Welcome to the third part of our Citrix Endpoint Management and Android Enterprise series. In this edition we will dive deep into Android Enterprise’s fully managed device (formerly known as work-managed) solution set and also understand what capabilities Citrix Endpoint Management (CEM) supports in this management mode.

What Is a Fully Managed Device?

A fully managed device solution is most ideal for corporate-owned devices. These are the devices that a company/organization provides its employees for work-related matters and are primarily used for accessing corporate apps and data — anywhere, at any time.

Because the company owns the devices, IT administrators would like to have full authority over them to ensure they meet all the security criteria necessary to access sensitive corporate information. With a fully managed device solution, IT admins are provided with an extended range of device settings and policy controls that are unavailable in a work-profile scenario for managing devices.

How Citrix Endpoint Management Helps with Managing Android Devices in Fully Managed Mode

To get started, the IT administrator first needs to configure Android Enterprise in Citrix Endpoint Management. This process is straightforward and requires carrying out a few simple steps. You can find instructions here.

Citrix Endpoint Management supports all the different ways of provisioning a new/factory reset device into fully managed mode:

  • IT administrators can provision the device by using a device policy controller (DPC) identifier at the device start up, e.g. “afw#xenmobile.”
  • IT administrators can provision the device by scanning a QR code generated by providing all the user credentials.
  • IT administrators can provision the device by NFC bumping it with the CEM’s NFC provisioning app.
  • IT administrators can provision the devices by preconfiguring the devices purchased from authorized resellers in the zero-touch portal.

The video below shows the end user experience and explains provisioning the device in the ways mentioned above.

Once the devices are provisioned and onboarded to Citrix Endpoint Management, IT administrators can distribute corporate apps and data and enforce a number of device policies on them.

Citrix Endpoint Management provides the following device-policy configurations from the console:

  • Passcode: set device passcode requirements to match your organization requirements
  • Restrictions: allows or restricts end users from using certain features of their devices such as camera, screen capture, installing non-Google Play apps, copy/paste, etc.
  • Exchange: configure Microsoft ActiveSync to run Exchange mail on the devices
  • Control OS update: allows or defers OS updates on the devices
  • Managed app configurations: provides ability to define app configurations provided by the app developer for a given app
  • Managed app permissions: lets IT admin specify the behavior when apps request dangerous permissions
  • Credentials: delivers certificates to the devices
  • App uninstall: lets IT admin specify which apps need to be uninstalled from the devices
  • Wi-Fi*: sets Wi-Fi profile for the devices
  • Location*: allows IT admin to track the locations and movement of the devices
  • VPN*: allows configuring a VPN connection to provide a device-level encrypted connection to the intranet
  • Custom XML*: supports policy definition for ruggedized devices such as Zebra, Sonim, and Honeywell

* Available in upcoming CEM releases

In addition to the above-mentioned device policies, CEM also provides security actions such as lock, wipe, locate, and revoke to be carried out on the fully managed devices.

Citrix Endpoint Management distributes the app store/enterprise apps to fully managed devices through a managed Google Play (similar to that in work profile) on the device.

The IT administrator needs to approve the apps and set the preference on handling the app permission requests in Google Play before the same app is deployed from the CEM console to fully managed devices.

If you are currently managing Android devices in Citrix Endpoint Management via device admin and are looking to migrate to Android Enterprise fully managed, then do the following:

  • Configure Android Enterprise in Citrix Endpoint Management
  • Define Android Enterprise device policies from the console
  • Approve applications from Google Play and deploy the same from CEM console
  • Factory reset the devices and use one of the above-mentioned device provisioning options to enroll the devices into CEM

Voila! If you’ve taken the actions above, you should now be managing your Android devices and having a much more secure and better experience. I will be back soon with the last part of this series, where we will look into Android Enterprise dedicated devices.

If you are not a Citrix Endpoint Management customer and would like give it a try, please click here