Android Enterprise full device management enrollment
Introduction

As of Android 10, legacy device administrator management is no longer possible because Google has deprecated it in the OS. Android Enterprise device management is Google's new initiative to allow companies to manage Android devices within the workplace. Within Sophos Mobile we currently offer two Android Enterprise management modes:

• Android Enterprise full device management: This allows you to fully control the device using the settings and policies Google gives access to. This is commonly used for devices that a company purchased to distribute to their users.
• Android Enterprise Work profile management: This allows you to manage a dedicated workspace on a user's device. This is commonly used for a "Bring Your Own Device" setup, as you can only control the restrictions within the workspace created on the phone. (This doesn't allow the administrator to control the entire phone.)

Goals

• Understand how to prepare Android Enterprise full device management enrollment.
• Understand how to successfully enroll a device into Sophos Mobile using Android Enterprise full device management.

Prerequisites

• Android Enterprise has already been set up under the Google setup tab. For information on this please see: https://docs.sophos.com/central/Mobile/help/en-us/esg/Sophos-Mobile/tasks/SetupAfWManagedGooglePlayAccount.html
• A user you are prepared to assign the device to. For more information on users please see: https://docs.sophos.com/central/Mobile/help/en-us/esg/Sophos-Mobile/concepts/Users.html

Android Enterprise full device management

Preparing enrollment for the device:

1. Start by heading into the 'Android Policies' section within your mobile dashboard and create a new Android Enterprise Device Policy.
2. Once created you will be able to edit the configuration for the policy there. For a full list of the configurations please see the following page: https://docs.sophos.com/central/Mobile/help/en-us/esg/Sophos-Mobile/concepts/ConfigurationsAfWDO.html
3. After you have finished your configurations, save the policy, then head to the 'Task bundles' section on the left-hand pane and select Android. Once at the Android task bundles page, click on the 'Create' box and select to create a new task bundle.
4. Within your newly created task bundle, name the task bundle, then click 'add task' and select "Enroll".
5. From here you will want to select 'full device' for the type of enrollment, then select the policy we created in step 2.
6. Save the task bundle, then head into the 'Devices' section on the left-hand pane. From here click 'Add' then 'Add device wizard', which will run through an enrollment wizard.
7. Running through the add device wizard, the first section will be to assign a user to the device. For Android Enterprise enrollment a user must be assigned to the device.
8. Next you can select the device details, such as the name you want to give the device within your mobile dashboard, as well as the group you wish the device to be assigned to. For more information on device groups please see: https://docs.sophos.com/central/Mobile/help/en-us/esg/Sophos-Mobile/concepts/DeviceGroups-1.html?hl=groups
9. Next we need to select the task bundle for the device that we created in steps 3 - 5, which will enroll the device into Android Enterprise full device management and apply our policy.
10. Lastly, we are given the QR code that we can scan using our Android device.

Preparing and enrolling the Android device

1. Firstly, for full device management the device in question must be factory reset in order to enroll it. (On most Android devices you can factory reset the device through the Settings app; however, this may be slightly different per manufacturer.)
2. Run through the Wi-Fi setup screen to connect the device to the network. Then skip the 'copy data' screen. (Data transfer from devices is not possible with Android Enterprise.)
3. Once you are at the Google account screen, enter afw#sophos in the email address field. This will then request you to set up the phone under Sophos Mobile management. Once you have accepted this prompt the device will install the mobile control app.
4. After the permissions have been accepted, the mobile control app will open, allowing you to scan the QR code that we generated for our device.
5. After a minute or so the enrollment will complete, and the add device wizard will show a message stating this. The device should now be fully enrolled into Sophos Mobile.
This is the best solution I have seen. Thanks for sharing. Btw, do you know about the correct enrollment method for iOS?
A high-level overview can be found in the following link: Use the Add device wizard
You will first want to have a Device policy for iOS created. Install the Sophos Mobile Control application onto the iOS device and use the "Add device wizard" to begin the enrollment process.
For a more basic enrollment you can choose "Enroll device" when you get to the "Enrollment type" step of the wizard. Scan the QR code shown from the wizard using the Sophos Mobile Control application.
A prompt will be shown on the iOS device advising that a profile will be downloaded. Proceed through the prompts and the web browser will open. Once the download completes, ensure to navigate into the Settings app to approve the downloaded profile.
At a later date we will be releasing more Recommended Read and video content to better highlight this process.