To use Managed Google Play features and configurations, you have to set up Managed Google Play in MDM. Managed Google Play can be configured using either a G Suite account or a Google account. The differences between these methods are explained below:
PARAMETER | USING G SUITE | WITHOUT G SUITE |
Admin account to be used for configuring Managed Google Play | G Suite account used by the organization | Any Google account |
User account creation | Created by the IT Administrator, as a part of G Suite | Automatic creation of accounts |
User account addition | Requisite account to be manually added to the device | Account gets automatically added to the device |
User account binding | Bound to the specific user and can be reused in other devices | Bound to the specific device and cannot be reused |
Association of configurations | Associated to the account | Associated to the device |
Ideally used in | Organizations extensively using G Suite, having employees who use multiple devices | Organizations without G Suite, having employees who use corporate devices |
Example Scenario | Users already have device(s) with their G Suite account added. | Organizations have given corporate devices to employees and want to automatically add Google accounts to the devices and prevent users from adding their personal Google account. |
To configure AfW in MDM, you need the following:
To complete the Managed Google Play integration with MDM, you need to provide a few details, one of which is your Domain Admin Account. To obtain it, follow the steps given below:
Log in to Google Developers Console and click on Create Project.
Create a project by providing a Project Name and then click on Create.
Once the project is created, click on the Notification icon and click on the project creation notification message.
Now, click on Explore and enable APIs available under Getting Started.
Click on the key icon present on the left. Then click on Create Credentials and select Service Account Key from the dropdown.
Click on the dropdown below Service Account and select New Service Account. Provide a service account name and for the parameter Role, select Service Account from the dropdown and select Service Account Admin.
Ensure the key type is set as JSON and then click on Create. A JSON token is now downloaded. This needs to be uploaded on the MDM server. After downloading the token, click on Close.
Obtaining the EMM token
After clicking on Close, click on Manage Service Accounts. Now, click on the ellipsis icon present against the service account name and click on Edit.
Copy the 21-digit numeric sequence present under Unique ID and then click on View Domain Wide Delegation Client ID.
For Product Name for the consent screen, provide the product name Mobile Device Manager Plus and click on Save.
Click on the hamburger icon and click on APIs and Services from the menu and select Dashboard.
Click on Enable APIs and Services to enable device management using Managed Google Play.
Type in Google Play EMM API in the search box and click on the search icon.
Now select Google Play EMM API from the search results and Enable the API.
Similarly, type in Admin SDK on the search bar and Enable Admin SDK from the search results.
Now, log in to Google Admin Console and click on Security.
Scroll down and select Advanced Settings and click on Add New.
Paste the Unique ID you copied previously as the Client Name and provide the URL https://www.googleapis.com/auth/admin.directory.user for the parameter One or More API Scopes.
Now, go back to the home page, and click on Devices.
Click on Mobile & Endpoints -> Settings -> Third Party Integrations, found on the left side of the page.
Click on Android EMM, Add EMM providers, and save the changes.
Choose Generate token, and copy the token that is displayed.
Now that you have obtained the EMM token and the JSON file, go to the MDM web console, and click on the Admin tab. Select Configure Managed Google Play present under Managed Google Play Settings. Now, select the option Register without G Suite and provide the required details to configure AfW.
NOTE: For each Organizational Unit, a single EMM token can be used to manage devices.
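A pre-upload check for the downloaded JSON key, as an added example that is not part of the original documentation or of the MDM product. It assumes the standard field names of a Google service account key file (type, client_id, client_email, private_key) and that client_id carries the Unique ID; check_key and write_sample_key are hypothetical helper names, and the sample key is constructed.

```python
import json
import os
import re
import stat
import tempfile

# Scope the page authorizes for the service account's client ID.
EXPECTED_SCOPE = "https://www.googleapis.com/auth/admin.directory.user"
REQUIRED_FIELDS = ("type", "client_id", "client_email", "private_key")


def check_key(path, unique_id, granted_scopes):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # The file contains a private key, so only its owner should have access.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"key file mode {oct(mode)} allows group/other access")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except ValueError as exc:
        return findings + [f"key file is not valid JSON: {exc}"]
    if not isinstance(key, dict):
        return findings + ["key file is not a JSON object"]
    missing = [name for name in REQUIRED_FIELDS if not key.get(name)]
    if missing:
        findings.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        findings.append("type is not service_account")
    # The Unique ID copied from the console is a 21-digit number.
    if not re.fullmatch(r"[0-9]{21}", unique_id):
        findings.append("Unique ID is not a 21-digit number")
    elif key.get("client_id") != unique_id:
        findings.append("client_id does not match the copied Unique ID")
    if set(granted_scopes) != {EXPECTED_SCOPE}:
        findings.append("granted scopes differ from the documented one")
    return findings


def write_sample_key(client_id, mode):
    """Write a constructed (fake) key file for the demo and return its path."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump({"type": "service_account", "client_id": client_id,
                   "client_email": "mdm@example-project.iam.gserviceaccount.com",
                   "private_key": "CONSTRUCTED-PLACEHOLDER"}, fh)
    os.chmod(path, mode)
    return path
```

Run check_key on the downloaded file with the Unique ID you copied and the scopes you entered in the Admin Console; write_sample_key only fabricates test input.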
The next step before starting with Android for Work is to create user accounts. This step is required for pushing Managed Google Play-based configurations to devices. The user must log in with the created user account in Google Play Store to have all the AfW-pushed apps and configurations applied in the managed device. For devices enrolled as Profile Owner, the user must log in with the created user account in the Google Play Store present in the Work profile.
For Google apps users, user accounts can be created by manually adding users or by importing a CSV (recommended for small organizations).
Creating users without a Google apps account can be done using Google Active Directory Sync (GADS) (recommended for large organizations).
For organizations without G Suite, Managed Google Play can be configured with any Google Account, which is not associated with any G Suite service or EMM services. It is recommended to use the Google account of the organization, as this account will be used for provisioning all Managed Google Play-based features and configurations to the managed devices. Configuring Managed Google Play without G Suite can be done only if MDM is running in HTTPS. If not, an error message is displayed in the browser which is to be ignored. A major advantage in this method is automatic creation and association of the user accounts to the devices.
On the MDM Server, click Admin tab and select Configure Managed Google Play under Managed Google Play settings. Click on Register without G Suite and follow the on-screen instructions.
On being redirected to Google for Play | Work, sign in with a Google account, not associated with any EMM service.
Provide the name of your organization in less than 50 characters. Verify whether the EMM vendor is specified correctly and click on Confirm to proceed with the registration.
Click on Complete Registration to finish the registration, after which you will be redirected to the MDM Server. After the redirection, Managed Google Play is set up in the server with the specified details.