
8 Managing Device Settings

8.3 Android for Work

Android for Work is Google's enterprise mobility management (EMM) platform that lets companies deliver a secure, productive, and rich mobile experience to their employees. SAP HANA Cloud Platform, mobile service for security provides seamless support for it.

Android for Work offers the following benefits:

● Security and data separation – ensures business data is safe from malware and separate from personal data, using hardware-based encryption and admin-managed policies.

● Support for both employee-owned and company-provisioned devices – users can safely use a single Android device for business and personal use, and companies can provision devices they own or configure work profiles on employee-owned devices.

● Remote management – administrators can remotely control all work-related policies, applications, and data.

● Seamless user experience – delivers a consistent experience across all devices, and lets users intuitively and effortlessly switch between work and personal applications. Business applications and personal applications appear together in the launcher and recent applications list, but business application icons are clearly distinguished by the badge icon.

Note

Android for Work is supported on Android devices running Android 5.0 (Lollipop); at the time of writing, these are the Google Nexus 5, Nexus 6, and Nexus 9 tablet.

Google has introduced a new approach, under which the EMM provider is authorized to enroll SAP HCP, mobile service for security accounts for Android for Work.

For information about configuring the settings for new Android for Work setup, see

SAP HANA Cloud Platform, mobile service for security Administration Guide Managing Device Settings

P U B L I C

© 2016 SAP SE or an SAP affiliate company. All rights reserved. 57

If you already have Android for Work configured, you can unenroll the enterprise from the existing setup and reenroll it, to comply with Google's new approach for setting up Android for Work. For more information, see .

Note

It is not mandatory to unenroll the enterprise from the existing Android for Work setup and reenroll it. Existing setups will continue to work successfully.

8.3.1 Configuring Android for Work (Mobile Service for Security, Existing Setup)

Use this procedure only if you enrolled with a previous version of the product and, on subsequent logins to the SAP HANA Cloud Platform, mobile service for security portal, the Android for Work Settings tab redirects you to the Enroll Enterprise page. In that case you must unenroll and enroll again to comply with Google's revised approach to Android for Work setup.

Context

You have already completed your domain verification with Google, which you need to do only once during configuration. On subsequent logins to the SAP HCP, mobile service for security portal, the Android for Work Settings tab redirects you to the Enroll Enterprise page. Here, to comply with Google’s new approach for configuring the Android for Work setup, you must first unenroll, then reenroll.

Procedure

1. Log in to SAP HANA Cloud Platform, mobile service for security, then go to Account > Device Setup > Android for Work Settings.

2. Click Unenroll.

3. Log in to https://console.developers.google.com using the administrator credentials created during your initial registration of the Mobile Place domain.

Note

If you have the client ID, p12 key, p12 key password, and service account email address from your initial setup, you can use the same credentials.

a. Select the existing project created during the initial Android for Work setup.

b. Go to Products & Services (hamburger icon) > API Manager > Overview. Search for Google Play EMM API using the search field. Enable the API.

c. In the left pane, select Credentials. In the right pane, click Add credentials > Service account key.


d. Select New service account from the drop-down list. Enter a name for your service account. The Service account id is generated automatically. Choose P12 as the key type and click Create.

If you do not see the option to select a new service account and provide a name, just choose P12 as the key type and click Create. Both the service account name and service account id are automatically generated.

Google downloads a .p12 key file (PKCS #12 format) to your local system. The file contains the service account's private key: anyone who holds it together with its passphrase can act as the service account with every API scope you authorize in the following steps, so protect it like an administrator credential and delete any copies you no longer need.

Copy or save the p12 passphrase from the popup window and click Close.

e. Click Manage service accounts > Options > Edit. Select Enable Google Apps Domain-wide Delegation and click Configure consent screen.

f. Update the OAuth consent screen and click Save.

Table 13: Fields in OAuth Consent Screen

Field Name                   | Field Description                               | Field Type
Email address                | Select the Google admin account email address   | Required
Product name shown to users  | Provide SAP Mobile Secure                       | Required
Homepage URL                 | Provide your homepage URL                       | Optional
Product logo URL             | Provide your product logo URL                   | Optional
Privacy policy URL           | Provide your privacy policy URL                 | Optional
Terms of service URL         | Provide your terms of service URL               | Optional

This information appears on the mobile device for Mobile Place users during the Android for Work setup (when the user installs an Android for Work app on the device for the first time).

g. Click Save in the Edit service account window.

h. Go back to Credentials > Manage service accounts > Options > View client id. Copy and save the Client ID and service account email address in a secure location.

4. Log in to https://admin.google.com using the administrator credentials created during your initial registration of the Mobile Place domain.

a. Navigate to Security > Advanced Settings > Manage API client access (if Advanced Settings is not shown, click Show More).

b. Paste the Client ID from the earlier step in Client Name.

c. Paste the following three scope URLs into One or more API scopes:

   https://apps-apis.google.com/a/feeds/domain/
   https://www.googleapis.com/auth/admin.directory.user
   https://www.googleapis.com/auth/androidenterprise

   Together these scopes let the client manage Google Apps domain settings, create and modify user accounts in your Google directory (the user creation you acknowledge in step 6), and administer Android for Work. Authorize only these three; do not add broader scopes to the same client ID.

d. Click Authorize.

5. In the SAP HCP, mobile service for security portal, navigate to Device Settings > Android for Work Settings > Enroll Enterprise and enter the following:

○ Service account email address

○ Administrator email address (created during the initial registration of your Mobile Place domain; you can retrieve it by going to https://admin.google.com and clicking your profile in the top right corner of the page)

○ p12 key password


Upload the .p12 key file that is saved on your local system.

6. Select I understand that the Mobile Place APIs will use my credentials below to create users in my Google Directory with the same username, First Name and Last Name as in Mobile Place in order to enable Single-Sign-On.

7. Click Enroll.

Status: Configuration Completed appears at the top of the screen.

You can now enroll Android Lollipop devices with Android for Work support at https://<account>.sapmobileplace.com/. All users are authenticated by Google as part of the enrollment process and before they can access the Android for Work features.

Note

You may experience a delay of up to an hour for Android for Work support to be enabled for your account.

If you experience a delay, wait a little while and try again.

After you enroll the enterprise, the EMM provider's name appears in https://admin.google.com, under Security > Android for Work Settings.

Note

Once an enterprise token is used, it cannot be used again. To generate a new token, first unenroll your domain from the Google account using the Unenroll button in the Android for Work Settings tab in the SAP HCP, mobile service for security portal.
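The service account email address, client ID, p12 key and the three scopes authorized in steps 3 and 4 are the inputs to the OAuth 2.0 JWT bearer flow (RFC 7523) that Google uses for domain-wide delegation. The following Python is an added example and not code from this guide, from SAP or from Google: it builds the assertion a client presents to Google's token endpoint on behalf of the administrator account, and it flags any scope beyond the three the guide calls for. The service account and administrator addresses are made-up placeholders; signing the assertion needs the third-party `cryptography` package and the private key exported from the .p12 file, so that step is kept in its own function and everything else runs offline.

```python
"""Build the OAuth 2.0 JWT bearer assertion used for Google domain-wide delegation.

Added example, not part of the SAP guide.  Claim layout per RFC 7523 as Google
applies it to service accounts: the service account is the issuer, the delegated
administrator is the subject, the scopes are one space-separated string.
"""
import base64
import json
import time
import urllib.parse

TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"

# The exact scopes the guide has you authorize for the client ID under
# Security > Advanced Settings > Manage API client access.
REQUIRED_SCOPES = (
    "https://apps-apis.google.com/a/feeds/domain/",
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/androidenterprise",
)


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_claims(service_account_email, admin_email, scopes=REQUIRED_SCOPES,
                 now=None, lifetime=3600):
    """Claim set for the assertion; `sub` is the admin the service account impersonates."""
    if lifetime > 3600:
        raise ValueError("Google rejects assertions valid for more than one hour")
    now = int(time.time()) if now is None else int(now)
    return {
        "iss": service_account_email,
        "sub": admin_email,
        "scope": " ".join(scopes),
        "aud": TOKEN_ENDPOINT,
        "iat": now,
        "exp": now + lifetime,
    }


def signing_input(claims):
    """header.payload, the part of the compact JWS that gets signed."""
    header = {"alg": "RS256", "typ": "JWT"}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    return enc(header) + "." + enc(claims)


def decode_unverified(jwt):
    """Split a compact JWT back into its claims, without checking the signature (inspection only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def excess_scopes(granted):
    """Scopes authorized for the client ID that the guide does not call for (least privilege check)."""
    return sorted(set(granted) - set(REQUIRED_SCOPES))


def sign_assertion(claims, private_key_pem: bytes) -> str:
    """RS256-sign the claims with the service account key.

    The key is the one inside the .p12 Google downloaded; export it once with
    `openssl pkcs12 -in key.p12 -nocerts -nodes -out key.pem`.  Needs `cryptography`.
    """
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    data = signing_input(claims)
    sig = key.sign(data.encode("ascii"), padding.PKCS1v15(), hashes.SHA256())
    return data + "." + b64url(sig)


def token_request_body(assertion: str) -> str:
    """Form body POSTed to TOKEN_ENDPOINT to exchange the assertion for an access token."""
    return urllib.parse.urlencode({"grant_type": GRANT_TYPE, "assertion": assertion})


if __name__ == "__main__":
    # Placeholder identities, not real accounts.
    claims = build_claims("afw-emm@example-project.iam.gserviceaccount.com",
                          "admin@example.sapmobileplace.com", now=1700000000)
    print(signing_input(claims))
    print(excess_scopes(REQUIRED_SCOPES + ("https://www.googleapis.com/auth/admin.directory.group",)))
```

Note that the `sub` claim is what turns a plain service account credential into an administrator session: with domain-wide delegation and the `admin.directory.user` scope, whoever holds the .p12 can create and modify users in your directory, which is exactly why the guide tells you to keep the key, its password and the client ID in a secure location.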

8.3.2 Setting up Android for Work (Mobile Service for Security, New Setup)

If you are setting up Android for Work for the first time, use SAP HANA Cloud Platform, mobile service for security to register your Mobile Place domain with Google. You can start deploying Android Work Apps after completing the setup.

Prerequisites

We strongly recommend that you use a text editor to hold the information you copy and paste from the Google website into SAP HCP, mobile service for security, as described in the steps below. Keep it in an unsaved scratch buffer or a password manager rather than in a file on disk, because the list includes the Google administrator password and the p12 key password. The specific information to be copied consists of:

● Google account administrator credentials:

○ Username (in the form of an email address)

○ Password

● Google verification code

● Google meta-tag value


● Google enterprise token

● Google Client ID

● Google service account email address

● p12 key password

Context

Setup consists of:

● Verifying the ownership of the Mobile Place domain

● Acquiring a Google enterprise token and enrolling the enterprise

After that, the information appears in the Afaria administration console on the Server Configuration > Google Services page.

From the Google Services page, you can also view and accept permissions for the Afaria client and Google productivity apps on behalf of your users. If you accept these permissions, these apps are silently installed in the Android for Work managed profile and no user intervention is required. The Afaria client and Google productivity apps are also automatically and silently updated whenever a new version is posted to Google Play. If the permissions change, an error is logged in the server logs and you must accept the new permissions on this page before the update can proceed.

After completing these two phases, users can enroll their Android devices with OS versions Lollipop or higher with Android for Work support through Mobile Place.

Procedure

1. Log in to SAP HANA Cloud Platform, mobile service for security, go to Account > Device Setup and select the Android for Work Settings tab.

2. On the Create a Google account page, click https://www.google.com/a/signup/?enterprise_product=ANDROID_WORK.

3. Provide the required details in the Google form and create a Google account for your Mobile Place domain.

○ Phone – a valid mobile phone number.

○ Business name – the company's name.

○ Business domain address – use the domain name provided in the Android for Work Settings tab.

○ Username – use the SAP HCP, mobile service for security admin account user name. This will be the user name for your Google admin account as well.

○ Password – a secure, strong password made up of more than 8 alphanumeric characters and symbols. This is the password for your Google account administrator credentials.

Make a note of these credentials as you will need them later.

4. Sign in to the Google account using the administrator email address and password you just created.

You may need to verify your credentials by providing the Google verification code sent to your mobile number.

5. Click Start to start the domain verification process.


6. Copy the complete meta-tag value, that is, <meta name="google-site-verification" content="[…]" />, from the Google portal to the Meta Tag text box in the Android for Work Settings tab in the SAP HCP, mobile service for security portal. Click Save Meta Tag.

The meta-tag is added to your home page for Google to verify that you are the domain owner.

After obtaining the meta-tag value, if you choose to complete the remaining configuration later, note down the meta-tag value as you will need it to complete the configuration.

7. Return to the Google portal, select I have added the meta tag to my homepage. and proceed with the verification. Google verifies that the meta-tag information has been added to your domain home page.

Perform the domain verification process only once during the initial Android for Work configuration. After that, on subsequent logins to the SAP HCP, mobile service for security portal, the Android for Work Settings tab redirects you to the Enroll Enterprise page.

Once the domain is verified, Google generates a token. Copy this token to the Enterprise Token text box on the Android for Work Settings > Enroll Enterprise page.

Until you enroll the enterprise, the unused token appears in https://admin.google.com, under Security > Android for Work Settings, for 30 days from the time you generate the token. If the token expires, use Generate Token in the same location to generate a new token.

8. To enable single sign-on for simplified authentication for users, navigate to Device Settings > Android for Work Settings > Enroll Enterprise. Status: Configuration Incomplete appears at the top of the screen.

9. Log in to https://console.developers.google.com using the administrator credentials created during your initial registration of the Mobile Place domain.

a. Go to Select a project > Create a project and create a project to generate a service account.

b. In the left pane of the Google console, navigate to Products & Services (hamburger icon) > API Manager > Overview. The right pane now displays the Google APIs. Select Admin SDK and click Enable API.

c. Go back to Products & Services (hamburger icon) > API Manager > Overview. Search for Google Play EMM API using the search field. Enable the API.

d. In the left pane, select Credentials. In the right pane, click Add credentials > Service account key.

e. Select New service account from the drop-down list. Enter a name for your service account. The Service account id is generated automatically. Choose P12 as the key type and click Create.

If you do not see the option to select a new service account and provide a name, just choose P12 as the key type and click Create. Both the service account name and service account id are automatically generated.

Google downloads a .p12 key file (Public-Key Cryptography Standards #12 format) to your local system.

Copy or save the p12 passphrase from the popup window and click Close.

f. Click Manage service accounts > Options > Edit. Select Enable Google Apps Domain-wide Delegation and click Configure consent screen.

g. Update the OAuth consent screen and click Save.


Table 14: Fields in OAuth Consent Screen

Field Name                   | Field Description                               | Field Type
Email address                | Select the Google admin account email address   | Required
Product name shown to users  | Provide SAP Mobile Secure                       | Required
Homepage URL                 | Provide your homepage URL                       | Optional
Product logo URL             | Provide your product logo URL                   | Optional
Privacy policy URL           | Provide your privacy policy URL                 | Optional
Terms of service URL         | Provide your terms of service URL               | Optional

This information appears on the mobile device for Mobile Place users during the Android for Work setup (when the user installs an Android for Work app on the device for the first time).

h. Click Save in the Edit service account window.

i. Go back to Credentials > Manage service accounts > Options > View client id. Copy and save the Client ID and service account email address in a secure location.

10. Log in to https://admin.google.com using the administrator credentials created during your initial registration of the Mobile Place domain.

a. Navigate to Security > Advanced Settings > Manage API client access (if Advanced Settings is not shown, click Show More).

b. Paste the Client ID from the earlier step in Client Name.

c. Paste the following three scope URLs into One or more API scopes:

   https://apps-apis.google.com/a/feeds/domain/
   https://www.googleapis.com/auth/admin.directory.user
   https://www.googleapis.com/auth/androidenterprise

   Together these scopes let the client manage Google Apps domain settings, create and modify user accounts in your Google directory (the user creation you acknowledge in step 12), and administer Android for Work. Authorize only these three; do not add broader scopes to the same client ID.

d. Click Authorize.

11. In the SAP HCP, mobile service for security portal, navigate to Device Settings > Android for Work Settings > Enroll Enterprise and enter the following:

○ Service account email address

○ Administrator email address (created during the initial registration of your Mobile Place domain; you can retrieve it by going to https://admin.google.com and clicking your profile in the top right corner of the page)

○ p12 key password

Upload the .p12 key file that is saved on your local system.

12. Select I understand that the Mobile Place APIs will use my credentials below to create users in my Google Directory with the same username, First Name and Last Name as in Mobile Place in order to enable Single-Sign-On.

13. Click Enroll.

Status: Configuration Completed appears at the top of the screen.

14. To ensure the Afaria client and Google productivity apps are updated in the Android for Work managed profile, go to Server Configuration > Google Services in the Afaria Admin portal, view the application permissions using the links provided and then select Accept Permissions next to each app.
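Before confirming "I have added the meta tag to my homepage" in step 7, it is worth checking that the home page really serves the tag inside its <head> with exactly the token you pasted in step 6; a cached old page, a mistyped token, or a tag that ended up in the body all fail Google's check. The following Python is an added example and not part of this guide: it parses the <meta> line copied from the Google portal, parses the home page HTML, and reports whether the two match. The HTML snippets are constructed sample input, and the home page URL handled by fetch_homepage is a placeholder; only that function touches the network.

```python
"""Check a home page for the google-site-verification meta tag before asking
Google to verify the domain.

Added example, not from the SAP guide.  Sample HTML below is constructed input.
"""
from html.parser import HTMLParser
import urllib.request

VERIFICATION_NAME = "google-site-verification"


class _MetaCollector(HTMLParser):
    """Records every google-site-verification meta tag and whether it sat in <head>."""

    def __init__(self):
        super().__init__()
        self.found = []          # list of (content, in_head)
        self._in_head = True     # everything before <body> counts as head here

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "body":
            self._in_head = False
        if tag == "meta" and a.get("name", "").strip().lower() == VERIFICATION_NAME:
            self.found.append((a.get("content", "").strip(), self._in_head))


def verification_tags(html):
    p = _MetaCollector()
    p.feed(html)
    p.close()
    return p.found


def token_from_meta_tag(tag_markup):
    """Extract the token from the <meta ...> line copied out of the Google portal."""
    found = verification_tags(tag_markup)
    if len(found) != 1:
        raise ValueError("expected exactly one google-site-verification meta tag")
    return found[0][0]


def check_verification(html, expected_token):
    """Return (ok, reason): ok only when the expected token is served inside <head>."""
    found = verification_tags(html)
    if not found:
        return False, "no google-site-verification meta tag served"
    for content, in_head in found:
        if content == expected_token:
            if in_head:
                return True, "ok"
            return False, "token present but outside <head>, where Google looks for it"
    served = ", ".join(c for c, _ in found)
    return False, "tag present but token differs from expected: " + served


def fetch_homepage(url, timeout=10):
    """Fetch the page Google will inspect (placeholder URL; not exercised offline)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


# Constructed sample input: the line copied from the Google portal, and three
# versions of a home page (correct, tag in the body, token from an earlier attempt).
PORTAL_META_TAG = '<meta name="google-site-verification" content="AbC123xyz-verificationTOKEN" />'
GOOD_HOMEPAGE = (
    "<!DOCTYPE html><html><head><title>Mobile Place</title>\n"
    '<meta name="google-site-verification" content="AbC123xyz-verificationTOKEN" />\n'
    "</head><body><h1>Welcome</h1></body></html>"
)
TAG_IN_BODY = (
    "<html><head><title>Mobile Place</title></head><body>\n"
    '<meta name="google-site-verification" content="AbC123xyz-verificationTOKEN" />\n'
    "</body></html>"
)
STALE_HOMEPAGE = (
    '<html><head><meta name="google-site-verification" content="OLD-token-from-first-attempt">'
    "</head><body></body></html>"
)

if __name__ == "__main__":
    token = token_from_meta_tag(PORTAL_META_TAG)
    for name, page in (("good", GOOD_HOMEPAGE), ("in body", TAG_IN_BODY), ("stale", STALE_HOMEPAGE)):
        print(name, check_verification(page, token))
    # Against a live site: check_verification(fetch_homepage("https://<account>.sapmobileplace.com/"), token)
```

Run it against the page that Google will fetch, not against the file you edited: a CDN or a proxy in front of the home page can keep serving the pre-change copy for a while, which looks like the "tag present but token differs" or "no meta tag served" case above.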


Now that you have enrolled the enterprise and enabled single sign-on with Google, SAP HCP, mobile service for security administrators can create users within the Google directory on demand, as users enroll their devices within Mobile Place. The User name, First Name, and Last Name are the same in Google as they are in SAP HCP, mobile service for security. The email address format is <username>@<account>.sapmobileplace.com. Each user is created with a random, strong password that is not saved anywhere.

You can now create Android for Work configuration policies and link them to the All Devices group in order to start enrolling Android devices with Android for Work support (at https://<account>.sapmobileplace.com/). See Creating a Configuration Policy for Android for Work on page 8 for further instructions.

All users are authenticated by Google as part of the enrollment process and before they can access Android for Work features.

Note

You may experience a delay of up to an hour for Android for Work support to be enabled for your account.

If you experience a delay, wait a little while and try again.

After you enroll the enterprise, the EMM provider's name appears in https://admin.google.com, under Security > Android for Work Settings.

Note

Once an enterprise token is used, it cannot be used again. To generate a new token, first unenroll your domain from the Google account using the Unenroll button in the Android for Work Settings tab in the SAP HCP, mobile service for security portal.
