This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Android EMM Setup

JCDavid
Iron II
Iron II
‎04-10-2024 10:51 AM

JumpCloud provides cross-OS device management with integrated identity and access control (IAM). You can bring your own identity from an Identity Provider like Okta or Active Directory. Automations and workflows help to ensure that every device is in the appropriate state. Android devices are popular in the workplace for their apps, features, and security. JumpCloud is an Enterprise Mobility Management (EMM) provider and offers several deployment options. We’re continually adding new pre-built policies to ensure seamless device onboarding to distribute and manage corporate-liable, employee-owned, and dedicated Android devices.

Demo Overview

droid.png

This walkthrough will demonstrate how to get started with Android EMM through JumpCloud. You'll learn about how to add Android devices to JumpCloud, and will see how Android EMM works. You will also learn how to manage Android devices using policies, and manage the software on Android devices.

Prerequisites

Not every step here is necessary to complete this tutorial, but you’ll be doing these things anyway if you want to experience your trial as if you’re implementing the product.

  1. To complete this tutorial, we recommend that you have completed the following walkthroughs (or have set up your instance with the appropriate assets on your own):

Demo Walkthrough

Check out this simulation for a visual overview:

Step 1: Registering for Android EMM

Before you are able to add Android devices in JumpCloud, you must first complete the Android EMM registration. You will initiate this via JumpCloud Administrator Console and for part of this, you will be redirected to Google.

To register, you need to have a Google Admin account. You may already have a Google Admin account if you use Google Workspace, Chrome Browser Cloud Management, or other Google services. If you do not have one, you can sign up during the Android EMM registration process.

  • In the Admin Portal, in the left hand navigation under Device Management, select MDM.
  • Select the Google tab and hit the Begin Registration button
  • Enter your Google Admin Account credentials
  • Click Continue to Admin console to permit JumpCloud to server as your EMM Provider
  • Hit the Checkout button and then Place Order to complete the process. You’ll then be prompted to allow Jumploud to manage your Android devices. It may take a few minutes to complete the process. You’ll be redirected to the JumpCloud admin portal when it’s finished.

Resources:

Set up Android EMM

Get Started with Android EMM

Adding Android Devices using EMM (Tutorial)

Step 2: Device Enrollments

You must create enrollment tokens that will be used to enroll devices before adding them to your EMM instance. To create a new enrollment token:

  • In the Create Enrollment Token editor, configure the following:
  •  

    create-enrollment-token-editor

End users can enroll the following Android devices:

  • Personal devices:
    • Personal devices are owned by the employee. You enable user enrollment of a device owned by an employee, and the user enrolls the device via the User Portal. You have full management and control of the apps, data, and settings in the device’s work profile, but there is no visibility or access to the device’s personal data. This distinct separation gives you control over corporate data and security without compromising employee privacy.
  • Company-owned devices:
    • Mixed Use – A work profile can enable work and personal use on a company-owned device. Your organization can have full control of the apps, data, and settings in an encrypted work profile, and can enforce policies to control settings for WiFi and block USB file transfers or disallow software apps that apply to a device’s personal data. Any personal data on a company-owned device isn’t visible or accessible to your organization.  
    • Fully Managed – The device is used exclusively for work and you control and manage the entire device. This device does not use a work profile.
    • Dedicated – This device is a subset of fully managed devices and is used for simple workflows. You can lock down the usage of the device to a single app or small set of apps, such as ticket printing or inventory management. This device does not use a work profile.

Enroll Company Owned Devices

To enroll a company-owned Android device:

  • Log in to the JumpCloud Admin Portal.
  • Go to Device Management > Devices, then select the Devices tab.
  • Click Add Device, then select the Android tab.
  • Under Admin Android Configuration, select the enrollment type for the company-owned device.
  • Click View QR Code to start the enrollment process. An Enroll Your Company-Owned Android Device screen appears.
  • On the new or factory-reset (if using an existing company device) device, tap the screen six times in the same spot to trigger a prompt to scan the QR code.

Scan the QR code in the Admin Portal with the company-owned device. If QR scanning is not possible, manually enter the enrollment token to proceed.

enrollment-token-qr

On the mobile device, tap ACCEPT & CONTINUE and follow the on-screen instructions to create a work profile.

AndroidAcceptContinueCorporate

Note: Your screens might look slightly different, depending on the Android OEM (for example, Google, Samsung, LG, or Huawei).

After the device updates and registers the profile, the work profile appears. This action might take a few minutes.

AndroidWorkProfileCorporate

Verify that the device appears in the Admin Portal by going to Device Management > Devices, selecting the Devices tab, and checking the device’s status:

AndroidNAStatusActive – The device is enrolled and is under JumpCloud management.

AndroidInactiveStatusInactive – The device is not currently reporting or was manually disabled.

 

Enroll Personal Devices

You can give your end users the ability to add Android devices to JumpCloud from the User Portal. Work Profiles make it possible for users to leverage a personal device.

Let’s get started. First, return to the Admin Portal.

  • Click on MDM and the Google tab
  • Scroll down to User Android Configuration and select the checkbox to allow users to access Enroll Your Android Device in the user portal.
  • Select the Device Group to which enrolled devices will be automatically added
  • (If you wish to make a brand new Device Group for your Android devices, you can do so and then come back to this screen.)

Resources:

Add and Manage Android Devices

Enroll Your Personal Android Devices

Step 3: Managing Devices

To manage Android devices:

  • Log in to the JumpCloud Admin Portal.
  • Go to Device Management > Devices.
  • Select the Devices tab and review the list of Android devices. You can filter how device information is displayed and perform additional actions:
    • Select a device, then select the Device Groups tab.
    • Bind the device to a device group by selecting the Device Groups tab, then selecting the checkbox next to an existing group. If you have not yet created a device group, see Getting Started: Device Groups.
    • Click save device.
    • Lock Device – Click Lock Device to remotely lock a lost Android device, then click Yes, Lock. For devices enrolled with a work profile, the work profile passcode is locked and the container will remain locked until the end user enters the Work Profile passcode.
    • Reset Passcode – Click Reset Passcode to create a new passcode, which must have a minimum of 8 alphanumeric characters and include at least one special character. You must enter the new passcode, then click Save. For devices enrolled with a work profile, the passcode that is reset is the work profile passcode.
    • Restart Device – Click Restart to immediately restart this Android device. Any unsaved work on the device will be lost.
    • Erase Device or Remove Work Profile – Depending on the type of device, one of these buttons is visible:
    • Click the OS column to reorder the devices by OS type or click filter by and choose Android to only view Android devices.
    • After you select at least one device, click more actions to Add MFA to a JumpCloud User  or System Insights on multiple devices.
    • You can’t remove a device’s status and name from the Devices list, but you can customize the other columns to show only the information you want to see. For example, instead of showing Last Contact, click the columns down arrow and choose Agent Version or another column name. You can select up to eight columns.
    • Select a device, then select the device’s Details tab to view more information, such as OS version, serial number, model, and storage usage. 
    • (Optional) Bind a device to a device group.
    • (Optional) Add a security policy to a device to make it more secure by selecting the Policies tab and assigning a policy to the device. If you have not created Android policies yet, see Configure Settings for Android Policies.
    • (Optional) If needed, you can remotely execute these management commands on a device by selecting the device in the Devices tab:
  • Erase Device – Click Erase to permanently remove all data from this corporate-owned device. The device will be reset to factory settings and you’ll no longer manage the device. If you’re troubleshooting an issue, erase the device only after trying other solutions. To manage this device in the future, the end user must re-enroll the device and enter predefined security information.
  • Remove Work Profile – Click Remove to permanently delete the work profile on a personal Android device. This deletes all company data, apps, and policies in the work profile. To use this personal device to access company information in the future, you’ll need to re-enroll the device.
     

Resources

Configure Settings for Android Policies

Bonus Simulations

Registering for Android EMM (Simulation) 

Configuring JumpCloud MDM for Apple (Tutorial)

Install the Agent on Windows Devices (Simulation)

Install the Agent on Linux Devices (Simulation)

Conditional Access: Device Trust (Tutorial)

Final Results

Your Android devices are now being managed under a single pane of glass among the rest of your fleet, with the added value and admin efficiency that JumpCloud’s dynamic groups provide.

Dynamic groups automate provisioning with device attributes (and even some logic), which provides the assurance that every Android device will be operating with a standardized device posture. JumpCloud also helps to ensure that only managed devices can access your resources through Conditional Access policies that provide frictionless, yet secure, single sign-on (SSO).

Get prepped now

Learn about Dynamic Groups

 

0 Kudos
You Might Like

New to the site? Take a look at these additional resources:

Community created scripts

Keep up with Product News

Read our community guidelines

Ready to join us? You can register here.

Popular Articles