Insight, 15.11.2021

Android Enterprise enrollment

What is Android Enterprise and is it supported by Relution?

Android devices can be managed via the device administrator function, also called “Classic Mode”, in which the Relution Client is required as device administrator for device enrollment and the other MDM functions. In addition to this well-known mode, Relution also supports Android Enterprise enrollment. For this option, the variants work profile (BYOD), managed device (COD) and personal profile (COPE) are available.

With Android Enterprise, Relution communicates with Google’s Device Management Server and no longer directly with the device. Enrollment and all MDM functions can therefore be performed without the Relution Client. No private Google IDs are required to install apps from the Managed Google Play Store on the devices.

How to set up Android Enterprise in Relution?

In order to use Android Enterprise with the Mobile Device Management Relution, the corresponding Relution organization must be linked to a Google organization. A guide for the linking is available in the following Insight: Android Enterprise setup in Relution.

Can apps be installed on Android Enterprise devices via Relution?

In contrast to the Android “Classic Mode”, where only native apps can be distributed as .apk files, Android Enterprise installs apps from the Managed Play Store. No Google ID is required to install apps, as the unique technical ID is automatically used in the background. This also automatically distributes app updates to devices via the Managed Play Store. This eliminates the need to manually update the app via new versions of an .apk file.

Android Enterprise work profile (BYOD)

Is it possible to use Android Enterprise work profile with Relution?

If the Relution organization is linked to a Google account, the type “work profile” can be selected in addition to the platform “Android Enterprise” during enrollment.

What are the advantages of Android Enterprise work profile?

The Android work profile allows companies, administrations or schools to set up a container on employees’ private devices, so-called Bring Your Own Devices (BYOD), which contains exclusively business apps, content and functions. Business and private data on the device are thus strictly separated. This can be, for example, the separation of private and business emails. These can be used independently of each other via the Android Enterprise work profile, without private and business content mixing when receiving and sending emails on the device. The business email account only has access to business contacts, while the private email account only has access to private contacts. Generated data on the device or in used apps cannot be read by Relution.

Android Enterprise managed device (COD)

Can you use Android Enterprise managed device with Relution?

If the Relution organization is linked to a Google account, the type “managed device” can be selected in addition to the platform “Android Enterprise” during enrollment.

What are the benefits of managed devices?

In contrast to the work profile, managed devices are intended for corporate owned devices (COD). The company, administration or school thus has complete control over the device and can control all functions of the device in addition to the app installation. For example, it is possible to set up WLAN connections and install apps or prohibit access to the settings. Generated data on the device or in used apps cannot be read by Relution. Only the device details and which apps are installed on the device can be read.

Android Enterprise managed device with personal profile (COPE)

Is it possible to use Android Enterprise managed device with a personal profile with Relution?

If the Relution organization is linked to a Google account, the type “managed device with personal profile” can be selected in addition to the platform “Android Enterprise” during enrollment.

What are the benefits of managed devices with personal profile (COPE)?

Managed devices with a personal profile are also under the full control of the MDM of a company, administration or school. However, in addition to a “Work” area, there is automatically another “Personal” area on the device. This means that a work device can also be used privately. The business and private data on the device are also strictly separated, as with the work profile. Unlike a private device with a work profile, the user cannot delete the work profile on a work device with a personal profile.

How to configure Android Enterprise devices in Relution?

Enrolled Android Enterprise devices can be given specific settings via policies that can be applied to compatible devices. Here, Android Enterprise configurations are differentiated into “work profile” and “managed device”.

The following configurations are identical for both types, but each refers to the specific application area:

  • Manage apps
  • Manage runtime permissions
  • Password
  • Restrictions.

With work profile, the settings only affect the work profile, as there is no control over the entire device. Restrictions that relate to the device therefore have no effect on the work profile. With managed device, the settings always apply to the entire device.

Furthermore, there are advanced configurations that are only available for managed device:

  • Advanced Keyguard Management
  • Advanced location sharing settings
  • System radio management
  • WiFi.

How are public apps installed on Android Enterprise devices?

Apps from the Managed Play Store can be loaded onto the devices via the Manage work apps configuration.

On the respective app detail page, the app can be added to the configuration via the “Select” button.

Are presets for installing apps on Android Enterprise devices possible?

For each app added, the following parent settings can be made:

  • Pre-installed means that the app is installed on the device, but may be removed by the user unless this is globally prevented in the restrictions.
  • Forced installation means that the app is installed on the device and cannot be removed by the user.
  • Blocked means that the app cannot be installed or, if already installed, cannot be used. The app will be hidden if necessary.
  • Available means that the app is available to the user in the Managed Play Store on the device and can be installed by the user as needed.
  • Disabled (checkbox) means that the app, if installed, may not be used. The app is not uninstalled, unlike blocked.
  • Minimum required version code specifies which version of the app must be installed as a minimum.

Further specific settings can be made for individual apps.

Manage runtime permissions

If an app asks for permissions at runtime, e.g. access to camera or GPS, the user usually has to decide whether access is granted or not.

Via this setting, the administrator can specify how the app’s request is answered. In this case, the user is no longer asked for consent.


The following settings are possible:

  • Use global default means that the setting that applies to all apps is used; it is controlled separately via the "Manage runtime permissions" configuration.
  • Ask the user means the device behaves as normal and the user is asked for authorization.
  • Giving permissions means that the app gets the permission without the user being asked.
  • Deny permissions means that the app is refused the permission without the user being asked.

Standard Android permissions

The default response for runtime permissions applies to all permissions of an app. In contrast, with the standard Android permissions, it is possible to specify separately for each permission which response is to be used.

Here, the administrator has the option of specifying which response should be given for a particular permission in order to proceed in a more differentiated manner. For the respective permission of this app, the global setting is thus overridden.

This reduces support efforts, since permissions can no longer be set incorrectly. In addition, data protection can be ensured and, for example, access to GPS position data can be prevented centrally.


Custom permissions

If an app uses additional app-specific permissions that require approval, these can be configured here.

Managed configuration

If an app supports managed configuration, the configuration can be retrieved from Google and maintained here. The interface comes from Google and cannot be influenced by Relution. The setting options that are available here are defined by the developer of the respective app. If an app does not offer a managed configuration, no options are available here.

What other apps can be installed on Android Enterprise devices?

In addition to public apps, private apps and web apps can also be added and installed.

Private apps are apps that have been uploaded to the Play Store by the company but are not available to the public. The package name used for a private app must not be used by an app published to the Play Store.

Can web links be deployed to devices with Android Enterprise?

In the Managed Play Store, links to any web content can be made available via the Web Apps menu item in addition to apps. Different options can be selected here.

What are runtime permissions and what settings are possible?

In addition to configuring permissions at app level, global settings can be made via this configuration. These apply accordingly to all apps for which no special settings apply. This reduces support efforts, since permissions can no longer be set incorrectly. In addition, data protection can be ensured and, for example, access to GPS position data can be prevented centrally.
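
The precedence described for the per-app settings and for this global configuration can be checked mechanically before a policy is rolled out. The following is an added example, not Relution's code or export format: the policy layout, package names and function names are assumptions, and it reads the page as "per-permission response first, then the app's default, then the global default", listing sensitive permissions that end up granted without the user being asked.

```python
# Added example: hypothetical policy model, not Relution's own format or API.
ASK, GRANT, DENY, USE_GLOBAL = "ask", "grant", "deny", "use_global"

# Constructed sample policy; package names are placeholders.
POLICY = {
    "global_default": ASK,  # the "Manage runtime permissions" configuration
    "apps": {
        "com.example.mail": {"default": USE_GLOBAL, "permissions": {}},
        "com.example.scanner": {
            "default": DENY,
            "permissions": {"android.permission.CAMERA": GRANT},
        },
        "com.example.maps": {
            "default": GRANT,
            "permissions": {"android.permission.ACCESS_FINE_LOCATION": DENY},
        },
    },
}

# Permissions a reviewer would not want granted without user consent.
SENSITIVE = (
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
)

def effective_response(policy, package, permission):
    """Return (response, source) for one app/permission pair."""
    app = policy["apps"].get(package, {})
    override = app.get("permissions", {}).get(permission)
    if override is not None:
        return override, "permission override"
    app_default = app.get("default", USE_GLOBAL)
    if app_default != USE_GLOBAL:
        return app_default, "app default"
    return policy["global_default"], "global default"

def silent_grants(policy, permissions=SENSITIVE):
    """List sensitive permissions that are granted without asking the user."""
    findings = []
    for package in sorted(policy["apps"]):
        for permission in permissions:
            response, source = effective_response(policy, package, permission)
            if response == GRANT:
                findings.append((package, permission, source))
    return findings
```

Calling `silent_grants(POLICY)` on the constructed policy flags the app whose default is "grant" for every sensitive permission except the one that is explicitly denied, plus the single per-permission grant on the otherwise denied app.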


Can passwords for Android Enterprise devices be pre-configured?

The password configuration can be used to specify that a password must be used by the user on the device. In addition, the administrator can specify that no company apps can be used until a password of the corresponding strength has been assigned.


Can Android Enterprise devices be restricted?

Individual functions of the device can be switched on or off via the Restrictions configuration. Settings for the following categories are available for this purpose:

  • Preset restrictions
  • User account restrictions
  • App Restrictions
  • Restrictions for adjustments
  • Device restrictions
  • Multimedia restrictions
  • Network restrictions
  • Restrictions for storage
  • Telephone restrictions.

Can functions on the lock screen of a managed device be restricted (Keyguard)?

The “Extended keyguard management” configuration can be used to manage functions that are available while the device is locked. These include functions that unlock the device as well as the camera.


Is it possible to configure location services on a managed device?

Location services can generally be disabled or restricted via the “Advanced location sharing settings” configuration. For example, locating via GPS can be deactivated (battery-saving).


What settings can be made under the System Radio Management configuration for managed devices?

The System Radio Management configuration can be used to turn on or off functions of the device that are related to wireless network technologies (Bluetooth, WiFi, cellular).


Can WiFi networks be preconfigured for managed devices?

With the “WiFi” configuration, networks are predefined and made available to the Android Enterprise managed device.

What are the advantages of Android Enterprise?

In summary, Android Enterprise offers extensive settings and is continuously expanded and optimized by Google/Alphabet. The increasing standardization makes it possible to use devices from different manufacturers.

The uniform procedure ensures that all configurations work independently of the device manufacturer. The advantages at a glance:

  • Direct communication with Google's Device Management Server.
  • Apps no longer need to be deployed natively as .apk files, but are installed directly from the Managed Play Store.
  • No Google ID and thus no user interaction is required when installing the app on the device.
  • Via the work profile it is possible to provide an independent work container for apps, mails and data with strict data separation.
  • Managed devices can be fully controlled and all functions of the devices can be managed, analogous to the Apple Supervised Mode.
  • A Managed Google Play Store enables the provision of only allowed apps.
  • Managed configurations can be defined, similar to Apple iOS Managed App Configurations.
  • Enforced device encryption.

Nevertheless, Samsung still offers a variety of additional configurations with its Knox program, which currently still offers the largest range of options.