JumpCloud Community

urvashi · ‎11-16-2023

Key Takeaways

Android EMM (Enterprise Mobility Management) offers flexibility for various customer needs, including privacy-conscious BYOD (Bring Your Own Device) and fully managed, locked-down use cases.
Phase one of Android EMM introduced work profiles with policies and application management, while phase two focused on dedicated and fully managed device management modes, supported by QR code enrollment.
Enhanced policies, such as kiosk mode, battery mode, and networking configurations, were introduced to cater to dedicated and fully managed devices.
The configuration experience for administrators is evolving, with improved insights into the Android fleet and the upcoming release of an enhanced QR code creation process.
Android zero-touch enrollment is a new feature aimed at streamlining the onboarding process for end-users, with specific requirements, including device procurement through authorized Google resellers and EMM provider configuration.
You can find more information and resources related to JumpCloud's Android EMM in the JumpCloud Android EMM Community Forum.

Introduction

Sergey Belous, Principal Product Manager for Mobility at JumpCloud, delivers an overview of the Android Enterprise Mobility Management (EMM) journey and highlights key developments in the EMM ecosystem. Sergey discusses the evolution of Android EMM, emphasizing its flexibility to cater to diverse customer needs, ranging from privacy-conscious BYOD to fully managed and dedicated devices.

Sergey outlines the phases of Android EMM's development, including the introduction of work profiles and the expansion into dedicated and fully managed device management modes through QR code enrollment. He also discusses enhanced policies and configurations aimed at optimizing the administrative experience.

You can find the full video recording here: The IT Hour | Product Panel 10.20.2023

Speakers

Sergey Belous, Principal Product Manager, JumpCloud

Urvashi H.V., Technical Community Champion, JumpCloud

Transcript

Overview of Android EMM Journey

Sergey Belous:

Hey everyone. Sergey Belous here, Principal Product Manager for Mobility. I want to do a very, very quick overview of where we are in our Android EMM journey and really focus the bulk of my discussion today on the things that we announced in our press release as well as the aspects that we alluded to in terms of Coming Soon.

Android EMM Flexibility

So just a little bit of a disclaimer, but at a high level, Android EMM offers a ton of flexibility. We started off evaluating which ones would be most pertinent to our customers, whether you're on the very privacy conscious side with BYOD or really on a control, fully managed, lock it down to explicitly your use case, fully managed device, or a dedicated device.

Phase One: Work Profile

Well, with phase one, which went GA in about June, we launched Work Profile, so that's your BYOD and corporate use cases. We built a ton of policies that followed a lot of commands associated with it. You can actually drive device compliance through that as well as a fairly robust application management approach.

Phase Two: Dedicated and Fully Managed

However, customers were eager to see that and were asking for more. So that's where our phase two came about. So from there, really, we honed in on the other two management modes that's dedicated and fully managed. So there's different use cases that fall into this umbrella. Typically if you're a knowledge-based worker with a company-issued device or if it's a device that may be specific for unique use cases, digital signage, kiosks, or whatnot, that's where this conversation comes into play very effectively.

QR Code Enrollment and Enhanced Policies

So we ended up supporting these two enrollment or management modes through the QR code enrollment. And with that, there was an accompanying of a ton of policies. So a number of our policies were enhanced, so your device-level restrictions, app-level restrictions were enhanced, and net new ones were completely built.

So kiosk mode, battery mode, really tailored towards our dedicated devices factor, recent protections for any company-owned devices as well as a number of networking configurations and restrictions policies.

Admin Configuration Experience

With that, we needed to actually expand what that looks like for an admin in their configuration experience. So you'll see something evolving in the Google tab. So you'll see now you can enable and select fully managed and dedicated devices for those enrollments. You'll have insights into the Android fleet that you have, and with a soon-coming release, we have an enhanced enrollment token or the QR code creation process. I'll allude to that in a second.

Enrollment Token Customization

And with this expansive UI, we are also incorporating Zero Touch. So a number of the enrollment token enhancements came about based on customer feedback. So some of you were letting us know that we are currently making very hard-coded decisions for you.

“It's a set limit of expiry, I can't really use it as efficiently for my use cases.” I'd love to see some granularity. So with that, we're actually introducing the ability for you to curate that enrollment for your use case, whether that's single-use, multi-use, how long you need it to be valid for before it expires. Is it a zero-touch enrollment token, or is it a general fully managed actual device enrollment token?

And a little bit of an effort there is, well, if I'm enrolling manually a couple of devices, I'd love to be able to have a corporate Wi-Fi network actually built into that QR code so I don't have to keep entering the SSID and the password. So we are delivering that, and you'll be able to experience that here very, very shortly.

Policy Highlights

With that, some of the policies to highlight: software updates, you'll now be able to define for company-owned devices the ability to, when those updates kick into effect, if there are maintenance windows or freeze periods, that they are respected, and with some of the notions of using dedicated devices - kiosk mode.

So you are now able to either define into a single app mode or into what would be called a launcher experience where you can define a number of applications along with those corresponding restrictions.

Android Zero-Touch Enrollment

The thing that you may have seen in the press releases coming here in this quarter is Android Zero-Touch enrollment. So a number of you may have experienced Zero-Touch enrollment or similar experiences with Apple or ABM. This is a sort of a Google reflection of that. So there are some unique requirements that Google has in place. One, there's some OS level restrictions you have to be aware of. You have to have a EMM provider configured that supports fully managed and dedicated devices for that process. As well as you'll have to procure those devices through a authorized Google reseller. There's a particular flow you have to follow.

But once you have that in place and you've checked off all those boxes, you're streamlining that onboarding experience for each of your end users. So this is sort of the process we call out, you have to make sure you go through all these steps accordingly, you'll purchase through a reseller. We have links accordingly in our documentation to all the Gold/Silver rated Google resellers.

Zero-Touch Enrollment Process

Once those devices are procured, there will be a customer account that will be generated for you and zero touch portal. You'll associate that portal in our JumpCloud EMM tenant and then you'll be able to define some of those configurations using those enrollment token configurations that I alluded to previously. So just to showcase a slight demo, what that looks like in real life. So this is a staging environment to showcase IT experience. Historically, you may have seen just an ability to select either a company owned work profile experience and you would click on this and it would generate you a QR code.

Customization and Download Options

Now you're actually able to clarify that a little bit more specifically. So if you wanted to just generate a typical one, just a single use token. We won't specify wifi. You click create, we spin up that QR code. We have that token. If you happen to not have the ability to use a camera on your device and you'll be able to click on this, you can even go through the process of downloading it. If you are trying to generate it for Zero Touch and just flag that accordingly, specify the information. When we generate that particular token, we'll give you a couple of things. One, you have the ability to copy that JSON formatted information. Just grab it and go and put it into the Zero Touch portal. Or if you don't have the ability to do that at the moment you want to download it for feature use, go ahead and grab it, save it and according to however you named it, we'll save that particular JSON file for you. At that point, because we're generating a number of these tokens and they may be a long lived period, we're actually surfacing up those tokens for you. You have the full capacity to be able to delete them. If you so desire, you can minimize how many active tokens, should you need to cycle those out. And once you have an accordingly JSON blob, you hop into the Zero Touch portal and are able to configure that, and get your devices bulk onboarded. It's really a high level presentation for myself. Any particular questions, comments? Happy to take those away for you guys.

Wrap Up

Urvashi H.V.:

Let's see those questions friends, thank you Sergey. There is also a longer deeper dive into this, which we'll link in the show notes. So we're going to pause for questions going once, going twice. Alright, Sergey was super thorough. I think you've already answered everyone's possible questions.