How to set up Android Management

Android Management (formerly known as Android for Work) makes Android devices enterprise ready in two ways: a work profile on a personal phone, or a company-issued phone that is placed in device owner mode. A work profile is a container-like environment where corporate applications co-exist with personal applications on one device while the platform keeps the corporate data separate and protected. A device in device owner mode gives the system administrator full control of the device.

Pre-requisites

For both work profile and device owner mode, confirm that you have met the following pre-requisites:

  • Android devices must be on 5.0 Lollipop or newer.
  • (Required only if you use domain mapping to bind the Google generated Android Management token to Privileged Access Service) You have a Google Android Management account (G Suite) with the following configurations:
    • Enable the Android Management (formerly known as Android for Work) service.

    • “Enforce EMM policies on Android devices” enabled or disabled, according to your needs.

      If you enable this option, Centrify MDM policies are enforced on the enrolled Android Enterprise devices. Refer to Google's documentation for more information about this option.

    • You can create the Google Android Management account from the Google website.

See Device owner prerequisites for additional pre-requisites.

Configuring a work profile

A work profile is a container-like environment where corporate applications can co-exist with personal applications on one device while keeping the corporate data separate and secure.

The high-level procedures for setting up a work profile are:

  1. Verify that you have fulfilled the pre-requisites. See Pre-requisites.
  2. Map your company’s domain to Privileged Access Service. This mapping binds the Google generated Android Management (formerly known as Android for Work) token to Privileged Access Service and identifies Centrify as the MDM provider. See Binding Android Management token to Privileged Access Service.
  3. Create a work profile policy set in Admin Portal. See Creating a Work Profile policy set.
  4. Add and configure a Google SAML application with user provisioning in Admin Portal. Provisioning is optional but highly recommended because it allows users created in the Google Apps account to be added automatically to Privileged Access Service, and vice versa. See for information on provisioning G Suite.
  5. Configure applications that you want added to the work profile. See Configuring applications .

Binding Android Management token to Privileged Access Service

As part of enabling work profile on Privileged Access Service and identifying Centrify as the MDM provider, you must bind the Google generated Android Management token to Privileged Access Service. You have two options for binding the token to Privileged Access Service:

Important: If you have existing devices registered in Android Management (formerly known as Android for Work) under one token binding option and you switch to the other option, you will need to re-register these devices. Switching from one token binding method to another breaks the connection between the Android Management ecosystem and Privileged Access Service, so the devices must be re-registered.

Configuring Google Play

This option uses a Google account to create the necessary token, so you do not need to create a Google Android Management account (G Suite).

Domain mapping

Before performing this mapping, you must have a Google Android Management account with your company’s domain configured. See Pre-requisites.

Creating a Work Profile policy set

You enable users with the work profile by creating the work profile policy set and pushing it to specified devices/users. The Centrify application is automatically deployed to the work profile on every device that receives this policy set. Users then use that application to manage their work profile applications. If a user uninstalls the Centrify application, the work profile and all of its applications are removed from the device.

Configuring applications

You add and configure applications using Admin Portal so that users can access these applications on their devices as part of Android Management (formerly known as Android for Work) -- in work profile or on devices registered in device owner mode. Before you can configure applications, you need to create a Google Apps administrator account. You create the Google Android Management account from the Google website.

You can deploy Android app store applications or Android custom/in-house applications (both Android Management private applications and Centrify applications). Android Management private applications must first be published to the Google Play Console. For instructions on publishing Android Management private applications, see Publishing private applications. After you publish the private application, see to deploy it to mobile devices; this link contains configuration and deployment instructions for both Android Management private applications and Centrify applications. Only applications you deploy will be available in the user’s work Play Store.

For Android app store applications, configuring applications that you want users to access via Android Management is very similar to configuring applications for their personal profile. The differences are:

  • For each application, you must choose one of the two “Install to Android Management” options (on the Applications Settings page).
  • For applications with restrictions, you can set those restrictions.
  • When you save the configuration settings, you must accept the Android Management (formerly known as Android for Work) permissions. If you do not accept the permissions, the applications will not be available to users.

See for Android app store application configuration and deployment instructions.

Publishing private applications

Android Management private applications must be published to the Google Play Console before you can deploy them. You must register as a developer before you can publish private applications.

It can take up to 48 hours for your Google Play developer registration to be processed.

After it is published, your application will be available for distribution within a few hours. See to deploy it.

If the developer account you used to publish your private app is also an administrator account for your organization, then the app will automatically be approved for your organization. If you target additional organizations that you're not the administrator of, the administrators of these organizations will need to approve the private app manually.

Enrolling devices in device owner mode

A device in device owner mode provides the system administrator with full control of the device. You register company issued devices in device owner mode so that you can restrict activities and functions on the device using Admin Portal. Privileged Access Service is the administrator of devices in device owner mode. To place a device in device owner mode, you need a master device that is configured for NFC provisioning. You then use the master device to bump other devices (referred to as target devices) and initiate the registration.

Device owner prerequisites

To register devices in device owner mode, you need the following:

  • Android devices must be on 5.0 Lollipop or newer.
  • (Required only if you use domain mapping to bind the Google generated Android Management token to Privileged Access Service) You have a Google Android Management account (G Suite) with the following configurations:
    • Enable the Android Management (formerly known as Android for Work) service.

    • “Enforce EMM policies on Android devices” enabled or disabled, according to your needs.

      If you enable this option, Centrify MDM policies are enforced on the enrolled Android Enterprise devices. Refer to Google's documentation for more information about this option.

    • You can create the Google Android Management account from the Google website.

  • Have both the master and target devices at hand. Bumping the devices requires that you have both devices with you.

  • The master device should already be registered to Privileged Access Service.

  • The target devices must be factory reset and left at the initial setup (welcome) screen. Android only accepts NFC device owner provisioning on a device that has not yet been set up.

  • Both the master and target devices must have network connectivity (mobile data or Wi-Fi).

Configure master device for NFC provisioning

You must configure the master device for NFC provisioning to register target devices in device owner mode.
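As an added example (not Centrify's code and not taken from this page), the following Python script shows what the master device's NFC bump carries and what the target device checks before it installs the downloaded client as device owner. The record format is defined by Android, not by the MDM vendor: an NDEF MIME record of type application/com.android.managedprovisioning whose payload is a java.util.Properties text block of android.app.extra.PROVISIONING_* keys, including the location the client APK is downloaded from and the URL-safe base64 SHA-256 checksum the device compares the download against. The package name, download URL, Wi-Fi details and APK bytes in the script are constructed placeholders, not Centrify's real values.

```python
"""Build and verify an Android NFC device-owner provisioning payload.

Added example, not Centrify's code: it models the Android-defined NFC record a
master device writes and a factory-reset target device reads during the bump.
Package name, download URL, Wi-Fi details and APK bytes are placeholders.
"""
import base64
import hashlib

NFC_MIME_TYPE = "application/com.android.managedprovisioning"

# Extras defined by android.app.admin.DevicePolicyManager.
EXTRA_PACKAGE_NAME = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME"
EXTRA_DOWNLOAD_LOCATION = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
EXTRA_PACKAGE_CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM"
EXTRA_WIFI_SSID = "android.app.extra.PROVISIONING_WIFI_SSID"
EXTRA_WIFI_SECURITY_TYPE = "android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE"
EXTRA_WIFI_PASSWORD = "android.app.extra.PROVISIONING_WIFI_PASSWORD"


def apk_checksum(apk_bytes: bytes) -> str:
    """URL-safe base64 (padding stripped) of the APK's SHA-256, as Android expects."""
    digest = hashlib.sha256(apk_bytes).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def _escape_properties(text: str, is_key: bool) -> str:
    """Escape one key or value the way java.util.Properties.store() does."""
    out = []
    for i, ch in enumerate(text):
        if ch == "\\":
            out.append("\\\\")
        elif ch == " " and (is_key or i == 0):
            out.append("\\ ")
        elif ch in "=:#!":
            out.append("\\" + ch)
        elif ch in "\n\r\t":
            out.append({"\n": "\\n", "\r": "\\r", "\t": "\\t"}[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.append("\\u%04X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def _unescape_properties(text: str) -> str:
    """Reverse of _escape_properties (handles \\uXXXX, \\n, \\r, \\t and \\X)."""
    out, i = [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            nxt = text[i + 1]
            if nxt == "u" and i + 5 < len(text):
                out.append(chr(int(text[i + 2:i + 6], 16)))
                i += 6
                continue
            out.append({"n": "\n", "r": "\r", "t": "\t"}.get(nxt, nxt))
            i += 2
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def _split_key_value(line: str):
    """Split at the first unescaped '=' or ':' (Properties key/value separator)."""
    i = 0
    while i < len(line):
        if line[i] == "\\":
            i += 2
            continue
        if line[i] in "=:":
            return line[:i], line[i + 1:].lstrip()
        i += 1
    return line, ""


def build_provisioning_payload(extras: dict) -> bytes:
    """Serialise extras as the Properties text block carried in the NDEF record."""
    lines = [_escape_properties(k, True) + "=" + _escape_properties(v, False)
             for k, v in sorted(extras.items())]
    return ("\n".join(lines) + "\n").encode("latin-1")


def parse_provisioning_payload(payload: bytes) -> dict:
    """What the target device does with the record: parse it back into extras."""
    extras = {}
    for raw in payload.decode("latin-1").splitlines():
        line = raw.lstrip()
        if not line or line[0] in "#!":      # Properties.store() writes a '#' date header
            continue
        key, value = _split_key_value(line)
        extras[_unescape_properties(key)] = _unescape_properties(value)
    return extras


def verify_downloaded_apk(extras: dict, downloaded: bytes) -> bool:
    """Refuse the downloaded client unless its hash matches the checksum from the bump."""
    expected = extras.get(EXTRA_PACKAGE_CHECKSUM, "")
    return bool(expected) and apk_checksum(downloaded) == expected


# Constructed placeholders: a real record carries the MDM client's package name,
# the URL the device fetches its APK from, and the hash of that exact APK.
SAMPLE_APK = b"PK\x03\x04 constructed stand-in for the MDM client APK"
SAMPLE_EXTRAS = {
    EXTRA_PACKAGE_NAME: "com.example.mdmclient",
    EXTRA_DOWNLOAD_LOCATION: "https://mdm.example.com/client.apk",
    EXTRA_PACKAGE_CHECKSUM: apk_checksum(SAMPLE_APK),
    EXTRA_WIFI_SSID: "Corp Setup",
    EXTRA_WIFI_SECURITY_TYPE: "WPA",
    EXTRA_WIFI_PASSWORD: "s3tup=pass!",
}


def demo():
    """Round-trip the record, then accept the genuine APK and reject a tampered one."""
    received = parse_provisioning_payload(build_provisioning_payload(SAMPLE_EXTRAS))
    return (received == SAMPLE_EXTRAS,
            verify_downloaded_apk(received, SAMPLE_APK),
            verify_downloaded_apk(received, SAMPLE_APK + b"\x00"))


if __name__ == "__main__":
    print(demo())
```

The checksum is the security-relevant part of the record: the factory-reset target device joins whatever Wi-Fi the bump told it to, fetches the APK from the given location, and will only install it as device owner if the hash matches, so tampering with the download or the network cannot substitute a different device owner. On Android 6.0 and later the record can carry PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM (the SHA-256 of the client's signing certificate) instead, which keeps the record valid across client updates.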

Registering target devices

Registration in device owner mode is completed on the target device itself. The system administrator can either finish the registration on the target device or ask the device user to do it.

To finish registering the target device:

  1. Connect the target device to an available Wi-Fi network after the NFC bump has been performed.

    After it is connected, the phone downloads the client application and sets it as the device owner.

  2. Depending on how the system administrator configured the registration and on the Android version of the device, you may need to enter your Privileged Access Service credentials to finish installing the client application. If the system administrator has already entered the user credentials and the device runs Android 6.0 (Marshmallow) or newer, the client application is installed automatically, the device is registered, and policies are synchronized.

  3. On the Google account information screen, tap Accept to be redirected to the Privileged Access Service log in screen.

  4. Enter your Privileged Access Service credentials to complete the Google account setup.