MS/enrollment/emm/COBO

In order to be able to use Google Enterprise for companies and administer it via Securepoint Mobile Security, a link must be established between the Mobile Security account and a Google account for EMM.
It is important to note that there is only one Google Enterprise account for all devices of a tenant (customer with own mobile security account). Without EMM, every device has its own Google account.

Settings for Apple and Android

notemptyA Google Account may only be associated with one tenant at a time !

Otherwise, all devices assigned to a tenant – and thus to a Google Account – will appear in all other tenants linked to the same Google Account!

Associating in the menu

→ Android Enterprise → Add/Link

A Google account is enabled as an enterprise account by linking Securepoint Mobile Security as EMM provider

The communication of the Securepoint Mobile Security Portal runs completely via this Google account.

notemptyTo avoid unwanted side effects, a new account should definitely be created.

It is recommended to use a naming scheme here: mdm.$customer_name@gmail.com


1.	2.	3.


Abb.1	Abb.2	Abb.3


Abbildungen

Menu Mobile Security Settings → Android Enterprise → Add/Link

Add Enterprise account

There must be an Android profile that can be assigned to the device.

COBO: Android Profile

Under Mobile Security Android Profiles you can Add profile or Import profile or edit an existing profile (click on profile tile or → Edit )
Various configurations are made here, e.g:

Install and configure Apps
Password policies
Security settings

Control of the app store for private applications
Release of professional address books for private use (e.g. for incoming calls).
WiFi configurations
Restrictions
Password policies
Security settings

Best Practice: Description the most important configuration options

notemptyIn addition to configuring the basic settings, restrictions, networks, etc., the following settings are required in the profile:

Applications Applications Installation type Kiosk must be added in the Applications tab for a single app
Caption	Value	Description	Application with the installation type Kiosk
Add application
Packetname	en.selected.app	Select package from dropdown menu or add with select application
Installation type	Kiosk	The app is automatically installed in Kiosk mode: it is set as the preferred output type and set to the allowlist for lock task mode. Device setup is not completed until the app is installed Users cannot remove the app after it is installed You can only set this installation type for one app per profile If this is present in the profile, the status bar will be disabled automatically.

Restrictions Restrictions Settings in the Restrictions tab for the kiosk mode
Activate the custom kiosk launcher		Hides all system apps on the homescreen and shows only the apps installed via the profile. It is recommended to additionally disable the status bar to block access to device settings.
Power Button Actions	Not specified	Sets the behavior of a device in kiosk mode when a user presses and holds the on / off button. Available by default
	Available	The on / off menu (e.g. power off, restart) is displayed when a user long presses the on / off button of a device in kiosk mode
	Blocked	The On / Off menu (e.g. power off, restart) is not displayed when a user long presses the On / Off button of a device in kiosk mode This may prevent users from turning off the device
System error warnings	Not specified	Specifies whether to block system error dialogs for crashed or unresponsive apps in kiosk mode. Muted by default.
	Activated	All system error dialogs such as crash and app not responding (ANR) are displayed.
	Mute	All system error dialogs like crash and unresponsive app (ANR) are blocked. When blocked, the system forcibly stops the app as if the user closes the app from the user interface.
Systemnavigation	Not specified	Indicates which navigation functions are enabled in Kiosk mode (e.g. Home, overview keys).
	Activated	Home and overview buttons are activated.
	Deactivated	The Home and Overview buttons cannot be accessed.
	Home button only	Only the home button is enabled.
Status bar	Not specified	Specifies whether system information and notifications are disabled in kiosk mode. By default, notifications and system information are disabled.
	Notifications and system information enabled	System informations and notifications are displayed in the status bar in kiosk mode
	Notifications and system informations disabled	System informations and notifications are disabled in kiosk mode
	System informations only	Only system information is displayed in the status bar
Device settings	Not specified	Specifies whether a user can access the app settings of the device in kiosk mode Allowed by default
	Allowed	Access to the Settings app is allowed in Kiosk mode
	Blocked	Access to the Settings app is not allowed in Kiosk mode

notemptyIn addition to configuring the basic settings, restrictions, networks, etc., the following settings are required in the profile:

Personal use Personal use In the tab Personal use this must be explicitly allowed and if necessary further settings must be made.
Caption	Value	Description	Personal use tab
Activate	default: off	Enables the control of private use notemptyIf this switch is not enabled, the user can install private apps without any restrictions!
Disable camera		Disables the camera in the personal profile In order to use the camera for business applications, it must be stored as an app in the Applications tab.
Deactivate the screen recording		Screen recordings (screenshots) are not possible when activated
Account types with disabled management		Account types that cannot be managed by the user. com.google prevents adding Google accounts in apps, for example. com.twitter.android.auth.login com.facebook.auth.login com.linkedin.android com.google prevents adding Google accounts in all Google Apps (incl. Gmail, Google Calendar, Google Drive, etc.) Must not be entered for COPE devices. If this option is subsequently removed, a new enrollment must be performed. com.google prevents Google accounts from being added. Private use would thus no longer be possible and must therefore not be used with COPE devices
Max. days without work	0	Controls how long the work profile can stay off. (In the app overview, the apps and notifications of the work profile can be deactivated.)
Personal Play Store mode	Not specified	Specifies whether to allow or block the apps in the Personal apps section of the personal profile. Standard block list. It is also necessary to specify the Installation type.
Approval list	Only apps that are explicitly specified in Personal apps and whose Installation type is set to Available may be installed in the personal profile.
Blocklist	All Play Store apps can be installed in the personal profile, except for those whose installation type is "Blocked" under "Personal apps".

Personal applications	Add application	Guidelines for apps in the personal profile of a company-owned device with a work profile
Packetname	en.selected.app	Select package from dropdown menu or add with select application
Installation type	Not specified	The way the installation is performed. (Not specified=Default: Available) Unspecified is counted as Available and overrides the Play Store mode Blocklist or Unspecified setting.
	Block	The app is blocked and cannot be installed. If the app was installed using an old profile, it will be uninstalled
	Available	The app is ready for installation Private apps must be added with their own Google account
Cross-profile guidelines
Activate		Policies that, when activated, define restrictions on communication between private and business profile
Show work contacts in personal profile	Allowed default value	Allows work profile contacts to appear when searching for personal profile contacts and incoming calls
	Not allowed	Prevents contacts from the work profile from being displayed when searching for personal profile contacts and incoming calls
	Not specified	Corresponds to Allowed
Cross-profile copy & paste		Prevents users from pasting text copied from the work profile into the personal profile. Text copied from the personal profile can be pasted into the work profile and text copied from the work profile can be pasted into the work profile.
	Allowed	Text copied in one of the profiles can be pasted in the other profile
	Not specified	Corresponds to Not allowed
Cross-profile data sharing	Refuse from work to personal profile default value	Prevents users from sharing work profile data with apps in the personal profile. Personal data can be shared with work apps.
		Prevents data from being passed from both the personal profile to the work profile and from the work profile to the personal profile.
	Allowed	Data from one of the profiles can be shared with the other profile.
	Not specified	Corresponds to Not allowed
Save		All data must be stored in order to be transferred to the devices.

Device enrollment

COBO: Registration Token for a Profile

Under Mobile Security Android Devices it is possible to Register new device

Caption	Option	Description	Register new device with Android Enterprise	Register new device with Android Enterprise	Register new device with Android Enterprise	Register new device with Android Enterprise
Would you like to use an existing registration token?	Create a new registration token	If a registration token has already been created that has not yet expired, it can be selected and displayed here. (Fig. see below)
Profile	Android Enterprise Profil	This profile is to be applied to the device to be registered.
License	TTT-Point AG \| MDM [0/10] (aaaa)	Select the license to be used for new enrolled devices. It is possible to assign devices to a new License after a runtime license expires.
Use code		Determines whether or not a code is required during enrollment at the end of device registration notempty Should be enabled to prevent devices that have fallen into unauthorized hands from being registered with configured credentials or other company secrets notemptyFor security reasons for ZeroTouch Enrolment, only enrolment tokens that have been provided with a PIN can be selected.
More options
Duration	30 days	Specifies how long this token can be used After this, device registration with this token is no longer possible. Possible values: 30 minutes One hour One day One week 15 days 30 days 60 days 90 days Infinite Technically, it is a limit of 10,000 years
Additional data		Any data associated with the registration token. Displayed under Devices in the device overview
Only once		Specifies whether the registration token may only be used once.
Allow private use	Private use is permitted	Determines whether private use is allowed on a device logged in with this registration token. For private devices: A work profile is set up on the device. The MDM has exclusive access to apps and data within this profile. The MDM can control whether an exchange of data between the work profile and the normal environment on the device is allowed to take place. Disabling private use prevents the device from being provisioned. Private use cannot be disabled on a private device.					Private use is permitted	Determines whether private use is allowed on a device logged in with this registration token. For corporate devices: A working profile is set up on the device. The MDM has full access to applications and data in the work profile and in the normal environment.	Private use is not permitted	Determines whether private use is allowed on a device logged in with this registration token. Disabling private use prevents the creation of a work container.	Private use is not permitted	Determines whether private use is allowed on a device logged in with this registration token. Disabling private use prevents the creation of a work container.

Create registration token		Creates a registration token with QR code and a value that can be entered using the keyboard. The name of the associated profile is displayed, as well as the date on which it expires and can no longer be used.

COBO: Register device

Fully managed devices (COBO, COSU)

In order to be able to distinguish private from business apps, the app Android Device Policy is required.
On private devices in which only the work profile is managed by an organisation - and thus by the Securepoint Mobile Security Profile - this app must be installed manually from the Android App Store.
With this app the registration token is scanned or entered via the keyboard and the devices can be registered and configured in the portal.

Installing the app Android Device Policy from the Google App Store
Scanning the QR code or entering the registration token via the keyboard
- A work profile is created on the device for the Enterprise profile.
- All configured applications, restrictions etc. are created and applied within the work profile.


1.	2.	3.


Abb.1	Abb.2	Abb.3


Abbildungen

Installing the App [Android Device Policy]

Installierte ADP-App öffnen

Start the app Next

If the QR code is to be photographed, access authorization for images and videos is required.

Enter code via keyboard or scan

Scan QR code

scanned code is checked

Work Profile Accept & Next

Work profile is set up

Work profile is registered

A display lock is required for work profiles

If necessary, a display lock must be set up.

The apps configured in the profile must be installed.

Display the apps that will be installed.

After installation, the work profile is set up.

Switching on for the first time or device reset (factory settings)
Country settings selection
Tapping the display 7 times quickly opens a QR code scanner
Scanning of the profile QR code (see above)
A work profile is created on the device
- All configured apps, restrictions, etc. are created and applied within the work profile.
- Apps are displayed in the "Business area and marked with a suitcase icon
A private Google account can be stored additionally
This step can also be done later
- A private profile is created
- There is a separate area Private with its own playstore


1.	2.	3.


Abb.1	Abb.2	Abb.3


Abbildungen

Fig.1

Fig.2

Fig.3

Fig.4

Fig.5

Fig.6

Fig.7

Display of the contact information when the text IT administrator is clicked

Fig.8

Fig.9

Fig.10

Fig.11

Fig.12

Fig.13

Fig.14

Fig.15

Fig.16

Fig.17

Fig.18

Fig.19

Fig.20

Fig.21

Fully managed devices (COPE, Company Owned personal enabled) are connected directly to the Android Enterprise profile during initial setup or after a device reset. The link to a Google account and thus to an app store is defined by the assigned profile.

Initial power-up or device reset (factory settings)
Selection of regional settings
Tap the display 7 times quickly to open a QR code scanner
Scanning the profile QR code (see above)
The device is configured as a fully managed device.
- All policies, apss and restrictions stored in the profile will be applied directly to the device
  This process may take a few minutes during the initial installation!


1.	2.	3.


Abb.1	Abb.2	Abb.3


Abbildungen

Select country setting
7 quick taps on the display opens a QR code scanner
Devices with Android ≤ 9 (Pie) already require a temporary WLAN connection to load a QR code scanner.

Scan QR Code

In order to receive the profile settings, a temporary connection to a WiFi is established. The access data will not be saved!

Indicates that this device is managed by an organization.

Work profile is being prepared
(The whole device, is covered by the work profile!)

The device is set up as an working device.

Privacy Notice

Google services to be allowed (as needed)

Device update. With the update of the Play-Store, important operating system parts also receive an update. This enables Android to provide all devices with security-relevant updates more quickly than would be the case with the adapted device manufacturer versions.

Apss configured in the profile will be installed.
This process can take several minutes!

Zero touch devices

Registration in the menu Mobile Security Android Zero-Touch
Either

Add device to an existing configuration:
- Edit configuration: Click on the device tile (or via the hamburger menu in the device tile at the top right) / Edit)
- if necessary, select a new valid enrollment token
  Enrollment tokens are valid for a maximum of 30 days
- Select device(s) by IMEI or serial number
- Save information

or

with the button Add configuration
- select enrollment token
- select customer
- Fill in other details (company name, contact details...)
- Select device(s) by IMEI or serial number
- Save details

As soon as the device is connected to the Internet for the first time or after a factory reset, the profile is pushed to the device and the connection to the MDM is established.
The enrollment on the device itself is, depending on the configuration, exactly as described in the sections COPE, COBU or COSU.
Only the scanning of the enrollment token is omitted!

Name	TTT-Point Zero Touch	Configuration name	[[Datei: ]] Menu for adding zero touch devices
Enrollment token	Profile: Selected profile \| Token abCD12	The selected enrollment token (as created in the Devices / Enroll new device menu) will be applied to all devices enrolled with this configuration. notemptyFor security reasons for ZeroTouch Enrolment, only enrolment tokens that have been provided with a PIN can be selected.
Customer	SecurepointCustomer	The description for the customer as it was transmitted to the device retailer. If several Gmail addresses were linked to the zero touch portal, different descriptions can be selected here.
Standard		Defines whether this configuration is the default or not. When is enabled, new zero touch devices are automatically added to this configuration unless another is specified Note: At least one configuration should be defined as default.
Company	TTT-Point	Freely selectable designation for the company to which this device is to be assigned.
E-mail	admin@anyideas.de	Contact Email Address Displays on mobile during the setup process when IT Administrator is tapped on the "This device belongs to your organization" screen.
Phone number	01234-56789	Contact phone number display see above
Custom message	Welcome to TTT-Point	Shown on the display during device setup
Devices	123456789012345	This configuration can be assigned to devices based on their IMEI or serial number The box is only active if a customer has been selected as well
Save		Saves the configuration

Zero touch configuration with assigned device

Closing by user

The end user must now switch on the device for the first time and establish an Internet connection.
The configuration from the profile is then automatically applied to the device.

Remove devices from Mobile Security management

Fully managed devices

Under Devices / Delete in the respective device tile the administration can be removed from the devices:

All data will be deleted.
The devices are reset automatically and immediately to their factory status!

Flow chart

Preparation

COBO: Link Google Enterprise with Securepoint Mobile Security