How to Deploy Corporate Owned Android Devices on a Closed Network

You can configure Workspace ONE UEM to manage your corporate owned Android devices that are enrolled and deployed within a closed network. A closed network here refers to one in which devices cannot connect to Google services. The environment can simply be an intranet or deployment in a region where Google services are not available. This page covers corporate-owned device deployments on a closed network, not BYOD devices.

How it works

When enrolling a Work Managed device, the Intelligent Hub adds a managed Google account to the device. The managed Google account is used to push public applications and related policies through the Managed Play Store.

When Workspace ONE UEM is set up for a closed network deployment, the managed Google account is not added on the device. Therefore, devices need not connect to Google to complete enrollment. Profiles (with the exception of Public App Auto Update), Products, and Internal Applications (uploaded to the Workspace ONE UEM console) can be pushed to the device since these resources are delivered from Workspace ONE to the device directly without Google connectivity.

Closed Network Considerations

When deploying corporate owned devices on a closed network without connection to Google services, consider the following:

• Only Work Managed enrollment is possible. Corporate Owned Personally Enabled (COPE) is not available without Google connectivity.
• Public applications cannot be deployed as there is no access to the Play Store. By extension, Public App Auto Update profiles also cannot be applied.
• Applications must be uploaded to the Workspace ONE UEM console as an internal app for deployment to devices on closed networks.
• If you wish to set up only a portion of your devices in a closed network, you must complete the Android EMM Registration using Managed Google Accounts.
• You must use AirWatch Cloud Messaging to manage your Android devices in real time. Firebase Cloud Messaging is not supported as devices cannot connect to these servers.
• For Samsung Android devices and accessing advanced Knox capabilities, a Knox License Key must be activated on the device. Samsung offers on-premise installations of the Knox license activation servers for closed network deployment since activation requires public internet.

Supported Enrollment Methods

Barcode Staging - Zebra only

For organizations managing Zebra devices, Barcode Staging enrollment methods using the StageNow are supported in closed networks.

If your organization deploys applications only through Product Provisioning, there are no additional PAC file setup requirements.

If your organization deploys applications uploaded to the Apps & Books > Applications section of the Workspace ONE UEM Console:

• A PAC file must be hosted on an http/https endpoint within the closed network to skip Google connectivity checks performed by the Android Download Manager during enrollment and application provisioning. Please see the Configure and host a PAC file for network configuration for the recommended PAC file configuration.
• For any Wi-Fi configurations added to the device manually or through profiles, add an “Auto” Proxy configuration using this PAC file.

QR Code Enrollment

For all other devices, the only supported enrollment method is QR Code enrollment. Organizations using this method need to meet the following requirements:

• The Workspace ONE Intelligent Hub for Android application must be hosted on an http/https endpoint within the closed network so the device can download the app during enrollment.
• A PAC file must be hosted on an http/https endpoint within the closed network to skip Google connectivity checks performed by the Android Download Manager during enrollment and application provisioning.
• For any Wi-Fi configurations added to the device manually or through profiles, add an “Auto” Proxy configuration using this PAC file.

Certificate Provisining

The certificate provisioning DPC extra provides a way for Hub to install a certificate before enrollment, which is ideal for closed network environments that use self signed certificates.

If this DPC extra is included in the QR code, then Hub will automatically proceed as Device Owner (fully managed) mode, install the certificate, and then enroll.

Note If the UEM console is configured for COPE mode, enrollment fails on Android 11+.

Follow these steps to obtain the encoded certificate data

1. Upload the certificate to an Android Credentials profile
2. Save the profile. Do not assign it to any devices
3. Select the Profile and view the Profile XML. The ‘CertificateData’ in the profile XML is what is used in the JSON below.
4. Add the following key to the Admin Extras Bundle in the QR Code provisioning JSON: “workManagedCertData”:“encoded certificate data”

{

   "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME":"com.airwatch.androidagent/com.airwatch.agent.DeviceAdministratorReceiver",
   "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM":"6kyqxDOjgS30jvQuzh4uvHPk-0bmAD-1QU7vtW7i_o8=",
   "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION":"",
   "android.app.extra.PROVISIONING_SKIP_ENCRYPTION":false,
   "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":

{       "serverurl":"",       "gid":"",       "un":"",       "pw":"",      "workManagedCertData":"encodedcertificatedata"    }
}

Configure Android EMM Settings in the Workspace ONE UEM Console

The Workspace ONE UEM Console configuation varies based on whether all or some of your Android devices are connected to a closed network.

If all managed Android devices are connected to a closed network

You do not need to complete the Android EMM Registration. This configuration may apply to organizations operating in areas with restricted access to Google services, such as China.

1. Navigate to Groups & Settings > All Settings > Devices & Users > Android > Android EMM Registration at the customer-type Organization Group.
2. Enable “Deploy without Google registration if you are operating on a closed network or are unable to communicate with Google Play”.

If some managed Android devices are connected to a closed network

Configure Workspace ONE to enroll Work Managed devices without a Google account in a specific Organization Group. The instructions below assume that you already setup Android Enterprise by registering with Google using Managed Google Accounts.

1. Navigate to the organization group under which devices for closed network will be configured.
2. Navigate to Groups & Settings > All Settings > Devices & Users > Android > Android EMM Registration.
3. Under the Enrollment Settings tab, set the Work Managed Enrollment Type to AOSP/ Closed Network.

Enable AirWatch Cloud Messaging for Push Notification Capabilities

VMware AirWatch Cloud Messaging (AWCM) provides secure communication to your back-end systems with the VMware AirWatch Cloud Connector (ACC). The ACC uses AWCM to securely communicate with Workspace ONE UEM powered by AirWatch. AWCM streamlines the delivery of messages and commands from the UEM console to devices by eliminating the need for end users to access the public Internet or use consumer accounts, such as Google IDs. AWCM serves as a comprehensive substitute for Firebase Cloud Messaging (FCM) for Android devices when operating within a closed network. Detailed installation guidance is available here.

Once AWCM has been installed:

1. Navigate to Group & Settings > All Settings > Devices & Users > Android > Intelligent Hub settings > AirWatch Cloud Messaging.
2. Enable Use AWCM instead of FCM As Push Notification Service.

Enroll Samsung Devices on Closed Network

Workspace ONE UEM uses a built-in ‘ELM’ (standard) license key, which is activated on all Samsung devices by default. In closed network environments, this key cannot be activated because it requires activation on public internet. Samsung offers on-premise installations of the Knox license activation server. This setup requires custom license keys specific to the your environment. To operate on a closed network, bypass the ELM license activation by including a Backward Compatible Key (BCK) in addition to the Knox License Key in the UEM console Hub settings.

To enroll:

1. In the Workspace ONE UEM console, navigate to Settings > Devices & Users > Android > Intelligent Hub Settings.

2. In the Knox License Key field, enter the key in the following format: KLM#url,BCK.

   Key	Description
   KLM	The Knox License Key provided by Samsung.
   URL	The custom URL of the on-premise license activation server.
   BCK	The Backward Compatible Key provided by Samsung.

During enrollment, the Workspace ONE Intelligent Hub for Android activates both keys to unlock the premium Knox Platform for Enterprise capabilities and will proceed with enrollment.