Manage applications in Android enterprise
An organization enrolled in the Android enterprise program from Google can enable a work profile on the employee's devices. The work profile allows the lT department to manage a work environment without restricting users from using their device for personal apps and data.
Administrators control the work profiles, which are kept separate from personal accounts, apps, and data. By default, work notifications and app icons have an Android enterprise icon (a red briefcase) on them and appear next to personal apps in the apps launcher.
The Android EMM service can be used to assign a device owner as well as install a work profile on a device. However, if a device is assigned a device owner, it is not possible to install a work profile on the device.
The organization use an enterprise mobility management (EMM) provider, for example Snow Device Manager, to manage the devices.
For more information about the Android Enterprise program, see https://enterprise.google.com/android/.
This chapter describes how to create the Android EMM service and how to manage applications in Snow Device Manager using the Android enterprise program.
Prerequisites
A Google account must be used to enroll in the Android Enterprise program. Use a role-based Google account, that is, not a personal Google account. The Google account must be an account that previously has not been used to create an Android EMM service or been connected to a G Suite account.
The devices must have Android version 5 or later. However, some functionalities are only available for Android version 7 or later.
The Snow app must have version 5.6 or later.
Create Android EMM service
On the Domain Admin tab, click Service management.
The Service Management workbench appears.
Click the Domain services tab.
Click Add, and then select androidemm.
A new Android EMM integration service is created with a temporary name and the Android EMM Service dialog box appears.
In the Android EMM Service dialog box:
Optionally, change the Name of the service.
Click Generate a Signup URL.
A web browser opens.
Note
If you are already signed in with your personal Google Account, sign out before logging in with the Google account for the Android EMM service.
On Google Play web site:
Click Log in.
A Google dialog box appears.
Type Email address or phone number of the Google account and then click Next.
Type Password of the Google account and then click Next.
The Google dialog box closes.
Click Get started.
A dialog box appears.
Type Organization name, select the I have read... check box, and then click Confirm.
Note
Ignore the message from Google that you have to return to the EMM provider to complete the registration.
Click Complete registration.
The Google Play sign-up process is confirmed.
In the Android EMM Service dialog box in Snow Device Manager console:
Click Complete Enrollment.
The Android EMM Domain Service dialog box appears.
Click OK.
Select one of the Work profile policy options according to the table below.
Leave the default color as is or click the Add icon
to select a new Main text color .Optionally, select the Skip encryption during provisioning check box.
Note
The default option is to leave the check box cleared so that data is encrypted. This option is only available for Android version Nougat or later versions.
Select one of the Account type options according to the table below.
Select one of the Product policy options according to the table below.
Select one the the Permission policy options according to the table below.
To select Enrollment group, click
, select user group and then click OK.Note
The default enrollment group is root/users. Select a group that is not used by another Android EMM Service. Only users in the selected enrollment group or its sub groups will be included in the service.
Select Language.
Click Apply.
The Android EMM Service is created.
Setting | Option | Description |
|---|---|---|
Work profile policy | Install a work profile on enrolling devices only | This is the default option. A work profile will only be installed on new devices, and not on already enrolled devices. |
Install a work profile on all devices | A work profile will be installed on both new and already enrolled devices. | |
Never install a work profile on a device | This option can be used to temporarily stop enrollment of work profiles. | |
Account type | Automatically select account type | This is the default option. In most cases, this setting does not need to be changed. The system automatically selects to enroll devices as work profiles or as device owner. |
User Account that can be used on multiple devices | This option is used to enroll work profile devices only. | |
Device Account specific to a single device | This option is used to enroll device owner devices only. | |
Product policy | Approved products for the enterprise | This is the default option. All approved applications will be available for the user. |
Approved products for the user (white-list) | Initially, only the Snow app will be available for the user. | |
All products, including non approved | All applications in Google Play will be available for the user. | |
Permission policy | Automatically approve future permissions for a product | This is the default option. The user does not have to approve future permissions. |
Only approve the current set of permissions for a product | The manager must approve future permissions. |
Renew credentials
The credentials for the Google account can be renewed if the credentials have been compromised.
Verify account
The Google account can be verified if there are problems with the service,
Unenroll/reset account
The account can be unenrolled or reset if the connection between Snow Device Manager and Google should be removed.
It is possible to reactivate the account if an account is unenrolled by mistake.