Workspace ONE UEM powered by AirWatch provides you with a robust set of mobility management solutions for enrolling, securing, configuring, and managing your Android device deployment. Through the Workspace ONE UEM console, you have several tools and features at your disposal for managing the entire life cycle of corporate-owned and employee-owned devices.
The guide explains how to integrate Workspace ONE UEM as your Enterprise Mobility Manager (EMM) with Android devices.
These key terms associated with Android will help you in understanding how to configure and deploy settings to your users.
Before deploying Android devices, consider the following prerequisites, requirements for enrollment, supporting materials, and helpful suggestions from the Workspace ONE UEM team.
Android 5.X.X (Lollipop)
Note: LG Service Application is no longer supported on LG devices running Android 9 and later with Android (Legacy) deployments. If you are using LG devices on Android 9 or later using the Android Legacy enrollment method, consider migrating to Android Enterprise.
Note: Customers will experience an updated, privacy-conscious feature set when a COPE enrolled device is upgraded from Android 10 to Android 11. A summary of the key features and functionality of COPE devices can be found in Understanding Android Device Modes.
Note: If your organization requires more time to complete testing, there are two options to delay your devices upgrading to Android 11. See Manage System Updates for Android Devices.
If your devices do not support Google Play EMM Integration, refer to Android (Legacy) deployment or use AOSP/Closed Network configuration.
For more information on AOSP/Closed Network, see Understanding Android Device Modes.
Workspace ONE UEM supports devices running Android GO in Work Managed mode only. For these, all device management capabilities for the Work Managed mode are supported with the exception of the following:
End-user devices must be able to reach certain endpoints to access apps and services. The Network Requirements for Android table below lists the known endpoints for current and past versions of the enterprise management APIs.
To reach all of these endpoints successfully, a direct connection is required. If the devices sit behind a proxy, direct communication is not possible and certain functions fail (Firebase Cloud Messaging, used for console-to-DPC push, does not work through a proxy at all).
| Destination | Protocol/Port | Purpose |
|---|---|---|
| play.google.com, android.com, google-analytics.com, *.googleusercontent.com, *gstatic.com, *gvt1.com, *ggpht.com, dl.google.com, dl-ssl.google.com, android.clients.google.com, *gvt2.com, *gvt3.com | TCP/443; TCP,UDP/5228-5230 | Google Play and updates. *gstatic.com and *.googleusercontent.com serve user-generated content (for example app icons in the store). *gvt1.com, *ggpht.com, dl.google.com, dl-ssl.google.com and android.clients.google.com download apps and updates and serve Play Store APIs. *gvt2.com and *gvt3.com are used for Play connectivity monitoring and diagnostics. |
| *.googleapis.com | TCP/443 | EMM, Google and Play Store APIs |
| accounts.google.com, accounts.google.[country] | TCP/443 | Authentication. For accounts.google.[country], use your local top-level domain for [country]: for example accounts.google.com.au for Australia and accounts.google.co.uk for the United Kingdom. |
| fcm.googleapis.com, fcm-xmpp.googleapis.com | TCP/443, 5228-5230 | Firebase Cloud Messaging (for example Find My Device and EMM console to DPC communication such as pushing configurations). FCM does not work through proxies. |
| pki.google.com, clients1.google.com | TCP/443 | Certificate revocation list checks for Google-issued certificates |
| clients2.google.com, clients3.google.com, clients4.google.com, clients5.google.com, clients6.google.com | TCP/443 | Domains shared by various Google backend services such as crash reporting, Chrome bookmark sync, time sync (tlsdate) and many others |
| android.clients.google.com | TCP/443 | CloudDPC download URL used in NFC provisioning |
| connectivitycheck.android.com, www.google.com | TCP/443 | Connectivity check prior to CloudDPC v470. The Android connectivity check starting with Android 7.1 (N MR1) requires https://www.google.com/generate_204 to be reachable, or the given Wi-Fi network must point to a reachable PAC file. Also required for AOSP devices running Android 7.0 or later. |
| www.google.com, www.google.com/generate_204 | TCP/443 | AOSP devices running Android 7.0 or later |
| android-safebrowsing.google.com, safebrowsing.google.com | TCP/443 | Android application verification |
The Workspace ONE UEM Device Services application uses Google's SafetyNet Attestation API to verify the integrity of Android devices and ensure they are not compromised. To do so, it makes outbound API calls to Google servers. In on-premises environments, organizations may choose to allow the Device Services application to make outbound connections only via a proxy. In that case, besides configuring the proxy settings at the application level in the Workspace ONE UEM console, you must also configure the same outbound proxy at the system level on the Windows server that hosts the Device Services application. If the Windows server cannot make outbound connections to the required Google endpoints, SafetyNet Health Attestation fails.
If the EMM console is located on-premises, the destinations below must be reachable from its network in order to create a Managed Google Play Enterprise and to load the Managed Google Play iFrame.
These requirements reflect current Google Cloud requirements and are subject to change.
| Destination | Protocol/Port | Purpose |
|---|---|---|
| play.google.com, www.google.com | TCP/443 | Google Play Store, Play Enterprise re-enrollment |
| fonts.googleapis.com, *.gstatic.com | TCP/443 | iFrame JavaScript, Google Fonts, user-generated content (for example app icons in the store) |
| accounts.youtube.com, accounts.google.com, accounts.google.com.* | TCP/443 | Account authentication, country-specific account authentication domains |
| apis.google.com, ajax.googleapis.com | TCP/443 | GCM, other Google web services, and iFrame JavaScript |
| clients1.google.com, payments.google.com, google.com | TCP/443 | App approval |
| ogs.google.com | TCP/443 | iFrame UI elements |
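The two endpoint tables above (device-side requirements and on-premises console requirements) are easy to mis-transcribe into a firewall or proxy allowlist, and the most common mistakes are a missing port range, a `*.gstatic.com` rule where the table says `*gstatic.com`, and a forgotten country-specific account domain. The following script is an added example, not part of the Workspace ONE UEM documentation or product: it encodes both tables as data, parses the port notation the tables use, reports which required destinations a given allowlist does not permit, and offers a direct (proxy-free) TCP probe. The allowlist `DEMO_ALLOW_HOSTS` / `DEMO_ALLOW_PORTS` is constructed for the demonstration and deliberately contains those three mistakes.

```python
"""Egress allowlist check for the Android endpoint tables above.

Added example; not part of the Workspace ONE UEM documentation or product.
It encodes the device-side table and the on-premises console table as data,
parses the "TCP/443; TCP,UDP/5228-5230" port notation the tables use, and
reports which required destinations an egress allowlist does not permit.
DEMO_ALLOW_HOSTS / DEMO_ALLOW_PORTS are constructed for the demo.
"""
import fnmatch
import socket

# (hosts, ports, purpose) rows copied from the two tables above.
DEVICE_ENDPOINTS = [
    ("play.google.com, android.com, google-analytics.com, *.googleusercontent.com, "
     "*gstatic.com, *gvt1.com, *ggpht.com, dl.google.com, dl-ssl.google.com, "
     "android.clients.google.com, *gvt2.com, *gvt3.com",
     "TCP/443; TCP,UDP/5228-5230", "Google Play and updates"),
    ("*.googleapis.com", "TCP/443", "EMM / Google / Play Store APIs"),
    ("accounts.google.com", "TCP/443", "Authentication"),
    ("fcm.googleapis.com, fcm-xmpp.googleapis.com", "TCP/443,5228-5230",
     "Firebase Cloud Messaging"),  # direct connection only, no proxy
    ("pki.google.com, clients1.google.com", "TCP/443", "CRL checks"),
    ("clients2.google.com, clients3.google.com, clients4.google.com, "
     "clients5.google.com, clients6.google.com", "TCP/443", "Shared Google backends"),
    ("android.clients.google.com", "TCP/443", "CloudDPC download (NFC provisioning)"),
    ("connectivitycheck.android.com, www.google.com", "TCP/443", "Connectivity check"),
    ("android-safebrowsing.google.com, safebrowsing.google.com", "TCP/443",
     "Android application verification"),
]
CONSOLE_ENDPOINTS = [
    ("play.google.com, www.google.com", "TCP/443", "Play Store, Play Enterprise re-enroll"),
    ("fonts.googleapis.com, *.gstatic.com", "TCP/443", "iFrame JS, fonts, user content"),
    ("accounts.youtube.com, accounts.google.com, accounts.google.com.*", "TCP/443",
     "Account authentication"),
    ("apis.google.com, ajax.googleapis.com", "TCP/443", "GCM, web services, iFrame JS"),
    ("clients1.google.com, payments.google.com, google.com", "TCP/443", "App approval"),
    ("ogs.google.com", "TCP/443", "iFrame UI elements"),
]

# Constructed allowlist of an egress firewall: it has the usual Google wildcards
# but only port 443, says *.gstatic.com where the table says *gstatic.com, and
# forgets connectivitycheck.android.com and accounts.google.com.* entirely.
DEMO_ALLOW_HOSTS = ("*.google.com", "google.com", "*.googleapis.com", "*.gstatic.com",
                    "*googleusercontent.com", "*gvt1.com", "*gvt2.com", "*gvt3.com",
                    "*ggpht.com", "android.com", "google-analytics.com",
                    "accounts.youtube.com")
DEMO_ALLOW_PORTS = {("tcp", 443)}


def parse_ports(spec):
    """'TCP/443; TCP,UDP/5228-5230' -> {('tcp', 443), ('tcp', 5228), ..., ('udp', 5230)}."""
    out = set()
    for group in spec.split(";"):
        protos, _, ports = group.strip().partition("/")
        for proto in protos.split(","):
            for rng in ports.split(","):
                lo, _, hi = rng.partition("-")
                for port in range(int(lo), int(hi or lo) + 1):
                    out.add((proto.strip().lower(), port))
    return out


def host_allowed(pattern, allow_hosts):
    """A table pattern is covered if some allow rule matches a representative host
    made by substituting a label for its wildcard (*gstatic.com -> probegstatic.com)."""
    probe = pattern.replace("*", "probe").lower()
    return any(fnmatch.fnmatchcase(probe, rule.lower()) for rule in allow_hosts)


def uncovered(table, allow_hosts, allow_ports):
    """Return (host_pattern, (proto, port), purpose) triples the allowlist does not permit."""
    gaps = []
    for hosts, ports, purpose in table:
        for pattern in (h.strip() for h in hosts.split(",")):
            ok = host_allowed(pattern, allow_hosts)
            for pp in sorted(parse_ports(ports)):
                if not ok or pp not in allow_ports:
                    gaps.append((pattern, pp, purpose))
    return gaps


def probe_tcp(host, port, connect=socket.create_connection, timeout=3.0):
    """Direct (proxy-free) TCP reachability check; the connector is injectable
    so the function can be exercised without network access."""
    try:
        sock = connect((host, port), timeout=timeout)
    except OSError:
        return False
    sock.close()
    return True


if __name__ == "__main__":
    for name, table in (("device", DEVICE_ENDPOINTS), ("console", CONSOLE_ENDPOINTS)):
        for pattern, (proto, port), purpose in uncovered(table, DEMO_ALLOW_HOSTS, DEMO_ALLOW_PORTS):
            print(f"[{name}] allowlist blocks {pattern} {proto}/{port} ({purpose})")
```

Run it against your own rule set by replacing `DEMO_ALLOW_HOSTS` and `DEMO_ALLOW_PORTS`; every printed line is a destination the table requires that your egress policy would block. `probe_tcp` with the default connector performs a real direct connection from the host it runs on, which is the check the page calls for on the Device Services server, and it intentionally ignores any system proxy because the FCM and Play push ports must be reachable without one.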
Each Android device in your organization’s deployment must be enrolled before it can communicate with Workspace ONE UEM and access internal content and features. The following information is required prior to enrolling your device.
If an email domain is associated with your environment – If using Auto Discovery:
If an email domain is not associated with your environment - If not using Auto Discovery:
If a domain is not associated with your environment, you are still prompted to enter your email address. Since auto discovery is not enabled, you are then prompted for the following information:
To download the Workspace ONE Intelligent Hub and subsequently enroll an Android device, you need to complete one of the following:
Enrollment restrictions let you control who and what can enroll, for example by restricting enrollment to known users and user groups and by limiting the number of enrolled devices allowed.
These options are available by navigating to Groups & Settings > All Settings > Devices & Users > General > Enrollment and choosing the Restrictions tab, which lets you customize enrollment restriction policies by organization group and user group role.
You can create enrollment restrictions based on:
Android manufacturer and model to ensure only approved devices are enrolled into Workspace ONE UEM. When an Android device is enrolled, smart group and enrollment restriction criteria is updated to include the new make and model of the device.
Note: Some devices are manufactured by a vendor other than the brand they are sold under, and the device reports that actual manufacturer. Create the policy with the manufacturer the device actually reports for it to take effect. You can identify the reported manufacturer and model over adb:
adb shell getprop | grep -i manufacturer
adb shell getprop ro.product.model
Blacklist or whitelist devices by UDID, IMEI, and serial number.
Note: When Android 10 or later devices enroll in Work Profile mode, they are held in a pending status until the UEM console can retrieve the IMEI or serial number from the device and check it against the whitelist or blacklist. Until that check completes, the device is not fully enrolled and no work data is sent to it.
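To make the restriction logic above concrete, here is an added example that is not Workspace ONE UEM code: it evaluates a constructed device against a constructed policy that allows manufacturers and models, blacklists or whitelists identifiers (UDID, IMEI, serial number) and caps devices per user, and it reproduces the pending behaviour described in the note, holding a device whose IMEI and serial number have not yet been retrieved instead of allowing or denying it. Every device, identifier and policy value in it is made up for the demonstration.

```python
"""Enrollment restriction evaluation for the criteria listed above.

Added example; not Workspace ONE UEM code. A policy allows devices by
manufacturer/model, blocks or allows them by UDID, IMEI or serial number and
caps devices per user. When identifier rules exist but the IMEI/serial has not
yet been retrieved (the Android 10+ Work Profile case in the note above), the
decision is PENDING rather than allow or deny. All data here is constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    PENDING = "pending"   # hold enrollment until IMEI/serial are known


@dataclass
class Device:
    manufacturer: str              # as reported by ro.product.manufacturer
    model: str                     # ro.product.model
    udid: str                      # known at the first enrollment request
    imei: Optional[str] = None     # None = not yet retrieved by the console
    serial: Optional[str] = None


@dataclass
class Policy:
    # manufacturer -> allowed models; an empty set allows every model of that make
    allowed_makes: Dict[str, Set[str]] = field(default_factory=dict)
    blocked_ids: Set[str] = field(default_factory=set)   # UDID/IMEI/serial blacklist
    allowed_ids: Set[str] = field(default_factory=set)   # UDID/IMEI/serial whitelist
    max_devices_per_user: int = 3


def norm(value: Optional[str]) -> Optional[str]:
    """Compare case- and whitespace-insensitively; OEM strings vary in case."""
    return "".join(value.split()).lower() if value else None


def evaluate(device: Device, policy: Policy, enrolled_count: int = 0) -> Tuple[Decision, str]:
    if enrolled_count >= policy.max_devices_per_user:
        return Decision.DENY, "user has reached the device limit"

    make = norm(device.manufacturer)
    if policy.allowed_makes:
        allowed = {norm(k): {norm(m) for m in v} for k, v in policy.allowed_makes.items()}
        if make not in allowed:
            return Decision.DENY, f"manufacturer {device.manufacturer!r} not approved"
        if allowed[make] and norm(device.model) not in allowed[make]:
            return Decision.DENY, f"model {device.model!r} not approved"

    blocked = {norm(i) for i in policy.blocked_ids}
    allowed_ids = {norm(i) for i in policy.allowed_ids}
    present = {norm(i) for i in (device.udid, device.imei, device.serial) if i}

    # A blacklist hit on any identifier already known (the UDID arrives at once)
    # denies immediately; there is no point waiting for the remaining identifiers.
    if present & blocked:
        return Decision.DENY, "identifier is blacklisted"

    # Identifier rules cannot be settled until IMEI/serial are known. They arrive
    # after the initial request on Android 10+ Work Profile enrollments, so the
    # device is held and no work data is sent in the meantime.
    if (blocked or allowed_ids) and not (device.imei or device.serial):
        return Decision.PENDING, "waiting for IMEI/serial number"

    if allowed_ids and not present & allowed_ids:
        return Decision.DENY, "identifier is not whitelisted"

    return Decision.ALLOW, "passes enrollment restrictions"


if __name__ == "__main__":
    policy = Policy(allowed_makes={"samsung": set(), "Google": {"Pixel 6"}},
                    blocked_ids={"356789012345678"})               # constructed IMEI
    for dev in (Device("Samsung", "SM-G991B", "udid-1", imei="356789012345678"),
                Device("samsung", "SM-G991B", "udid-2"),           # ids not yet retrieved
                Device("Google", "Pixel 6", "udid-3", imei="490154203237518", serial="1A2B3C")):
        decision, reason = evaluate(dev, policy)
        print(f"{dev.manufacturer} {dev.model}: {decision.value} ({reason})")
```

The ordering is deliberate: a blacklist hit on an identifier that is already known denies at once, but a whitelist cannot be satisfied and a blacklist cannot be cleared until the hardware identifiers are present, so both hold the device in the pending state. A policy with no identifier rules never waits, because there is nothing to check.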
Android’s built-in management features enable IT admins to fully manage devices used exclusively for work.
Android offers several modes depending on the ownership of the device being used within your organization:
Applications in the Work Profile are differentiated by a red briefcase icon, called badged applications, and are shown in a unified launcher with the user’s personal applications. For example, your device shows both a personal icon for Google Chrome and a separate icon for Work Chrome denoted by the badge. From an end-user perspective, it looks like two different applications, but the application is only installed once with business data stored separately from personal data.
The Workspace ONE Intelligent Hub is badged and exists only within the Work Profile data space. There is no control over personal applications and the Workspace ONE Intelligent Hub does not have access to personal information.
There are a handful of system applications that are included with the Work Profile by default such as Work Chrome, Google Play, Google settings, Contacts, and Camera – which can be hidden using a restrictions profile.
Certain settings show the separation between personal and work configurations. Users see separate configurations for the following settings:
When devices are enrolled in Work Managed Device mode, a true corporate ownership mode is created. Workspace ONE UEM controls the entire device and there is no separation of work and personal data.
Important things to note for the Work Managed mode are:
If you are using Workspace ONE UEM on Android Open Source Project (AOSP) devices, non-GMS devices, or closed networks within your organization, you can enroll your Android devices using the Work Managed Device enrollment flow without Google Play Services. You can host apps on your organization's intranet and use OEM-specific enrollment methods for deployment.
You will need to specify in the UEM console that you are using AOSP/Closed Network during Android EMM Registration.
Things to consider when using Work Managed Device Without Google Play Services on AOSP/Closed Network deployments:
When devices are enrolled using COPE mode, you still control the entire device. The unique capability with COPE mode is that it allows you to enforce two separate sets of policies, such as restrictions, for the device and inside a Work profile.
COPE mode is only available on Android 8.0+ devices. If you enroll Android devices below Android 8.0, the device automatically enrolls as Fully Managed Device.
There are some caveats to consider when enrolling devices into COPE mode:
New enrollments of Android 11 devices require Workspace ONE Intelligent Hub 20.08 for Android and Workspace ONE UEM console 2008. For specific information, see Changes to Corporate Owned Personally Enabled (COPE) in Android 11.
PIN-based encryption and Workspace ONE UEM single sign-on through the SDK are not supported for Corporate Owned Personally Enabled devices. A work passcode can be enforced instead, so that using work applications requires a passcode.