Setting up Android for Work

To use Android for Work (AfW) features and configurations, you have to set up Android for Work in MDM. Android for Work can be configured using G Suite or a Google account, as explained below:

| Parameter | Using G Suite | Using Google account |
|---|---|---|
| Admin account to be used for configuring AfW | G Suite account used by the organization. | Any Google account |
| User account creation | Created by the IT Administrator, as a part of G Suite | Automatic creation of accounts |
| User account addition | Requisite account to be manually added to the device | Account gets automatically added to the device |
| User account binding | Bound to the specific user and can be reused in other devices | Bound to the specific device and cannot be reused |
| Association of configurations | Associated to the account | Associated to the device |
| Ideally used in | Organizations extensively using G Suite, having employees who use multiple devices. | Organizations without G Suite, having employees who use the corporate devices |

Using G Suite

Pre-requisites

Before setting up AfW, the following prerequisites are to be completed.

Create Service Accounts

Ensure the G Suite account being used is not associated with any other EMM service.

This procedure creates a service account for your organization with Google. This Service Account is used by MDM to push AfW-based configurations to devices.

  1. Log in to Google Developers Console using the admin credentials created previously in the Android for Work portal.

  2. Click Create Project from the top menu.

  3. Create a project by providing the requisite details.

  4. Once the project has been created, click on the notification icon on top and then select the created project from the dropdown.

  5. Now, click on Enable APIs and get credentials like keys present under the Getting Started section.

  6. Click on Credentials from the left pane and click on Create Credentials.

  7. Click on Service Account Key from the dropdown.

  8. Select New Service Account under Service Account and provide a Service account name as well as a service account ID. For Role, select Service Accounts and then select Service Account Admin. Select JSON as Key type and click on Create.

  9. A JSON key is downloaded, which is later to be uploaded in MDM to configure Android for Work.

  10. Click on the ellipsis present against the service account and select Edit.

  11. Select the Enable Google Apps Domain-wide Delegation checkbox. Once the checkbox is selected, provide Product name for the consent screen and click on Save.

  12. Click the View Client ID link, and copy the Client ID.



  13. Now click on Dashboard from the left pane and then select Enable APIs and Services.

  14. Search for EMM API in the search box and select it from the search results.

  15. Click Enable to enable Google Play EMM API.

  16. Similarly, type 'Admin' in the search box and select Admin SDK. Click Enable to enable Admin SDK API.

Manage API Client access for MDM

This procedure gives MDM the specific API access it needs to apply AfW-based features on the managed devices. Refer to this to learn about managing API Client access.

  17. Log in to Google Admin Console using your Android for Work Admin credentials and click on Security.

  18. Click on Advanced Settings and select Manage API client access.

  19. Paste the Client ID copied in Step 12 in the space provided for Client Name, paste https://www.googleapis.com/auth/admin.directory.user in the space provided for One or More API Scopes, and click Authorize.

  20. Now go back to Security and click on Manage EMM provider for Android. Copy the EMM token present here.

Follow the steps to complete the integration on the MDM server:

  21. Go to MDM Server, click the Admin tab, select Android for Work and choose Register using G Suite. Specify the domain registered, the admin e-mail address and the EMM token copied, and upload the downloaded JSON file. Ensure you select the checkbox

  22. Once the details are provided, the integration is automatically completed. You can also verify this using Google Admin Console. Go to Google Admin Console and click on Security. Click on Manage EMM provider for Android; if the EMM provider is listed as ManageEngine EMM, the binding has been successful.
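A pre-upload consistency check for the values this procedure handles, as an added example that is not part of the original page or of ManageEngine's tooling: it confirms that the downloaded file is a service account key, that the Client ID pasted under Manage API client access belongs to that key, that only the scope listed above is authorized, and that the key file is not accessible to other local users. The function name, the sample key values and the comma-separated scope format are assumptions.

```python
import json
import stat

# Fields Google writes into a service account JSON key.
REQUIRED = ("type", "project_id", "private_key_id", "private_key",
            "client_email", "client_id")
# The single scope this page authorizes for the MDM service account.
PAGE_SCOPE = "https://www.googleapis.com/auth/admin.directory.user"


def preflight(key_json, pasted_client_id, pasted_scopes, file_mode=0o600):
    """Return a list of problems; an empty list means everything is consistent."""
    try:
        key = json.loads(key_json)
    except ValueError:
        return ["key file is not valid JSON"]
    if not isinstance(key, dict):
        return ["key file is not a JSON object"]
    problems = []
    missing = [f for f in REQUIRED if not key.get(f)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        problems.append("not a service account key")
    # The Client ID pasted as Client Name must be this key's client_id.
    if str(key.get("client_id", "")) != pasted_client_id.strip():
        problems.append("pasted Client ID does not match the key")
    # Assumption: scopes are entered as a comma-separated list.
    scopes = {s.strip() for s in pasted_scopes.split(",") if s.strip()}
    if PAGE_SCOPE not in scopes:
        problems.append("required scope is missing")
    extra = sorted(scopes - {PAGE_SCOPE})
    if extra:
        problems.append("scopes beyond this page's list: " + ", ".join(extra))
    # The key is a long-lived secret: only its owner should have access.
    if file_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("key file is accessible to group or other users")
    return problems


# Constructed sample: placeholder values only, not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account", "project_id": "example-afw",
    "private_key_id": "placeholder-key-id", "client_id": "100000000000000000001",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "mdm-afw@example-afw.iam.gserviceaccount.com"})

if __name__ == "__main__":
    print(preflight(SAMPLE_KEY, "100000000000000000001", PAGE_SCOPE) or "ok")
```

For a real key file, pass the file's contents as `key_json` and `os.stat(path).st_mode` as `file_mode`.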

Creating user accounts

The next step, before starting with Android for Work, is to create user accounts. This step is required for pushing AfW-based configurations to devices. The user must log in with the created user account in Google Play Store to have all the AfW-pushed apps and configurations applied in the managed device. For devices enrolled as Profile Owner, the user must log in with the created user account in the Google Play Store present in the Work profile.

Identifying Domain Admin account

To complete the AfW integration with MDM, you need to provide a few details, one of which is your Domain Admin Account. To find it, follow the steps given below:

Without G Suite

For organizations without G Suite, AfW can be configured with any Google account that is not associated with any G Suite service or EMM service. It is recommended to use the Google account of the organization, as this account will be used for provisioning all AfW-based features and configurations to the managed devices. Configuring AfW without G Suite can be done only if MDM is running in HTTPS. If not, an error message is displayed in the browser, which is to be ignored. A major advantage of this method is the automatic creation and association of the user accounts to the devices.

  • Click here to know how to install apps silently on devices without having to manually add accounts in Play Store.

  • In case you want the users to add their personal accounts in addition to the arbitrary managed account, refer to this.

Copyright © 2019, ZOHO Corp. All Rights Reserved.
ManageEngine