ownership
• Press Save

Configure your Policy

In the first phase of implementing Android Management via the Android Management API, we focused on the main functions for creating your enterprise, device enrollment, device integration, and device actions, so the profile section currently offers only a selection of restrictions. Android Enterprise's approach is to include the OEM configuration from the hardware vendor for configuring devices. The OEM configuration provides almost all the options for configuring your devices for the specific deployment scenario. As an example, we will configure and deploy passcode settings and a Wi-Fi profile with the Knox Service Plugin. You can use this as a model and review the other OEM Configurations to perform such actions for Zebra devices, for example. Google does not offer an OEM configuration application and we will be adding more profiles as soon as possible in upcoming Silverback releases, so stay tuned. 

Add Additional Apps

• From the Apps Tab in the Policy, you can add now several addition apps from the App Portal
• Press again Assign More Apps
• Add your application(s)
• Activate the applications by pressing the edit button to configure your App Management options
• After you have added and configured all your desired Apps, it is time to enroll a device
• Proceed with Device Enrollment

Enrollments based on the Ownership

Add Features by creating a custom QR-Code

As mentioned above, we will gradually add more features for managing Android devices via the Android Management API. This includes some configuration options that can be provided with the QR code for device enrollments. To get you started right away, we will show you how to create a custom QR code with additional features.

• While having your current Policy opened, navigate to Enrollment
• Now scan the displayed Code with a QR-Code reader on a mobile devices to review the content
• Every barcode on the Android Management API contains the following minimum information:
  • Device Admin Component is the registered component to activate the Device Admin on the device
  • Device Admin Signature Checksum is corresponding checksum the Device Admin App
  • Package Download Location contains the Google Play link to the Device Policy Controller
  • Admin Extras contains the Enrollment Token for your policy
• In general, the content of your QR-Code looks like this:

{
"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":"com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":"I5YvS0O5hXY46mb01BlRjq4oJJGs2kuUcHvVkAPEXlg",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":"https://play.google.com/managed/downloadManagingApp?identifier=setup",
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN":"OTQGFQLNFYLWPLFKTJUEWUYB"}
}

• While comparing the available Extra Bundles from the official Google Documentation, you can add several options to your QR-Code as shown in the example below: 

{
"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":"com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":"I5YvS0O5hXY46mb01BlRjq4oJJGs2kuUcHvVkAPEXlg",
"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":"https://play.google.com/managed/downloadManagingApp?identifier=setup",
"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED": true,
"android.app.extra.PROVISIONING_USE_MOBILE_DATA": false,
"android.app.extra.PROVISIONING_LOCALE": "en_us",
"android.app.extra.PROVISIONING_WIFI_SSID": "Imagoverum #2.4",
"android.app.extra.PROVISIONING_WIFI_PASSWORD": "Pa$$w0rd",
"android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE": "WPA",
"android.app.extra.PROVISIONING_WIFI_HIDDEN": true,
"android.app.extra.PROVISIONING_WIFI_PROXY_HOST": "192.168.0.50",
"android.app.extra.PROVISIONING_WIFI_PROXY_PORT": "8080",
"android.app.extra.PROVISIONING_WIFI_PROXY_BYPASS": true,
"android.app.extra.PROVISIONING_WIFI_PAC_URL": "http://proxy.imagoverum.com/proxy.pac",
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN":"OTQGFQLNFYLWPLFKTJUEWUYB"}
}

• You can paste the example content into any Text Editor and modify the settings to your needs
• Then you can use a QR-Code creator like https://www.the-qrcode-generator.com to create your custom QR-Code and use it for device enrollments.

Zero Touch or Knox Mobile Enrollment

• To utilize the Zero Touch Enrollment, please refer to Android Enterprise V: ZeroTouch Enrollment and select in your configuration Android Device Policy as EMM DPC and add the following to the DPC Extras and ensure to use the enrollment token from your target Policy. Then assign the profile to your devices as usual.

{"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN":"EHYXZWKAXTOUREPKUROZJDWX"}}

• To utilize the Knox Mobile Enrollment, please refer to Android Enterprise VI: Knox Mobile Enrollment and select during the Android enterprise profile creation Other as Pick your EMM and use the following URL: https://play.google.com/managed/downloadManagingApp?identifier=setup and keep the EMM server URI field empty. In the next screen, use the following as Custom JSON data with the enrollment token from your target Policy. Then assign the profile to your devices as usual.

{"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN":"EHYXZWKAXTOUREPKUROZJDWX"}

Device Information

You can access the Device Overview screen by clicking a device in the Management Console. Depending on the ownership, manufacturer and OS version of the device, some information from the device may or may not be transmitted and displayed. For example, personally owned devices transmit much less information than corporate-owned devices. If there is no information at all in any of the areas described below, that area will be hidden in the Device Overview, with the exception of the Network Information.   

Non-Compliance

The Non-Compliance section displays information about whether the target and actual state between the configured policy and the device match. For example, common cases include:

• A policy includes an application that is not supported for the device type. This can be provoked very easily by adding the Knox Service Plugin into a policy and enrolling a Google Pixel device into that policy. As Knox service plugin is only supported for Samsung devices, the application is not available and can't be installed on Google devices. 
• For an application, the App Management option is set to Required or Forced as the installation type, and the application is still being installed (Screenshot below).  
• A restriction has been set that is either not supported by the management mode or requires a newer OS version (API level) of the device.
• A restriction set in the policy has not yet been set by the user. A good example here is the Degree of location detection enabled restriction, which must be manually deactivated or changed by the user to make the device compliant again.
• By default, Google sets some default compliance rules for the Android Management API that will restrict the use of the device or work profile if it is out of compliance. In this case, the user has 10 days to bring the device into compliance before the device is either reset or the work profile is removed. The Degree of location detection enabled restriction is again a perfect practical example. Please refer to Set up policy compliance rules for additional information and note that only the default compliance rules set by Google are currently active, and in this scenario devices will remain as managed in the Management Console.
• You can get more information about the reasons for non-compliance here: Non Compliance Reason

Device Actions

Based on device ownership, several device actions can be performed, as described below. Please note that the Lock, Block, Factory Wipe, and Delete Business Data actions are located in the Devices tab (Managed, Blocked), while the Restart and Clear Passcode actions are located in the Device Overview under Actions.   

Review Device Policy

Users and administrators can see when the device was last synchronized with the Android Management API, which policies are applied to the device, and which applications are associated with the device in Settings > Google > (Work Profile) > Device Policy. Users can also see what information an IT or administrator can access. Note, however, that the information may not be fully visible under Policies that affect your device. By tapping the three dots on the upper right in the Your Work device screen, users can also manually Sync policies.

Capture and Analyze Logs

For troubleshooting scenarios with the device management via the Android Management API, there is a separate tab in the Log view called Android Management . You can set the depth of the logs under Admin > Logs in the Vendor Specific Logs section using the Configure button. Here you can use the log level options Information and Error, where Information is a more verbose level than Error. The View Log button will take you to the corresponding Android Management tab in the logs. With Information set as the log level, you can closely examine all the events that happen on the Android Management API. Please do not forget to set the log level back to Error after an analysis.

By using Notepad++ with the JSON Viewer plugin you can easily beautify the messages using the Format JSON option and removing any content before the { symbol, e.g when the event starts with The response from Android Management API has been received: { you need to remove the bold part and then utilize the Format JSON option.