To start managing Android devices, you need to register Workspace ONE UEM as your Enterprise Mobility Management (EMM) provider with Google. The Getting Started page in the Workspace ONE UEM console provides a step-by-step workflow to help configure the enterprise management tools needed to secure and manage your device fleet.
There are two ways to configure Android: by using a Managed Google Play account (preferred) or using a managed Google domain (recommended by Google for G Suite customers). A Managed Google Play account is used when your business does not use G Suite and allows for multiple configurations of Android within your organization using a personal Google account. Workspace ONE UEM manages this account and requires no Active Directory sync or Google verification.
Setting up Android using managed Google domain (G Suite) requires your enterprise to set up a Google domain and must follow a verification process to prove that you own the domain. This domain can only be linked to one verified EMM account. The setup includes creating a Google Service Account and configuring Workspace ONE UEM as your EMM provider. Consider creating a Google account specifically for Android for your organization to use so as not to conflict with any existing Google accounts.
Important: When you create a Google account for the managed Google domain, it is considered the administrator account for your domain. Consider adding additional users (Google accounts) to help you manage tasks in managed Google Play. Adding more Google accounts is useful in the event the primary Google account becomes inactive: if this happens, you can still access the managed Google domain and avoid unwanted behaviors. Furthermore, do not delete the Google Admin Account or EnterpriseID associated with your Android EMM Registration. Deleting them may result in Android EMM Registration errors or failure.
You can create and assign roles for your managed Google domain. See Assign Roles in Enterprises.
The Google Service Account is a special Google account that is used by applications to access Google APIs and is required when setting up Android using the managed Google domain method for your business. The Google Service Account credentials are populated automatically when you configure Android Accounts after registering with a managed Google Play account. If you encounter an error while setting up Android Accounts, clear your settings in the Workspace ONE UEM console and try again, or create the account manually. For Google Accounts, consider creating your Google Service Account before starting either setup method.
To change the Google account or make changes to your admin settings, you have to unbind the account from the Workspace ONE UEM console.
Important: The setup of Android includes the integration of third-party tools that are not managed by VMware. The information in this guide for the Google Admin Console and Google Developer Console has been documented with the version available as of January 2018. Integration with a third-party product is not guaranteed and is dependent upon the proper functioning of the third-party solutions.
The Workspace ONE UEM console allows you to complete a simplified setup process to bind the UEM console to Google as your EMM provider.
If the Android EMM Registration page is blocked, make sure the Google URLs are allowed in your network architecture so that the console can communicate with internal and external endpoints.
Navigate to Getting Started > Workspace ONE > Android EMM Registration.
Select Configure and you are redirected to the Android EMM Registration page.
Select Register with Google. If you are already signed in with your Google credentials, you are directed to the Google “Get Started” page.
If your organization uses more than one domain, you will need to register separate domains.
Select Sign In if you are not already, and enter your Google credentials and then select Get Started.
Enter your Organization Name. The Enterprise Mobility Manager (EMM) provider field populates automatically as VMware Workspace ONE UEM.
Select Confirm > Complete Registration. You are redirected to the Workspace ONE Console, and your Google Service Account credentials are automatically populated.
Select Save > Test Connection to ensure the service account is set up and connected successfully.
If your settings in the UEM console have been cleared, when you navigate to register with Google, you will see a message that prompts you to complete setup. You are redirected back to the Workspace ONE UEM console to finish setup.
Setting up your account with a managed Google domain requires the organization to set up a Google domain if it does not already use one. You must also complete several manual tasks, such as verifying domain ownership with Google, obtaining an EMM token, and creating an enterprise service account, to use this type of setup.
Navigate to Getting Started > Workspace ONE > Android EMM Registration.
Select Register to be redirected to the Android Setup Wizard to complete three steps:
Generate Token: Obtain your enterprise token by registering your enterprise domain with Google.
Upload Token: Enter the EMM Token into the Android setup wizard.
Setup Users: Configure how users will be created for your entire enterprise.
Select Go To Google. You are redirected to the G Suite site.
Register your enterprise and verify your domain.
The Google Service Account is a special Google account that is used by applications to access Google APIs. You should create this account after you generate your EMM token so you can upload all information at one time.
Navigate to the Google Cloud Platform (Google Developers Console).
Sign in with your Google credentials.
The Google Admin credentials do not have to be associated with your business domain. Consider creating a Google account specifically for Android for your organization to use so as not to conflict with any existing Google accounts.
Note: Consider adding additional accounts so that if one account becomes inactive, you will have additional accounts to log in and access your Google Service Account.
Use the drop-down menu from the Select a project menu and select New project.
Enter a Project Name to create your API project in the New project window. Consider using Android EMM-CompanyName as the naming convention.
Agree to the terms and conditions and select Create.
Your project generates and the Google Developer Console redirects you to the API Manager page.
Select Enable APIS and Services for Android from the APIs & Services Dashboard.
Search and activate the following APIs: Google Play EMM API and Admin SDK.
After creating your project and enabling APIs, create your service account in the Google Developer’s Console.
Navigate to APIs & Services > Credentials > Create Credentials > Service Account Key > New Service Account.
Define the Service Account name for your service account. Consider following the Android naming convention and be sure to note the name you choose as you will need it in further steps. Service Account ID is automatically generated. Click Create and Continue.
Use the drop-down menu to select the Role > Project as Owner and select Continue.
You can skip step 3, which grants other users access to the service account. Select Done.
Select the service account you created. Go to the Keys tab and select Add Key > Create New Key. Select P12 and select Create.
The identity certificate gets automatically created and downloaded to your local drive. Be sure to save your identity certificate and password for when you upload the certificate into the Workspace ONE UEM console.
Select Manage service accounts from the Service Account page. Under Advanced Settings, there is a link to Learn More About Domain Wide Delegation. Follow the steps there to turn on domain-wide delegation.
To delegate domain-wide authority to a service account, a super administrator of the Google Workspace domain must complete the following steps:
1. From your Google Workspace domain’s Admin console, go to Main menu > Security > Access and data control > API Controls.
2. In the Domain wide delegation pane, select Manage Domain Wide Delegation.
3. Click Add new.
4. In the Client ID field, enter the service account’s Client ID. You can find your service account’s client ID on the Service accounts page.
5. In the OAuth scopes (comma-delimited) field, enter the list of scopes that your application should be granted access to: https://www.googleapis.com/auth/admin.directory.user
6. Click Authorize.
Back in the Advanced Settings of the service account you created in the Google Admin console, take note of or copy the email and Unique ID in Service account details. You will use these later when doing Android EMM registration.
The Google Admin Console is where administrators manage Google services for users in an organization. Workspace ONE UEM uses the Google Admin Console for integration with Android and Chrome OS.
The Manage API client access page allows you to control custom internal application and third-party application access to supported Google APIs (scopes).
Log in to the Google Admin Console and navigate to Security > Advanced Settings > Manage API Client Access.
Fill in the following details:
Client Name – Enter the Client ID generated when creating your Google Service Account.
One or More API Scopes – Copy and paste the following Google API scope for Android: https://www.googleapis.com/auth/admin.directory.user
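The delegation grant above is what lets the EMM's service account act as the Google Admin against the Directory API, and the P12 key is the credential that exercises it. The Go program below is an added illustration, not code from VMware, AirWatch or Google: it builds the OAuth 2.0 JWT bearer assertion that underlies domain-wide delegation (BuildAssertion signs the claim set with RS256, as the EMM does with the P12 private key) and audits an assertion against the binding you registered (AuditAssertion verifies the signature, then checks issuer, impersonated admin, exact scope, audience and lifetime). The token endpoint and scope are Google's public values; the service account e-mail, the admin e-mail and the generated RSA key are constructed placeholders, and NewKey, BuildAssertion and AuditAssertion are names chosen for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

const (
	tokenEndpoint  = "https://oauth2.googleapis.com/token"                    // Google's token endpoint
	directoryScope = "https://www.googleapis.com/auth/admin.directory.user" // the one scope authorized above
	// Constructed placeholders, not real accounts: the service account and Google Admin e-mails.
	serviceAccount = "android-emm-sa@android-emm-example.iam.gserviceaccount.com"
	adminEmail     = "android-admin@example.com"
)

// DelegationClaims is the service-account JWT claim set; "sub" makes it domain-wide delegation.
type DelegationClaims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub,omitempty"`
	Scope string `json:"scope"`
	Aud   string `json:"aud"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewKey generates an in-memory RSA key standing in for the private key inside the P12 file.
func NewKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// BuildAssertion signs the claim set with RS256, as the EMM does with the P12 key.
func BuildAssertion(key *rsa.PrivateKey, c DelegationClaims) (string, error) {
	body, _ := json.Marshal(c) // plain strings and ints: cannot fail
	input := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// AuditAssertion verifies the signature, then checks every claim against the registered binding.
func AuditAssertion(pub *rsa.PublicKey, assertion string, now time.Time) (c DelegationClaims, err error) {
	parts := strings.Split(assertion, ".")
	var header struct{ Alg string `json:"alg"` }
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); len(parts) != 3 || err != nil ||
		json.Unmarshal(raw, &header) != nil || header.Alg != "RS256" {
		return c, fmt.Errorf("not a three-part RS256 JWT")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, err := base64.RawURLEncoding.DecodeString(parts[2]); err != nil ||
		rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return c, fmt.Errorf("signature does not verify with the service account key")
	}
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return c, fmt.Errorf("claims are not valid JSON")
	}
	switch {
	case c.Iss != serviceAccount:
		return c, fmt.Errorf("issuer %q is not the registered service account", c.Iss)
	case c.Aud != tokenEndpoint:
		return c, fmt.Errorf("audience %q is not Google's token endpoint", c.Aud)
	case c.Sub != adminEmail:
		return c, fmt.Errorf("subject %q is not the registered Google Admin", c.Sub)
	case c.Exp-c.Iat > 3600:
		return c, fmt.Errorf("lifetime exceeds Google's one-hour maximum")
	case !now.Before(time.Unix(c.Exp, 0)):
		return c, fmt.Errorf("assertion has expired")
	}
	for _, s := range strings.Fields(c.Scope) {
		if s != directoryScope {
			return c, fmt.Errorf("scope %q was never authorized for delegation", s)
		}
	}
	return c, nil
}

func main() {
	key, now := NewKey(), time.Now()
	claims := DelegationClaims{Iss: serviceAccount, Sub: adminEmail, Scope: directoryScope,
		Aud: tokenEndpoint, Iat: now.Unix(), Exp: now.Unix() + 3600}
	assertion, _ := BuildAssertion(key, claims)
	_, err := AuditAssertion(&key.PublicKey, assertion, now)
	fmt.Println("audit:", err) // <nil> for the registered binding
}
```

Because a key with domain-wide delegation can act as the admin for every user in the domain, the two things worth checking on any token request it makes, and on the Domain wide delegation pane itself, are that it impersonates only the registered admin and requests only the one scope that was authorized; every other outcome above is an error.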
Your unique EMM token binds your domain for Android management to the Workspace ONE UEM powered by AirWatch. You are directed to the G Suite setup site after selecting Go to Google from the previous task to begin.
The steps outlined in this task are for generating an EMM token for a new domain. The task to generate the EMM token differs depending on whether you are registering a new or an existing domain.
If you are generating a token for an existing domain, simply navigate to Security > Managed EMM Provider for Android, select Generate EMM Token, and proceed to step 5.
Complete the following fields:
About You – Enter your admin contact information.
About Your Business – Fill out your company information.
Your Google Admin Account – Create a Google admin account.
Finishing Up – Enter the security verification data.
Select Accept & create your account after reading and agreeing to terms set by Google.
Follow the remaining prompts to Verify domain ownership and Connect with your provider. Once verified, this becomes your managed Google domain.
To verify domain ownership, the following options are available: add a meta tag to your homepage, add a domain host record, or upload an HTML file to your domain site. Configure the settings for the option you choose.
Select Verify to proceed. If this process is successful, the Connect with your provider section displays your EMM token. This token is valid for 30 days. If you encounter problems during this step, refer to Google support using the number and unique PIN listed.
Copy the generated EMM token and select Finish.
Workspace ONE UEM recommends that you create your Google Service Account before you return to the Workspace ONE UEM console to upload the EMM token, so that you can upload all credentials at one time.
Your unique EMM token binds your domain for Android management to the Workspace ONE UEM powered by AirWatch. For an existing domain, you are directed to the Google Admin Console to generate the EMM token. For information on generating an EMM token for a new domain, see .
The steps outlined in this task are for generating an EMM token for an existing domain. The task to generate the EMM token differs depending on whether you are registering a new or an existing domain.
Log into the Google Admin Console using your Google Admin credentials.
Navigate to Security > Managed EMM Provider for Android and select Generate EMM Token.
Copy and paste the token into the Workspace ONE UEM console.
Enter the information you obtained from Google during registration. This includes the registered domain, Enterprise Token, and the Google Admin Email Address you created.
You can also get your enterprise token by logging into https://admin.google.com with your Google Admin Email Address under Security > Manage EMM Provider for Android.
If you have closed the window or are not automatically redirected back to Workspace ONE UEM, navigate to Getting Started > Workspace ONE > Android EMM Registration.
Select Register to be redirected to the Android Setup Wizard.
Select Upload Token from the Android Setup wizard.
This is also referred to as the Enterprise Token.
Complete the following fields:
Domain – Domain claimed for enabling Android associated with your enterprise. Important: If your domain has already been registered with another EMM provider, you will not be allowed to upload a new EMM token.
Enterprise EMM Token – Token generated in Google Admin Console.
Google Admin Email Address – This is the admin account used for domain registration, Google Developers Console, and the Google Admin Console.
Client ID – Client ID generated when creating your Google Service Account. This ID is retrieved from the Google Developer Console Settings.
Google Service Account Email Address – Email generated from Google Service Account creation. This ID is retrieved from the Google Developer Console Settings.
Certificate ID – Upload the P12 certificate created when generating Google Service Account. Requires a password. This ID is retrieved from the Google Developer Console Settings.
Select Next to set users.
All users in your enterprise using Android need Google accounts created to connect with their devices. This final step in the Android EMM Registration wizard allows you to determine which setup method you prefer for creating users.
You have two options for creating users under Android:
The format for the user name is username@<your_enterprise_domain>.com.
Turn on one of the following options to determine how users are set up:
Use the Test Connection option, which checks for proper communication with Google.
VMware suggests that you create users for Android automatically during enrollment. The Android setup wizard allows you to specify if you want to automatically create user accounts during enrollment, and if so, to use SAML to authenticate the accounts. If you have not set up SAML previously, the wizard will display a link that directs you to configure your settings.
Select Yes to Create Google accounts during enrollment based on enrolled user’s email.
Select Yes to Use SAML endpoint to authenticate accounts.
If you have not set up SAML, the wizard will prompt you to configure SAML authentication settings.
Select Yes to Use SAML for Google Account Authentication which requires you to configure single sign-on in the Google Admin Console.
Select Save to complete Android setup.
You can manually create user accounts for your entire enterprise outside of the Workspace ONE UEM console by using either the Google Cloud Directory Sync (GCDS) tool or the Google Admin Console. To access the Google Admin Console, you can click the link provided in the setup wizard. You will need to contact Google for further instructions on how to use the console.
The GCDS method requires you to use similar settings as the AirWatch Directory Services. Access the Directory Services settings by navigating to Groups & Settings ► All Settings ► System ► Enterprise Integration ► Directory Services.
You can access the GCDS tool by clicking the link posted in the setup wizard or by downloading the tool directly to your computer from the Google Support page.
The GCDS tool allows you to create Google accounts for every employee in your enterprise in one bulk operation. The accounts are created by synchronizing with the information stored in your VMware Workspace ONE Directory Services.
Note: The information discussed here is up to date as of the latest version of GCDS, v4.4.0, for March 2017.
Select the link from the setup wizard or download the GCDS tool directly from Google.
Open the tool from your desktop and select User Accounts and Groups to synchronize.
Select the Google Domain Configuration tab and enter the following:
Enter Primary Domain Name.
Select to Replace domain names in LDAP email address (of users and groups) with this domain name. This will ensure that all user email addresses match the domain name.
Select the Authorize Now button.
Follow the steps to continue the authorization process when the Authorize Google Apps Directory Sync dialog displays.
Sign in to your Android admin account.
Enter the verification code received by email.
Select Validate to confirm these settings.
Select the LDAP Configuration tab to enter the connection settings to sync the AirWatch Directory Services with Google. From here, you can enter the same settings saved in the AirWatch Directory Services to sync with this tool. To access these settings, navigate to Groups & Settings ► All Settings ► System ► Enterprise Integration ► Directory Services.
Select Test Connection. If the sync is successful, this will auto create the linked Active Directory accounts and corporate Google accounts in Google.
You will be directed back to the setup wizard to finish setup.
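The Replace domain names option above and the wizard's username@<your_enterprise_domain>.com user format come down to the same rewrite: keep the local part of each directory address and substitute the primary domain. The Go program below is an added illustration, not GCDS or Workspace ONE code; LDAPUser and its field names are hypothetical and the directory entries are constructed. It applies that rewrite across a set of entries and reports what a bulk creation should not pass over silently: entries without a usable mail attribute, and users from different sub-domains whose local parts collide once the domain is replaced, which would otherwise collapse into one Google account.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// LDAPUser is a constructed stand-in for the two attributes the sync needs from the
// directory configured under Directory Services (hypothetical field names).
type LDAPUser struct {
	DN   string
	Mail string
}

// GoogleAccountName rewrites an LDAP e-mail into username@<primary domain>, the form
// the setup wizard describes, replacing whatever domain the LDAP entry carried.
// It reports false for values it cannot map.
func GoogleAccountName(mail, primaryDomain string) (string, bool) {
	mail = strings.ToLower(strings.TrimSpace(mail))
	at := strings.LastIndex(mail, "@")
	if at <= 0 || at == len(mail)-1 {
		return "", false
	}
	return mail[:at] + "@" + strings.ToLower(primaryDomain), true
}

// MapToGoogleAccounts applies the rewrite to every directory user and collects the
// problems a bulk sync must surface before it runs: entries with no usable mail
// attribute, and two users whose local parts coincide once their domains are
// replaced (they would otherwise become a single Google account).
func MapToGoogleAccounts(users []LDAPUser, primaryDomain string) (map[string]string, []string) {
	accounts := make(map[string]string) // Google account -> source DN
	var problems []string
	for _, u := range users {
		name, ok := GoogleAccountName(u.Mail, primaryDomain)
		if !ok {
			problems = append(problems, fmt.Sprintf("%s: unusable mail attribute %q", u.DN, u.Mail))
			continue
		}
		if prev, taken := accounts[name]; taken {
			problems = append(problems, fmt.Sprintf("%s collides with %s on %s", u.DN, prev, name))
			continue
		}
		accounts[name] = u.DN
	}
	sort.Strings(problems)
	return accounts, problems
}

func main() {
	// Constructed directory entries: two sub-domains that share a local part, one with no mail.
	users := []LDAPUser{
		{DN: "cn=alice,ou=corp,dc=example,dc=com", Mail: "Alice@corp.example.com"},
		{DN: "cn=bob,ou=eu,dc=example,dc=com", Mail: "bob@eu.example.com"},
		{DN: "cn=bob,ou=us,dc=example,dc=com", Mail: "bob@us.example.com"},
		{DN: "cn=svc-print,ou=svc,dc=example,dc=com", Mail: ""},
	}
	accounts, problems := MapToGoogleAccounts(users, "example.com")
	fmt.Println(len(accounts), "accounts ready;", len(problems), "entries need attention")
	for _, p := range problems {
		fmt.Println(" -", p)
	}
}
```

Review the problems list before authorizing the sync: a collision means two directory identities would share one Google account, which is an identity-separation problem as well as a sync failure.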
You can unbind the Android admin account in the Workspace ONE UEM console in the event you need to make a change or change Google accounts.
Navigate to Devices > Device Settings > Devices & Users > Android > Android EMM Registration.
Select Clear Settings from the Android EMM Registration page.