Android Enterprise

Android Enterprise is a set of tools and services provided by Google as an enterprise management solution for Android devices. With Android Enterprise:

• You use XenMobile to manage company-owned Android devices and bring your own device (BYOD) Android devices.

• You can manage the entire device or a separate profile on the device. The separate profile isolates business accounts, apps, and data from personal accounts, apps, and data.

• You can also manage devices dedicated to a single use, such as inventory management. For an overview of Android Enterprise capabilities from Google, seeAndroid Enterprise Management.

Resources:

• For a list of terms and definitions related to Android Enterprise, seeAndroid Enterprise terminologyin the Google Android Enterprise developers guide. Google updates these terms frequently.

• For Android operating systems supported for XenMobile, seeSupported device operating systems.

• For information about the outbound connections to consider when setting up network environments for Android Enterprise, see the Google support article,Android Enterprise Network Requirements.

When you integrate XenMobile with managed Google Play to use Android Enterprise, you create an enterprise. Google defines an enterprise as binding between the organization and your enterprise mobile management (EMM) solution. All the users and devices that the organization manages through your solution belong to its enterprise.

An enterprise for Android Enterprise has three components: an EMM solution, a device policy controller (DPC) app, and a Google enterprise app platform. When you integrate XenMobile with Android Enterprise, the complete solution has these components:

• XenMobile:The Citrix EMM. XenMobile is the unified XenMobile solution for a secure digital workspace. XenMobile provides the means for IT administrators to manage devices and apps for their organizations.
• Citrix Secure Hub:The Citrix DPC app. Secure Hub is the launchpad for XenMobile. Secure Hub enforces policies on the device.
• Managed Google Play:A Google enterprise app platform that integrates with XenMobile. The Google Play EMM API sets app policies and distributes app.

This illustration shows how administrators interact with these components and how the components interact with each other:

Using managed Google Play with XenMobile

Note:

You can use either managed Google Play or Google Workspace to register Citrix as your EMM provider. This article discusses using Android Enterprise with managed Google Play. If your organization uses Google Workspace to provide access to apps, you can use it with Android Enterprise. See遗留的安卓Enterprise for Google Workspace (formerly G-Suite) customers.

When you use managed Google Play, you provision managed Google Play Accounts for devices and end users. Managed Google Play Accounts provide access to managed Google Play, allowing users to install and use the apps you make available. If your organization uses a third-party identity service, you can link managed Google Play Accounts with your existing identity accounts.

Because this type of enterprise is not tied to a domain, you can create more than one enterprise for a single organization. For example, each department or region within an organization can enroll as a different enterprise to manage separate sets of devices and apps.

XenMobile管理员、管理谷歌玩combines the user experience and app store features of Google Play with a set of management capabilities designed for enterprises. You use managed Google Play to add, buy, and approve apps for deployment to the Android Enterprise workspace on a device. You can use Google Play to deploy public apps, private apps, and third-party apps.

For users of managed devices, managed Google Play is the enterprise app store. Users can browse apps, view app details, and install them. Unlike the public version of Google Play, users can only install apps from managed Google Play that you make available for them.

Device deployment scenarios and modes of operation

Device deployment scenario refer to who owns the devices you deploy and how you manage them. Device profiles refer to how the DPC manages and enforces policies on devices.

A work profile isolates business accounts, apps, and data from personal accounts, apps, and data. For more details about work profiles, see the Google Android Enterprise help topic,What is a work profile.

Important:

When Android Enterprise devices update to Android 11, Google will migrate devices managed as “fully managed with a work profile” to a new security-enhanced work profile experience. For more information, seeChanges ahead for Android Enterprise’s Fully Managed with Work Profile.

* Users can share a dedicated device. When a user signs on to an app on a dedicated device, the state of their work is with the app, not the device.

** XenMobile does not support Zebra devices as in BYOD work profile mode. XenMobile supports Zebra devices as fully managed devices and in device legacy mode (also called device admin mode).

For information on migrating from legacy mode to device owner or profile owner mode, seeMigrate from device administration to Android Enterprise.

Authentication methods

Enrollment profiles determine whether Android devices enroll in MAM, MDM, or MDM+MAM, with the option for users to opt out of MDM.

For information about specifying the level of security and required enrollment steps, seeConfigure enrollment security modes.

XenMobile supports the following authentication methods for Android devices enrolled in MDM+MAM. For information, see the articles underCertificates and authentication.

• Domain
• Domain plus security token
• 客户端certificate
• 客户端certificate plus domain
• Identity providers:
  • Azure Active Directory
  • Citrix Identity provider

Another rarely used authentication method is client certificate plus security token. For information, seehttps://support.citrix.com/article/CTX215200.

Requirements

Before you start using Android Enterprise, you need:

• Accounts and credentials:

  • To set up Android Enterprise with managed Google Play, a corporate Google account
  • To download the latest MDX files, a Citrix customer account
  • To deploy private apps (optional), a Google developer account

• Firebase Cloud Messaging (FCM) configured for XenMobile. SeeFirebase Cloud Messagingfor instructions.

• For Samsung Knox Mobile Enrollment (optional), Knox premium licenses.

Connecting XenMobile to Google Play

企业为组织设立Android, register Citrix as your EMM provider through managed Google Play. That setup connects managed Google Play to XenMobile and creates an enterprise for Android Enterprise in XenMobile.

You need a corporate Google account to sign in to Google Play.

1. In the XenMobile console, click the gear icon in the upper-right corner. TheSettingspage appears.

2. Go toSettings > Android Enterprise.

1. ClickConnect. Google Play opens.

1. Sign in to Google Play with your corporate Google account credentials. Enter your organization name and confirm Citrix is your EMM provider.

2. An enterprise ID is added for Android Enterprise. To enable Android Enterprise, slideEnable Android EnterprisetoYes.

   

Your Enterprise ID appears in the XenMobile console.

Your environment is connected to Google and is ready to manage devices. You can now provide apps for users.

XenMobile可以用来为用户提供Citrixmobile productivity apps, MDX apps, public app store apps, web and SaaS apps, enterprise apps, and web links. For more information on these types of apps and providing them to users, seeAdd apps.

The following section shows how to provide mobile productivity apps.

Providing Citrix mobile productivity apps to Android Enterprise users

Providing Citrix mobile productivity apps for Android Enterprise users requires these steps.

1. Publish the apps as MDX apps. SeeConfigure apps as MDX apps.

2. Configure the rules for the security challenge your users use to access the work profiles on their devices. SeeConfigure security challenge policy.

The apps you publish are available to devices enrolled in your Android Enterprise enterprise.

Note:

When you deploy an Android Enterprise public app store app to an Android user, that user is automatically enrolled in Android Enterprise.

Configure apps as MDX apps

To configure a Citrix productivity app as an MDX app for Android Enterprise:

1. In the XenMobile console, clickConfigure > Apps. TheAppspage appears.

   

2. ClickAdd. TheAdd Appdialog box appears.

   

3. ClickMDX. TheApp Informationpage appears.

4. On the left side of the page, selectAndroid Enterpriseas the platform.

5. On theApp Informationpage, type the following information:

   • Name:Type a descriptive name for the app. This name appears underApp Nameon theAppstable.
   • Description:Type an optional description of the app.
   • App category:Optionally, in the list, click the category to which you want to add the app. For more information about app categories, seeAbout app categories.

6. ClickNext. TheAndroid Enterprise MDX Apppage appears.

7. ClickUploadand navigate to the file location of the .mdx files for the app. Select the file and clickOpen.

8. The UI notifies you if the attached application requires approval from the managed Google Play store. To approve the application without leaving the XenMobile console, clickYes.

   

9. When the managed Google Play store page opens, clickApprove.

   

10. ClickApproveagain.

11. SelectKeep approved when app requests new permissions. ClickSave.

    

12. When the app is approved and saved, more settings appear on the page. Configure these settings:

    • File name:Type the file name associated with the app.
    • App Description:Type a description for the app.
    • Product track:Specify which product track you want to push to user devices. If you have a track designed for testing, you can select and assign it to your users. The default is Production.
    • App version:Optionally, type the app version number.
    • Package ID:The URL of the app in the Google Play store.
    • Minimum OS version:Optionally, type the oldest operating system version that the device can run to use the app.
    • Maximum OS version:Optionally, type the most recent operating system that the device must run to use the app.
    • 排除设备:Optionally, type the manufacturer or models of devices that cannot run the app.

13. Configure theMDX Policies. For more information about app policies for MDX apps, seeMDX Policies at a GlanceandMAM SDK overview.

14. Configure the deployment rules. For information, seeDeploy resources.

15. ExpandStore Configuration. This setting doesn’t apply to Android Enterprise apps, which appear only in managed Google Play.

    

    Optionally, you can add an FAQ for the app or screen captures that appear in the app store. You can also set whether users can rate or comment on the app.

    • Configure these settings:
      • App FAQ:Add FAQ questions and answers for the app.
      • App screenshots:Add screen captures to help classify the app in the app store. The graphic you upload must be a PNG. You cannot upload a GIF or JPEG image.
      • Allow app ratings:Select whether to permit a user to rate the app. The default isON.Allow app comments:Select whether to permit users to comment about the selected app. The default isON.

16. ClickNext. TheApprovalspage appears.

    

    You use workflows when you need approval when creating user accounts. If you don’t want to set up approval workflows, you can skip to Step 15.

    Configure these settings to assign or create a workflow:

    • Workflow to Use:In the list, click an existing workflow or clickCreate a new workflow. The default isNone.
    • If you selectCreate a new workflow, configure these settings. For more information, seeApply workflows.
    • Name:Type a unique name for the workflow.
    • Description:Optionally, type a description for the workflow.
    • Email Approval Templates:In the list, select the email approval template to be assigned. When you click the eye icon to the right of this field, a dialog box appears where you can preview the template.
    • Levels of manager approval:In the list, select the number of levels of manager approval required for this workflow. The default is 1 level. Possible options are:
      • Not Needed
      • 1 level
      • 2 levels
      • 3 levels
    • Select Active Directory domain:In the list, select the appropriate Active Directory domain to be used for the workflow.
    • Find additional required approvers:Type the name of the additional required person in the search field and then clickSearch. Names originate in Active Directory.
    • 当这个名字出现在现场,选择切ck box next to the name. The name and email address appear in theSelected additional required approverslist.
      • To remove a person from theSelected additional required approverslist, do one of the following:
        • ClickSearchto see a list of all the persons in the selected domain.
        • Type a full or partial name in the search box, and then clickSearchto limit the search results.
        • Persons in theSelected additional required approverslist have check marks next to their name in the search results list. Scroll through the list and clear the check box next to each name you want to remove.

17. ClickNext. TheDelivery Group Assignmentpage appears.

    

18. Next toChoose delivery groups, type to find a delivery group or select a group or groups in the list. The groups you select appear in the交付组织接收应用程序任务list.

19. ExpandDeployment Scheduleand then configure the following settings:

    • Next toDeploy, clickONto schedule deployment or clickOFF到上一页ent deployment. The default option isON.
    • Next to Deployment schedule, clickNoworLater. The default option isNow.
    • If you clickLater, click the calendar icon and then select the date and time for deployment.
    • Next toDeployment condition, clickOn every connectionor clickOnly when previous deployment has failed. The default option isOn every connection.

    • Next toDeploy for always-on connection, ensure thatOFFis selected. The default option isOFF. The always-on connections are not available for Android Enterprise if you began using XenMobile with version 10.18.19 or later. We don’t recommend the connections for customers who began using XenMobile before version 10.18.19.

      This option applies when you have configured the scheduling background deployment key inSettings > Server Properties.

      The deployment schedule you configure is the same for all platforms. Any changes you make apply to all platforms, except forDeploy for always-on connection.

20. ClickSave.

Repeat the steps to configure an MDX app for each mobile productivity app.

Configure security challenge policy

The XenMobile Passcode device policy configures the set of rules for the security challenges users to access their devices or the Android Enterprise work profiles on their devices. A security challenge can be a passcode or biometric recognition. For more information about the Passcode policy, seePasscode device policy.

• If your Android Enterprise deployment includes BYOD devices, configure the passcode policy for the work profile.
• If your deployment includes, company-owned, fully managed devices, configure the passcode policy for the device itself.
• If your deployment includes both types of devices, configure both types of passcode policy.

To configure the passcode policy:

1. In the XenMobile console, go toConfigure > Device Policies.

2. ClickAdd.

3. ClickShow filterto show thePolicy Platformpane. In thePolicy Platformpane, selectAndroid Enterprise.

4. ClickPasscodeon the right pane.

1. Enter aPolicy Name. ClickNext.

   

2. Configure the Passcode policy settings.
   • SetDevice passcode requiredtoOnto see the settings available for security challenges for the device itself.
   • SetWork profile security challengetoOnto see the settings available for work profile security challenges.

3. ClickNext.

4. Assign the policy to one or more delivery groups.

5. ClickSave.

Creating enrollment profiles

Enrollment profiles control how Android devices are enrolled if Android Enterprise in enabled for your XenMobile deployment. When you create an enrollment profile to enroll Android Enterprise devices, you can configure the enrollment profile to enroll new and factory reset devices as:

• Fully managed devices
• Dedicated devices (COSU devices)
• Fully managed devices with a work profile (COPE devices)

You can also configure each of these Android Enterprise enrollment profiles to enroll BYOD Android devices as work profile devices.

If Android Enterprise is enabled for your XenMobile deployment, all newly enrolled or re-enrolled Android devices are enrolled as Android Enterprise devices. By default, the Global enrollment profile enrolls new and factory reset Android devices as fully managed devices and enrolls BYOD Android devices as work profile devices.

When you create enrollment profiles, you assign delivery groups to them. If a user belongs to multiple delivery groups that have different enrollment profiles, the name of the delivery group determines the enrollment profile used. XenMobile selects the delivery group that appears last in an alphabetized list of delivery groups. For more information, seeEnrollment profiles.

You can use enrollment profiles to combine multiple use cases such as MDM only, MDM+MAM, and MAM only. Your XenMobile Server license type, reflected in the server property,xms.server.mode, determines the settings available inConfigure > Enrollment Profiles.

Add an enrollment profile for fully managed devices

The Global enrollment profile enrolls fully managed devices by default, but you can create more enrollment profiles to enroll fully managed devices.

1. In the XenMobile console, go toConfigure > Enrollment Profiles.

2. To add an enrollment profile, clickAdd. In the Enrollment Info page, type a name for the enrollment profile.

3. Set the number of devices that members with this profile can enroll.

4. SelectAndroidunderPlatformsor clickNext. The Enrollment Configuration page appears.

5. SetManagementtoAndroid Enterprise.

6. SetDevice owner modetoCompany owned device.

   

7. BYOD work profile允许您配置登记档案enroll BYOD devices as work profile devices. New and factory reset devices are enrolled as fully managed devices.

   • SetBYOD work profiletoOnto allow enrollment of BYOD devices as work profile devices. The default isOn.
   • SetBYOD work profiletoOffto restrict enrollment to fully managed devices.

8. Choose whether to enroll devices in Citrix MAM.

9. If you setBYOD work profiletoOn, configure user consent. To allow users of BYOD work profile devices to decline device management when they enroll their devices, setAllow users to decline device managementtoOn.

   IfBYOD work profileis set toOn, the default value ofAllow users to decline device managementisOn. IfBYOD work profileis set toOff, thenAllow users to decline device managementis disabled.

10. SelectAssignment (options). The Delivery Group Assignment screen appears.

11. Choose the delivery group or delivery groups containing the administrators who enroll fully managed devices. Then clickSave.

    The Enrollment Profile page appears with the profile you added.

    

Add a dedicated device enrollment profile

When your XenMobile deployment includes dedicated devices, a single XenMobile administrator or small group of administrators enroll many dedicated devices. To ensure that these administrators can enroll all the devices required, create an enrollment profile for them with unlimited devices allowed per user.

1. In the XenMobile console, go toConfigure > Enrollment Profiles.

2. To add an enrollment profile, clickAdd. In the Enrollment Info page, type a name for the enrollment profile. Ensure that the number of devices that members with this profile can enroll is set to unlimited.

3. SelectAndroidunderPlatformsor clickNext. The Enrollment Configuration page appears.

4. SetManagementtoAndroid Enterprise.

5. SetDevice owner modetoDedicated device.

   

6. BYOD work profile允许您配置登记档案enroll BYOD devices as work profile devices. New and factory reset devices are enrolled as dedicated devices. SetBYOD work profiletoOnto allow enrollment of BYOD devices as work profile devices. SetBYOD work profiletoOffto restrict enrollment to company-owned devices. Default isOn.

7. Choose whether to enroll devices in Citrix MAM.

8. If you setBYOD work profiletoOn, configure user consent. To allow users of BYOD work profile devices to decline device management when they enroll their devices, setAllow users to decline device managementtoOn.

   IfBYOD work profileis set toOn, the default value ofAllow users to decline device managementisOn. IfBYOD work profileis set toOff, thenAllow users to decline device managementis disabled.

9. SelectAssignment (options). The Delivery Group Assignment screen appears.

10. Choose the delivery group or delivery groups containing the administrators who enroll dedicated devices. Then clickSave.

    The Enrollment Profile page appears with the profile you added.

    

Add an enrollment profile for fully managed devices with a work profile

1. In the XenMobile console, go toConfigure > Enrollment Profiles.

2. To add an enrollment profile, clickAdd. In the Enrollment Info page, type a name for the enrollment profile.

3. Set the number of devices that members with this profile can enroll.

4. SelectAndroidunderPlatformsor clickNext. The Enrollment Configuration page appears.

5. SetManagementtoAndroid Enterprise. SetDevice owner modetoFully managed with work profile.

   

6. BYOD work profile允许您配置登记档案enroll BYOD devices as work profile devices. New and factory reset devices are enrolled as fully managed devices with a work profile. SetBYOD work profiletoOnto allow enrollment of BYOD devices as work profile devices. SetBYOD work profiletoOffto restrict enrollment to dedicated devices. Default isOff.

7. Choose whether to enroll devices in Citrix MAM.

8. If you setBYOD work profiletoOn, configure user consent. To allow users of BYOD work profile devices to decline device management when they enroll their devices, setAllow users to decline device managementtoOn.

   IfBYOD work profileis set toOn, the default value ofAllow users to decline device managementisOn. IfBYOD work profileis set toOff, thenAllow users to decline device managementis disabled.

9. SelectAssignment (options). The Delivery Group Assignment screen appears.

10. Choose the delivery group or delivery groups containing the administrators who enroll fully managed devices with a work profile. Then clickSave.

    The Enrollment Profile page appears with the profile you added.

    

Adding an enrollment profile for legacy devices

Google is deprecating the device administrator mode of device management. Google encourages customers to manage all Android devices in device owner mode or profile owner mode. (SeeDevice admin deprecationin the Google Android Enterprise developer guides.)

To support this change:

• Citrix makes Android Enterprise the default enrollment option for Android devices.
• If Android Enterprise is enabled for your XenMobile deployment, all newly enrolled or re-enrolled Android devices are enrolled as Android Enterprise devices.

Your organization might not be ready to begin managing legacy Android devices using Android Enterprise. In that case, you can continue to manage them in device administrator mode. For devices already enrolled in device administrator mode, XenMobile continues to manage them in device administrator mode.

Create an enrollment profile for legacy devices to allow new Android device enrollments to use device administrator mode.

To create an enrollment profile for legacy devices:

1. In the XenMobile console, go toConfigure > Enrollment Profiles.

2. To add an enrollment profile, clickAdd. In the Enrollment Info page, type a name for the enrollment profile.

3. Set the number of devices that members with this profile can enroll.

4. SelectAndroidunderPlatformsor clickNext. The Enrollment Configuration page appears.

5. SetManagementtoLegacy device administration (not recommended). ClickNext.

   

6. Choose whether to enroll devices in Citrix MAM.

7. To allow users to decline device management when they enroll their devices, setAllow users to decline device managementtoOn. Default isOn.

8. SelectAssignment (options). The Delivery Group Assignment screen appears.

9. Choose the delivery group or delivery groups containing the administrators who enroll dedicated devices. Then clickSave.

The Enrollment Profile page appears with the profile you added.

继续管理遗留设备在设备administrator mode, enroll or re-enroll them using this profile. You enroll device administrator devices similar to work profile devices, by having users download Secure Hub and providing an enrollment server URL.

Provisioning Android Enterprise work profile devices

Android Enterprise work profile devices are enrolled in profile owner mode. These devices do not need to be new or factory reset. BYOD devices are enrolled as work profile devices. The enrollment experience is similar to Android enrollment in XenMobile. Users download Secure Hub from Google Play and enroll their devices.

By default, theUSB Debugging and Unknown Sourcessettings are disabled on a device when it is enrolled in Android Enterprise as a work profile device.

When enrolling devices in Android Enterprise as work profile devices, always go to Google Play. From there, enable Secure Hub to appear in the user’s personal profile.

Provisioning Android Enterprise fully managed devices

You can enroll fully managed devices in the deployment you set up in the previous sections. Fully managed devices are company-owned devices and are enrolled in device owner mode. Only new or factory reset devices can be enrolled in device owner mode.

You can enroll devices in device owner mode using any of these enrollment methods:

• DPC identifier token:With this enrollment method, users enter the charactersafw#xenmobilewhen setting up the device.afw#xenmobileis the Citrix DPC identifier token. This token identifies the device as managed by XenMobile and downloads Secure Hub from the Google Play store. SeeEnrolling devices using the Citrix DPC identifier token.
• Near field communication (NFC) bump:The NFC bump enrollment method transfers data through between two devices using near-field communication. Bluetooth, Wi-Fi, and other communication modes are disabled on a new or factory-reset device. NFC is the only communication protocol that the device can use in this state. SeeEnrolling devices with NFC bump.
• QR code:QR code enrollment can be used to enroll a distributed fleet of devices that do not support NFC, such as tablets. The QR code enrollment method sets up and configures device profile mode by scanning a QR code from the setup wizard. SeeEnrolling devices using a QR code.
• Zero touch:Zero-touch enrollment allows you to configure devices to enroll automatically when they are first powered on. Zero-touch enrollment is supported on some Android devices running Android 9.0 or later. SeeZero-touch enrollment.
• Google Accounts:Users enter their Google Account credentials to initiate the provisioning process. This option is for enterprises using Google Workspace.

Enrolling devices using the Citrix DPC identifier token

Users enterafw#xenmobilewhen prompted to enter a Google account after powering on new or factory reset devices for initial setup. This action downloads and installs Secure Hub. Users then follow the Secure Hub set-up prompts to complete the enrollment.

In this enrollment method is recommended for most customers because the latest version of Secure Hub is downloaded from the Google Play store. Unlike with other enrollment methods, you do not provide Secure Hub for download from the XenMobile Server.

System requirements

• Supported on all Android devices running the Android OS.

To enroll the device

1. Power on a new or factory reset device.

2. The initial device setup loads and prompts for a Google account. If the device loads the home screen of the device, check the notification bar for aFinish Setupnotification.

3. Enterafw#xenmobilein theEmail or phonefield.

   

4. TapInstallon the Android Enterprise screen prompting to install Secure Hub.

5. TapInstallon the Secure Hub installer screen.

6. TapAllowfor all app permission requests.

7. TapAccept & Continueto install Secure Hub and allow it to manage the device.

8. Secure Hub is now installed and on the default enrollment screen. In this example, AutoDiscovery is not set up. If it was, the user can enter their username/email and a server would be found for them. Instead, enter the enrollment URL for the environment and tapNext.

   

9. The default configuration for XenMobile allows users to choose if they use MAM or MDM+MAM. If prompted in this way, tapYes, Enrollto choose MDM+MAM.

10. Enter the user name and password, then tapNext.

11. The user is prompted to configure a device passcode. TapSetand enter a passcode.

12. The user is prompted to configure a work profile unlock method. For this example, tapPassword, tapPIN, and enter a PIN.

    

13. The device is now on the Secure HubMy Appslanding screen. TapAdd apps from Store.

14. To add Secure Web, tapSecure Web.

    

15. TapAdd.

16. Secure Hub directs the user to the Google Play store to install Secure Web. TapInstall.

17. After Secure Web is installed, tapOpen. Enter a URL from an internal site in the address bar and verify that the page loads.

18. Go toSettings > Accountson the device. Observe that theManaged Accountcan’t be modified. The developer options for sharing screen or remote debugging are also blocked.

    

Enrolling devices with NFC bump

To enroll a device as a fully managed device using NFC bumps requires two devices: One that is reset to its factory settings and one running the XenMobile Provisioning Tool.

System requirements and prerequisites

• Supported Android devices.
• A new or factory-reset device, provisioned for Android Enterprise as a fully managed device. You can find steps to complete this prerequisite later in this article.
• Another device with NFC capability, running the configured Provisioning Tool. The Provisioning Tool is available in Secure Hub or on theCitrix downloads page.

Each device can have only one Android Enterprise profile, managed Secure Hub. Only one profile is allowed on each device. Attempting to add a second DPC app removes the installed Secure Hub.

Data transferred through the NFC bump

Provisioning a factory-reset device requires you to send the following data through an NFC bump to initialize Android Enterprise:

• Package name of the DPC app that acts as device owner (in this case, Secure Hub).
• Intranet/Internet location from which the device can download the DPC app.
• SHA1 hash of the DPC app to verify if the download is successful.
• Wi-Fi connection details so that a factory-reset device can connect and download the DPC app. Note: Android now does not support 802.1x Wi-Fi for this step.
• Time zone for the device (optional).
• Geographic location for the device (optional).

When the two devices are bumped, the data from the Provisioning Tool is sent to the factory-reset device. That data is then used to download Secure Hub with administrator settings. If you don’t enter time zone and location values, Android automatically configures the values on the new device.

Configuring the XenMobile Provisioning Tool

Before doing an NFC bump, you must configure the Provisioning Tool. This configuration is then transferred to the factory-reset device during the NFC bump.

You can type data into the required fields or populate them using a text file. The steps in the next procedure describe how to configure the text file and contain descriptions for each field. The app doesn’t save information after you type it, so you might want to create a text file to keep the information for future use.

To configure the Provisioning Tool by using a text file

Name the file nfcprovisioning.txt and place the file in the/sdcard/folder on the SD card of the device. The app can then read the text file and populate the values.

The text file must contain the following data:

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION=

This line is the intranet/internet location of the EMM provider app. After the factory-reset device connects to Wi-Fi following the NFC bump, the device must have access to this location for downloading. The URL is a regular URL, with no special formatting required.

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM=

This line is the checksum of the EMM provider app. This checksum is used to verify that the download is successful. Steps to obtain the checksum are discussed later in this article.

android.app.extra.PROVISIONING_WIFI_SSID=

This line is the connected Wi-Fi SSID of the device on which the Provisioning Tool is running.

android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE=

Supported values are WEP and WPA2. If the Wi-Fi is unprotected, this field must be empty.

android.app.extra.PROVISIONING_WIFI_PASSWORD = < wifipassword>

If the Wi-Fi is unprotected, this field must be empty.

android.app.extra.PROVISIONING_LOCALE=

Enter language and country codes. The language codes are two-letter lowercase ISO language codes (such as en) as defined byISO 639-1. The country codes are two-letter uppercase ISO country codes (such as US) as defined byISO 3166-1. For example, type en_US for English as spoken in the United States. If you don’t type any codes, the country and language are automatically populated.

android.app.extra.PROVISIONING_TIME_ZONE=

The time zone in which the device is running. Type anOlson name of the form area/location. For example, America/Los_Angeles for Pacific time. If you don’t enter a name, the time zone is automatically populated.

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME=

This data isn’t required, because the value is hardcoded into the app as Secure Hub. It’s mentioned here only for the sake of completion.

If there is a Wi-Fi protected by using WPA2, a completed nfcprovisioning.txt file might look like the following:

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION=https://www.somepublicurlhere.com/path/to/securehub.apk

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM=ga50TwdCmfdJ72LGRFkke4CrbAk\u003d

android.app.extra.PROVISIONING_WIFI_SSID=Protected_WiFi_Name

android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE=WPA2

android.app.extra.PROVISIONING_WIFI_PASSWORD=wifiPasswordHere

android.app.extra.PROVISIONING_LOCALE=en_US

android.app.extra.PROVISIONING_TIME_ZONE=America/Los_Angeles

If there is an unprotected Wi-Fi, a completed nfcprovisioning.txt file might look like the following:

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION=https://www.somepublicurlhere.com/path/to/securehub.apk

android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM=ga50TwdCmfdJ72LGRFkke4CrbAk\u003d

android.app.extra.PROVISIONING_WIFI_SSID=Unprotected_WiFi_Name

android.app.extra.PROVISIONING_LOCALE=en_US

android.app.extra.PROVISIONING_TIME_ZONE=America/Los_Angeles

To get the checksum of Citrix Secure Hub

The checksum of Secure Hub is a constant value:qn7oZUtheu3JBAinzZRrrjCQv6LOO6Ll1OjcxT3-yKM. To download an APK file for Secure Hub, use the following Google Play store link:https://play.google.com/managed/downloadManagingApp?identifier=xenmobile.

To get an app checksum

Prerequisites:

• Theapksignertool from the Android SDK Build Tools
• OpenSSL command line

To get the checksum of any app, follow these steps:

1. Download the app’s APK file from the Google Play store.

2. In the OpenSSL command line, navigate to theapksignertool:android-sdk/build-tools//apksignerand type the following:

   apksigner verify -print-certs  | perl -nle 'print $& if m{(?<=SHA-256 digest:) .*}' | xxd -r -p | openssl base64 | tr -d '=' | tr -- '+/=' '-_' 

   The command returns a valid checksum.

3. To generate the QR code, enter the checksum in thePROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUMfield. For example:

{ "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME": "com.zenprise/com.zenprise.configuration.AdminFunction", "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":"qn7oZUtheu3JBAinzZRrrjCQv6LOO6Ll1OjcxT3-yKM", "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://play.google.com/managed/downloadManagingApp?identifier=xenmobile", "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": { "serverURL": "https://supportablility.xm.cloud.com" } } 

Libraries used

The Provisioning Tool uses the following libraries in its source code:

• v7appcompatlibrary, Design support library, and v7 Palette library by Google under Apache license 2.0

  For information, seeSupport Library Features Guide.

• Butter Knifeby Jake Wharton under Apache license 2.0

Enrolling devices using a QR code

To enroll a fully managed device using a QR code, you generate a QR code by creating a JSON and converting the JSON to a QR code. Device cameras scan the QR code to enroll the device.

System requirements

• Supported on all Android devices running Android 9.0 and above.

Create a QR code from a JSON

Create a JSON with the following fields.

These fields are required:

Key: android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME

Value: com.zenprise/com.zenprise.configuration.AdminFunction

Key: android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM

Value: qn7oZUtheu3JBAinzZRrrjCQv6LOO6Ll1OjcxT3-yKM

Key: android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION

Value:https://play.google.com/managed/downloadManagingApp?identifier=xenmobile

These fields are optional:

• android.app.extra.PROVISIONING_LOCALE:Enter language and country codes.

  The language codes are two-letter lowercase ISO language codes (such as en) as defined byISO 639-1. The country codes are two-letter uppercase ISO country codes (such as US) as defined byISO 3166-1. For example, enter en_US for English as spoken in the United States.

• android.app.extra.PROVISIONING_TIME_ZONE:The time zone in which the device is running.

  Type anOlson name of the form area/location. For example, America/Los_Angeles for Pacific time. If you don’t enter one, the time zone is automatically populated.

• android.app.extra.PROVISIONING_LOCAL_TIME:Time in milliseconds since the Epoch.

  The Unix epoch (or Unix time, POSIX time, or Unix timestamp) is the number of seconds that have elapsed since January 1, 1970 (midnight UTC/GMT). The time doesn’t include leap seconds (in ISO 8601: 1970-01-01T00:00:00Z).

• android.app.extra.PROVISIONING_SKIP_ENCRYPTION:Set totrueto skip encryption during profile creation. Set tofalseto force encryption during profile creation.

A typical JSON looks like the following:

Validate the JSON that is created using any JSON validation tool, such ashttps://jsonlint.com. Convert that JSON string to a QR code using any online QR code generator, such ashttps://www.qr-code-generator.com.

This QR code gets scanned by a factory-reset device to enroll the device as a fully managed device.

To enroll the device

After powering up a new or factory reset device:

1. Tap the screen six times on the welcome screen to launch the QR code enrollment flow.

2. When prompted, connect to Wi-Fi. The download location for Secure Hub in the QR code (encoded in the JSON) is accessible over this Wi-Fi network.

   Once the device successfully connects to Wi-Fi, it downloads a QR code reader from Google and launches the camera.

3. Point the camera to the QR code to scan the code.

   Android downloads Secure Hub from the download location in the QR code, validate the signing certificate signature, install Secure Hub and sets it as the device owner.

For more information, see this Google guide for Android EMM developers:https://developers.google.com/android/work/prov-devices#qr_code_method.

Zero-touch enrollment

Zero-touch enrollment lets you set up devices to provision themselves as fully managed devices when they are powered on for the first time.

Your device reseller creates an account for you on the Android zero-touch portal, an online tool that lets you apply configurations to devices. Using the Android zero-touch portal, you create one or more zero-touch enrollment configurations and apply the configurations to the devices assigned to your account. When your users power up these devices, the devices are automatically enrolled in XenMobile. The configuration assigned to the device defines its automatic enrollment process.

System requirements

• Supported for zero-touch enrollment begins with Android 9.0.

Devices and account information from your reseller

• Devices eligible for zero-touch enrollment are purchased from an enterprise reseller or Google partner. For a list of Android Enterprise zero-touch partners, see theAndroid website.

• An Android Enterprise zero-touch portal account, created by your reseller.

• Android Enterprise zero-touch portal account login information, provided by your reseller.

Create a zero-touch configuration

When you create a zero-touch configuration, include a custom JSON to specify details of the configuration.

Use this JSON to configure the device to enroll on the XenMobile Server you specify. Substitute the URL of your server for ‘URL’ in this example.

{" android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": { "serverURL":"URL", } } 

You can use an optional JSON with more parameters to further customize your configuration. This example specifies the XenMobile Server and the user name and password that devices using this configuration use to log on to the server.

{" android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE": { "serverURL":"URL", "xm_username":"username", "xm_password":"password" } } 

1. Go to the Android zero-touch portal athttps://partner.android.com/zerotouch. Log in with the account information from your zero-touch device reseller.

2. ClickConfiguration.

3. Click+above the configuration table.

4. Enter your configuration information in the configuration window that appears.
   • Configuration name:Type the name you choose for this configuration.
   • EMM DPC:ChooseCitrix Secure Hub.
   • DPC extras:Paste your custom JSON text in this field.
   • Company name:Type the name you want to appear on your Android Enterprise zero-touch devices during device provisioning.
   • Support email address:Type an email address that your users can contact for help. This address appears on your Android Enterprise zero-touch devices before device provisioning.
   • Support phone number:Type a phone number that your users can contact for help. This phone number appears on your Android Enterprise zero-touch devices before device provisioning.
   • Custom Message:Optionally, add one or two sentences to help your users contact you or give them more details about what’s happening to their device. This custom message appears on your Android Enterprise zero-touch devices before device provisioning.

5. ClickAdd.

6. To create more configurations, repeat steps 2 through 4.

7. To apply a configuration to a device:

   1. In the Android zero-touch portal, clickDevices.

   2. Find the device in the list of devices and choose the configuration you want to assign to it.

   3. ClickUpdate.

You can apply a configuration to many devices using a CSV file.

For information on how to apply a configuration to many devices, see the Android Enterprise help topicZero-touch enrollment for IT admins. This Android Enterprise help topic contains more information on how to manage configurations and apply them to devices.

Provisioning dedicated Android Enterprise devices

Dedicated Android Enterprise devices are fully managed devices that are dedicated to fulfill a single use case. Dedicated devices are also known as corporate owned single use (COSU) devices. You restrict these devices to one app or small set of apps required to perform the tasks needed for this use case. You also prevent users from enabling other apps or performing other actions on the device.

Enroll dedicated devices using any of the enrollment methods used for other fully managed devices, as described inProvisioning Android Enterprise fully managed devices. Provisioning dedicated devices require more setup before enrollment.

To provision dedicated devices:

• Add an enrollment profile for XenMobile administrators that you allow to enroll dedicated devices to your XenMobile deployment. SeeCreating enrollment profiles.
• Allow the apps you want the dedicated device to access.
• Optionally, set the allowed app to allow lock task mode. When an app is in lock task mode, the app is pinned to the device screen when the user opens it. No Home button appears and the Back button is disabled. The user exits the app using an action programmed into the app, such as signing out.
• Enroll each device in the enrollment profile you added.

System requirements

• Support for enrolling dedicated devices begins with Android 6.0.

Allow apps and set lock task mode

The Kiosk device policy lets you allow apps and set lock task mode. By default, Secure Hub and Google Play services are allowed.

To add the Kiosk policy:

1. In the XenMobile console, clickConfigure > Device Policies. TheDevice Policiespage appears.

2. ClickAdd. TheAdd a New Policydialog box appears.

3. ExpandMoreand then, under Security, clickKiosk. TheKiosk Policypage appears.

4. Under Platforms, selectAndroid Enterprise. Clear other platforms.

5. In the Policy Information pane, type thePolicy Nameand an optionalDescription.

6. ClickNextand then clickAdd.

7. To allow an app and allow or deny lock task mode for that app:

   Select the app you want to allow from the list.

   ChooseAllowto set the app to be pinned to the device screen when the user starts the app. ChooseDenyto set the app not to be pinned. Default isAllow.

   

8. ClickSave.

9. To allow another app and allow or deny lock task mode for that app, clickAdd.

10. Configure deployment rules and choose delivery groups. For more information, seeDevice policies.

To enroll the device

1. ClickNextor selectAndroidunderPlatforms. The Enrollment Configuration page appears.

2. SetManagementtoAndroid Enterprise.

3. SetDevice owner modetoCompany-owned device.

   

4. SelectAssignment (options). The Delivery Group Assignment screen appears.

5. Choose the delivery group or delivery groups containing the administrators who enroll dedicated devices. Then clickSave.

If you enabledBYOD work profilein the enrollment profile, devices that are not new or factory reset are enrolled as work profile devices. SeeProvisioning Android Enterprise work profile devices.

Provision Android Enterprise fully managed devices with a work profile (COPE devices)

Fully managed devices with a work profile, formerly called COPE devices, are company-owned devices that are used for both work and personal purposes. Your organization manages the entire devices. You can apply one set of policies to the device and a separate set of policies to the work profile.

In the XenMobile console, fully managed devices with a work profile appear with these terms:

• The device ownership is “Corporate”.

• The device Android Enterprise install type is “Corporate Owner Personally Enabled”.

System requirements

• Support for enrolling fully managed devices with work profiles begins from Android 9.0 to Android 10.x.

Add an enrollment profile for fully managed devices with work profiles

Create an enrollment profile for enrolling fully managed devices with work profiles. The administrators in the delivery groups assigned to this enrollment profile can enroll fully managed devices with work profiles. To ensure that these administrators can enroll all the devices required, create an enrollment profile for them with unlimited devices allowed per user. Assign this profile to a delivery group containing the administrators who enroll fully managed devices with work profiles.

1. In the XenMobile console, go toConfigure > Enrollment Profiles.

2. To add an enrollment profile, clickAdd. In the Enrollment Info page, type a name for the enrollment profile. Ensure that the number of devices that members with this profile can enroll is set to unlimited.

3. ClickNextor selectAndroid EnterpriseunderPlatforms. The Enrollment Configuration page appears.

4. SetEnrollment Typeto one of the following:
   • Fully managed/Work profile:New devices or factory reset devices enroll fully managed. BYOD devices enroll with only a work profile managed by you.
   • COPE/Work profile:New devices or factory reset devices enroll fully managed with a work profile. BYOD devices enroll with only a work profile managed by you.

   

5. SelectAssignment (optional)or clickNext. The Delivery Group Assignment screen appears.

6. Choose the delivery group or delivery groups containing the administrators who enroll dedicated devices. Then clickSave.

   The Enrollment Profile page appears with the profile you added.

   

If a user belongs to multiple delivery groups that have different enrollment profiles, the name of the delivery group determines the enrollment profile used. XenMobile selects the delivery group that appears last in an alphabetized list of delivery groups.

To enroll the device

New and factory reset devices enroll as fully managed devices with a work profile using the DPC identifier token, near field communication (NFC) bump, or QC code methods. SeeEnrolling devices using the Citrix DPC identifier token,Enrolling devices with NFC bump, orEnrolling devices using a QR code.

Devices that are not new or factory reset enroll as work profile devices as described inProvisioning Android Enterprise work profile devices.

Viewing Android Enterprise devices in the XenMobile console

1. In the XenMobile console, go toManage > Devices.

2. Add theAndroid enterprise Enabled Device?column by clicking the menu on the right of the table on this page.

3. To view available security actions, select a fully managed device and clickSecure. When the device is fully managed, theFull Wipeaction is available butSelective Wipeis not. That difference is because the device only allows apps from the managed Google Play store. There is not an option for the user to install applications from the public store. Your organization managed all the content on the device.

   

Configure Android Enterprise device and app policies

For an overview of the policies controlled at both the device and app levels, seeSupported device policies and MDX policies for Android Enterprise.

What to know about policies:

• Data loss protection:The XenMobile MAM container technology secures apps with encryption and other mobile Data Loss Prevention (DLP) technologies. Use the Citrix MAM SDK or MDX Toolkit to MDX-enable apps.

• 设备restrictions:Dozens of device restrictions let you control features such as:

  • Use of the device camera
  • Use of copy and paste between work and personal profiles

• Per-app VPN:Use the Managed configurations device policy to configure VPN profiles for Android Enterprise.

• Email policy:We recommend using the Managed configurations device policy to configure apps.

This table lists all device policies available for Android Enterprise devices.

Important:

For devices that enroll in Android Enterprise and use MDX apps: You can control some settings through MDX and Android Enterprise. Use the least restrictive policy settings for MDX and control the policy through Android Enterprise.

Device policies for fully managed devices with work profile (COPE devices)

For fully managed devices with work profiles (COPE devices), some device policies can be used to apply separate settings to the entire device and the work profile. You can use other device policies to apply settings only to the entire device or only to the work profile of fully managed devices with work profiles.

See also,Supported device policies and MDX policies for Android EnterpriseandMAM SDK overview.

Security actions

Android Enterprise supports the following security actions. For a description of each security action, seeSecurity actions.

Security action notes

• The locate security action fails unless the Location device policy sets the location mode for the device toHigh AccuracyorBattery Saving. SeeLocation device policy.

• On work profile devices that are running versions of Android earlier than Android 9.0:

  • The lock and reset password action isn’t supported.

• On work profile devices with Android 9.0 or greater:

  • The passcode sent locks the work profile. The device itself isn’t locked.
  • If no passcode is set on the work profile:
    • If no passcode is sent, or the passcode sent doesn’t meet passcode requirements: The device is locked.
  • If a passcode is set on the work profile:
    • If no passcode is sent, or the passcode sent doesn’t meet passcode requirements: The work profile is locked but the device itself isn’t locked.

• On fully managed devices with work profiles (COPE devices):

  • You can apply the Lock security action separately to the device or the work profile

Unenroll an Android Enterprise enterprise

If you no longer want to use your Android Enterprise enterprise, you can unenroll the enterprise.

Warning:

After you unenroll an enterprise, Android Enterprise apps on devices already enrolled through it reset to their default states. Google no longer manages the devices. If you enroll into a new Android Enterprise enterprise, you must approve apps for the new organization from managed Google Play. You can then update the apps from the XenMobile console.

After the Android Enterprise enterprise is unenrolled:

• Devices and users enrolled through the enterprise have the Android Enterprise apps reset to their default state. Managed Configurations policies previously applied no longer affect operations.
• XenMobile manages devices enrolled through the enterprise. From the perspective of Google, those devices are unmanaged. You can’t add new Android Enterprise apps. You can’t apply Managed Configurations policies. You can apply other policies, such as Scheduling, Password, and Restrictions, to these devices.
• 如果你试图注册设备Android对策系统rise, they are enrolled as Android devices, not Android Enterprise devices.

Unenroll an Android Enterprise enterprise using the XenMobile Server console and XenMobile Tools.

When you perform this task, XenMobile opens a popup window for XenMobile Tools. Before you begin, ensure that XenMobile has permission to open popup windows in the browser you are using. Some browsers, such as Google Chrome, require you to disable popup blocking and add the address of the XenMobile site to the popup block allow list.

To unenroll an Android Enterprise enterprise:

1. In the XenMobile console, click the gear icon in the upper-right corner. The Settings page appears.

2. On the Settings page, clickAndroid Enterprise.

3. ClickUnenroll.