Cannot access Play Store after enroll device as Android Enteprise Corporate Device

Hi,

I'm playing around with Android Enteprise (primarily on corporate owned devices). I'm in the Google managed domain scenario with free Google Android management (no Google Apps). I correctly bind my Google domain with Sophos Mobile and enabled the "Enforce EMM policies on Android devices" on Google admin EMM option. 

 

For the testing envirnment I'm using a Nexus 5X with Android 8.1.

 

When powering up the device the first configuration wizard appair. After entering the Google account the device ask me to install Sophos Mobile control and grant the device management authorization. So far so good. The Sophos Mobile Control show the green status, the device is compliant with company policy (for this demo I'm using the default compliant policy).  On the Google Play Store for Work I approved some apps but when I try to access the Play Services I'm prompt to choose the account to use for accessing the store. I select the only account available, the comporate account that I used to configure the device in the first wizard, and then this scrren appair:

 

Il'accept, the Sophos Mobile Control shows up, device is compliant. I'll try to access the Play Store and same message appair.

 

 

If I try to push app from Sophos Central I get this error:

Aug 16, 2018 10:24 AM   0  Accepted
Aug 16, 2018 10:24 AM   0  Started
Aug 16, 2018 10:24 AM Device has a work profile, but the Google account is unknown. -106  Completely failed

 

 

Best regards

Andrea

  • I'm still getting this error on the latest Sophos Control app.

     

  • In reply to Andrea Giacomin:

    I'm having the same problem, I have an older tablet that was enrolled the same way back in June. This works fine they have a Managed Play Store and it works perfectly.

    Any new ones I enroll dont get the Managed Play Store on the device.

    I logged a ticket through support and they don't have a clue what I am talking about and keep sending me horrible generic responses.

  • In reply to AndrewWatson:

    Figured it out after wasting 4 days on this hell.

    It seems that Android Enterprise Devices only enroll properly if the device is setup through the Add Device Wizard.

    For manually added devices or ones that have been added through bulk CSV upload then the Managed Google Play app will never install.

     

    An absolute Joke this is, what an absolute oversight from Sophos!

    No documentation about this show stopper of an issue, no advisory's or anything, support staff who dont have a clue.

     

    So I have 200 devices to enroll that have to be all done through this stupid wizard instead of being able to be bulk uploaded through a CSV which would be literally a 5 minute job.

    Now I'm going to have to sit clicking through that ridiculous wizard 200 times.

     

    Seriously this needs to be fixed and all methods of adding a device should be supported for Android Enterprise.

     

    Can a representative from Sophos please respond and explain why the hell it works like this?

    Is it a bug or some horrible by-design functionality?

    Feature Request - Add a fucking Message/Popup/Something that explains that an Android Enterprise Device cant be added through CSV bulk upload. 

     

    Thanks for ruining my week and delaying my rollout of the 200 tabs, should have just stayed on Mobile Iron.

  • In reply to AndrewWatson:

    Hi Andrew,

    Even with the "Add Device Wizard" I cannot access the Play Store. When I try to access the store I end up in an endless loop Google Play -> Checking Info -> Sophos Mobile Control.

     

    Are you running Google Apps for bussness as corporate email?

  • In reply to Andrea Giacomin:

    Hi Andrea, sorry to hear your still having issues, no I don't use google apps so it looks like our issues may not be related after all, although it looked like it was a similar issue.

    Are you pushing the SMC app to the device using the hosted APK method? So when you enroll it pulls down the APK file from the hosted URL that you specify in the settings on the portal.

  • In reply to AndrewWatson:

    Hi Andrew,

    I'm using the managed Google domain scenario. I've registered my domain with Google and proved the ownership. This is a service that Google offers for free.

    Then I added some user in the Google Admin Console and binded the Google domain with Sophos EMM. The SMC app is pushed via Google Play during the first boot wizard of Android, and it is enforced by Google Policy. 

    During the first boot of an Android Device I'll use a Google account, the same that I added on the Google Admin Console. The login process force the user to download and install SMC, at this point, after the enrolmment process, the device become a corporate device. 

    In this scenario I get the issue on the Google Play.

     

    If I disable the Google policy that enforce the installation of the SMC app and login with the same Google account I'm allowed to access the Play Store. In this case SMC app is not installed and then the corporate mobile policy are not enforced by SMC. That said I think that the issue is on Sophos side.

     

    Just for reference I used this documentation.

  • To guarantee that clients dependably approach the most up and coming form of the Company entry application, you should favor the Company Portal application for Android in the overseen Google Play store. By endorsing it, you ensure that every client gets programmed refreshes.

     

    write my paper