Currently deploying Android Enterprise to a single managed Workspace user (shared across 6 devices) in a child OU with third-party integration enabled and pretty much everything the initial setup guide requires. (Enabling Admin SDK and Google Play EMM, creating the service account and exporting the token to Sophos)
Note: This is a full control configuration. Device gets set up and enrolls with SMC no problem. After approving a set of Managed Google Play apps I try opening Google Play and navigating to the app in question. App shows as not approved by admin. Trying to perform this via Task Bundle or through remote installation via the Google Play website does not work either. The former task bundle will show as completed and "installed apps" shows as waiting for the device's next sync. Tried manually syncing and decreasing the sync time to 4 hours to no effect.
Trying to get to the install from SMC instead leads to the same prompt. Tried to get around this by opening up the policy to anything in the Play Store and now I receive "This item is not available." Verified that the managed app link takes you to the correct store page and that the app is approved by the Google domain administrator account.
I have tried clearing all related Google Play/Services caches -- this allows the "view my work apps" tab to show up briefly but if I try and get to the app page again through SMC, it makes that tab disappear -- not a major issue since I can search the app but still indicative of either a misconfiguration on my part or API not playing well.
Additionally, the device constantly receives a notification to finish signing into its managed Google account -- hitting that, or trying to finish the sign in through system settings, causes a quick redirect to SMC where the device synchronizes and nothing happens.
Lastly, policies applied during enrollment still appear to be setting up. This has been the case for the last couple of hours.
I've been working with support on this issue for the last 3 days and have received no major assistance. The only thing of note would be this detail from a support rep:
"As per your concerns about the app, I have analyzed the logs and found an error. Could you please make sure the device is online, SMC app is running and communicating to Sophos Central:
EST; 2022/12/15 14:50:54; W; Https request failed StatusCode:410 for URL https://smc-device-if-cloudstation-us-west-2.prod.hydra.sophos.com/client-api/enroll/buczmn31/checkin
REST; 2022/12/15 14:50:54; W; Https request failed
Exception: java.io.FileNotFoundException: https://smc-device-if-cloudstation-us-west-2.prod.hydra.sophos.com/client-api/enroll/buczmn31/checkin"
The device is clearly able to communicate to Sophos since I can send messages to it and receive confirmation from the Mobile portal. Some assistance with this would be greatly appreciated.
Hi Riley
Thanks for reaching out to the Sophos Community Forum.
If you are being prompted to enter a google account, this leads me to believe that the initial setup of Android Enterprise is not yet complete.
Can you confirm if you've followed the steps mentioned on the page Set up Android Enterprise (Managed Google Play Account scenario)?
I suggest checking out the following Recommended Read article on setting up Android Enterprise Full Device enrollment as well.
Not to mention no option for a Task Bundle is available even though I have created a Task Bundle in accordance with the second link you have sent. And yes, I have created a user and assigned it to the device prior to this.
Let me know if the following page lends any further guidance regarding the user assignment process: Manage users for Android Enterprise (Managed Google Domain scenario)
A user must be assigned to the device when you choose to enroll the device. I suspect the Task Bundles section remains empty due to the user specified.
This guide mentions the Self Service portal -- unless I am misunderstanding the product, this is counter-intuitive to full device enrollment which is what I'm trying to do. I should not have to have a user do anything because these are not their devices in this instance.
I need devices managed wholly by my organization, with a Google account already created in Workspace for the sole purpose of accessing apps that I whitelist through Central.
I have worked with a technician on this and the best they could give me is "Well, works for me!" after verifying that all my configurations are correct.
Regardless, the lack of Task Bundles appearing when enrolling is only a small part of a greater issue. Please reread my post.
When inquiring internally regarding this issue, I was informed that enrollment when using the Managed Google Domain scenario can only be done by using the Self Service Portal.
I will reach out to you via Private Message to advise further.