Android for Work is Google’s enterprise MDM solution. A device enrolled using Android for Work will create a secure profile to host all company information. This allows the administrators to apply policies and remotely administer and secure corporate apps and data without affecting personal apps and data.
Identity Models: Managed Google Play Accounts vs Google Accounts
The first Android for Work implementation in XenMobile was done before Google added support for Managed Google Play Accounts (EMM Managed) scenarios. The Google Accounts (Google Managed) enrollment process for administrators involved several steps, including contacting Citrix support to have an Enterprise and Service Account created and proving domain ownership. With Managed Google Play Accounts scenarios, the enrollment process for administrators is simplified.
Creating an EMM-Managed Enterprise and Enrolling into XMS
- Feature must be turned on
- For cloud deployments, the feature flag enabling the feature must be turned on in Launch Darkly
- For on-premises deployments, the “afw.accounts” server property must be set to TRUE
- Administrator must have a non-G suite Google account that can be used as the administrator account to manage the enterprise
How to Create and Enroll an EMM-Managed Enterprise
To create an EMM-Managed enterprise, the administrator performs the following steps:
Log into the XMS console, navigate to Settings, then choose Android for Work.
Tap the button that guides the user to XenMobileTools. Note: The XenMobileTools page will open in a new tab.
On XenMobileTools page, tap Go to Google Play button
Log into Google with a non-G suite account, provide the Enterprise name, accept the terms and conditions, and tap “Complete Registration”
Set a password and download the configuration file. Note: This password is used to encrypt the configuration file to be exported from XenMobileTools and to decrypt it after importing into XMS.
Go back to the tab with Android for Work Settings page in the XMS console, upload the configuration file downloaded in step 5, and enter the password provided in step 5.
The Enterprise administrator can use the Google Play Administrator Console to provision apps for users. This applies to both EMM-Managed and Google Managed scenarios and is unchanged from existing Android for Work app management.
Under the Managed Google Play Accounts (EMM Managed) identity model, each user will have a “ghost” Google account automatically provisioned for it and mapped to the actual user account. Users will see this account when looking in Secure Hub settings.
Information for Existing Customers
Upgrading to XMS versions that support v2
For any customers who created a Google Accounts (Google Managed) enterprise (i.e. v1) in existing XMS 10.6 or earlier version, it will continue to work the same way after upgrading XMS to versions that support Android for Work v2 (a database migration will occur in the background the first time the administrator logs into XMS console after the XMS upgrade. When navigating to the Android for Work section of Settings in the XMS console, the UI will be very similar to previous versions. The only difference is that the client id field is now shown as a fourth text box under Service Account ID (previously it was only available in Server Properties).
Moving from Android for Work v1 to v2
For customers that wish to delete an existing Google Managed enterprise v1 configuration, the admin must set the “use.afw.accounts” Server Property to “True”, then navigate to the Android for Work section of Settings in the XMS console. The UI should now show the buttons prompting the administrator to go to XenMobileTools to create a configuration and upload it into XMS. The existing v1 configuration will remain in XMS until the v2 configuration is successfully imported into XMS. Note that multiple enterprises are not supported at this time, so it is not possible to have active v1 and v2 configurations at the same time.
Information for G Suite Customers
The current implementation does not support Managed Google Play Accounts (EMM Managed) enterprises for G Suite customers. G Suite customers who wish to use Android for Work must follow the v1 workflow. If there’s no existing Android for Work v1 configuration and the v2 feature is enabled, the administrator will need to switch to the Google Managed configuration page if they are a G Suite customer. This is accomplished using the down arrow next to the title or the link in the description, as shown in the image below.
“Android for Work” vs. “Android”
Google has renamed “Android for Work” to just “Android” in documentation. Citrix is continuing to use “Android for Work” naming to prevent confusion between the MDM enrollment scenario and the platform itself. Read here for more information: https://support.google.com/work/android/answer/7218437