Android device management api. API управления Android

Power Management using Power Manager API

This guide will walk you through creating an EMDK For Android application that will use MX features introduced in EMDK for Android API to perform device configurations. MX represents a suite of Enterprise Features on top of standard, commercially available Android Open Source Project. So this tutorial will FOCUS on Power Manager API, which allows user to perform Power Management operations on Zebra Android devices. Theses operations include setting the device in sleep mode, rebooting the device and updating device Operating System as follows: 1. Sleep Mode: This feature allows device to enter the sleep mode in order to conserve power. 2. Device Reboot: Device Reboot feature restarts the Zebra device from the app itself. 3. OS Update: This Power Manager feature allows you to update the operating system of your Zebra Android device. The user needs to provide path of update package (zip file) that resides in the device’s external SD Card. Based on the package (zip file), the user can perform following operations using OS Update feature:

Note: Copy the update package to external SD Card in order to make update OS work. If you copy update package to the internal SD card of the device, the OS Update feature won’t work.

  • Enterprise Reset: Resets the device data except MX Enterprise Packages.
  • Factory Reset: Resets the device data.
  • Full Device Wipe: Performs a full device wipe. Supported on Zebra devices with KitKat version.
  • OS Upgrade: Upgrades/Downgrades device’s Operating System.

In this tutorial, We would be implementing all three features of Power Manager to understand how they work.


  • Download the respective OS update/Factory Reset/Enterprise Reset package (zip file) from here and copy that file to external SD card of the device.

Note: This above link provides the Update Packages of TC55 device only, which we have used in this tutorial. If you are using some other Zebra Android device then download the respective update package from here

Creating The Project

Note: Provide MxPowerManagerTutorial as the project name for this tutorial.

Start by creating a new Android Studio project.

Adding The Power Manager Profile Feature

Note: You can provide any Profile Name but make sure to access it with the similar name in the Android code.

  • Now, you can see all these MX features on the left hand side of the Profile Editor window. Select the Power Manager feature from the list and click Right Arrow. Using this feature you can perform various Power Management operations through your apps on the Zebra device. These operations include setting the device into sleep mode. rebooting the device and updating OS of the Zebra Android devices as explained earlier.
  • Click on the Power Manager feature. The parameter list will be populated.
  • Now Click on the drop-down of the action field to see the supported features by Power Manager. There are different features shown in the drop down as explained earlier. As the name suggests, the feature Do Nothing does nothing. We would be configuring above mentioned three features from the application itself. Hence let us select the Reset Action in the wizard as Do Nothing.
  • Note: You could select any option you want in the wizard and the application will implement that feature on the launch.

    Note: Provide some name in the Name field (Ex. MyPowerManager) in order to refer that specific feature of Profile. You can also keep Name field empty.

  • Click Apply and Finish.
  • Click Close.
  • Note: Now the EMDKConfig.xml is created under \assets folder. This file will contain a definition of all of your profiles that you create.

    • 0. Do Nothing
    • 1. Sleep Mode
    • 4. Reboot
    • 5. Enterprise Reset
    • 6. Factory Reset
    • 7. Full Device Wipe
    • 8. OS Update

    Based on user selection, these values would be assigned against these parameters of the Power Manager feature in EMDKConfig file.

    Note: These values are useful when we modify Profile from the application using EMDK API, which we will see shortly in this tutorial.

    Enabling Android Permissions

    • Modify the Application’s Manifest.xml to use the EMDK library and to set permission for the EMDK. You must first enable permissions for ‘com.symbol.emdk.permission.EMDK’:

    When done, your manifest.xml should look like:

    Adding Some Code

    import com.symbol.emdk.; import com.symbol.emdk.EMDKManager.EMDKListener; import Android.widget.Toast;
    public class MainActivity extends Activity implements EMDKListener @Override public void onClosed // TODO Auto-generated method stub @Override public void onOpened(EMDKManager emdkManager) // TODO Auto-generated method stub

    We will now create some global variables to hold the profile name as well as instance objects of EMDKManager and ProfileManager. We will also create global variables to hold the UI elements and values that are required in this application. Some of the variables are used to hold the name, type and description in case of any errors. These variables would be used throughout the code.

    Note: Verify the Profile name in the code with the one created in the Profile Manager. They both should be identical.

    // Assign the profile name used in EMDKConfig.xml private String profileName = PowerManagerProfile; // Declare a variable to store ProfileManager object private ProfileManager profileManager = null; // Declare a variable to store EMDKManager object private EMDKManager emdkManager = null; // Text View for displaying status of EMDK operations private TextView statusTextView = null; // Radio Group to hold Radio Buttons for Power Manager Options private RadioGroup pwrRadioGroup = null; // Edit Text that allows user to enter the path of the update package from // external SD Card private EditText zipFilePathEditText; // String that gets the path of the OS Update Package from Edit Text private String zipFilePath; // Initial Value of the Power Manager options to be executed in the // onOpened method when the EMDK is ready. Default Value set in the wizard // is 0. // 0. Do Nothing // 1. Sleep Mode // 4. Reboot // 5. Enterprise Reset // 6. Factory Reset // 7. Full Device Wipe // 8. OS Update private int value = 0; // Contains the parm-error name (sub-feature that has error) private String errorName = ; // Contains the characteristic-error type (Root feature that has error) private String errorType = ; // contains the error description for parm or characteristic error. private String errorDescription = ; // contains status of the profile operation private String status = ;

    So the code looks like: In the onCreate method, we call getEMDKManager so that the EMDK can be initialized and checked to see if it is ready.

    //The EMDKManager object will be created and returned in the callback. EMDKResults results = EMDKManager.getEMDKManager(getApplicationContext, this); //Check the return status of getEMDKManager if (results.statusCode EMDKResults.STATUS_CODE.SUCCESS) // EMDKManager object creation success
    // EMDKManager object creation failed

    So far your code should look like:
    Now we need to use the onOpened method to get a reference to the EMDKManager. The EMDKListener interface will trigger this event when the EMDK is ready to be used. Hence we will update the status in the statusTextView. The EMDKListener interface must be implemented in order to get a reference to the EMDKManager APIs. This event will pass the EMDKManager instance and we assign it to the global variable emdkManager that we created in the previous steps. We then use that instance object to get an instance of ProfileManager and assign it to the global variable profileManager. This is how we will interface with the APIs in the rest of the code:

    // This callback will be issued when the EMDK is ready to use. statusTextView.setText(EMDK open success.); this.emdkManager = emdkManager; // Get the ProfileManager object to process the profiles profileManager = (ProfileManager) emdkManager.getInstance(EMDKManager.FEATURE_TYPE.PROFILE);

    Now that we have a reference to ProfleManager, we use it to install and activate the profile we built earlier using the processProfile method. We could have also performed this action at a different time, say when someone pressed a button, but we chose to do it as soon as the EMDK was ready:

    if (profileManager != null) String[] modifyData = new String[1]; // Call processPrfoile with profile name and SET flag to create the // profile. The modifyData can be null. EMDKResults results = profileManager.processProfile(profileName, ProfileManager.PROFILE_FLAG.SET, modifyData); if (results.statusCode EMDKResults.STATUS_CODE.CHECK_XML) else // Show dialog of Failure AlertDialog.Builder builder = new AlertDialog.Builder(this); builder.setTitle(Failure); builder.setMessage(Failed to apply profile. ).setPositiveButton(OK, new DialogInterface.OnClickListener public void onClick (DialogInterface dialog, int ID) ); AlertDialog alert = builder.create;;

    This processProfile method returns the result of applying a particular profile that we set using EMDK Profile Wizard in EMDKResults reference. If the profile is successfully processed, it returns the status as CHECK_XML and then we go on and parse the response to get further details whether the profile was applied successfully or not. Otherwise we display a Failure message in a dialog.

    Note: 1. There is a difference between processing a profile successfully and applying a profile successfully. Note: 2. If the status is other than CHECK_XML. we are simply displaying a failure message. You can actually go ahead and check different types of status and display the appropriate message accordingly, which is not in the scope of this sample tutorial.

    In case of CHECK_XML status, We retrieve XML response string from the result using getStatusString method. So we will call a method handleEMDKResult to handle this EMDKResults, which we will create in the next step.

    // Method call to handle EMDKResult handleEMDKResult(results);

    Your onOpened method should now look like this:
    It shows error as we have not yet declared handleEMDKResult method. So let us create this method, which would get the XML String response from EMDKResults, call the parseXML method to parse it and eventually call displayResults method to display output in a dialog, which we would be declaring in coming steps.

    // Method to handle EMDKResult by extracting response and parsing it public void handleEMDKResult(EMDKResults results) // Get XML response as a String String statusXMLResponse = results.getStatusString; try // Create instance of XML Pull Parser to parse the response XmlPullParser parser = Xml.newPullParser; // Provide the string response to the String Reader that reads // for the parser parser.setInput(new StringReader(statusXMLResponse)); // Call method to parse the response parseXML(parser); catch (XmlPullParserException e) e.printStackTrace; // Method call to display results in a dialog displayResults;

    Your handleEMDKResult method should now look like this:
    You will see few errors as we have not declared the respective methods to parse the response and display result. Lets do it one by one. In this step, we will create a method parseXML that uses XML Pull Parser to parse the XML string response and set the status and error parameters if any. In the response, we are supposed to capture name and desc for parm-error tag, type and desc for characteristic-error tag in case of any errors.

    // Method to parse the XML response using XML Pull Parser public void parseXML(XmlPullParser myParser) int event; try event = myParser.getEventType; while (event != XmlPullParser.END_DOCUMENT) String name = myParser.getName; switch (event) case XmlPullParser.START_TAG: // Get Status, error name and description in case of // parm-error if (name.equals(parm-error)) status = Failure; errorName = myParser.getAttributeValue(null, name); errorDescription = myParser.getAttributeValue(null, desc); // Get Status, error type and description in case of // parm-error else if (name.equals(characteristic-error)) status = Failure; errorType = myParser.getAttributeValue(null, type); errorDescription = myParser.getAttributeValue(null, desc); break; case XmlPullParser.END_TAG: break; event =; catch (Exception e)

    Your complete parseXML method should now look like:

  • You will still see one error as we need to declare displayResults method to display the result of profile operation in a dialog. Before displaying the results, we should form the content of the result to be shown first, specifically in case of errors. This could be done by creating buildFailureMessage method. In this method, the error message in case of error is formed using following way:
  • Name and description of error if the response contains parm-error.
  • Type and description of error if the response contains characteristic-error.
  • Name, type and description of error if the response contains both parm-error and characteristic-error.
  • The buildFailureMessage method would have following code to match the above mentioned criteria.

    // Method to build failure message that contains name, type and // description of respective error (parm, characteristic or both) public String buildFailureMessage

    buildFailureMessage method should look like:

    // Method to display results (Status, Error Name, Error Type, Error // Description) in a // dialog in case of any errors public void displayResults // Display dialog in case of errors else proceed. if (!TextUtils.isEmpty(errorDescription)) // Alert Dialog to display the status of the Profile creation // operation of MX features AlertDialog.Builder alertDialogBuilder = new AlertDialog.Builder( MainActivity.this); // set title alertDialogBuilder.setTitle(status); // call buildFailureMessage method to set failure message in // dialog alertDialogBuilder.setMessage(buildFailureMessage); alertDialogBuilder.setCancelable(false).setPositiveButton(OK, new DialogInterface.OnClickListener public void onClick(DialogInterface dialog, int ID) ); // create alert dialog AlertDialog alertDialog = alertDialogBuilder.create; // show it;

    The method displayResults should look like: You can see that all the errors are gone.
    Now let’s override the onDestroy method so we can release the EMDKManager resources:

    @Override protected void onDestroy // TODO Auto-generated method stub super.onDestroy; //Clean up the objects created by EMDK manager emdkManager.release;

    Your onDestroy method should now look like this:

  • Let us set the required layout/View for this tutorial. Remove all the code, inside res/layout/activity_main.xml.
  • Add the following code that has three radio buttons that enable user to select a specific Power Manager feature, an Edit Text that allows user to enter the external SD Card path to the OS update package (zip file), a Text View that displays the status of every operation the user performs and a Button that triggers the user selected Power Manager feature and configures the device based on that.
  • Note: Copy the update package to external SD Card in order to make update OS work. If you copy update package to the internal SD card of the device, the OS Update feature won’t work.

    The layout file ‘activity_main.xml’ should now look like:
    Get the reference of UI elements and make a call to ‘addSetButtonListener’ method in ‘onCreate’ method. We would add this method in the next step. The method ‘addSetButtonListener’ creates on Click Listener for the Set Button that implements Power Manager settings selected by user.

    // References of the UI elements statusTextView = (TextView) findViewById(R.ID.textViewStatus); pwrRadioGroup = (RadioGroup) findViewById(R.ID.radioGroupPwr); zipFilePathEditText = (EditText) findViewById(R.ID.et_zip_file_path); // Set on Click listener to the set button to execute Power Manager // operations addSetButtonListener;

    So the complete onCreate method looks like:
    It shows an error on the method call of ‘addSetButtonListener’ because we have not yet added this method. We would now add the ‘addSetButtonListener’ method that implements on click listener of the radio buttons that are assigned to each of the Power Manager feature. As explained earlier, it sets an integer code (1-Sleep, 4-Reboot or 8-OS Update) in the variable ‘value’ and then calls ‘modifyProfile_XMLString’ method that actually modifies the Profile settings based on this value and configures the device against that Power Manager feature.

    // Method to set on click listener on the Set Button private void addSetButtonListener // Get Reference to the Set Button Button setButton = (Button) findViewById(R.ID.buttonSet); // On Click Listener setButton.setOnClickListener(new OnClickListener @Override public void onClick(View arg0) // TODO Auto-generated method stub // Get Reference to the Radio Buttons that show various Power // Manager Options int radioid = pwrRadioGroup.getCheckedRadioButtonId; if (radioid R.ID.radioSuspend) value = 1; // 1. Suspend/ Sleep Mode (Set device to the // sleep mode) if (radioid R.ID.radioReset) value = 4; // 4. Perform Reset/Reboot (Reboot Device) if (radioid R.ID.radioOSUpdate) value = 8; // 8. Perform OS Update // Apply Settings selected by user modifyProfile_XMLString;

    So the method looks like:
    The above code would display error at the call of modifyProfile_XMLString method as we have not added that method yet. This is the method that actually modifies the Power Manager Profile Settings and configures the device with the user selected Power Manager feature (Sleep Mode, Reboot or OS Update). This method prepares the xml input for the processProfile method based on value attribute. If the value is 1 or 4 (Sleep Mode or Reboot), then the XML input remains the same except value attribute. If the value is 8 (OS Update), we need to add path to the OS Update package in XML input. So the XML input for this case would be different as explained in the If-Else condition of the code. We would capture that path from the Edit Text and store it to the zipFilePath variable. It then calls handleEMDKResult method and sets the profile by following similar steps as explained in case of onOpened method. Following is an example of XML input for OS Update feature of Power Manager where the zipFilePath variable contains the path of the update package.

    The processProfile method then sets the changes to Profile Manager and returns the result to the EMDKResults.

    // Method that applies the modified settings to the EMDK Profile based on // user selected options of Power Manager feature. private void modifyProfile_XMLString // Prepare XML to modify the existing profile String[] modifyData = new String[1]; if (value 8) zipFilePath = zipFilePathEditText.getText.toString; // If the OS Package path entered by user is empty then display // a Toast if (TextUtils.isEmpty(zipFilePath)) Toast.makeText(MainActivity.this, Incorrect File Path Toast.LENGTH_SHORT).show; return; // Modified XML input for OS Update feature that contains path // to the update package modifyData[0] = ?xml version=\1.0\ encoding=\utf-8\? characteristic type=\Profile\ parm name=\ProfileName\ value=\PowerManagerProfile\/ characteristic type=\PowerMgr\ parm name=\ResetAction\ value=\ value \/ characteristic type=\file-details\ parm name=\ZipFile\ value=\ zipFilePath \/ /characteristic /characteristic /characteristic;
    ); AlertDialog alert = builder.create;;

    You can see that the error is gone once we add this method. The method modifyProfile_XMLString method should look like:

  • If the EMDK is closed abruptly, a callback method onClosed gets called, where you could release your EMDKManager.
  • That’s it. We are done with all the coding and configuration part. Now let us run the application.

    Running the Application

  • Run the application. Since we have set Do Nothing parameter in the Profile Manager wizard, the app just loads and performs no operations. So you can see the main page with three radio button options (Sleep Mode, Reboot and OS Update).
  • Now we will select these options one by one. So select Suspend radio button and press the Set button. This will put your device into sleep mode by locking it. As you can see, the device has been locked. So unlock it and the app will be resumed.
  • So now select second option (Reboot) and press the Set button. This should reboot your Zebra Android device.
  • As the device was rebooted in the previous step, open the app again and select the third option (OS Update). Provide the path in the Edit Text to the external SD card where the OS Update Package is located. This package should be a zip file downloaded from this link (Ex. /sdcard/
  • Note: This above link provides the Update Packages of TC55 device only. If you are using some other Zebra Android device then download the respective update package from here

    This package could be an OS upgrade, Factory Reset or Enterprise Reset package as this feature allows you to perform all these operations. We will be using an update Package that has been downloaded from above link for TC55 device. Once the Set button is pressed, the phone will shut down for performing OS update with the respective update package.

    Note: In case of failure due to incorrect path, the app will display a failure message in the status Text View at the bottom.

    Finally the device reboots to configure and apply the OS update changes.

    Important Programming Tips

    //Include the permission for EMDK: //Use the EMDK library:. xml

    What’s Next

    Now that you have learned how to configure and perform Power Management operations on your Zebra Android devices through applications using MX Power Manager feature, let us try to understand and implement some of the other MX features. So in the next tutorial, we will concentrate on the Persist Manager feature and try to explore this feature by creating a tutorial.

    API управления Android

    Оптимизируйте свои подборки Сохраняйте и классифицируйте контент в соответствии со своими настройками.

    Примечание. Если вы в настоящее время используете Google Play EMM API. см. руководство для существующих партнеров EMM.

    Android Management API доступен как часть Android Enterprise — инициативы, предоставляющей разработчикам инструменты для создания решений, позволяющих организациям управлять парком своих устройств Android. Программа предназначена для поставщиков услуг по управлению мобильностью предприятия (EMM). Чтобы развернуть производственное решение, использующее Android Management API, EMM должны выполнить шаги, описанные в разделе Выпуск решения.

    Вы можете использовать Android Management API для поддержки рабочих профилей. полностью управляемых устройств и наборов решений для выделенных устройств.

    См. руководство по быстрому запуску, чтобы попробовать API.

    Как это работает

    Android Management API поддерживает полный жизненный цикл управления корпоративной мобильностью, от первоначальной регистрации клиента до настройки устройств и управления ими.

    Как разработчик EMM, вы предоставляете своим клиентам локальную или облачную консоль EMM. В вашей консоли ваши клиенты генерируют токены регистрации устройств и создают политики управления. Они используют токены для регистрации устройств и применения политик управления к зарегистрированным устройствам.

    В серверной части ваша консоль использует Android Management API для создания токенов регистрации, политик и других ресурсов управления. Во время регистрации на каждое устройство устанавливается сопутствующее приложение API — Android Device Policy. Когда политики связаны с устройством в API, Android Device Policy автоматически применяет параметры политики на устройстве.

    Примечание. Android Device Policy — это единственный контроллер политик устройств, совместимый с Android Management API.

    Ресурсы API

    В этом разделе описываются основные ресурсы, используемые в Android Management API.


    Ресурс enterprises обычно представляет одну организацию. Вы создаете предприятие как часть процесса онлайн-настройки, который ваши клиенты используют для привязки своей организации к вашему решению EMM. Политики, токены регистрации и устройства принадлежат предприятию.


    Android Management API следует модели, основанной на политике. Ресурс policies содержит группу параметров управления устройствами и приложениями, которые определяют поведение устройства. Диапазон и гибкость настроек, поддерживаемых policies позволяют настраивать устройства для различных вариантов использования.

    Токены регистрации

    Вы используете enrollmentTokens для привязки устройств к предприятию — процесс, называемый регистрацией и подготовкой. Токены регистрации могут дополнительно содержать дополнительные сведения (например, корпоративные учетные данные Wi-Fi), policyName. связанное с ресурсом policies. и идентификатор учетной записи пользователя.

    После создания маркера регистрации его можно передать на устройство с помощью одного из нескольких различных методов подготовки. Устройства устанавливают Android Device Policy в рамках процесса подготовки. Если в policyName указано имя политики, политика будет применена сразу после завершения подготовки.

    Android Management API упрощает управление пользователями — вы можете зарегистрировать устройство с указанием пользователя в токене регистрации или без него.

    • Если вы не укажете пользователя, новый пользователь будет создан автоматически.
    • Если вы укажете существующего пользователя, существующий пользователь будет связан с устройством. Вы можете связать пользователя с 10 устройствами.

    Дополнительную информацию см. в разделе Инициализация устройства.


    Ресурс devices создается, когда устройство успешно зарегистрировано. Ресурс содержит сведения об устройстве, доступные только для чтения, включая связанного с ним пользователя, политику и режим управления.

    Управление устройствами осуществляется через политику, но вы можете использовать enterprises.devices.issueCommand для блокировки, перезагрузки или сброса пароля на устройстве. Чтобы стереть устройство, вызовите enterprises.devices.delete.


    Протестируйте API — воспользуйтесь кратким руководством. чтобы настроить устройство за считанные минуты. Убедитесь, что вы понимаете шаги, необходимые для выпуска решения в производственной среде, прежде чем использовать руководство разработчика и справочник по API на этом сайте для создания своего решения.

    Если не указано иное, контент на этой странице предоставляется по лицензии Creative Commons С указанием авторства 4.0, а примеры кода – по лицензии Apache 2.0. Подробнее об этом написано в правилах сайта. Java – это зарегистрированный товарный знак корпорации Oracle и ее аффилированных лиц.

    Последнее обновление: 2023-02-03 UTC.

    Evolution of Android management for Enterprise use | Deep Dive with Joy

    Grab a cup of coffee to sip through while learning the developments of Android management over time.

    Evolution of Android management for Enterprise use – Overview

    Google introduced mobile device management capabilities for Android with Android 2.2 back in 2010 with the Android Device Administrator (DA) API set.

    Standing in 2020, we see that the way mobile devices are used in the enterprise landscape has changed dramatically over the period.

    Work is more mobile than ever and mobile devices are used to access organization data and get the work done on the go more than before, and quite often, the same device is used for both personal and work purposes.

    The Device Administrator (DA) API set failed to keep up with the requirements of this new mobile workforce which has emerged. As such, Google had to come up with a solution in order to keep Android relevant in the enterprise use-cases.

    The result, as we all know it today is Android Enterprise.

    In 2014, Google introduced a new set of modern device management APIs with Android Lollipop (5.x). We saw the introduction of two new management modes

    • Fully managed (device owner), and
    • Work profile (profile owner).

    Android Enterprise, as it was introduced back then was known as Android for Work and it marked the Device Administrator (DA) API as a legacy.

    With the release of Android Pie (9) in August 2018, several functionalities of the Device Admin (DA) API were marked deprecated by Google, with complete deprecation of the Device Admin (DA) API with the release of Android 10 in September 2019. [Check this link to know more]

    Though it is recommended to move to Android Enterprise. it is important to note that devices running Android versions till Oreo (Android 8) and currently managed via the legacy Device Administrator mode will continue to be managed and not be impacted.

    Evolution of Android management for Enterprise use – Dive into the details

    Android, from the beginning, has been an open-source platform, which is one of the primary reasons for Android being the choice of platform for OEMs producing mobile devices for the mass market.

    Account Transfer API for Android apps

    Commercially sponsored by Google, the Android Open Source Project (AOSP) primarily licensed under the Apache License enables an OEM to take the Android source code and customize it further to create their own mobile OS based on Android.

    They add their own apps, device drivers, a compactable UI, some custom features, and APIs (and yes, also some bloatware) on top of the stock Android image and create a completely new flavor of Android (ROM build) that they push in the chassis (device).

    The OEMs mostly do this to curate the end-user experience. This is why, even though the devices from different OEMs might run the same Android version, the look and feel (and some features) vary and thus we get Androids of different flavors in the market.

    android, device, management, управление

    Quick examples: Samsung devices run One UI, OnePlus devices run Oxygen OS, Oppo devices run Color OS, Vivo devices run FunTouch OS, and so on.

    The fact that Android is an open-source platform helped Google gain a substantial share of the mobile OS market, the same reason inadvertently became the Achilles Hill for Google when it came to using Android in enterprise use-cases.

    Understanding the problem with Device Admin API

    Any EMM (Enterprise Mobility Management) platform relies on APIs to communicate with and control managed devices.

    Android facilitated the same in the initial days with the Device Admin (DA) API however quickly it was well understood that its limited functionality was of no match to the evolving requirements of the modern mobile workforce.

    The Device Admin (DA) API set had a lot of shortcomings in terms of both usability as well as security, the most pronounced of them are listed below.

    • Separation of work content from personal content in BYOD devices
    • Secure app distribution
    • Setting factory reset protection (FRP) to ensure devices remain managed and can be recovered when employees leave.
    • Prevent removal of the device administrator.
    • Consistent manageability across multiple devices from various OEMs.

    Add to that, the now deprecated Device Admin API was never a standard part of the original Android source code and was very limited in its capabilities.

    Thus the OEMs while preparing their mobile OS by taking Android source code from AOSP and customizing it, had the option to either incorporate the Device Admin APIs or omit them all together in favor of their own custom APIs which they developed to form their own enterprise capabilities.

    Example: Samsung with their KNOX, Zebra with their Mx platform configurations.

    Considering the sheer number of OEMs producing Android devices, it takes a lot of effort from any EMM solution to partner with all the OEMs to get all their custom APIs incorporated natively.

    This is neither viable nor possible, as it would require the EMM solutions to maintain and manage every version of the APIs as developed by OEMs to maintain backward compatibility. On the other hand, if an EMM chooses not to implement the OEM APIs, then support for managing enterprise capabilities of devices from that OEM is understandably not available.

    Why an EMM may opt-out of implementing APIs varies from resource availability, budget or time constraints, absence of an OEM/EMM partnership, or other reasons.

    In the real world though, it was actually found that devices from different OEMs, and sometimes different device models of the same OEM, exhibited different results (if at all) when trying to manage a particular feature from an EMM solution.

    This caused the infamous “all or none” management approach with Device Admin API resulting in inconsistent manageability and thus poor trust from the IT Admins.

    How did Google actually solve the problem?

    The straight answer would be by introducing Android Enterprise.

    Android Enterprise is Google’s modern Android device management framework introduced to help overcome the shortcomings of the Device Admin API and make Android a suitable platform for enterprise use-cases.

    Android Enterprise as we know it today, originally debuted with the name Android for Work with Android Lollipop (5.x). But at the time of its release, it was still an optional solution made available to OEMs to include in their devices.

    However, this changed soon.

    With Android Marshmallow (6.0), Google made Android Enterprise a mandatory component for all GMS-certified devices.

    This ensured that even if your lineup of Android devices consists of devices from different OEMs if all the devices are GMS certified, they would still offer the same manageability and end-user experience.

    Getting to know Android Enterprise

    Android Enterprise is a set of robust management APIs that enables EMM solutions to confidently deploy and manage Android devices for enterprise use.

    Android Enterprise is a set of modern management APIs that suffices the enterprise use-cases, to be incorporated by all OEMs in their Android builds, thus becoming the sole set of APIs that an EMM Solution needs to implement for effective and efficient Android management irrespective of the device OEM, achieving the consistent manageability across OEMs.

    Multiple use-cases to support every enterprise’s requirements

    Android Enterprise supports multiple use-cases as shown below

    • Containerized managed work profile to separate work/personal space on BYOD devices
    • A fully managed device with no personal profile for complete corporate ownership (previously known as COBO)
    • Fully managed devices further locked down to specific use-case like Kiosk referred to as dedicated devices (previously known as COSU)
    • Work profile on a fully managed device to enable the corporate device for personal use (also known as COPE)

    Flexible provisioning

    Android Enterprise gives you the flexibility to choose from a variety of deployment methods for device provisioning as below.

    • Manual IT Admin or user-driven deployments
    • QR code or Enrollment Token
    • NFC bump
    • DPC Identifier
    • Fully automatic deployment
    • Zero Touch

    In addition, Android Enterprise gives you the below additional benefits.

    Easy and secure app deployment

    Managed Google Play allows for a standard and secure way for IT admins to whitelist apps for easy deployment, distribute private apps and perform silent app installs without requiring the need to enable app install from unknown sources.

    Google’s Play Protect suite of solutions helps protect devices from any Potentially Harmful Application (PHA)

    Guaranteed security updates

    Google releases monthly security updates to patch vulnerabilities and exploits in Android. However, except for Pixel devices, almost all other Android devices have to wait to get the security updates as and when made available by OEMs.

    With the introduction of the Android Enterprise Recommended program, devices covered under the program are mandated to receive the updates within 90 days of Google’s release. The Android One program compliments further by mandating security updates within 30 days of Google’s release.

    Though Android Enterprise is now the only recommended and modern way of managing Android devices in your enterprise landscape, however, you need to understand that Android Enterprise is officially supported on GMS certified devices only.

    What is GMS?

    While Android itself is an open-source project, the mobile device that ends up in users’ hands has some proprietary bits mixed in, particularly apps and services bundle from Google which is collectively known as the Google Mobile Services (GMS).

    The bundle varies from region to region, but typically includes the below.

    • Google Chrome
    • Google Search
    • YouTube
    • Google PlayStore
    • Gmail
    • Google Drive
    • Google Duo
    • Google Maps
    • Google Photos
    • Google Play Music
    • Google Play Speech

    In addition to the above proprietary Google apps, GMS also includes the all-important access to use Google Play services and the corresponding Google APIs (SafetyNet, Play Protect, Play EMM, etc.)

    Google has built GMS on top of the Android Open Source Project (AOSP) in a way that

    • the Android Open Source Project (AOSP) corresponds to the core Android OS and
    • the Google Mobile Services (GMS) which runs as an add-on and gives access to the Google-branded apps and services.

    Where the former is free and enables anyone to take the Android Source code and use it to build their own custom ROM to run on a device (facilitated mostly by the Apache license), the latter requires an OEM to obtain a GMS license, a.k.a the Mobile Application Distribution Agreement (MADA) from Google in order to pre-install Google apps and services on their devices.

    Understanding the difference between a GMS license and a GMS certification

    A MADA license entitles an OEM to include and use the Google proprietary apps and services on its devices, but it does not necessarily mean that every device model it produces/will produce is/will be GMS certified.

    To get GMS certified, the device needs to go through several compatibility tests and processes as designed by Google to ensure that it meets the performance requirements of Google and can properly run and use Google apps and services.

    What about devices that are not GMS certified?

    Non-GMS-certified devices, unfortunately, needs to be managed using the legacy and deprecated Device Admin API, provided they are running a supported Android version (up to Android Oreo).

    For non-GMS-certified devices running AOSP builds for Android version 10 or higher, since the core Android OS on these versions does not have the Device Admin API, they, unfortunately, can’t be managed the legacy way using Device Admin.

    A more recent example that you all may relate to would be the case of Huawei.

    Following an order by the United States (US) government, Google withdrew the Chinese telecom giant Huawei’s MADA license. The result. all present Huawei devices in the market denied receiving any further Android security updates from Google, and all upcoming devices from Huawei denied using Google’s proprietary apps and services. Since Huawei as an OEM would not be able to get its devices GMS certified any more, this eventually makes all upcoming Huawei devices unfit to be deployed and used in enterprise scenarios since the devices will not officially support Android Enterprise management. And if the Huawei decides to build Android OS (its own EMUI based on Android) based on the current versions of Android (10, 11) using AOSP, such devices won’t be manageable using legacy Device Admin since the Device Admin APIs have been deprecated with Android 10.

    Unofficially, non-GMS-certified modern Android devices do allow for a limited Android Enterprise management experience with an EMM that supports closed network or non-GMS management like VMWare Workspace One.

    Microsoft Intune (aka Microsoft Endpoint Manager) has no support for Closed Network AOSP Android management.

    Before we end for today…

    Recommending an Android device for enterprise use-case was a tough job a few years back, however, the scenarios have changed now for the better with Android Enterprise which guarantees reliable consistent manageability and user experience across OEMs.

    android, device, management, управление

    Further, Google has tried to help enterprise customers by launching programs like Android Enterprise Recommend (AER).

    What is Android Enterprise Recommended? How does it benefit enterprise customers?

    To help enterprise buyers confidently choose Android devices for their use-cases, which can be

    • easily deployed for enterprise use,
    • offer consistent end-user experience and excellent manageability
    • have a guaranteed period of OEM patch support

    Google came up with the Android Enterprise Recommended (AER) program back in 2018.

    To be listed as an Android Enterprise Recommended (AER) device, a device has to go through an additional series of thorough testing against the best practices and common requirements as laid down by Google, over and above the GMS certification requirements.

    Below listed are some of the essential requirements that the device needs to satisfy in order to be listed as an AER device.

    • Hardware specification to support at least Android 7.0
    • Support for Zero-Touch enrollment
    • Must adhere to standard provisioning screen flows
    • Must comply with the defined work profile experience
    • Support current release one major OS upgrade
    • Unlocked device must be available directly from the manufacturer or reseller

    Previously till Android 10, Google required an AER device to guarantee security patches within 90 days of Google’s release for a period of 3 years. However, with Android 11, Google has lifted off this requirement by instead mandating the OEM to publish security update information on its website and the period through which a device is guaranteed to receive security updates.

    In line with the above, Google’s Android Enterprise Recommended website now shows how long the manufacturer intends to support the device. Check the announcement below.

    When an enterprise decides to buy Android Enterprise Recommended devices, they can be assured that the devices have been tested to meet Google’s enterprise criteria and as such will exhibit seamless and consistent experience and manageability across OEMs, along with the peace of mind that the devices will be supported and patched by the OEM for the specified period of time thereby addressing the concerns of security, throughout the device lifecycle.

    Further improvements in Android management with OEMConfig

    Google has always clarified that Android Enterprise is only a base set of APIs which it will continue to develop and add new APIs over the year, as the OS continues to mature and to address the further upcoming new needs.

    This gives the OEMs an option to add further value to their devices by creating their own APIs to address and manage certain new functionalities, over and above Android Enterprise.

    But then, does not this brings us back to square one? The EMM solutions would again need to partner and work with the OEMs to incorporate these OEM-specific custom APIs to be able to utilize the capabilities.

    No. And this is where OEMConfig comes in.

    OEMConfig is a standard defined by Google which enables an EMM solution to manage OEM specific APIs built over and above Android Enterprise, without the need to incorporate these OEM specific APIs natively within the EMM, but still be able to manage these OEM specific features from your EMM by virtue of using configurations similar to app configuration profiles to configure and deliver device settings to an OEM developed application present on the device (pushed from EMM solution using Managed Play) which acts as the interface between the EMM and the OEM specific APIs and applies/enforces the delivered settings on the device.

    Each OEM has its own OEMConfig app which is available in the Google Play Store and acts as the interface between the EMM solution and the OEM-specific APIs on the device, and thus does not requires an EMM solution to do anything to support this.

    The onus is on the OEMs who need to develop their OEMConfig app and make it available and have configuration reference documents for the IT admins to be able to create app configuration profiles from the EMM solution.

    Here is a list of OEMs who have their OEMConfig apps in the Google Play store and can be onboarded to Intune to be used.

    OEMConfig is an incredibly powerful solution that makes an IT Admin able to manage new device features from day zero (again depends on OEM if they have updated their OEMConfig app in tandem with the new release), without requiring any complex development from the EMM side.

    To be Contd.

    Well, that was all for today.

    I hope this helps you in understanding the complete back story of Android management. As I said in the starting, this post marks the beginning of a series and as such there will be further upcoming posts.

    Do check out my other blogs on different Intune topics here.

    Stay tuned to this blog site. Subscribe to get notified of new posts and be a member of the How To Managed Devices (HTMD) community.

    Use the HTMD Forum to post your queries related to Intune/SCCM and get expert advice and answers from the HTMD community.

    Starting 1st Jan 2021, I have started my own blog site. You will find my latest posts here at

    Legacy Android Enterprise for Google Workspace (formerly G Suite) customers

    Google Workspace customers must use the legacy Android Enterprise settings to configure legacy Android Enterprise. Google recently renamed G Suite to Google Workspace.

    If your organization already uses Google Workspace to provide users access to Google apps, you can use Google Workspace to register Citrix as your EMM. If your organization uses Google Workspace, it has an existing enterprise ID and existing Google Accounts for users. To use Endpoint Management with Google Workspace, you sync with your LDAP directory and retrieve Google Account information from Google using the Google Directory API. Because this type of enterprise is tied to an existing domain, each domain can only create one enterprise. To enroll a device in Endpoint Management, each user must manually sign in with their existing Google Account. The account gives them access to managed Google Play in addition to any other Google services provided by your Google Workspace plan.

    Requirements for legacy Android Enterprise:

    • A publicly accessible domain
    • A Google administrator account
    • Android devices that have managed profile support
    • A Google account that has Google Play installed
    • A Work profile set up on the device

    To start configuring legacy Android Enterprise, click legacy Android Enterprise in the Android Enterprise page in Endpoint Management Settings.

    Create an Android Enterprise Account

    Before you can set up an Android Enterprise account, you must verify your domain name with Google.

    If you have already verified your domain name with Google, you can skip to this step: Set up an Android Enterprise service account and download an Android Enterprise certificate.

    • Navigate to The following page displays where you type your administrator and company information.
    • Type your administrator user information.
    • Type your company information, in addition to your administrator account information. The first step in the process is complete and you see the following page.

    Verify domain ownership

    Allow Google to verify your domain in one of the following ways:

    • Add a TXT or CNAME record to the website of your domain host.
    • Upload an HTML file to the web server of your domain.
    • Add a tag to your home page. Google recommends the first method. This article does not cover the steps to verify your domain ownership, but you can find the information you need here:
    • Click Start to begin the verification of your domain. The Verify domain ownership page appears. Follow the instructions on the page to verify your domain.
    • Click Verify.
    • Google verifies your domain ownership.
    • After successful verification, the following page appears. Click Continue.
    • Google creates an EMM binding token that you provide to Citrix and use when you configure Android Enterprise settings. Copy and save the token; you need it later in the setup procedure.
    • Click Finish to complete setting up Android Enterprise. A page appears, indicating that you’ve successfully verified your domain.

    After you create an Android Enterprise service account, you can sign in to the Google Admin console to manage your mobility management settings.

    Set up an Android Enterprise service account and download an Android Enterprise certificate

    To allow Endpoint Management to contact Google Play and Directory services, you must create a service account using the Google Project portal for developers. This service account is used for server-to-server communication between Endpoint Management and Google services for Android. For more information about the authentication protocol being used, go to

    • In a web browser, go to and sign in with your Google administrator credentials
    • In the Projects list, click Create Project.
    • In Project name, type a name for the project.
    • On the Dashboard, click Use Google APIs.
    • Click Library, in Search, type EMM and then click the search result.
    • On the Overview page, click Enable.
    • Next to Google Play EMM API, click Go to Credentials.
    • In the Add credentials to our project list, in step 1, click service account.
    • On the Service Accounts page, click Create Service Account.
    • In Create service account, name the account, and select the Furnish a new private key check box. Click P12, select the Enable Google Apps Domain-wide Delegation check box and then click Create. The certificate (P12 file) is downloaded to your computer. Be sure to save the certificate in a secure location.
    • On the Service account created confirmation page, click Close.
    • In Permissions, click Service accounts and then under Options for your service account, click View Client ID.
    • The details required for account authorization on the Google admin console display. Copy the Client ID and Service account ID to a location where you can retrieve the information later. You need this information, along with the domain name to send to Citrix support to add to an allow list.
    • On the Library page, search for Admin SDK and then click the search result.
    • On the Overview page, click Enable.
    • Open the Google admin console for your domain and then click Security.
    • On the Settings page, click Show more and then click Advanced settings.
    • Click Manage API client access.
    • In Client Name, type the client ID that you saved earlier, in One or API Scopes, type and then click Authorize.

    Binding to EMM

    Before you can use Endpoint Management to manage your Android devices, you must contact Citrix Technical Support and provide your domain name, service account, and binding token. Citrix binds the token to Endpoint Management as your enterprise mobility management (EMM) provider. For contact information for Citrix Technical Support, see Citrix Technical Support.

    • To confirm the binding, sign in to the Google Admin portal and then click Security.
    • Click Manage EMM provider for Android. You see that your Google Android Enterprise account is bound to Citrix as your EMM provider. After you confirm the token binding, you can start using the Endpoint Management console to manage your Android devices. Import the P12 certificate you generated in step 14. Set up Android Enterprise server settings, enable SAML-based single-sign-on (SSO), and define at least one Android Enterprise device policy.

    Import the P12 certificate

    Follow these steps to import your Android Enterprise P12 certificate:

    • In the Endpoint Management console, click the gear icon in the upper-right corner of the console to open the Settings page and then click Certificates. The Certificates page appears.
    • Click Import. The Import dialog box appears. Configure the following settings:
    • Import: In the list, click Keystore.
    • Keystore type: In the list, click PKCS#12.
    • Use as: In the list, click Server.
    • Keystore file: Click Browse and navigate to the P12 certificate.
    • Password: Type the certificate password. This is the private key password you created when setting up your Android Enterprise account.
    • Description: Optionally, type a description of the certificate.
    • Click Import.

    Set up Android Enterprise server settings

    • In the Endpoint Management console, click the gear icon in the upper-right corner of the console. The Settings page appears.
    • Under Platforms, click Android Enterprise. The Android Enterprise page appears. Configure the following settings and then click Save.
    • Domain name: Type your Android Enterprise domain name; for example,
    • Domain Admin Account: Type your domain administrator user name; for example, the email account used for Google Developer Portal.
    • Service Account ID: Type your service account ID; for example, the email associated in the Google Service Account ( ).
    • Client ID: Type the numerical client ID of your Google service account.
    • Enable Android Enterprise: Select to enable or disable Android Enterprise.

    Enable SAML-based single-sign-on

    • In the Endpoint Management console, click the gear icon in the upper-right corner. The Settings page appears.
    • Click Certificates. The Certificates page appears.
    • In the list of certificates, click the SAML certificate.
    • Click Export and save the certificate to your computer.
    • Sign in to the Google Admin portal by using your Android Enterprise administrator credentials. For access to the portal, see Google Admin portal.
    • Click Security.
    • Under Security, click Set up single sign-on (SSO) and then configure the following settings.
    • Sign-in page URL: Type the URL for users signing in to your system and Google Apps. For example: https:///aw/saml/signin.
    • Sign out page URL: Type the URL to which users are redirected when they sign out. For example: https:///aw/saml/signout.
    • Change password URL: Type the URL to let users change their password in your system. For example: https:///aw/saml/changepassword. If this field is defined, users see this prompt even when SSO is not available.
    • Verification certificate: Click CHOOSE FILE and then navigate to the SAML certificate exported from Endpoint Management.
    • Click SAVE CHANGES.

    Set up an Android Enterprise device policy

    Set up a Passcode policy so that users must establish a passcode on their devices when they first enroll.

    The basic steps to setting up any device policy are as follows.

    • In the Endpoint Management console, click Configure, and then click Device Policies.
    • Click Add and then on the Add a New Policy dialog box, select the policy you want to add. In this example, you click Passcode.
    • Complete the Policy Information page.
    • Click Android Enterprise and then configure the settings for the policy.
    • Assign the policy to a Delivery Group.

    Configure Android Enterprise account settings

    Before you can start managing Android apps and policies on devices, you must set up an Android Enterprise domain and account information in Endpoint Management. First, complete Android Enterprise setup tasks on Google to set up a domain administrator and to obtain a service account ID and a binding token.

    • In the Endpoint Management web console, click the gear icon in the upper-right corner. The Settings page displays.
    • Under Platforms, click Android Enterprise. The Android Enterprise configuration page appears.
    • On the Android Enterprise page, configure the following settings:
    • Domain Name: Type your domain name.
    • Domain Admin Account: Type your domain administrator user name.
    • Service Account ID: Type your Google Service Account ID.
    • Client ID: Type the client ID of your Google service account.
    • Enable Android Enterprise: Select whether to enable Android Enterprise or not.
    • Click Save.

    Set up Google Workspace partner access for Endpoint Management

    Some Endpoint Management features for Chrome use Google partner APIs to communicate between Endpoint Management and your Google Workspace domain. For example, Endpoint Management requires the APIs for device policies that manage Chrome features such as Incognito mode and Guest mode.

    To enable the partner APIs, you set up your Google Workspace domain in the Endpoint Management console and then configure your Google Workspace account.

    Set up your Google Workspace domain in Endpoint Management

    To enable Endpoint Management to communicate with the APIs in your Google Workspace domain, go to Settings Google Chrome Configuration and configure the settings.

    • Google Workspace domain: The Google Workspace domain that hosts the APIs needed by Endpoint Management.
    • Google Workspace admin account: The administrator account for your Google Workspace domain.
    • Google Workspace client ID: The client ID for Citrix. Use this value to configure partner access for your Google Workspace domain.
    • Google Workspace enterprise ID: The enterprise ID for your account, filled in from your Google enterprise account.

    Enable partner access for devices and users in your Google Workspace domain

    • Log in into the Google admin console:
    • Click Device Management.
    • Click Chrome management.
    • Click User settings.
    • Search for Chrome Management. Partner Access.
    • Select the Enable Chrome Management. Partner Access check box.
    • Agree that you understand and want to enable partner access. Click Save.
    • In the Chrome management page, click Device Settings.
    • Search for Chrome Management. Partner Access.
    • Select the Enable Chrome Management. Partner Access check box.
    • Agree that you understand and want to enable partner access. Click Save.
    • Go to the Security page and then click Advanced Settings.
    • Click Manage API client Access.
    • In the Endpoint Management console, go to Settings Google Chrome Configuration and copy the value of G Suite Client ID. Then, return to the Manage API client Access page and paste the copied value to the Client Name field.
    • In One or API Scopes, add the URL:
    • Click Authorize. The message “Your settings have been saved” appears.

    Enrolling Android Enterprise devices

    If your device enrollment process requires users to enter a user name or user ID, the format accepted depends on how the Endpoint Management server is configured to search for users by User Principal Name (UPN) or SAM account name.

    If the Endpoint Management server is configured to search for users by UPN, users must enter a UPN in the format:

    If the Endpoint Management server is configured to search for users by SAM users must enter a SAM in one of these formats:

    To determine which type of user name your Endpoint Management server is configured for:

    • In the Endpoint Management server console click the gear icon in the upper-right corner. The Settings page appears.
    • Click LDAP to view the configuration of the LDAP connection.
    • Near the bottom of the page, view the User search by field:
    • If it is set to userPrincipalName, Endpoint Management server is set for UPN.
    • If it is set to sAMAccountName, Endpoint Management server is set for SAM.

    Unenrolling an Android Enterprise enterprise

    You can unenroll an Android Enterprise enterprise using the Endpoint Management server console and Endpoint Management Tools.

    When you perform this task, the Endpoint Management server opens a popup window for Endpoint Management Tools. Before you begin, ensure that the Endpoint Management server has permission to open popup Windows in the browser you are using. Some browsers, such as Google Chrome, require you to disable popup blocking and add the address of the Endpoint Management site to the popup allow list.

    After the Android Enterprise enterprise is unenrolled:

    • Devices and users enrolled through the enterprise have the Android Enterprise apps reset to their default state. App permissions and Managed configurations policies previously applied no longer have an effect.
    • Devices enrolled through the enterprise are managed by Endpoint Management, but are unmanaged from Google perspective. No new Android Enterprise apps can be added. No App permissions or Managed configurations policies can be applied. Other policies, such as Scheduling, Password, and Restrictions can still be applied to these devices.
    • If you attempt to enroll devices in Android Enterprise, they are enrolled as Android devices, not Android Enterprise devices.

    To unenroll an Android Enterprise enterprise:

    • In the Endpoint Management console, click the gear icon in the upper-right corner. The Settings page appears.
    • On the Settings page, click Android Enterprise.
    • Click Remove Enterprise.
    • Specify a password. You’ll need this for the next step to complete the unenrollment. Then click Unenroll.
    • When the Endpoint Management Tools page opens, enter the password you created in the previous step.
    • Click Unenroll.

    Provisioning fully managed devices in Android Enterprise

    Only company-owned devices can be fully managed devices in Android Enterprise. On fully managed devices the entire device, not just the work profile, is controlled by the company or organization. Fully managed devices are also known as work-managed devices.

    Endpoint Management supports these methods of enrollment for fully managed devices:

    • afw#xenmobile: With this enrollment method, the user enters the characters afw#xenmobile when setting up the device. This token identifies the device as managed by Endpoint Management and downloads Secure Hub.
    • QR code: QR code provisioning is an easy way to provision a distributed fleet of devices that do not support NFC, such as tablets. The QR code enrollment method can be used on fleet devices that have been reset to their factory settings. The QR code enrollment method sets up and configures fully managed devices by scanning a QR code from the setup wizard.
    • Near field communication (NFC) bump: The NFC bump enrollment method can be used on fleet devices that have been reset to their factory settings. An NFC bump transfers data through between two devices using near-field communication. Bluetooth, Wi-Fi, and other communication modes are disabled on a factory-reset device. NFC is the only communication protocol that the device can use in this state.


    The enrollment method is used after powering on a new or factory reset devices for initial setup. Users enter afw#xenmobile when prompted to enter a Google account. This action downloads and installs Secure Hub. Users then follow the Secure Hub set-up prompts to complete the enrollment.

    This enrollment method is recommended for most customers because the latest version of Secure Hub is downloaded from the Google Play store. Unlike with other enrollment methods, you do not provide Secure Hub for download from the Endpoint Management server.

    QR code

    To enroll a device in device mode using a QR code, you generate a QR code by creating a JSON and converting the JSON to a QR code. Device cameras scan the QR code to enroll the device.

    Create a QR code from a JSON

    Create a JSON with the following fields.

    These fields are required:

    These fields are optional:

    • Enter language and country codes. The language codes are two-letter lowercase ISO language codes (such as en) as defined by ISO 639-1. The country codes are two-letter uppercase ISO country codes (such as US) as defined by ISO 3166-1. For example, enter en_US for English as spoken in the United States.
    • The time zone in which the device is running. Type the database name of the area/location. For example, type America/Los_Angeles for Pacific time. If you don’t type a name, the time zone automatically populates.
    • Time in milliseconds since the Epoch. The Unix epoch (or Unix time, POSIX time, or Unix timestamp) is the number of seconds that have elapsed since January 1, 1970 (midnight UTC/GMT). The time doesn’t include leap seconds (in ISO 8601: 1970-01-01T00:00:00Z).
    • Set to true to skip encryption during profile creation. Set to false to force encryption during profile creation.

    A typical JSON looks like the following:

    Validate the JSON that is created using any JSON validation tool, such as Convert that JSON string to a QR code using any online QR code generator.

    This QR code gets scanned by a factory-reset device to enroll the device as fully managed devices.

    To enroll the device

    To enroll a device as a fully managed device, the device must be in factory reset state.

    • Tap the screen six times on the welcome screen to launch the QR code enrollment flow.
    • When prompted, connect to Wi-Fi. The download location for Secure Hub in the QR code (encoded in the JSON) is accessible over this Wi-Fi network. Once the device successfully connects to Wi-Fi, it downloads a QR code reader from Google and launches the camera.
    • Point the camera to the QR code to scan the code. Android downloads Secure Hub from the download location in the QR code, validate the signing certificate signature, install Secure Hub and sets it as device owner.

    For more information about provisioning devices using the QR code method, see the Google API documentation for Android EMM developers.

    NFC bump

    To enroll a device as a fully managed device using NFC bumps requires two devices: One that is reset to its factory settings and one running the Endpoint Management Provisioning Tool.

    • Supported Android devices
    • Endpoint Management enabled for Android Enterprise
    • A new or factory-reset device, provisioned for Android Enterprise as a fully managed device. You can find steps to complete this prerequisite later in this article.
    • Another device with NFC capability, running the configured Provisioning Tool. The Provisioning Tool is available in Secure Hub or on the Citrix downloads page.

    Each device can have only one Android Enterprise profile, managed by an enterprise mobility management (EMM) app. In Endpoint Management, Secure Hub is the EMM app. Only one profile is allowed on each device. Attempting to add a second EMM app removes the first EMM app.

    Data transferred through the NFC bump

    Provisioning a factory-reset device requires you to send the following data through an NFC bump to initialize Android Enterprise:

    • Package name of the EMM provider app that acts as device owner (in this case, Secure Hub).
    • Intranet/Internet location from which the device can download the EMM provider app.
    • SHA-256 hash of EMM provider app to verify if the download is successful.
    • Wi-Fi connection details so that a factory-reset device can connect and download the EMM provider app. Note: Android now does not support 802.1x Wi-Fi for this step.
    • Time zone for the device (optional).
    • Geographic location for the device (optional).

    When the two devices are bumped, the data from the Provisioning Tool is sent to the factory-reset device. That data is then used to download Secure Hub with administrator settings. If you don’t enter time zone and location values, Android automatically configures the values on the new device.

    Configuring the Endpoint Management Provisioning Tool

    Before doing an NFC bump, you must configure the Provisioning Tool. This configuration is then transferred to the factory-reset device during the NFC bump.

    You can type data into the required fields or populate them via text file. The steps in the next procedure describe how to configure the text file and contain descriptions for each field. The app doesn’t save information after you type it, so you might want to create a text file to keep the information for future use.

    To configure the Provisioning Tool by using a text file

    Name the file nfcprovisioning.txt and place the file in the /sdcard/ folder on the SD card of the device. The app can then read the text file and populate the values.

    The text file must contain the following data:

    This line is the intranet/internet location of the EMM provider app. After the factory-reset device connects to Wi-Fi following the NFC bump, the device must have access to this location for downloading. The URL is a regular URL, with no special formatting required.

    This line is the checksum of the EMM provider app. This checksum is used to verify that the download is successful. Steps to obtain the checksum are discussed later in this article.

    This line is the connected Wi-Fi SSID of the device on which the Provisioning Tool is running.

    Supported values are WEP and WPA2. If the Wi-Fi is unprotected, this field must be empty.

    If the Wi-Fi is unprotected, this field must be empty.

    Enter language and country codes. The language codes are two-letter lowercase ISO language codes (such as en) as defined by ISO 639-1. The country codes are two-letter uppercase ISO country codes (such as US) as defined by ISO 3166-1. For example, type en_US for English as spoken in the United States. If you don’t type any codes, the country and language are automatically populated.

    The time zone in which the device is running. Type the database name of the area/location. For example, type America/Los_Angeles for Pacific time. If you don’t type a name, the time zone automatically populates.

    This data isn’t required, because the value is hardcoded into the app as Secure Hub. It’s mentioned here only for the sake of completion.

    If there is a Wi-Fi protected by using WPA2, a completed nfcprovisioning.txt file might look like the following:

    Android Device Management for Beginners

    If there is an unprotected Wi-Fi, a completed nfcprovisioning.txt file might look like the following:

    To get the checksum of Citrix Secure Hub

    The checksum of Secure Hub is a constant value: qn7oZUtheu3JBAinzZRrrjCQv6LOO6Ll1OjcxT3-yKM. To download an APK file for Secure Hub, use the following Google Play store link:

    To get an app checksum

    • The apksigner tool from the Android SDK Build Tools
    • OpenSSL command line

    To get the checksum of any app, follow these steps:

    android, device, management, управление
    • Download the app’s APK file from the Google Play store.
    • In the OpenSSL command line, navigate to the apksigner tool: Android-sdk/build-tools//apksigner and type the following:

    apksigner verify.print-certs | perl.nle ‘print if m(?=SHA-256 digest:).’ | xxd.r.p | openssl base64 | tr.d ‘=’ | tr.- ‘/=’ ‘-_’

    Libraries used

    The Provisioning Tool uses the following libraries in its source code:

    • v7 appcompat library, Design Support library, and v7 palette support library For information, look for the Support Library Features Guide in the Android developers documentation.
    • Butter Knife by Jake Wharton under Apache license 2.0

    Provision work profile devices in Android Enterprise

    On work profile devices in Android Enterprises, you securely separate the corporate and personal areas on a device. For example, BYOD devices can be work profile devices. The enrollment experience for work profile devices is similar to Android enrollment in Endpoint Management. Users download Secure Hub from Google Play and enroll their devices.

    By default, the USB Debugging and Unknown Sources settings are disabled on a device when it is enrolled in Android Enterprise as a work profile device.


    When enrolling devices in Android Enterprise as work profile devices, always go to Google Play. From there, enable Secure Hub to appear in the user’s personal profile.

    The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.




    このサービスには、Google が提供する翻訳が含まれている可能性があります。Google は翻訳について、明示的か黙示的かを問わず、精度と信頼性に関するあらゆる保証、および商品性、特定目的への適合性、第三者の権利を侵害しないことに関するあらゆる黙示的保証を含め、一切保証しません。