How to set up Android Management

Android Management (formerly known as Android for Work) makes Android devices enterprise ready in two ways, a work profile on your personal phone or a company issued phone that is placed in device owner mode. A work profile is a container-like environment where corporate applications can co-exist with personal applications on one device while keeping the corporate data separate and secure. A device in device owner mode provides the system administrator with full control of the device.

Pre-requisites

For both work profile and device owner mode, confirm that you have met the following pre-requisites:

  • Android devices must be on 5.0 Lollipop or newer.
  • (Required only if you use domain mapping to bind the Google generated Android Management token to Privileged Access Service) You have a Google Android Management account (G Suite) with the following configurations:

    • Enable the Android Management (formerly known as Android for Work) service.

    • “Enforce EMM policies on Android devices” either enabled or disabled.

      If you enable this option, Centrify MDM policies will be binding on the enrolled Android Enterprise device. Refer to Google's documentation for more information about this option.

    • You can create the Google Android Management account from the Google website.

See Device owner prerequisites for additional pre-requisites.

Configuring a work profile

A work profile is a container-like environment where corporate applications can co-exist with personal applications on one device while keeping the corporate data separate and secure.

The high-level procedures for setting up a work profile are:

  1. Verify that you have fulfilled the pre-requisites. See Pre-requisites.
  2. Map your company’s domain to Privileged Access Service. This mapping binds the Google generated Android Management (formerly known as Android for Work) token to Privileged Access Service and identifies Centrify as the MDM provider. See Binding Android Management token to Privileged Access Service.
  3. Create a work profile policy set in Admin Portal. See Creating a Work Profile policy set.
  4. Add and configure a Google SAML application with user provisioning in Admin Portal. Provisioning is optional but highly recommended because it allows for users that are created in the Google Apps account to be automatically added to Privileged Access Service and vice versa. See for information on provisioning G Suite.
  5. Configure applications that you want added to the work profile. See Configuring applications .

Binding Android Management token to Privileged Access Service

As part of enabling work profile on Privileged Access Service and identifying Centrify as the MDM provider, you must bind the Google generated Android Management token to Privileged Access Service. You have two options for binding the token to Privileged Access Service:

Important: If you have existing devices registered in Android Management (formerly known as Android for Work) under one token binding option and you switch to the other option, you will need to re-register these devices. Switching from one token binding method to another breaks the connection between the Android Management ecosystem and Privileged Access Service, so device re-registertration is required.

Configuring Google Play

This option uses a Google account to create the necessary token. This option eliminates the need to create a Google Android Management account (G-suite).

  1. Log in to Admin Portal.
  2. Click Settings > Endpoints > Android Management.
  3. Select the Manage Google Play Accounts option.

  4. Click Configure here.

    You need a Google account for the configurations. Best practice is to not use your personal Google account.

    The Google Play window opens.

  5. Click Get Started.

    The Google Play configuration page opens.

  6. Provide the following information:

    1. Enter your organization name.

    2. Read the Google Play agreement and select the associated check box.

    3. Click Confirm.

    4. Click Complete Registration to return to Admin Portal.

    The Google generated token is now bound to Privileged Access Service. The Managed Google Play Accounts is now active.

Domain mapping

Before performing this mapping, you must have a Google Android Management account with your company’s domain configured. See Pre-requisites.

  1. Go to Settings > Endpoints > Android Management in Admin Portal.
  2. Click Add.

  3. Select your company domain from the drop down.

    If you do not see a domain, verify that you have created your Google Android Management account (G Suite) correctly and the Android Management service was enabled. The “Your Primary Domain in G Suite” setting on the Google SAML application configuration page determines the available domain in this drop down.

  4. Enter the Android Management (formerly known as Android for Work) token generated by Google when you add your domain to the Google account.

  5. Click OK.

Creating a Work Profile policy set

You enable users with the work profile by creating the work profile policy set and pushing it to specified devices/users. The Centrify application is automatically deployed to the work profile for all devices that receive this policy set. Users can then use the application to manage their work profile applications. If users delete the application, the work profile and all work profile applications are deleted from the device.

  1. Log in to Admin Portal as an administrator.
  2. Click Core Services > Policies > create a new policy set or update an existing one > Mobile Device Policies > Android Management Settings.

  3. Click Enable Work Profiles and select Yes from the drop down.

    Selecting Yes enables users to create a work profile on their devices.

  4. On the Exchange Settings page, define the profile for Microsoft Exchange ActiveSync accounts in the Android Management email application.

    Configuring Microsoft Exchange ActiveSync automatically deploys the Gmail application to the specified users’ devices. Do not manually deploy another Gmail application to the same users because this can cause conflicting configurations.

    Note:   For devices with Privileged Access Service version 16.7 or older, configuring Microsoft Exchange ActiveSync deploys the Divide Productivity application. When you upgrade Privileged Access Service on both the device and cloud to 16.8 or newer, previously registered devices will have both the Divide Productivity and Gmail applications. Users can delete Divide Productivity when they are ready. With the 17.7 release, Google will no longer make Divide Productivity available for download. Previously installed instances of Divide Productivity will continue to be supported.

  5. Use the Certificate Profiles option to distribute certificates to the devices.

    The Add option allows you to upload and distribute a common certificate for all users.

    The Push user certificate to Android device option allows you to push individual certificates to individual users. Privileged Access Service generates the certificates automatically.

    Certificates can then be used by Wi-Fi providers or websites for authentication.

  6. Update devices with the policy changes.

    You can manually push policy changes or wait for the policy push delay or update interval you set in Device Policy Management on the Settings page in Admin Portal. See Updating device configuration policy changes.

    If you do not see a domain, verify that you have created your Google account correctly and the Android Management (formerly known as Android for Work) service was enabled. The “Your Primary Domain in G Suite” setting on the Google SAML app configuration page determines the available domain in this drop down.

  7. Use the Restrictions option to configure the following restrictions:

    • Limit copy/paste to managed profile

    • Permit data sharing from Work Profile

    • Permit screen capture (work profile or device owner mode)

  8. Use the System Apps option to view, add, or delete system applications. The default system applications that will be available in the work profile are displayed.

  9. Use the VPN Setting option to configure the automatic re-establishment of VPN connection when the device reconnects to the network after a disconnect.

    This policy option applies to devices in work profile or device owner mode and is supported on Android 7 and newer. The default setting (--) is No. If you enable this policy option, additional options (Package Name and Lockdown Enabled) become available.

  10. Click Save.

Configuring applications

You add and configure applications using Admin Portal so that users can access these applications on their devices as part of Android Management (formerly known as Android for Work) -- in work profile or on devices registered in device owner mode. Before you can configure applications, you need to create a Google Apps administrator account. You create the Google Android Management account from the Google website.

You can deploy Android app store applications or Android custom/in-house applications (both Android Management private applications and Centrify applications). Android Management private applications must first be published to the Google Play Console. For instructions on publishing Android Management private applications, see Publishing private applications. After you publish the private application, see to deploy it to mobile devices; this link contains configuration and deployment instructions for both Android Management private applications and Centrify applications. Only applications you deploy will be available in the user’s work Play Store.

For Android app store applications, configuring applications that you want users to access via Android Management is very similar to configuring applications for their personal profile. The differences are:

  • For each application, you must choose one of the two “Install to Android Management” options (on the Applications Settings page).
  • For applications with restrictions, you can set those restrictions.
  • When you save the configuration settings, you must accept the Android Management (formerly known as Android for Work) permissions. If you do not accept the permissions, the applications will not be available to users.

See for Android app store application configuration and deployment instructions.

Publishing private applications

Android Management private applications must first be published to the Google Play Console before you can publish them. You must first register as a developer before you can publish private applications.

  1. Sign in to the Google Account that will act as the account owner for your developer account.

  2. Go to the Google Play Console to begin registration.

  3. Check the agreement box to accept the Google Play Developer distribution agreement. If your account has previously violated this agreement, you can't register as a Google Play developer.

  4. Click Continue to payment.

  5. Pay the registration fee and click Accept and continue.

  6. Enter your developer account details, including a developer name which is the name that is displayed in Google Play.

It can take up to 48 hours for your Google Play developer registration to be processed.

  1. Sign in to the Google Play Console.

  2. Click Add new application.

  3. Select a default language and add a title for the app.

    4. The name should be exactly how you want it to appear in managed Google Play.

  4. Go to Pricing & Distribution > User programs > Managed Google Play.

  5. Check the Turn on advanced managed Google Play features box.

  6. Check the Privately target this app to a list of organizations box.

  7. Click Choose Organizations.

  8. For each organization that you want to publish the app to, enter the Organization ID and a description (or name) and click Add. You can enter up to 20 organizations per app.

  9. Click Done.

  10. When you're ready to publish your app, create and rollout a production release. After your app is published, you can create new releases or set up a staged rollout.

After it is published, your application will be available for distribution within a few hours. See to deploy it.

If the developer account you used to publish your private app is also an administrator account for your organization, then the app will automatically be approved for your organization. If you target additional organizations that you're not the administrator of, the administrators of these organizations will need to approve the private app manually.

Enrolling devices in device owner mode

A device in device owner mode provides the system administrator with full control of the device. You register company issued devices in device owner mode so that you can restrict activities and functions on the device using Admin Portal. Privileged Access Service is the administrator of devices in device owner mode. To place a device in device owner mode, you need a master device that is configured for NFC provisioning. You then use the master device to bump other devices (referred to as target devices) and initiate the registration.

Device owner prerequisites

To register devices in device owner mode, you need the following:

  • Android devices must be on 5.0 Lollipop or newer.
  • (Required only if you use domain mapping to bind the Google generated Android Management token to Privileged Access Service) You have a Google Android Management account (G Suite) with the following configurations:

    • Enable the Android Management (formerly known as Android for Work) service.

    • “Enforce EMM policies on Android devices” either enabled or disabled.

      If you enable this option, Centrify MDM policies will be binding on the enrolled Android Enterprise device. Refer to Google's documentation for more information about this option.

    • You can create the Google Android Management account from the Google website.

  • Have both the master and target devices at hand. Bumping the devices requires that you have both devices with you.

  • The master device should already be registered to Privileged Access Service.

  • The target devices must be set to factory reset.

  • Both the master and target devices must have a wireless network (mobile or WiFi).

Configure master device for NFC provisioning

You must configure the master device for NFC provisioning to register target devices in device owner mode.

  1. Log in to Admin Portal.
  2. Click Core Services > Policies.
  3. Select the policy set for the user associated with the master device.
  4. Click Mobile Device Policies > Android Management Settings > Device Owner.
  5. Select Yes in the Allow Provisioning mode drop down.
  6. Click Save.
  7. Do the following on the master device:

    1. On the master device, go to the Settings page and tap Start NFC Provisioning.

      This action synchronizes the master device with Privileged Access Service and gets the provisioning data.

    2. (Optional) On the Provisioning Mode window, you can activate the Send Username/Password option to enter the user’s Privileged Access Service username/password.
      The typical scenario for providing username/password is if you are registering multiple devices and do not need to track individual device owners. In this case you would provide one username/password and bump multiple devices to this one account. For target devices of versions M (6.0) and newer, providing the credentials will initiate auto registration. Users of target devices that are older than version M (6.0) will need to finish the registration manually.

    3. Bump the master device with the target device.

      You are now done with the master device. You either finish registering the target device yourself or ask the device owner to do it. See Registering target devices.

Registering target devices

You use the target device to finish registering it in device owner mode. The system administrator can either finish the registration on the target device or ask the device user to do it.

To finish registering the target device:

  1. Connect the target device to an available wi-fi after NFC bump has been performed.

    After it is connected, the phone downloads the client application and sets it as the device owner.

  2. You may need to enter your Privileged Access Service credentials to finish installing the client application, depending on how the system administrator configured the registration and your device version. If the system administrator has entered the user credentials and the device is of version M (6.0) or newer, then the client application is automatically installed, the device is registered, and policies are synchronized.

  3. On the Google account information screen, click Accept to get redirected to the Privileged Access Service log in screen.

  4. Enter your Privileged Access Service credentials to complete the Google account setup.