Android Betriebsmodus BYOD

Android Enrollment im Betriebsmodus Bring your own Device - BYOD

New article with version: 2.0.0

notempty

This article refers to a Resellerpreview

Einleitung

Bring your own Device - Personal device with business use:

Every employee uses his or her private device
Apps and data for work purposes are stored in a work container

Registration by scanning the registration token with the App Android Device Policy from the Google Play Store.
Hint:This app does not appear on the Home screen or in the App Launcher.
The app is launched from the list of installed apps in the Google Play Store

Eine Übersicht über die Betriebsarten von Android Enterprise sind im Wiki-Artikel Ersteinrichtung Android Enterprise zu finden.

Flow chart

The steps required to connect Android devices are described here:

Prerequisite:

Securepoint Mobile Device Management (MDM) must be linked to a Google account as Android Enterprise account
In Securepoint Unified Security Portal configured Android Enterprise Profile

Enrollment:

Creating a Registration Token for a Profile
Register device

Securepoint Mobile Device Management (MDM) must be linked to a Google account as Android Enterprise account
In Securepoint Unified Security Portal configured Android Enterprise Profile

Enrollment:

Creating a Registration Token for a Profile
Register device

Securepoint Mobile Device Management (MDM) must be linked to a Google account as Android Enterprise account
In Securepoint Unified Security Portal configured Android Enterprise Profile

Enrollment:

Creating a Registration Token for a Profile
Register device

Securepoint Mobile Device Management (MDM) must be linked to a Google account as Android Enterprise account
In Securepoint Unified Security Portal configured Android Enterprise Profile

Enrollment:

Creating a Registration Token for a Profile
Register device

Preparation

There must be a connection from the Securepoint Mobile Security Portal to an Android Enterprise account.

Show instructions for connecting

BYOD: Link Google Enterprise with Securepoint Mobile Security

In order to be able to use Google Enterprise for companies and administer it via Securepoint Mobile Security, a link must be established between the Mobile Security account and a Google account for EMM. It is important to note that there is only one Google Enterprise account for all devices of a tenant (customer with own mobile security account). Without EMM, every device has its own Google account.	Settings for Apple and Android
notempty A Google Account may only be associated with one tenant at a time ! ‍ Otherwise, all devices assigned to a tenant – and thus to a Google Account – will appear in all other tenants linked to the same Google Account!
Associating in the menu Associating in the menu
Mobile Security Settings → Android Enterprise → Add/Link
A Google account is enabled as an enterprise account by linking Securepoint Mobile Security as EMM provider
The communication of the Securepoint Mobile Security Portal runs completely via this Google account.
notempty To avoid unwanted side effects, a new account should definitely be created. It is recommended to use a naming scheme here: mdm.$customer_name@gmail.com

Show step-by-step instructions: Link to Google Enterprise Menu Mobile Security Settings → Android Enterprise → Add/Link Add Enterprise account Email address, for linking with Android Enterprise Email addresses with a domain of your own organisation can be used (e.g. mdm@anyideas.de) E-mail addresses from mail providers can be used (e.g. mdm.anyideas@gmail.com) If an e-mail address with a domain of your own organisation is used (e.g. mdm@anyideas.de), this must be confirmed If an e-mail address with a domain of a mail provider is used (e.g. mdm.anyideas@gmail.com), the option Register for Android only must be selected. Forwarding to https://play.google.com/work Company name. The link to Securepoint Mobile Security is already predefined. Data Protection Officer and EU authorized details required The registration with Google can be completed with it. You will be redirected back to the Securepoint Mobile Security Portal. The e-mail address with which the link was created should now be saved to enable later assignment. The setup must be completed with save. The link is now established. If this message appears when calling https://play.google.com/work, the registration in the Securepoint Mobile Security Portal has not yet been completed and no token linked!

There must be an Android profile that can be assigned to the device.

Further notes on Android profiles

BYOD: Android Profile

Under Mobile Security Android Profiles you can Add profile or Import profile or edit an existing profile (click on profile tile or → Edit )
Various configurations are made here, e.g:

Install and configure Apps
Password policies
Security settings

Control of the app store for private applications
Release of professional address books for private use (e.g. for incoming calls).
WiFi configurations
Restrictions
Password policies
Security settings

Best Practice: Description the most important configuration options

notempty

In addition to configuring the basic settings, restrictions, networks, etc., the following settings are required in the profile:

Applications Applications Installation type Kiosk must be added in the Applications tab for a single app
Caption	Value	Description	Application with the installation type Kiosk
Add application
Packetname	en.selected.app	Select package from dropdown menu or add with select application
Installation type	Kiosk	The app is automatically installed in Kiosk mode: it is set as the preferred output type and set to the allowlist for lock task mode. Device setup is not completed until the app is installed Users cannot remove the app after it is installed You can only set this installation type for one app per profile If this is present in the profile, the status bar will be disabled automatically.

Restrictions Restrictions Settings in the Restrictions tab for the kiosk mode
Activate the custom kiosk launcher		Hides all system apps on the homescreen and shows only the apps installed via the profile. It is recommended to additionally disable the status bar to block access to device settings.
Power Button Actions	Not specified	Sets the behavior of a device in kiosk mode when a user presses and holds the on / off button. Available by default
	Available	The on / off menu (e.g. power off, restart) is displayed when a user long presses the on / off button of a device in kiosk mode
	Blocked	The On / Off menu (e.g. power off, restart) is not displayed when a user long presses the On / Off button of a device in kiosk mode This may prevent users from turning off the device
System error warnings	Not specified	Specifies whether to block system error dialogs for crashed or unresponsive apps in kiosk mode. Muted by default.
	Activated	All system error dialogs such as crash and app not responding (ANR) are displayed.
	Mute	All system error dialogs like crash and unresponsive app (ANR) are blocked. When blocked, the system forcibly stops the app as if the user closes the app from the user interface.
Systemnavigation	Not specified	Indicates which navigation functions are enabled in Kiosk mode (e.g. Home, overview keys).
	Activated	Home and overview buttons are activated.
	Deactivated	The Home and Overview buttons cannot be accessed.
	Home button only	Only the home button is enabled.
Status bar	Not specified	Specifies whether system information and notifications are disabled in kiosk mode. By default, notifications and system information are disabled.
	Notifications and system information enabled	System informations and notifications are displayed in the status bar in kiosk mode
	Notifications and system informations disabled	System informations and notifications are disabled in kiosk mode
	System informations only	Only system information is displayed in the status bar
Device settings	Not specified	Specifies whether a user can access the app settings of the device in kiosk mode Allowed by default
	Allowed	Access to the Settings app is allowed in Kiosk mode
	Blocked	Access to the Settings app is not allowed in Kiosk mode

notempty

In addition to configuring the basic settings, restrictions, networks, etc., the following settings are required in the profile:

Personal use Personal use In the tab Personal use this must be explicitly allowed and if necessary further settings must be made.
Caption	Value	Description	Personal use tab
Activate	default: off	Enables the control of private use notempty If this switch is not enabled, the user can install private apps without any restrictions!
Disable camera		Disables the camera in the personal profile In order to use the camera for business applications, it must be stored as an app in the Applications tab.
Deactivate the screen recording		Screen recordings (screenshots) are not possible when activated
Account types with disabled management		Account types that cannot be managed by the user. com.google prevents adding Google accounts in apps, for example. com.twitter.android.auth.login com.facebook.auth.login com.linkedin.android com.google prevents adding Google accounts in all Google Apps (incl. Gmail, Google Calendar, Google Drive, etc.) ‍ Must not be entered for COPE devices. If this option is subsequently removed, a new enrollment must be performed. com.google prevents Google accounts from being added. Private use would thus no longer be possible and must therefore not be used with COPE devices
Max. days without work	0	Controls how long the work profile can stay off. (In the app overview, the apps and notifications of the work profile can be deactivated.)
Personal Play Store mode	Not specified	Specifies whether to allow or block the apps in the Personal apps section of the personal profile. Standard block list. It is also necessary to specify the Installation type.
Approval list	Only apps that are explicitly specified in Personal apps and whose Installation type is set to Available may be installed in the personal profile.
Blocklist	All Play Store apps can be installed in the personal profile, except for those whose installation type is "Blocked" under "Personal apps".

Personal applications	Add application	Guidelines for apps in the personal profile of a company-owned device with a work profile
Packetname	en.selected.app	Select package from dropdown menu or add with select application
Installation type	Not specified	The way the installation is performed. (Not specified=Default: Available) Unspecified is counted as Available and overrides the Play Store mode Blocklist or Unspecified setting.
	Block	The app is blocked and cannot be installed. If the app was installed using an old profile, it will be uninstalled
	Available	The app is ready for installation Private apps must be added with their own Google account
Cross-profile guidelines
Activate		Policies that, when activated, define restrictions on communication between private and business profile
Show work contacts in personal profile	Allowed default value	Allows work profile contacts to appear when searching for personal profile contacts and incoming calls
	Not allowed	Prevents contacts from the work profile from being displayed when searching for personal profile contacts and incoming calls
	Not specified	Corresponds to Allowed
Cross-profile copy & paste		Prevents users from pasting text copied from the work profile into the personal profile. Text copied from the personal profile can be pasted into the work profile and text copied from the work profile can be pasted into the work profile.
	Allowed	Text copied in one of the profiles can be pasted in the other profile
	Not specified	Corresponds to Not allowed
Cross-profile data sharing	Refuse from work to personal profile default value	Prevents users from sharing work profile data with apps in the personal profile. Personal data can be shared with work apps.
		Prevents data from being passed from both the personal profile to the work profile and from the work profile to the personal profile.
	Allowed	Data from one of the profiles can be shared with the other profile.
	Not specified	Corresponds to Not allowed
Save		All data must be stored in order to be transferred to the devices.

Device enrollment

BYOD: Registration Token for a Profile

Under Mobile Security Android Devices it is possible to Register new device

Caption	Option	Description	Register new device with Android Enterprise	Register new device with Android Enterprise	Register new device with Android Enterprise	Register new device with Android Enterprise
Would you like to use an existing registration token?	Create a new registration token	If a registration token has already been created that has not yet expired, it can be selected and displayed here. (Fig. see below)
Profile	Android Enterprise Profil	This profile is to be applied to the device to be registered.
License	TTT-Point AG \| MDM [0/10] (aaaa)	Select the license to be used for new enrolled devices. It is possible to assign devices to a new License after a runtime license expires.
Use code		Determines whether or not a code is required during enrollment at the end of device registration notempty Should be enabled to prevent devices that have fallen into unauthorized hands from being registered with configured credentials or other company secrets notempty For security reasons for ZeroTouch Enrolment, only enrolment tokens that have been provided with a PIN can be selected.
More options
Duration	30 days	Specifies how long this token can be used After this, device registration with this token is no longer possible. Possible values: 30 minutes One hour One day One week 15 days 30 days 60 days 90 days Infinite ‍ Technically, it is a limit of 10,000 years
Additional data		Any data associated with the registration token. Displayed under Devices in the device overview
Only once		Specifies whether the registration token may only be used once.
Allow private use	Private use is permitted	Determines whether private use is allowed on a device logged in with this registration token. For private devices: A work profile is set up on the device. The MDM has exclusive access to apps and data within this profile. The MDM can control whether an exchange of data between the work profile and the normal environment on the device is allowed to take place. Disabling private use prevents the device from being provisioned. Private use cannot be disabled on a private device.					Private use is permitted	Determines whether private use is allowed on a device logged in with this registration token. For corporate devices: A working profile is set up on the device. The MDM has full access to applications and data in the work profile and in the normal environment.	Private use is not permitted	Determines whether private use is allowed on a device logged in with this registration token. Disabling private use prevents the creation of a work container.	Private use is not permitted	Determines whether private use is allowed on a device logged in with this registration token. Disabling private use prevents the creation of a work container.

Create registration token		Creates a registration token with QR code and a value that can be entered using the keyboard. The name of the associated profile is displayed, as well as the date on which it expires and can no longer be used.

BYOD: Register device

Private devices with additional work profile (BYOD)

In order to be able to distinguish private from business apps, the app Android Device Policy is required.
On private devices in which only the work profile is managed by an organisation - and thus by the Securepoint Mobile Security Profile - this app must be installed manually from the Android App Store.
With this app the registration token is scanned or entered via the keyboard and the devices can be registered and configured in the portal.

Installing the app Android Device Policy from the Google App Store
Scanning the QR code or entering the registration token via the keyboard
- A work profile is created on the device for the Enterprise profile.
- All configured applications, restrictions etc. are created and applied within the work profile.

Show step-by-step instructions

Switching on for the first time or device reset (factory settings)
Country settings selection
Tapping the display 7 times quickly opens a QR code scanner
Scanning of the profile QR code (see above)
A work profile is created on the device
- All configured apps, restrictions, etc. are created and applied within the work profile.
- Apps are displayed in the "Business area and marked with a suitcase icon
A private Google account can be stored additionally
This step can also be done later
- A private profile is created
- There is a separate area Private with its own playstore

Show step-by-step instructions

Fully managed devices (COPE, Company Owned personal enabled) are connected directly to the Android Enterprise profile during initial setup or after a device reset. The link to a Google account and thus to an app store is defined by the assigned profile.

Initial power-up or device reset (factory settings)
Selection of regional settings
Tap the display 7 times quickly to open a QR code scanner
Scanning the profile QR code (see above)
The device is configured as a fully managed device.
- All policies, apss and restrictions stored in the profile will be applied directly to the device
  This process may take a few minutes during the initial installation!

Show step-by-step instructions