Setting up Android EMM for your organisation

Android Enterprise Mobility Management (EMM) allows further control of your organization's Android devices by allowing full device control and silent application installation and removal.

There are two options for preparing your organization for EMM

1 ) G Suite Account Enrolment

To set up an Android enterprise using Google Accounts, an organization must have a managed Google domain (Get started with G Suite for Education). Each domain can be linked to only one EMM console, and the organization must follow a verification process to prove that they own the domain.

For organizations that use G Suite, you can leverage their existing domain and identities—G Suite customers already have enterprise IDs, and users are already set up with managed Google Accounts.

• Go to the Mobile Guardian school dashboard and either register or sign in.
• On the school dashboard, click on Settings > Android Settings menu from the left panel.
• Click on the G Suite Account Enrolment button.
• In another tab, sign in to the Google Admin console at admin.google.com as a super administrator for your domain.
• Click Devices > Mobile & endpoints > Settings > Universal settings > General and ensure that it is turned off.

Please Note!  The step below is no longer available on the Google Admin console (Updated 30/09/2019)

• Click Devices> Mobile & endpoints > Settings > Third-Party> integrations and ensure that Google Mobile Management or any other 3rd party MDM provider has been removed as your EMM provider. Check the box to understand and accept the changes, and click Disabled.

• Edit the Android EMM settings
• Check the box " Enable third-party Android mobile management"
• Click on "Add EMM provider"
• Copy the token (a string of characters) or click Generate Token to generate a new token and then copy it. Note: If you're already using Android for Work, you can't view or generate a token.
• On the Mobile Guardian dashboard, add your Google domain admin email address used in Google Admin Console and your authentication token generated in the previous step.

Completion

After either of these flows has been followed, you will be redirected to the Mobile Guardian settings page showing the details of the enterprise created. On this page, you will have access to global settings for Android devices like default applications runtime permissions and your system update policy.

With this feature you would be able to enforce a Fully Managed Enrolled device or un-authenticated enrolled devices into COSU Mode.

COSU mode is a kiosk mode for Android devices which would lock the device to display only the Mobile Guardian on the device. The user would only be able to access third party applications that are added to the Mobile Guardian Launcher or in the My Catalogue section on the device.

2 ) Managed Google Play Account

Managed Google Play Accounts provide a lightweight identity model for organizations that don't use G Suite. Managed Google Play Accounts is a set of user, device, and admin accounts that are linked via Mobile Guardian. User validation requires Active Directory integration in order to create the managed Google account and link this to a device.

• Go to the Mobile Guardian school dashboard and either register or sign in.
• On the school dashboard, click on Settings > Android Settings menu from the left panel.
• Click on the Mobile Guardian Managed Account Enrolment button
• Click on Enrol button. You will be redirected to the "Bring Android to Work" page. Click through the form to complete and create your Account.
  • Remember to sign in with your desired Google account (Not a G Suite domain).
  • Enter an organization name. Go next
  • Click on the COMPLETE REGISTRATION button.

3 ) Further settings

All other Android settings are controlled by your profiles. Now that you have your enterprise enrolled, navigating to the Restrictions > Android tab of any profile will display all the settings available to EMM enrolled devices.

EMM also enables the silent installation (and removal) of applications. You may add an application available via the Google Play Store by using the search on the Applications page. Once added the application must be approved from the application details page before you will be allowed to configure it for installation for your device groups. See more at Configuring Android applications for silent install.