Cortado Server – Manual

Using Google Accounts

January 21, 2019 (updated December 19, 2019)

Is G Suite by Google Cloud used in your enterprise? Do your employees already have Google accounts with the company email address and already use Gmail, Google Docs, Google Drive etc.? If that’s the case, it is a good idea to use Google Accounts to manage your Android devices with the Cortado server.

Creating Google service account, Google APIs and Firebase server key

login to Google

Create project

  • Select your organization (left arrow in illus.)
  • Now, set up an API project by clicking on Create project (right arrow in illus.).
select organization and create project

  • Enter a project name and click on Create. Wait until a new project has been created.
enter project name

Configure OAuth

The OAuth consent screen will be shown to users whenever you request access to their private data using your Unique ID.

  • Next open the API manager. Do this in the menu (left arrow in illus.) by clicking on OAuth consent screen (right arrow in illus.) under APIs & Services.

open API Manager
  • Set the application type to Internal (upper arrow in illus.).
  • Enter at least the product name that will be shown to the users (lower arrow in illus.) and then save the data.
configure OAuth consent screen

Create service account (incl. P12 certificate)

  • Click on the menu (upper arrow in illus.) and select IAM & Admin→ Service accounts (lower arrow in illus.).
select Service accounts

  • Now create a Service Account.
create service account

  • Enter a Name (upper arrow in illus.). The Service account ID will be generated in the form of an email address (lower arrow in illus.). It must be entered in the Management console later, under Service account e-mail address (see below).
  • Then click on Create.
enter name

  • Select the role Owner and then click on Continue.
select Owner role

  • Select Create key and, as Key type, P12 (right arrow in illus.).
  • Then click on Create.
Creating a certificate with a private key

  • This creates a pair that comprises a public and a private key for your service account. Save it in a safe place, because there is no other copy of this key (right arrow in illus.).
  • In addition, you will be shown the password of the private key once here (left arrow in illus.). Note the password.
  • Then click on Done.
  • Certificate and Password must be entered in the Management console later, under Certificate and Password (see below).
save certificate, note password

Note! This Service Account can be used for both setting up the MDM and also for VPP (see section Create Android VPP account). Alternatively, you can create two separate service accounts.

Activate APIs

  • In the menu (left arrow in illus.) select API Manager and then, under APIs & Services, Library (right arrow in illus.).
select Library

  • The API Library will then be displayed.
  • Enter Admin SDK in the search bar (arrow in illus.).
search for Admin SDK

  • Select Admin SDK in the search results and then click on Enable.
enable Admin SDK

  • Then search for the Google Play EMM API in the API Library and enable it in the same way.
enable Google Play EMM API

Note! If you are using two separate service accounts, enable API Admin SDK for the account you use to manage the MDM and enable API Google Play EMM for the account dedicated to VPP (see section Create Android VPP account).

Generate Firebase Cloud Messaging Server key

Firebase Cloud Messaging (FCM) (formerly Google Cloud Messaging (GCM)) is a free service with which data can be sent from servers to Android apps. It is used for Android MDM. To use FCM you need a server key.

To obtain such a key, follow these steps:

  • Open the website https://console.firebase.google.com and log in with your Google admin account for Android Enterprise.
  • Then select or import a Google project (arrow in illus.).
select import Google project

  • Select your project and your country and then click on Add Firebase.
select project and country

  • Select the Settings (left arrow in illus.) and then click on Project settings (right arrow in illus.).
open project settings

  • Under Cloud Messaging you can find your Server key and your Sender ID. Copy both for the Cortado Management Console.

copy Server key and Sender ID

  • In the next step enter the Server key under Google Cloud Messaging API key and the Sender ID under Project number.

Transferring Google settings to the management console

  • Go to Management console and select Control Panel→ General Settings→ MDM→ Configure→ Android MDM.
  • Make the following settings:
Management console: configure Android MDM

  • Server key: Enter the appropriate Server key here (see above).
  • Sender ID: Enter the corresponding Sender ID here (see above).
  • User account type: Select Google Accounts here.
  • Primary domain: Enter the company domain here that you use for G Suite.
  • Super admin e-mail address: Enter the email address of the Google Admin account that you also use for G Suite.
  • Service account e-mail address: Enter the Service account ID, in the form of an email address, that was generated when you created the service account (see above).
  • Certificate/Password: Here you select the certificate (.p12) generated during creation of the service account, and enter the corresponding password (notasecret).
  • Auto enable users for Android Enterprise while import: Clear this check box if the users are not to be automatically enabled for Android Enterprise during import. This is useful if, for example, email addresses with subdomains are being used or if only some of the users are using Android Enterprise. You have the alternative option to manually enable the users for Android Enterprise under Control Panel→ Users→ Enable Android Enterprise (see section Activate Google Accounts users manually for Android Enterprise).
  • Create Google account using AD email address: Only mark this checkbox if you want to activate users for Android Enterprise who do not yet have a Google account. A Google account will be created for each of those users during the configuration. The users’ email addresses from the AD are used for this. The email addresses used for the import must have the same Primary Domain as specified above. A subdomain may not be used. You can then manually enable the users for Android Enterprise later, under Control Panel→ Users→ Enable Android Enterprise (see section Activate Google Accounts users manually for Android Enterprise).
  • Initial Google account password: Set an initial password here for the newly created Google accounts.
  • Alternative e-mail address template: Select an alternative here if you don’t want to use the email addresses from the AD for creating the Google accounts.
  • If all of the users already have an existing Google account (with the AD email address), you can clear the Create Google account using AD e-mail address checkbox and enable the Auto enable users for Android enterprise while import checkbox.
  • SafetyNet: Please find a description in the section Additional Settings.

Configuring Android enterprise in the Google Admin console

  • Open the Google developer console (https://code.google.com/apis/console) and log in with the Google account that you also use for G Suite.
  • In the menu, select IAM & admin→ Service accounts (left arrow in illus.).
  • Then, in the row of your Service account, click on Edit under Actions (right arrow in illus.).
select Edit

  • Copy the Unique ID to the clipboard.
copy Unique ID

  • Log in to the Admin console under https://admin.google.com with the Google account that you also use for G Suite.
  • Click on Security.
select Security

  • Then select Advanced settings→ Manage API client access.
Admin console: Manage API client access

  • Now copy the Unique ID that you will find in the Google Developer console under IAM & Admin→ Service accounts in your service account details and enter it in the Admin console under Client Name.
  • Enter the following scopes (comma separated) in the API field:

https://www.googleapis.com/auth/admin.directory.group,
https://www.googleapis.com/auth/admin.directory.user,
https://www.googleapis.com/auth/androidEnterprise

Admin console: manage client ID

Note! If you are using two separate service accounts, use https://www.googleapis.com/auth/admin.directory.group and https://www.googleapis.com/auth/admin.directory.user for the account you use to manage the MDM and https://www.googleapis.com/auth/androidEnterprise for VPP (see section Create Android VPP account).
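The settings entered in the Management console and the scopes granted under Manage API client access only work together if they are consistent: the scopes are matched exactly (case included), the Service account e-mail address is the generated ID rather than an admin mailbox, and AD addresses used to create Google accounts must sit in the Primary domain itself, not a subdomain. The following script is an added example, not Cortado's or Google's code, that checks these rules offline before anything is typed into the console and shows the claim set of the JWT a service account signs with its P12 key when acting for the super admin. All values in EXAMPLE_SETTINGS are constructed placeholders; the claim set follows Google's standard domain-wide delegation flow, which is my assumption about how the server uses these settings. That the Unique ID and the FCM Sender ID are numeric is a property of Google's consoles, not something stated in the manual.

```python
"""Offline pre-checks for the Android MDM settings and API client scopes.

Added example, not Cortado's or Google's code. EXAMPLE_SETTINGS holds
constructed placeholders, and delegation_claims() reflects Google's
standard domain-wide delegation JWT flow (an assumption about the server).
"""
import re
import time

# Scopes granted to the service account's Unique ID under "Manage API client access".
REQUIRED_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/androidEnterprise",
}

# Loose shape check for a generated Service account ID (name/project length limits not enforced).
SERVICE_ACCOUNT_RE = re.compile(r"^[a-z0-9-]+@[a-z0-9-]+\.iam\.gserviceaccount\.com$")


def parse_scopes(api_field):
    """Split the comma-separated API field as typed, dropping blank entries."""
    return [s.strip() for s in api_field.split(",") if s.strip()]


def check_scopes(api_field):
    """Report scopes that are missing, unexpected, or differ from a required one only in case
    (.../auth/androidenterprise is not the same authorization as .../auth/androidEnterprise)."""
    problems = []
    entered = set(parse_scopes(api_field))
    entered_lower = {s.lower() for s in entered}
    required_by_lower = {s.lower(): s for s in REQUIRED_SCOPES}
    for scope in sorted(entered - REQUIRED_SCOPES):
        wanted = required_by_lower.get(scope.lower())
        if wanted:
            problems.append(f"scope {scope!r} differs only in case from {wanted!r}")
        else:
            problems.append(f"unexpected scope {scope!r}")
    for scope in sorted(REQUIRED_SCOPES - entered):
        if scope.lower() not in entered_lower:  # case variants were already reported above
            problems.append(f"missing scope {scope!r}")
    return problems


def check_ad_address(address, primary_domain):
    """Return None if the AD address may be used to create a Google account, else the reason."""
    if address.count("@") != 1:
        return f"{address!r} is not a single e-mail address"
    domain = address.rsplit("@", 1)[1].lower()
    primary = primary_domain.lower()
    if domain == primary:
        return None
    if domain.endswith("." + primary):  # the manual rules out subdomains explicitly
        return f"{address!r} uses subdomain {domain!r}; only {primary!r} is allowed"
    return f"{address!r} is outside the primary domain {primary!r}"


def validate_android_mdm_settings(settings):
    """Collect every problem found in the settings before they are entered in the console."""
    problems = []
    if not settings.get("sender_id", "").isdigit():
        problems.append("Sender ID must be the numeric project number from Firebase")
    if not SERVICE_ACCOUNT_RE.match(settings.get("service_account_email", "")):
        problems.append("Service account e-mail address is not a *.iam.gserviceaccount.com ID")
    if not settings.get("client_unique_id", "").isdigit():
        problems.append("Unique ID (Client Name) must be the numeric ID of the service account")
    admin_domain = settings.get("super_admin_email", "").rpartition("@")[2].lower()
    if admin_domain != settings.get("primary_domain", "").lower():
        problems.append("Super admin e-mail address is not in the Primary domain")
    if settings.get("create_google_accounts"):
        for addr in settings.get("ad_addresses", []):
            reason = check_ad_address(addr, settings.get("primary_domain", ""))
            if reason:
                problems.append(reason)
    problems.extend(check_scopes(settings.get("api_field", "")))
    return problems


def delegation_claims(settings, now=None):
    """Claim set of the JWT the service account signs with its P12 key to act as the super admin."""
    now = int(time.time() if now is None else now)
    return {
        "iss": settings["service_account_email"],  # the service account that signs
        "sub": settings["super_admin_email"],      # the G Suite admin being impersonated
        "scope": " ".join(sorted(parse_scopes(settings["api_field"]))),
        "aud": "https://oauth2.googleapis.com/token",
        "iat": now,
        "exp": now + 3600,
    }


EXAMPLE_SETTINGS = {  # constructed placeholders, not real credentials
    "sender_id": "123456789012",
    "primary_domain": "example.com",
    "super_admin_email": "admin@example.com",
    "service_account_email": "cortado-mdm@example-project.iam.gserviceaccount.com",
    "client_unique_id": "123456789012345678901",
    "create_google_accounts": True,
    "ad_addresses": ["alice@example.com"],
    "api_field": ("https://www.googleapis.com/auth/admin.directory.group, "
                  "https://www.googleapis.com/auth/admin.directory.user, "
                  "https://www.googleapis.com/auth/androidEnterprise"),
}
```

Call validate_android_mdm_settings(EXAMPLE_SETTINGS) and act on every returned string before entering the values; an empty list means the settings are consistent with the rules in this section. delegation_claims() is only a preview of the claim set: the actual signing with the P12 private key and the token exchange are done by the server, not by this script.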

  • In the menu, select: Security→ Show more→ Manage EMM provider for Android. Click on Generate Token and then copy it to the clipboard.
Admin console: generating and copying a token

Note! Send this token, along with your Service account ID and your domain name, by e-mail to: support@cortado.com. We will send you an Enterprise ID.

  • Enter the Enterprise ID under Control Panel→ Apps & Docs→ VPP Accounts→ Create→ Android (see section Create Android VPP account).
  • After the Android VPP account has been created in the Cortado Management console, your Service account e-mail address is displayed in the Google Admin console (upper arrow in illus.).
Admin console: Cortado and Android enterprise are linked

Note! Please be aware that the Enforce EMM policies on Android devices checkbox must not be checked (lower arrow in illus.).
