IBM Security MaaS360


Enhancing Your Android Enterprise Rollout

By Matt Shaver posted Thu November 05, 2020 12:53 PM


We are in full Android Enterprise fervor here at MaaS360 as Android 11 begins to permeate the market.  Admins everywhere are beginning to execute their battle plans to make the changeover from the deprecated Device Admin style of management over to Android Enterprise, and we're seeing a lot of the same questions pop up over and over.  I hope to address many of those today, and alleviate some of the fears that are causing some organizations to slow, or even pause, their transition to the modern management style for all Android devices.

Let's start with....
The Google Account

The Google account is a service feature that allows MaaS360 to distribute applications and related content to devices, even silently with no user interaction required.  Normally the Google account is something that the user would add manually to the device, but with Android Enterprise bound to a Gmail address (not a G Suite account), MaaS360 actually creates these accounts silently on the devices.  No credential management required.  Pretty great!

These accounts, however, are still bound by the rules and regulations of the Play store, and the same account can only be applied on a limited number of active devices before they will begin to get auto-logged out of Play services.  This can cause a lot of issues with app distribution, so we've built out support for two options when enrolling devices:

User Account - each device a user enrolls will receive the same Google account configured by MaaS360.  This is ideal for scenarios where the device ratio is generally only one or two per user.
Device Account - each device a user enrolls will receive a different Google account configured by MaaS360.  This is great for scenarios where a user enrolls many devices, and perfect for cases where the "user" isn't actually a person, but maybe a building, vehicle, or location.

Both of these may be used in the same environment.  While neither has a clear advantage over the other at this time (other than staying under the Google Play limits), there could be use cases in the future where each plays a significant role, so choose based on potential, not just on what works easiest today.

These options can be selected in the Deployment Settings or when generating an enrollment request.

Next, let's talk about.......
Activating Full Device Management

As many admins are painfully aware, the step away from Device Admin means that more than a few steps were added to fully control an Android device.  Android seems to have taken a few cues from Apple's "Supervised" option and made it so that a device has to be factory reset (or new out-of-box) in order to activate this management style (formerly known as Device Owner or DO, now simply called Work Managed).

The easiest way to get these types of devices up-and-running is to leverage either KNOX Mobile Enrollment (KME - for Samsung devices only) or zero touch enrollment (for any other device brand).  Please refer to Google documentation for supported devices, and reach out to a zero touch reseller to activate a portal account.

The zero touch/KME option is ideal for devices going directly to users, whereas other methods require a bit of trust or admin control in order to ensure proper workflows.  The easiest "other" method to get started with fully managed devices is the MaaS360 code: afw#maas360.  This is the most widely used method, and the easiest for both end users and admins alike to understand with a fresh device.  During activation, when the device prompts for a Google account sign-in, simply enter afw#maas360 in the field and follow the on-screen prompts.

New: This method will work for both Gmail and G Suite account integrations.  With G Suite setups, users will receive a prompt to sign in with their G Suite account a bit later on in the enrollment process.  For full end user instructions, see our work managed enrollment guide.

For admins who are tasked with setting up devices and then provisioning them to users, we have some good news!  In order to streamline the enrollment and minimize the number of on-screen taps to the lowest possible number, we have created a user-less option for enrollment.  This can be done either via the KME/zero touch workflows or a QR code.

From Devices-->Enrollments-->Other Enrollment Options choose either the QR code or the zero touch/KME file generator and choose to mark the device as "Corporate Shared."

The shared secret is not something admins will have to remember or record, and it is good until a new one is generated.  This will help admins easily disable old enrollment codes.  Until the shared secret is regenerated, the QR code or zero touch profile is good for any number of enrollments.  For more complete instructions, refer to the user-less enrollment guide.
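As an added example (not MaaS360's own code), the following Python reviews a Device Owner QR provisioning payload before it is printed and handed out.  It relies on the standard Android provisioning extra names; the component name, download URL, certificate bytes and the "enrollmentSecret" key used for the shared secret are assumed placeholders, since the page does not give MaaS360's values.

```python
import base64
import hashlib
import json
from urllib.parse import urlparse

# Standard Android provisioning extras (real AOSP names, not MaaS360-specific).
COMPONENT = "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
DOWNLOAD = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
SIG_CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM"
ADMIN_EXTRAS = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
WIFI_PASSWORD = "android.app.extra.PROVISIONING_WIFI_PASSWORD"
# Assumed key name for the enrollment shared secret inside the admin extras bundle.
SECRET_KEY = "enrollmentSecret"


def signature_checksum(cert_der: bytes) -> str:
    """URL-safe base64 (padding stripped) of SHA-256 over the DPC signing cert, as Android expects."""
    return base64.urlsafe_b64encode(hashlib.sha256(cert_der).digest()).rstrip(b"=").decode()


def review_qr_payload(payload: str) -> list:
    """Return findings for a Device Owner QR provisioning payload; an empty list means it passed."""
    try:
        data = json.loads(payload)
    except ValueError:
        return ["payload is not valid JSON"]
    findings = []
    for key in (COMPONENT, DOWNLOAD, SIG_CHECKSUM):
        if key not in data:
            findings.append("missing " + key.rsplit(".", 1)[1])
    if COMPONENT in data and "/" not in data[COMPONENT]:
        findings.append("component name must be package/receiver")
    if DOWNLOAD in data and urlparse(data[DOWNLOAD]).scheme != "https":
        findings.append("DPC download location is not HTTPS")
    if SIG_CHECKSUM in data:
        raw = data[SIG_CHECKSUM]
        try:  # re-add padding so a stripped checksum still decodes
            digest = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
        except ValueError:
            digest = b""
        if len(digest) != 32:
            findings.append("signature checksum does not decode to a SHA-256 digest")
    if not data.get(ADMIN_EXTRAS, {}).get(SECRET_KEY):
        findings.append("no enrollment shared secret in admin extras bundle")
    if WIFI_PASSWORD in data:
        findings.append("Wi-Fi password is embedded in the QR; anyone who scans it learns it")
    return findings
```

Run it over the JSON that the QR encodes; a non-empty list means the code should be regenerated before anyone scans it.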

Important note: when leveraging user-less enrollment, the Google account is not created until a user is signed in to the device.  The device will be managed, policy will be enforced, and various restrictions put in place, but application distributions and user-related settings (such as email configurations) will not apply until a user is signed in.  This must be done on the device; at this time MaaS360 does not support assigning users to Android devices from the portal.

Last, but certainly not least......
Migration to Android Enterprise

Much of the migration to Android Enterprise is VERY manual.  It will require setting up devices in a fashion that is unfamiliar to even seasoned MDM admins. 

Many organizations are choosing to migrate as part of new device purchase workflows, rather than walking end users through the process of starting over and hoping they get it right on the first try.  While our hands are tied when it comes to fully managed device setup, we can offer a bit of assistance in the area of work profile devices for BYOD environments.  There is a migration process available to get from DA to PO.

To get started, issue the migration command from either the device view menu or as a group action. (If you do not see the option to migrate, please reach out to your account manager).

This will enable the migration in the app for users to explore at their leisure and save them the hassle of having to un-enroll and re-enroll.  The app will migrate MaaS360 app data as well, so they won't have to worry about losing any files that are local to the agents.  For more information about these workflows, please visit our DA-to-PO migration page in the Knowledge Center.

Hopefully these workflows will make some decisions a little bit easier as you adjust to a post-Device Admin management life, but just in case you need to catch up on the multitude of capabilities that Android Enterprise has to offer, please take a look at our......
Android Enterprise: The Comprehensive Guide (PDF)
Android Enterprise Checkpoint Webinar (Video)
Deep Dive In To Android Enterprise Policy (Video)
Device Admin Deprecated Features (Article)
Android Enterprise Recommended Devices (External Site)

More resources and progress checklists (Article)