For many Android devices (v5.0 and later), you can set up a certificate-based MDM. A list of all supported devices can be found under this link. Before you can take advantage of its features, a few operations need to be carried out. You must first decide whether you want to use Google Accounts or Managed Google Play Accounts. We recommend the latter, as they can be configured far more quickly and easily. Managed Google Play Accounts allow you to quickly manage your users’ devices and their apps.
Note! If G Suite (from Google Cloud) is used in your company, meaning that each user has a Google account (with corporate domain), you have the option to use Google Accounts. How to set up Android Enterprise for Google Accounts is shown in our manual for Cortado Server.
To successfully configure Android Enterprise for your business, follow these two steps:
Register with Google for Android Enterprise
If you want to use Managed Google Play Accounts for your Android MDM, select Control Panel→ Global Settings→ MDM→ Enroll Android Enterprise in the management console.
- In the next window, click on Get started.
- You will need a Google account for the registration. Simply create a new account if you don’t have one already.
- Now use your Google account to sign in.
- Now enter your company name and then click on Next.
- Now provide the names and contact details of the data protection officer and the EU representative in your company.
- Then click on Complete Registration.
Registration is now complete. Next, create your Google Firebase project.
Creating Google Firebase project
- Create a Google Firebase project with the appropriate Google server key and sender ID.
- To do so, open the following link: https://console.firebase.google.com.
- Log in with your Google account.
- Then select Add project (arrow in illus.).
- Enter a project name and select your country (arrows in illus.).
- Then select Create project.
- Your new project is ready. Proceed by clicking on Continue.
- Select the Settings (left arrow in illus.) and then click on Project settings (right arrow in illus.).
- Under Cloud Messaging you can find your Server key and your Sender ID.
- Open the Cortado Management console under Control Panel→ Global Settings→ MDM→ Configure→ Android MDM.
- Copy the Server key and the Sender ID into the Management console (upper arrows in illus.).
- User account type: Managed Google Play Accounts
- Enterprise ID
- Service account e-mail address
Additionally, Cortado has automatically generated a self-signed SCEP certificate for you and uses it for identification with the MDM. If you prefer instead to integrate your own SCEP server, proceed as described in the section Integrating a SCEP Server.
In the Cortado management console under Control Panel→ Global Settings→ MDM→ Configure→ Android MDM you can configure further settings.
The checkbox Auto enable users for Android enterprise while import (lower arrow in illus.) was activated automatically. Clear this check box if the users are not to be automatically enabled for Android Enterprise during import. This is useful if, for example, only some of the users are using Android Enterprise. Alternatively, you can manually enable the users for Android Enterprise under Control Panel→ Users→ Enable Android Enterprise.
Basic Integrity failure action/CTS Profile Match failure action: Specify here what ought to happen during and after configuration of the Android devices if and when they fail Google’s SafetyNet test.
While configuring a device, and then every 10 minutes thereafter, Cortado MDM asks Google if any security breaches have occurred on the device. The following security irregularities are considered relevant according to Google:
If Google reports such a violation to the Cortado management console, you can specify here how it must proceed:
- Do Nothing: There is no reaction to a safety violation during the SafetyNet check. In addition, an already locked device can be unlocked again by changing the setting from Lock to Do Nothing.
- Lock: All managed apps will be blocked (see also the section Lock Android Enterprise).
- Wipe: Fully managed devices can be reset to factory default settings (full wipe). For devices that have a work profile, the work profile is deleted from the device (partial wipe).
It is generally sufficient to select the Lock option and then check the user’s device to determine what the problem is.
Locked devices can be selected under Control Panel→ Devices and unlocked with Unlock Work Profile. However, the lock is repeated after 10 minutes if the cause of the lock has not been removed.
You can also put these settings in place in the Android Enterprise policies and thus determine different settings for selected users, groups, or devices. Depending on the circumstances, it may take up to 10 minutes after configuring the devices for these policies to take effect. If settings are set up in the policies, they will have a higher priority than settings made in the global settings. The latter will then be applied only to those users for whom no policies have been created and distributed.
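The failure-action rules described above can be modelled in a few lines; this is an added illustration, not Cortado's code. The function name, setting keys and return strings are hypothetical, while basicIntegrity and ctsProfileMatch are the verdict fields of Google's SafetyNet attestation. The model assumes that the more severe action applies when both checks fail with different settings, and that a missing verdict field counts as a failure.

```python
from enum import IntEnum

class Action(IntEnum):          # ordered by severity
    DO_NOTHING = 0
    LOCK = 1
    WIPE = 2

# Constructed sample settings and verdicts (not taken from a real console).
GLOBAL = {"basic_integrity": Action.LOCK, "cts_profile_match": Action.LOCK}
POLICY_RELAXED = {"basic_integrity": Action.DO_NOTHING,
                  "cts_profile_match": Action.DO_NOTHING}
POLICY_WIPE = {"basic_integrity": Action.WIPE, "cts_profile_match": Action.LOCK}
PASSED = {"basicIntegrity": True, "ctsProfileMatch": True}
FAILED = {"basicIntegrity": False, "ctsProfileMatch": False}
CTS_ONLY = {"basicIntegrity": True, "ctsProfileMatch": False}

def resolve_action(verdict, global_settings, policy=None,
                   fully_managed=False, currently_locked=False):
    """Return the step taken for one SafetyNet check cycle (every 10 minutes)."""
    # Policy settings outrank the global settings; the global ones apply
    # only to users for whom no policy has been distributed.
    settings = policy if policy is not None else global_settings
    triggered = []
    # Assumption: a missing field is treated as a failed check (fail closed).
    if not verdict.get("basicIntegrity", False):
        triggered.append(settings["basic_integrity"])
    if not verdict.get("ctsProfileMatch", False):
        triggered.append(settings["cts_profile_match"])
    if not triggered:
        return "none"                       # device passed both checks
    action = max(triggered)                 # assumption: most severe wins
    if action is Action.WIPE:
        # Full wipe for fully managed devices, work profile removal otherwise.
        return "full_wipe" if fully_managed else "partial_wipe"
    if action is Action.LOCK:
        return "lock"                       # repeats while the cause persists
    # Do Nothing: no reaction, but an already locked device is unlocked again.
    return "unlock" if currently_locked else "none"

if __name__ == "__main__":
    print(resolve_action(FAILED, GLOBAL))                          # lock
    print(resolve_action(FAILED, GLOBAL, POLICY_RELAXED,
                         currently_locked=True))                   # unlock
    print(resolve_action(FAILED, GLOBAL, POLICY_WIPE))             # partial_wipe
```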