How to configure Android Enterprise using Google Workspace (G Suite)

Android Enterprise is a program that creates a work container on your device, thus separating the work app/data from your personal app/data. Hexnode’s integration with Google Workspace further simplifies the Android Enterprise enrollment process.

You can integrate your organization’s Google Workspace account so that the users and user groups in your Google Workspace domain sync with Hexnode UEM.

To enable Android Enterprise enrollment using Google Workspace, your organization should create a service account with Google, and provide specific API access to apply the configurations to the managed devices.

To enroll your devices in Android Enterprise using Google Workspace:

  1. Enroll your organization in Android Enterprise using Google domain.
  2. Enroll devices either in Profile Owner or Device Owner mode.
  3. Apply configurations to the managed devices.
Notes:

Your organization should have a Google Workspace account.

Enroll your organization in Android Enterprise using Google domain

To enroll your organization in Android Enterprise using Google Workspace domain, your organization requires a service account.

Create Service Account

Your organization requires a service account with Google to configure Android Enterprise using Google Workspace. Hexnode UEM uses this service account to push the Android Enterprise based configurations to the devices.

  1. Using the Google Workspace admin credentials, log in to Google Cloud Console.
  2. Click on Create Project.
  3. Create a New Project by providing the following details.
    • Project Name: Provide a suitable project name and a corresponding project ID will be generated.
  4. From the Navigation Menu on the left pane, select APIs and Services > Credentials.
  5. Click on Create Credentials and from the drop-down list that appears select Service account.
  6. Select New service account and provide the following details.
    • Service account name: Provide a suitable name for the service account.
    • Service account ID: An account ID will be automatically generated. If required, you can edit it.
    • Service account description: Provide a suitable description for your service account.
    • Click on Create and Continue.
  7. Optional: Grant the service account access to the project created above. Click on Select a role, choose Service Accounts > Service Account Admin from the drop-down list, and click Continue.
  8. Click Done.
  9. Click on the email address corresponding to the newly created service account.
  10. Select the Advanced settings dropdown and copy the generated Client ID.
  11. At the top, navigate to Keys. Click on Add Key > Create new key and choose the key type as JSON and click on Create.
  12. A JSON key will be downloaded. This key is later uploaded to the Hexnode MDM server.
  13. Go back to APIs & Services interface from the Navigation menu. Select Enabled APIs & Services and click on +ENABLE APIS AND SERVICES.
  14. In the search box that appears, type Admin SDK API and select the same from the search results.
  15. Click on Enable to enable Admin SDK API.

Manage API Client Access for MDM

This process gives the MDM the specific API access it needs to apply Android Enterprise configurations to the managed devices. Make sure API access is enabled in the Admin console.

  1. Using your Google Workspace Admin credentials, log in to Google Admin Console and click on Security.
  2. From API Controls, click on MANAGE DOMAIN WIDE DELEGATION under Domain wide delegation, and click on +Add new.
  3. Authorize the API clients by providing the following details.
    • Client ID: Copy the unique ID from the downloaded JSON file or from the Google Cloud console.
    • OAuth scopes: Copy and paste the following links.
      • https://www.googleapis.com/auth/admin.directory.user – To sync individual users.
      • https://www.googleapis.com/auth/admin.directory.group – To sync user groups.
      • https://www.googleapis.com/auth/admin.directory.domain – To fetch the domain.
    • Click on AUTHORIZE.
  4. Note:

    • To sync users, user groups and domains from your Google Workspace account to the Hexnode console, you need to provide the OAuth scopes separated by a comma.
    • The directory domain scope https://www.googleapis.com/auth/admin.directory.domain is mandatory. If this scope is not entered, the domain sync will fail and an error message “Google Workspace domain names could not be retrieved.” will be displayed in the portal.
    • To manage access to services that aren’t shown in the Admin console:
      1. Log in to the Google Workspace Admin console and click on Apps > Additional Google services.
      2. In the top-right corner of the page, click on Change.
      3. Set the Service status to “ON for everyone”.

      If the Service status is not enabled, app installation can fail on devices enrolled in the Android Enterprise program configured using the Google Workspace account.

  5. Navigate to Devices > Mobile & endpoints > Settings > Third-party integrations > Android EMM.
  6. Click on Add EMM providers.
  7. Under Token Generator, click on GENERATE TOKEN and copy the token.
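
The Client ID and OAuth scopes entered in step 3 decide what the service account can read from your directory, so it is worth checking them before clicking AUTHORIZE. The script below is an added example, not Hexnode or Google code: it pulls the Client ID out of a service account key and reviews the scope string against the three scopes listed above. The function names and the sample key (dummy values, standard key field names) are constructed for illustration.

```python
import json

# The three scopes this page lists, with the purpose it gives for each.
PAGE_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.user": "sync individual users",
    "https://www.googleapis.com/auth/admin.directory.group": "sync user groups",
    "https://www.googleapis.com/auth/admin.directory.domain": "fetch the domain",
}
DOMAIN_SCOPE = "https://www.googleapis.com/auth/admin.directory.domain"

# Constructed sample key: same field names as a downloaded key, dummy values.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
    "client_email": "uem-sync@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
})


def client_id_from_key(key_json):
    """Return the Client ID from a service account key; reject any other JSON."""
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key")
    missing = [f for f in ("client_id", "client_email", "private_key") if not key.get(f)]
    if missing:
        raise ValueError("key file is missing: " + ", ".join(missing))
    return key["client_id"]


def review_scopes(entered):
    """Check the text meant for the 'OAuth scopes' field; return findings."""
    findings, scopes = [], []
    for part in entered.split(","):
        tokens = part.split()
        if len(tokens) > 1:
            findings.append("separate scopes with commas, not whitespace")
        scopes.extend(tokens)
    for scope, purpose in PAGE_SCOPES.items():
        if scope not in scopes:
            note = " (mandatory: domain sync will fail)" if scope == DOMAIN_SCOPE else ""
            findings.append(f"missing scope to {purpose}{note}: {scope}")
    for scope in scopes:
        if scope not in PAGE_SCOPES:
            findings.append(f"scope not listed for this integration: {scope}")
    return findings

if __name__ == "__main__":
    print("Client ID:", client_id_from_key(SAMPLE_KEY))
    print("OAuth scopes:", ",".join(PAGE_SCOPES))
```

An empty list from `review_scopes` means the string contains exactly the three scopes above, comma-separated; anything it reports as not listed is access the sync does not need. The JSON key itself is a long-lived credential, so store it with restricted permissions and delete local copies once it has been uploaded.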

Integration of Google Workspace with Hexnode UEM Server

  1. Log in to your Hexnode UEM portal.
  2. Navigate to Enroll > Platform-Specific > Android > Android Enterprise.
  3. Select Enrollment type as Google Domain.
  4. Click on Configure Google Workspace.
    You will have the following options to configure.
    • Google Workspace Admin Email: Enter the Google Workspace admin email address of the domain that you want to synchronize with Hexnode.
    • Google Workspace key(.json): Upload the JSON key previously downloaded.
  5. Click on Next to configure Google Workspace.
  6. Now, 2 new options will be displayed:
    • Sync across all domains: Checking this option will sync all the users and/or user groups across all domains. When new domains are created in Google Workspace, they will be automatically synced during the next sync.
    • Choose Domain(s): Only the users and/or user groups present in the selected domains will be synced with Hexnode UEM.
  7. Click on the Save button to save the configuration.
  8. Provide the Token and click on Enroll.
    • Token: Paste the EMM token generated from Google Admin Console.

Integration is automatically completed when the details are provided.

Notes:

  • You can verify whether the integration is completed or not from the Google Admin Console.
  • Go to Devices > Mobile & endpoints > Settings > Third-party Integrations > Android EMM > Manage EMM providers.
  • If the binding is successful, your EMM provider will be listed there.
  • The Google Workspace sync can be configured by navigating to Admin > Google Workspace > Actions > Modify > Scheduled Scan. Scheduled scan has two options to choose from, namely, Daily (It will initiate the Google Workspace sync at the specified time every day) and Weekly (It will initiate the Google Workspace sync at the specified time on the specified days).
  • Click on the Refresh Domains button if a newly added domain is not displayed in the portal.


Once your organization is configured, you can start Enrolling Devices in Android Enterprise using Google Workspace (G Suite).

Removing EMM provider from Google Admin Console

Businesses can remove the integrated EMM provider directly from the Google Admin Console to disenroll from the Android Enterprise program. To unbind the EMM provider:

  1. Sign in to Google Admin Console.
  2. Go to Devices > Mobile & endpoints > Settings > Third-party Integrations > Android EMM > Manage EMM providers.
  3. Choose your EMM provider and click Remove.

Removing the EMM provider also removes the Android Enterprise account integrated with Hexnode. The organization can then choose either to reconfigure the Android Enterprise account or to disenroll from the Android Enterprise program using Hexnode UEM.

Re-enroll Android Enterprise account

To re-configure the Android Enterprise account:

  1. Sign in to Google Admin Console.
  2. Go to Devices > Mobile & endpoints > Settings > Third-party Integrations > Android EMM > Manage EMM providers.
  3. Click on Add EMM Provider.
  4. Click on GENERATE TOKEN, and copy the token.
  5. Log in to the Hexnode UEM console.
  6. Navigate to Enroll > Platform-Specific > Android > Android Enterprise.
  7. Click on Re-Enroll.
  8. Paste the token in the Token field.
  9. Click Enroll.

Disenroll from Android Enterprise program

To disenroll from the Android Enterprise program after the EMM provider is removed from the Google Admin console:

  1. Log in to the Hexnode UEM console.
  2. Navigate to Enroll > Platform-Specific > Android > Android Enterprise.
  3. Click on Disenroll. It removes all the devices enrolled in the Android Enterprise program and other related data from Hexnode UEM.
