IBM Security MaaS360

Hi,

does anyone know whether it's possible to see if an Android Enterprise Device is enrolled using "User Account" or "Device Account"?

A can't seem to find it under device settings.

I can see it under Devices->Enrollments (Android Account Type), but that only shows the enrollment requests for the last 90 days. If I go to Deployment Overview to view older requests, Android Account Type is not visible.

I need this insight when trouble shooting some app distribution issues ...

Hi,

does anyone know whether it's possible to see if an Android Enterprise Device is enrolled using "User Account" or "Device Account"?

A can't seem to find it under device settings.

I can see it under Devices->Enrollments (Android Account Type), but that only shows the enrollment requests for the last 90 days. If I go to Deployment Overview to view older requests, Android Account Type is not visible.

I need this insight when trouble shooting some app distribution issues ...

Hi Kjetil

Just to qualify Ethan's response: 

• User Account vs. Device Account only tends to make a difference when you are trying to re-enroll a device and the existing assigned Google account hasn't been released. This happens for Device Account enrolled devices where you try to wipe/re-enroll within a 24 hour period and Google platform (Android Enterprise) hasn't yet released the single-use account for re-use.
• Regarding apps, there shouldn't be any issue theoretically. When you look at the account that is set up to use Google Play (verify in Settings/Accounts and then check in Google Play), the only issue that might happen is that the user's personal account might try to install a work-type app. However Android Enterprise distributes the app to the work profile meaning the work account in DO/PO mode is automatically used not the user's personal Google account. So this doesn't tend to be an issue. 
• The only issue I can think of off hand is if you have a Private Play Store app which hasn't been distributed to the right Android Enterprise instance and this might cause issues for installs of these apps for certain devices. In case you need to go into this in detail please have a look at a blog I wrote some time ago - 
• https://community.ibm.com/community/user/security/blogs/eamonn-omahony/2021/10/20/apks-vs-private-apps-on-google-play

If still having issues after this let me know directly and we can discuss. 

Hi,

does anyone know whether it's possible to see if an Android Enterprise Device is enrolled using "User Account" or "Device Account"?

A can't seem to find it under device settings.

I can see it under Devices->Enrollments (Android Account Type), but that only shows the enrollment requests for the last 90 days. If I go to Deployment Overview to view older requests, Android Account Type is not visible.

I need this insight when trouble shooting some app distribution issues ...

Hi both, thanks!

Our customer has several (50+) devices enrolled towards the same MaaS360 user. I know that the current setting is to use Device Account, but I don't know if it has always been like that.

I was considering the following scenario:
1. a number of devices are enrolled towards the same user, using AE User Account enrollment.
2. more devices are enrolled towards the same user (as in 1.), but now using AE Device Account enrollment.

Would that be a problem?
(I know this was an issue earlier, but that was when one could only enroll 1 device towards a user when using Device Account enrollment. I.e. you could not switch between User Account and Device Account for the same MaaS360 user.)

BTW! The issue we're seeing is not related to private apps. It's a public Google Play app, and it installs fine on most devices ...

Hi Kjetil

Just to qualify Ethan's response: 

• User Account vs. Device Account only tends to make a difference when you are trying to re-enroll a device and the existing assigned Google account hasn't been released. This happens for Device Account enrolled devices where you try to wipe/re-enroll within a 24 hour period and Google platform (Android Enterprise) hasn't yet released the single-use account for re-use.
• Regarding apps, there shouldn't be any issue theoretically. When you look at the account that is set up to use Google Play (verify in Settings/Accounts and then check in Google Play), the only issue that might happen is that the user's personal account might try to install a work-type app. However Android Enterprise distributes the app to the work profile meaning the work account in DO/PO mode is automatically used not the user's personal Google account. So this doesn't tend to be an issue. 
• The only issue I can think of off hand is if you have a Private Play Store app which hasn't been distributed to the right Android Enterprise instance and this might cause issues for installs of these apps for certain devices. In case you need to go into this in detail please have a look at a blog I wrote some time ago - 
• https://community.ibm.com/community/user/security/blogs/eamonn-omahony/2021/10/20/apks-vs-private-apps-on-google-play

If still having issues after this let me know directly and we can discuss. 

Hi,

does anyone know whether it's possible to see if an Android Enterprise Device is enrolled using "User Account" or "Device Account"?

A can't seem to find it under device settings.

I can see it under Devices->Enrollments (Android Account Type), but that only shows the enrollment requests for the last 90 days. If I go to Deployment Overview to view older requests, Android Account Type is not visible.

I need this insight when trouble shooting some app distribution issues ...

Hi Kjetil

Just for clarification. 

The Google / Android Enterprise setting to choose User Account or Device Account is a setting which controls the way that Google assigns a Google account to a device for the work profile.

This is completely independent of the MaaS360 User account to which a device is enrolled. In case not clear we recommend that an individual user account be used for each individual enrolled device and wherever possible. 

Once enrolled the Device Account / User Account distinction is not relevant except for when re-enrolling. It is only relevant to assigning accounts from the Google platform (with something like "user@googleaccountservices.com") which is created or re-used depending on the choice of Device Account (1 device per Google user) or 10 devices max per Google user (re-use same ID for up to 10 enrollments). 

Hope this helps. If still having issue with app installs please contact Support

Hi both, thanks!

Our customer has several (50+) devices enrolled towards the same MaaS360 user. I know that the current setting is to use Device Account, but I don't know if it has always been like that.

I was considering the following scenario:
1. a number of devices are enrolled towards the same user, using AE User Account enrollment.
2. more devices are enrolled towards the same user (as in 1.), but now using AE Device Account enrollment.

Would that be a problem?
(I know this was an issue earlier, but that was when one could only enroll 1 device towards a user when using Device Account enrollment. I.e. you could not switch between User Account and Device Account for the same MaaS360 user.)

BTW! The issue we're seeing is not related to private apps. It's a public Google Play app, and it installs fine on most devices ...

Hi Kjetil

Just to qualify Ethan's response: 

• User Account vs. Device Account only tends to make a difference when you are trying to re-enroll a device and the existing assigned Google account hasn't been released. This happens for Device Account enrolled devices where you try to wipe/re-enroll within a 24 hour period and Google platform (Android Enterprise) hasn't yet released the single-use account for re-use.
• Regarding apps, there shouldn't be any issue theoretically. When you look at the account that is set up to use Google Play (verify in Settings/Accounts and then check in Google Play), the only issue that might happen is that the user's personal account might try to install a work-type app. However Android Enterprise distributes the app to the work profile meaning the work account in DO/PO mode is automatically used not the user's personal Google account. So this doesn't tend to be an issue. 
• The only issue I can think of off hand is if you have a Private Play Store app which hasn't been distributed to the right Android Enterprise instance and this might cause issues for installs of these apps for certain devices. In case you need to go into this in detail please have a look at a blog I wrote some time ago - 
• https://community.ibm.com/community/user/security/blogs/eamonn-omahony/2021/10/20/apks-vs-private-apps-on-google-play

If still having issues after this let me know directly and we can discuss. 

Hi,

does anyone know whether it's possible to see if an Android Enterprise Device is enrolled using "User Account" or "Device Account"?

A can't seem to find it under device settings.

I can see it under Devices->Enrollments (Android Account Type), but that only shows the enrollment requests for the last 90 days. If I go to Deployment Overview to view older requests, Android Account Type is not visible.

I need this insight when trouble shooting some app distribution issues ...

Hi again,

I'm aware of the difference between MaaS360 User Account and AE User account ;-)

The use case here is configuring many non-personal devices using KME (or GZT) - hence DO mode. Then it can be handy to set up several devices (possibly more than 10) towards the same MaaS360 user (by using AE Device Account for enrollment).

This has been possible since MaaS360 release 10.77:

"

Android
Bulk enrollment support for device account based Device Owner enrollments >>

MaaS360 supports two account types: user account and device account for Android Enterprise enrollments. In the previous releases, MaaS360 restricted the number of enrollments allowed per device account to 1 device. In this release, MaaS360 removes the restriction to allow hundreds of devices to be enrolled per device account.

"

Anyway, I suppose we're at the end of the road on this one ... I will ask the customer to try creating a new MaaS360 user, and enroll the "problem devices" towards this new user instead.

Hi Kjetil

Just for clarification. 

The Google / Android Enterprise setting to choose User Account or Device Account is a setting which controls the way that Google assigns a Google account to a device for the work profile.

This is completely independent of the MaaS360 User account to which a device is enrolled. In case not clear we recommend that an individual user account be used for each individual enrolled device and wherever possible. 

Once enrolled the Device Account / User Account distinction is not relevant except for when re-enrolling. It is only relevant to assigning accounts from the Google platform (with something like "user@googleaccountservices.com") which is created or re-used depending on the choice of Device Account (1 device per Google user) or 10 devices max per Google user (re-use same ID for up to 10 enrollments). 

Hope this helps. If still having issue with app installs please contact Support

Hi both, thanks!

Our customer has several (50+) devices enrolled towards the same MaaS360 user. I know that the current setting is to use Device Account, but I don't know if it has always been like that.

I was considering the following scenario:
1. a number of devices are enrolled towards the same user, using AE User Account enrollment.
2. more devices are enrolled towards the same user (as in 1.), but now using AE Device Account enrollment.

Would that be a problem?
(I know this was an issue earlier, but that was when one could only enroll 1 device towards a user when using Device Account enrollment. I.e. you could not switch between User Account and Device Account for the same MaaS360 user.)

BTW! The issue we're seeing is not related to private apps. It's a public Google Play app, and it installs fine on most devices ...

Hi Kjetil

Just to qualify Ethan's response: 

• User Account vs. Device Account only tends to make a difference when you are trying to re-enroll a device and the existing assigned Google account hasn't been released. This happens for Device Account enrolled devices where you try to wipe/re-enroll within a 24 hour period and Google platform (Android Enterprise) hasn't yet released the single-use account for re-use.
• Regarding apps, there shouldn't be any issue theoretically. When you look at the account that is set up to use Google Play (verify in Settings/Accounts and then check in Google Play), the only issue that might happen is that the user's personal account might try to install a work-type app. However Android Enterprise distributes the app to the work profile meaning the work account in DO/PO mode is automatically used not the user's personal Google account. So this doesn't tend to be an issue. 
• The only issue I can think of off hand is if you have a Private Play Store app which hasn't been distributed to the right Android Enterprise instance and this might cause issues for installs of these apps for certain devices. In case you need to go into this in detail please have a look at a blog I wrote some time ago - 
• https://community.ibm.com/community/user/security/blogs/eamonn-omahony/2021/10/20/apks-vs-private-apps-on-google-play

If still having issues after this let me know directly and we can discuss. 

Hi,

does anyone know whether it's possible to see if an Android Enterprise Device is enrolled using "User Account" or "Device Account"?

A can't seem to find it under device settings.

I can see it under Devices->Enrollments (Android Account Type), but that only shows the enrollment requests for the last 90 days. If I go to Deployment Overview to view older requests, Android Account Type is not visible.

I need this insight when trouble shooting some app distribution issues ...