Sophos Mobile - Android Enterprise Full Device Management Enrollment



Introduction
As of Android 10, legacy device administrator management is no longer possible because Google has deprecated its use in the OS. Android Enterprise device management is Google's new initiative to allow companies to manage Android devices within the workplace.


Sophos Mobile currently offers two Android Enterprise management modes:

• Android Enterprise full device management: This allows you to fully control the device using the settings and policies Google gives access to. This is commonly used for devices that a company purchased to distribute to its users.
• Android Enterprise work profile management: This allows you to manage a dedicated workspace that is created on a user’s device. This is commonly used for a "Bring Your Own Device" setup, as you can only control the restrictions within the created workspace on the phone. (This does not allow the administrator to control the entire phone.)


Goals

• Understand how to prepare Android Enterprise full device management enrollment.
• Understand how to successfully enroll a device into Sophos Mobile using Android Enterprise full device management.


Prerequisites
• Android Enterprise has already been set up under the Google setup tab. For information on this please see: https://docs.sophos.com/central/Mobile/help/en-us/esg/Sophos-Mobile/tasks/SetupAfWManagedGooglePlayAccount.html
• A user you are prepared to assign the device to. For more information on users please see: https://docs.sophos.com/central/Mobile/help/en-us/esg/Sophos-Mobile/concepts/Users.html



Android Enterprise Full device management

Preparing enrollment for the device:

1. Start by heading into the 'Android Policies' section within your mobile dashboard and create a new Android Enterprise Device Policy.



2. Once created you will be able to edit the configuration for the policy there. For a full list of the configurations please see the following page: https://docs.sophos.com/central/Mobile/help/en-us/esg/Sophos-Mobile/concepts/ConfigurationsAfWDO.html
3. After you have finished your configurations, save the policy then head to the 'Task bundles' section on the left-hand pane and select Android. Once at the Android task bundles page click on the 'Create' box and select to create a new task bundle.



4. Within your newly created task bundle, name the task bundle then click 'add task' and select "Enroll".




5. From here you will want to select 'full device' for the type of enrollment, then select the policy we created in step 2.




6. Save the task bundle then head into the 'Devices' section on the left-hand pane. From here click 'Add' then 'Add device wizard' which will run through an enrollment wizard.



7. In the Add device wizard, the first step is to assign a user to the device. For Android Enterprise enrollment a user must be assigned to the device.



8. Next you can select the device details such as the name you want to give the device within your mobile dashboard as well as the group you wish for the device to be assigned to. For more information on device groups please see: https://docs.sophos.com/central/Mobile/help/en-us/esg/Sophos-Mobile/concepts/DeviceGroups-1.html?hl=groups



9. Next we need to select the task bundle for the device that we created in steps 3 - 5 which will enroll the device into Android Enterprise full device management and apply our policy.



10. Lastly, we are given the QR code that we can scan using our Android device.






Preparing and enrolling the Android device

1. For full device management, the device must be factory reset before it can be enrolled. (On most Android devices you can factory reset the device through the Settings app; however, this may be slightly different per manufacturer.)

2. Run through the Wi-Fi setup screen to connect the device to the network. Then skip the 'copy data' screen (data transfer from other devices is not possible with Android Enterprise).

3. Once you are at the Google account screen, enter afw#sophos in the email address field. The device will then ask you to set up the phone under Sophos Mobile management. Once you have accepted this prompt, the device will install the Sophos Mobile Control app.










4. After the permissions have been accepted, the Sophos Mobile Control app will open, allowing you to scan the QR code that we generated for our device.





5. After a minute or so the enrollment will complete, and the Add device wizard will display a message stating this.






The device should now be fully enrolled into Sophos Mobile.



Edit title and spacing
[edited by: TechvidsJelan at 5:49 PM (GMT -8) on 13 Jan 2022]

Top Replies

  • FormerMember

    This article is really amazing. Thanks for sharing.

  • This is the best solution I have seen. Thanks for sharing. Btw, do you know about the correct enrollment method for iOS?

  • A high-level overview can be found in the following link.
    Use the Add device wizard

    You will first want to have a Device policy for iOS created. Install the Sophos Mobile Control application onto the iOS device and use the "Add device wizard" to begin the enrollment process.

    For a more basic enrollment you can choose "Enroll device" when you get to the "Enrollment type" step of the wizard. Scan the QR code shown from the wizard using the Sophos Mobile Control application. 

    A prompt will be shown on the iOS device advising that a profile will be downloaded. Proceed through the prompts and the web browser will open. Once the download completes, ensure to navigate into the Settings app to approve the downloaded profile.

    At a later date we will be releasing more Recommended Read and video content to better highlight this process.

    Kushal Lakhan
    Global Community Support Engineer
  • Thanks for sharing. Does it work the same for Intercept X for Mobile enrolment?

  • To enroll the Intercept X Mobile application with Sophos Central I recommend using the following steps. 

    - First Create a Mobile Threat Defense policy
    - From the Devices page select "Add > Add Device Wizard"
    - Assign a user and proceed through to "Enrollment Type"
    - Select either of the following two options:
       - Enroll Sophos Intercept X for Mobile with task bundle 
       - Enroll Sophos Intercept X for Mobile with policy

    On the mobile device, open the Intercept X Mobile application and tap on "Corporate management > Enroll > Scan QR Code".

    Kushal Lakhan
    Global Community Support Engineer
  • Are there any known issues with Android v10? - I have two tablets that I set up (one tablet running v10 of Android and the other tablet running v11 of Android) - the tablet running v11 of Android seems to work flawlessly w/Android Enterprise Management. The tablet running v10 appears to 'work', however, there seem to be some serious quirks with it. The tablet in question that is running the v10 of Android (it's a Galaxy Tab A 10.5") and it almost seems broken compared to the other tablet running v11 of Android (Galaxy Tab S5E).

    The tablet running v10 of Android cannot be upgraded to v11 of Android. Admittedly, it's an older tablet and we will likely replace it soon. I was just a bit concerned with how v10 of Android handled the Enterprise Mgmt. and whether or not there were any known issues (?)