Cortado MDM – Manual

Configure Android Enterprise

October 4, 2018 October 24, 2019

For many Android devices (v5.0 and later), you can set up a certificate-based MDM. A list of all supported devices can be found under this link. Before you can take advantage of its features, a few steps need to be carried out. You must first decide whether you want to use Google Accounts or Managed Google Play Accounts. We recommend the latter, as they can be configured far more quickly and easily. Managed Google Play Accounts allow you to quickly manage your users’ devices and their apps.

Note! However, if G Suite (from Google Cloud) is used in your company, meaning that each user has a Google account (with a corporate domain), you have the option to use Google Accounts. How to set up Android Enterprise for Google Accounts is shown in our manual for Cortado Server.

To successfully configure Android Enterprise for your business, follow these two steps:

Register with Google for Android Enterprise

If you want to use Managed Google Play Accounts for your Android MDM, select Control Panel→ Global Settings→ MDM→ Enroll Android Enterprise in the management console.

Start configuration of Android Enterprise

  • In the next window, click on Get started.
start registration

  • You will need a Google account for the registration. Simply create a new account if you don’t have one already.
  • Now use your Google account to sign in.
sign in with Google Account or create a new account

  • Now enter your company name and then click on Next.
enter the name of the organisation and confirm

  • Now provide the names and contact details of the data protection officer and the EU representative in your company.
enter contact details

  • Then click on Complete Registration.
complete registration

Registration is now complete. Next, create your Google Firebase project.

Registration at Android Enterprise was successful

Creating Google Firebase project

  • Create a Google Firebase project with the appropriate Google server key and sender ID.
  • To do so, open the following link: https://console.firebase.google.com.
  • Log in with your Google account.
  • Then select Add project (arrow in illus.).
add a new project

  • Enter a project name and select your country (arrows in illus.).
  • Then select Create project.
enter project name and country

  • Your new project is ready. Proceed by clicking on Continue.
click on Continue

  • Select the Settings (left arrow in illus.) and then click on Project settings (right arrow in illus.).
open Project settings

  • Under Cloud Messaging you can find your Server key and your Sender ID.
Server key and Sender ID

  • Open the Cortado Management console under Control Panel→ Global Settings→ MDM→ Configure→ Android MDM.
  • Copy the Server key and the Sender ID into the Management console (upper arrows in illus.).
enter into management console


Under Android Enterprise (lower arrow in illus.) you can also see the data that has been automatically stored:

  • User account type: Managed Google Play Accounts
  • Enterprise ID
  • Service account e-mail address
  • Certificate
  • Password

Additionally, Cortado has automatically generated a self-signed SCEP certificate for you and uses it for identification with the MDM. If you prefer instead to integrate your own SCEP server, proceed as described in the section Integrating a SCEP Server.

Additional settings

In the Cortado management console under Control Panel→ Global Settings→ MDM→ Configure→ Android MDM you can make further settings.

The checkbox Auto enable users for Android enterprise while import (lower arrow in illus.) was activated automatically. Clear this checkbox if the users are not to be automatically enabled for Android Enterprise during import. This is useful if, for example, only some of the users are using Android Enterprise. Alternatively, you can manually enable the users for Android Enterprise under Control Panel→ Users→ Enable Android Enterprise.

make further settings

Basic Integrity failure action/CTS Profile Match failure action: Specify here what ought to happen during and after configuration of the Android devices if and when they fail Google’s SafetyNet test.

While configuring a device, and then every 10 minutes thereafter, Cortado MDM asks Google if any security breaches have occurred on the device. The following security irregularities are considered relevant according to Google:

Source: https://developer.android.com/training/safetynet/attestation#possible-results

If Google reports such a violation to the Cortado management console, you can specify here how it must proceed:

  • Do Nothing: There is no reaction to a safety violation during the SafetyNet check. In addition, an already locked device can be unlocked again by changing the setting from Lock to Do Nothing.
  • Lock: All managed apps will be blocked (see also the section Lock Android Enterprise).
  • Wipe: Fully managed devices can be reset to factory default settings (full wipe). For devices that have a work profile, the work profile is deleted from the device (partial wipe).

It is generally sufficient to select the Lock option and then check the user’s device to determine what the problem is.

Locked devices can be selected under Control Panel→ Devices and unlocked with Unlock Work Profile. However, the lock is repeated after 10 minutes if the cause of the lock has not been removed.

You can also put these settings in place in the Android Enterprise policies and thus determine different settings for selected users, groups, or devices. Depending on the circumstances, it may take up to 10 minutes after configuring the devices for these policies to take effect. If settings are set up in the policies, they will have a higher priority than settings made in the global settings. The latter will then be applied only to those users for whom no policies have been created and distributed.
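The decision logic described in this section, sketched as an added example (this is not Cortado's code). The field names basicIntegrity and ctsProfileMatch come from Google's SafetyNet attestation response; all function and variable names, the rule that the stricter action wins when both checks fail, and the treatment of a missing field as a failed check are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Action names as shown in the console; ranking them by severity is an assumption.
SEVERITY = {"Do Nothing": 0, "Lock": 1, "Wipe": 2}

@dataclass(frozen=True)
class FailureActions:
    basic_integrity: str      # "Basic Integrity failure action"
    cts_profile_match: str    # "CTS Profile Match failure action"

def resolve(verdict: dict, global_settings: FailureActions,
            policy: Optional[FailureActions] = None,
            fully_managed: bool = False) -> str:
    """Return the outcome of one SafetyNet check for one device."""
    # Policy settings take priority; global settings apply only without a policy.
    actions = policy if policy is not None else global_settings
    triggered = []
    # A missing field is treated as a failed check (fail closed, assumption).
    if verdict.get("basicIntegrity") is not True:
        triggered.append(actions.basic_integrity)
    if verdict.get("ctsProfileMatch") is not True:
        triggered.append(actions.cts_profile_match)
    if not triggered:
        return "Compliant"
    # If both checks fail, the stricter configured action applies (assumption).
    action = max(triggered, key=SEVERITY.__getitem__)
    if action == "Wipe":
        # Fully managed devices get a full wipe, work-profile devices a partial one.
        return "Full wipe" if fully_managed else "Partial wipe"
    return action

def is_locked_after(outcome: str) -> bool:
    """Lock state after a check: the lock is re-applied only while the outcome is Lock."""
    return outcome == "Lock"

# Constructed sample data, not output from a real device or console.
GLOBAL = FailureActions(basic_integrity="Lock", cts_profile_match="Lock")
LAB_POLICY = FailureActions(basic_integrity="Wipe", cts_profile_match="Do Nothing")
FAILED_CTS = {"basicIntegrity": True, "ctsProfileMatch": False}
FAILED_BOTH = {"basicIntegrity": False, "ctsProfileMatch": False}

if __name__ == "__main__":
    print(resolve(FAILED_CTS, GLOBAL))                     # global settings apply
    print(resolve(FAILED_CTS, GLOBAL, policy=LAB_POLICY))  # policy overrides global
    print(resolve(FAILED_BOTH, GLOBAL, policy=LAB_POLICY, fully_managed=True))
```

Working through a table like this before distributing policies shows which users would silently fall back to a weaker action than the global default.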
