I’m sharing a simple guideline on how to enroll Android Enterprise with an EMM using a Managed Google Account as the identity.
Before we start, there are a few things that you need to prepare:
- Create or own a domain and have admin access to it.
- Create an email account on your domain for the G Suite administrator account.
  Make sure that this email account is not registered to any Google Account.
- Have an EMM that supports Managed Google Account.
  In my case I’ll use VMware Workspace ONE UEM as an example.
- An Android device, a browser and Internet access.
Alright, let’s do it here step by step:
- Register a G Suite account using the email account on your domain that you created for the G Suite administrator.
- Continue to verify your domain: click go to setup, log in with your administrator account and follow the instructions on the screen.
  You need to have access to your domain admin console.
- Once your domain is verified, generate your EMM token, then go to the Admin Console.
  We’ll create the user later, as there are settings that need to be done beforehand.
- We need to create users, so let’s turn on the Cloud Identity service.
  From menu → billing → get more services → Cloud Identity
  In this example I’m using a free Cloud Identity.
- Now we are good to create users, let’s check it out.
  From Menu → Directory → Users then click on ‘Add new user’
- Let’s do some setup in the GCP Console; log in using the same administrator account.
  Then create a new project:
- Still in GCP, let’s create a service account. Select the project that you just created.
  From menu → IAM & Admin → Service accounts then click ‘CREATE SERVICE ACCOUNT’
- Open the details of the newly created service account, click edit at the top, then enable Domain-wide Delegation and create a key:
  The key type depends on your EMM; for VMware Workspace ONE UEM, you can select P12.
  The key will be downloaded to your machine; make sure you remember the password.
- Once Domain-wide Delegation is enabled and the key is created and downloaded, go back to the Service Account page and click view client ID.
  Take note of the Client ID and Service Account Email, as they are required when you set up the EMM.
- Now we need to turn on the EMM Play API.
  From menu → APIs & Services → Library, search for ‘Google Play EMM API’, then enable it.
- Now go back to the Google Admin Console.
  From menu → Devices → Mobile & endpoints → settings → 3rd party integrations
  Click on Third Party Android Mobile Management → Add EMM Provider, then copy the Token.
- Ok, let’s go to the EMM console. For this example I’m using VMware Workspace ONE UEM, but you can use any other EMM that supports Managed Google Account.
  In this example we don’t cover account authentication and sync with Google, so first we need to create EMM users.
  The EMM users do not necessarily have to be the same as the Google Accounts, but it’s recommended to make them the same for administration purposes.
- Let’s do the EMM integration now:
  Go to settings → Android → Android EMM Registration, click ‘Click here’, then click ‘UPLOAD TOKEN’
- Fill in all the information that you obtained earlier from Google, and upload the certificate key that you got when you created the service account.
- If everything is good, you should see a screen as follows:
  You can click on ‘TEST CONNECTION’ to confirm that connectivity to the Play API is established.
  If it’s not Success, please check the Google Play API Enablement step earlier.
- Alright, now it’s time to test.
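A pre-flight check for the values entered in the EMM registration form above, as an added example that is not part of the original post or of any Google or VMware tooling. The function names, the sample client ID, email, token and key file are constructed, and the expected value formats are assumptions noted in the comments.

```python
import os
import re
import stat
import tempfile

# Assumed formats: the service account Client ID is a numeric string and its
# email lives under iam.gserviceaccount.com.
CLIENT_ID_RE = re.compile(r"\d+")
SA_EMAIL_RE = re.compile(r"[a-z0-9-]+@[a-z0-9.-]+\.iam\.gserviceaccount\.com")

def preflight(client_id, sa_email, p12_path, emm_token):
    """Return a list of problems found in the values destined for the EMM form."""
    problems = []
    if not CLIENT_ID_RE.fullmatch(client_id.strip()):
        problems.append("client ID is not purely numeric")
    if not SA_EMAIL_RE.fullmatch(sa_email.strip()):
        problems.append("email is not an iam.gserviceaccount.com address")
    if not emm_token.strip():
        problems.append("EMM token is empty")
    try:
        st = os.stat(p12_path)
        with open(p12_path, "rb") as fh:
            first = fh.read(1)
    except OSError as exc:
        return problems + [f"cannot read key file: {exc}"]
    # PKCS#12 is DER encoded, so a valid file begins with a SEQUENCE tag (0x30).
    if first != b"\x30":
        problems.append("key file does not look like a DER-encoded P12")
    # The key carries domain-wide delegation: only its owner should read it.
    if os.name == "posix" and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("key file is open to group or other users (chmod 600)")
    return problems

def demo():
    """Check constructed sample values with a loose, then a tight, key file mode."""
    args = ("123456789012345678901",
            "emm-sync@example-project.iam.gserviceaccount.com")
    with tempfile.TemporaryDirectory() as tmp:
        key = os.path.join(tmp, "constructed-key.p12")
        with open(key, "wb") as fh:
            fh.write(b"\x30\x82\x00\x00")  # constructed stand-in, not a real key
        os.chmod(key, 0o644)
        loose = preflight(*args, key, "CONSTRUCTED-TOKEN")
        os.chmod(key, 0o600)
        tight = preflight(*args, key, "CONSTRUCTED-TOKEN")
    return loose, tight

if __name__ == "__main__":
    print(demo())
```

Run `preflight` with your own Client ID, Service Account Email, downloaded key path and EMM token before uploading; an empty list means none of the checks failed.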
Now, let’s test it out:
- Get your Android device ready.
  In my example I’m going to use Zero Touch Enrollment and Knox Mobile Enrollment for a Samsung device.
- In Zero Touch or Knox Mobile Enrollment, set up the respective EMM. Optionally you can assign an enrollment user; please use the Google Account that you created earlier in the step above.
- Let’s check it out below:
