Citrix XenMobile and Google Android for Work

With the release of Citrix XenMobile 10.1 server, administrators can manage Android for Work using Citrix XenMobile as the EMM platform. They can create a dedicated work profile on Android devices that relies on operating-system-level encryption and sharing restrictions, so business data is kept separate and protected while personal data stays private.

The steps below walk through enabling and administering Android for Work with XenMobile.

The diagram below illustrates the flow followed when integrating Android for Work with XenMobile Server.

Prerequisites:

1. A working XenMobile 10.1 environment.

2. A publicly accessible domain (you will need to add a DNS record to it to prove ownership, and the XenMobile Server FQDN used for SSO must be reachable from devices).

The flow can be broadly divided into 5 stages.

1. Register with Google Android for Work, claim ownership of your enterprise domain, collect the EMM binding token, enable the API and create a service account.

2. Bind the Android for Work account to the EMM (Citrix).

3. Enable XenMobile Server for Android for Work.

4. Enable SAML-based SSO with XenMobile Server as the identity provider.

5. Activate the work profile on Android devices (end-user experience).

Stage 1: Registering with Google Android for Work

Here you register with Google to create an Android for Work account. In the course of this you provide your own and admin details as Google requires, link the Android for Work account with your enterprise domain and claim ownership of that domain, after which Google issues your EMM binding token.

1. Go to the Google Android for Work portal (https://www.google.com/work/android/) and navigate to the partner page.

2. If you already have the XenMobile EMM solution deployed, proceed with BEGIN SETUP.

3. Provide your details, business details, Google admin account details and the security verification code, accept the terms and conditions and create your admin account.

4. Once the domain admin account is created, you will see the domain verification screen. Click START to verify your domain ownership.

Claim your Domain Ownership.

5. Click VERIFY to verify your domain.

6. Follow the on-screen instructions to verify your domain ownership.

The domain verification steps themselves are not covered here. There are several ways to prove ownership; Google recommends adding a TXT or CNAME record to your domain's DNS settings. Publish the record at the DNS provider that is authoritative for the domain (not an internal-only zone) and confirm it is visible from the Internet, for example with dig TXT yourdomain.com, before clicking VERIFY. (Note: more details at https://support.google.com/a/answer/6095407/)

7. Once the domain is verified you are given an EMM binding token. Save it; you will supply this token when binding to XenMobile in the steps below.

Steps to enable the API and create a Service Account.

8. Log in to https://console.developers.google.com/ with your admin credentials and select Create a project.

9. Under New Project, provide the Project Name and click Create.

10. Once the project is created, under Google APIs click "Enable and manage APIs".

11. Under Google APIs, search for EMM and select Google Play EMM API.

12. Click Enable API to enable the API.

13. Once the Google Play EMM API is enabled, click Go to Credentials.

14. Now click Service account.

15. Click Create service account.

16. In the Create service account pane provide the Name, check "Furnish a new private key" and select P12 as the key type, check "Enable Google Apps Domain-wide Delegation", provide the "Product name for the consent screen" and click Create.

17. When you click Create you are prompted to save the P12 file, and once the service account is created the console shows the password for the keystore (Google-generated P12 keys use the fixed password notasecret). Click Close. This file is the service account's private key: whoever holds it can act as the service account and, after step 22, as any user in your domain for the authorized scope, so store it as you would any privileged credential and remove working copies once it is imported into XenMobile.

18. Under Permissions, click Service accounts, open the options for your service account and click View Client ID.

19. Download the JSON file using the Download JSON link (keep it for future reference). Note the Client ID and the service account e-mail address from this step; you will use them in the Google Admin console and in XenMobile Server.

20. Now log in to the Google Admin portal (https://admin.google.com) with the Google Android for Work admin credentials and click Security.

21. Under Security, select Advanced Settings, and in the Advanced Settings tab click Manage API client access.

22. Under Manage API client access > Authorized API clients, enter the Client ID from step 19 in the Client Name box, enter https://www.googleapis.com/auth/admin.directory.user in the One or More API Scopes box and click Authorize. Authorize only this scope: domain-wide delegation lets the service account impersonate any user in the domain for every scope listed here, so each extra scope widens what a compromised key can do.
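The quickest way to confirm that the authorization in step 22 took effect is to have the service account request a delegated token, which is an RS256-signed JWT carrying the admin's address in the "sub" claim. The script below is an added example and is not Citrix or Google code; it builds that assertion exactly as Google's token endpoint expects it and verifies the signature locally. The service account e-mail, admin address, project name and the throwaway RSA key it generates are all assumptions standing in for your real values and for the P12 key from step 17; only openssl, awk and tr are required.

```shell
#!/bin/sh
# Added example (not Citrix or Google code): build and locally verify the RS256 JWT
# assertion a service account presents to Google's token endpoint when it uses
# domain-wide delegation. Requires only openssl, awk and tr.
set -eu
WORK=$(mktemp -d)

# Assumed values (replace with your own): the service account e-mail from step 19,
# the Google Apps domain admin to act as, and the scope authorized in step 22.
SA_EMAIL="emm-sa@example-project.iam.gserviceaccount.com"
ADMIN_EMAIL="admin@example.com"
SCOPE="https://www.googleapis.com/auth/admin.directory.user"
TOKEN_URL="https://oauth2.googleapis.com/token"

# Constructed throwaway key pair so the example runs offline. With the real key,
# convert the step-17 P12 instead:
#   openssl pkcs12 -in key.p12 -nocerts -nodes -passin pass:notasecret -out sa.key
openssl genrsa -out "$WORK/sa.key" 2048 2>/dev/null
openssl rsa -in "$WORK/sa.key" -pubout -out "$WORK/sa.pub" 2>/dev/null

# base64url without padding, as JWT requires (stdin -> stdout), and its inverse
b64url_enc() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }
b64url_dec() {
  tr '_-' '/+' | awk '{ n = length($0) % 4; if (n) $0 = $0 substr("==", 1, 4 - n); printf "%s", $0 }' \
    | openssl base64 -d -A
}

# build_assertion KEYFILE -> JWT on stdout. The "sub" claim is what turns this into
# a delegated request on behalf of ADMIN_EMAIL; without it the token would be for
# the service account itself and the Directory API call would be refused.
build_assertion() {
  now=$(date +%s)
  header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url_enc)
  claims=$(printf '{"iss":"%s","sub":"%s","scope":"%s","aud":"%s","iat":%d,"exp":%d}' \
    "$SA_EMAIL" "$ADMIN_EMAIL" "$SCOPE" "$TOKEN_URL" "$now" "$((now + 3600))" | b64url_enc)
  sig=$(printf '%s.%s' "$header" "$claims" | openssl dgst -sha256 -sign "$1" -binary | b64url_enc)
  printf '%s.%s.%s' "$header" "$claims" "$sig"
}

# jwt_claims JWT -> decoded claims JSON, to eyeball iss/sub/scope before sending
jwt_claims() { printf '%s' "$1" | cut -d. -f2 | b64url_dec; }

# verify_assertion JWT PUBFILE -> exit 0 only if the RS256 signature is valid under PUBFILE
verify_assertion() {
  signed=${1%.*}
  printf '%s' "${1##*.}" | b64url_dec > "$WORK/sig.bin"
  printf '%s' "$signed" | openssl dgst -sha256 -verify "$2" -signature "$WORK/sig.bin" >/dev/null 2>&1
}

JWT=$(build_assertion "$WORK/sa.key")
verify_assertion "$JWT" "$WORK/sa.pub" && echo "local signature check OK"
jwt_claims "$JWT"; echo
# Live check (needs network and the real key; not run here):
#   curl -s -d grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer -d "assertion=$JWT" "$TOKEN_URL"
```

Sent with the real key, a 200 response containing an access_token means delegation for that scope is in place; an "unauthorized_client" error means the client ID or scope authorized in step 22 does not match this service account, and a Directory API call made with the resulting token failing for the impersonated admin means the "sub" address is not a user of the Android for Work domain.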

Stage 2: Binding to EMM

Here you bind your Google Android for Work account to Citrix as the EMM, which is what lets XenMobile Server administer Android for Work. Enabling or disabling this binding is done by Citrix Technical Support, not from the console.

23. To bind Android for Work to Citrix EMM, contact Citrix Technical Support (https://www.citrix.com/contact/technical-support.html) with your binding token (from step 7), your enterprise domain name and the service account details (from step 19).

Once the binding is complete you can confirm it in the Google Admin portal: log in, navigate to the Security tab, and under the Android for Work settings you will see that your Google Android for Work account is bound to Citrix as the EMM.

Stage 3: Enable XenMobile Server with Android for Work

24. Log in to the XenMobile Server console, click the Settings tab and under Settings select Certificates.

25. Here you upload the P12 keystore downloaded from the Google Developers Console in step 17. Click Import.

26. Select Keystore from the Import drop-down, PKCS#12 as the keystore type and Server from the Use as drop-down, browse to the keystore file, enter the keystore password and click Import.

27. On the Settings tab, under Server, select Android for Work.

28. Provide the Android for Work domain name, domain admin account and service account ID, check Enable Android for Work and click Save.

Configure the following settings:

  • Domain name: Type your Android for Work domain name; for example, domain.com.
  • Domain Admin Account: Type your domain administrator user name; for example, the e-mail account used for the Google Developer Portal.
  • Service Account ID: Type your service account ID, i.e. the e-mail address of the Google service account (serviceaccountemail@xxxxxxxxx.iam.gserviceaccount.com).
  • Enable Android for Work: Click to enable or disable Android for Work.

Stage 4: Enable SAML-based SSO with XenMobile Server as IdP

29. Log in to XenMobile Server, navigate to the Configure tab, click Settings and under Settings select Certificates.

30. Select the SAML certificate in the list of certificates, export it from XenMobile Server and save it on your computer. (Note: you will upload this SAML certificate into the Google Admin portal to enable SSO in the coming steps. Export only the certificate, i.e. the public half; the signing private key stays on XenMobile Server and Google never needs it.)

31. Now log in to the Google Admin portal (https://admin.google.com) with the Google Android for Work admin credentials and click Security.

32. Under Security, select Set up single sign-on (SSO) and check the box Setup SSO with third party identity provider. Then provide:

Sign-in page URL: https://<XMS FQDN>/aw/saml/signin

Sign-out page URL: https://<XMS FQDN>/aw/saml/signout

Change password URL: https://<XMS FQDN>/aw/saml/changepassword

<XMS FQDN> is the public hostname of your XenMobile Server; Google redirects the user's device to these URLs, so it must be reachable over HTTPS with a certificate the device trusts. Under Verification Certificate, browse to the public SAML certificate exported from XenMobile Server in step 30 and click SAVE CHANGES.
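Two artifacts change hands in stages 3 and 4, and both fail at import time in ways that are slow to diagnose: the P12 keystore from step 17 will not import into XenMobile (step 26) if the password is wrong or the file holds no private key, and the SAML certificate exported in step 30 is only useful to Google (step 32) while it is valid. The script below is an added example, not Citrix or Google tooling, that checks both with openssl before you upload them. The self-signed certificate and keystore it generates are constructed stand-ins for your real files; point the two check functions at the actual P12 and exported certificate instead.

```shell
#!/bin/sh
# Added example (not Citrix or Google code): pre-import checks with openssl for
#  1. the P12 keystore from step 17, before importing it into XenMobile (step 26);
#  2. the SAML certificate exported from XenMobile (step 30), before uploading it
#     as the verification certificate in the Google Admin portal (step 32).
set -eu
WORK=$(mktemp -d)

# Constructed stand-ins so the checks run offline: a self-signed cert/key packed as a
# PKCS#12 keystore under the fixed password Google uses for its P12 keys, "notasecret".
make_stand_ins() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=xms.example.com" \
    -keyout "$WORK/saml.key" -out "$WORK/saml.crt" >/dev/null 2>&1
  openssl pkcs12 -export -in "$WORK/saml.crt" -inkey "$WORK/saml.key" \
    -passout pass:notasecret -out "$WORK/service-account.p12"
}

# check_keystore FILE PASSWORD -> 0 if FILE is a PKCS#12 that opens with PASSWORD
# and holds a private key; a wrong password (the usual import failure) returns 1.
check_keystore() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}

# check_cert FILE DAYS -> 0 if FILE is an X.509 certificate that will still be valid
# DAYS days from now. It also prints subject, expiry and SHA-256 fingerprint so the
# upload can be compared against what the Google Admin portal shows afterwards.
check_cert() {
  openssl x509 -in "$1" -noout -subject -enddate -fingerprint -sha256 2>/dev/null || return 1
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

make_stand_ins
check_keystore "$WORK/service-account.p12" notasecret && echo "keystore: OK"
check_cert "$WORK/saml.crt" 30 && echo "SAML cert: valid for at least 30 more days"
```

Run check_keystore against the real P12 with the password shown in step 17 and check_cert against the exported SAML certificate; if the certificate is within your renewal window, export a fresh one from XenMobile Server and upload it to Google before users start seeing sign-in failures.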

Stage 5: Activation of the Work Profile and End-user Experience

33. The end user downloads the Worx Home app from the Google Play Store onto their Android device and enrolls the device with the XenMobile Server.

34. On successful enrollment, Worx Home creates the Android work profile, after which the user can access their Android for Work apps. (If the device is not yet encrypted, the user is prompted to encrypt it during this process.)

Key Points:

1. Make sure enrollment uses the userPrincipalName (UPN).

2. To trigger creation of the work profile on the Android device, at least one Android for Work policy must be defined and deployed in XenMobile Server.

3. To define an Android for Work policy, log in to XenMobile Server, navigate to the Configure tab and select Device Policies. Click Add, and under Add a New Policy click Passcode to define the passcode policy for Android for Work, then deploy it to the required delivery group.

Credits: Thanks to Chetan Ithal and the XenMobile QA team for helping with Android for Work.