Android Enterprise On Premise Enrollment

Hello,

Is there any possible way to enroll fully managed Android Enterprise devices without having the device connect to Google services?

We do not want to give networks / devices direct access to Google services. Maybe staging cradles with Ethernet are possible, but the best solution for us at the moment would be direct enrollment through our on-premise MobiControl server or a dedicated MobiControl service.

And are there options besides the token identifier afw#mobicontrol to install the agent as fully managed, apart from NFC/barcode etc.?

Kind Regards John

12 Answers

Raymond Chan | posted this 11 April 2019

Do you need any apps from Managed Google Play store to be deployed to your devices? 
What about upgrades for bundled Google's apps, Android Enterprise support modules and MobiControl device agent?

  • 0
  • 0
John Doe | posted this 12 April 2019

Are device agent upgrades and Enterprise modules updated OTA by Google?

Currently we have no need for managed Google Play or any other app available in the Play Store.

It's just that we may have to use Android Enterprise because of newer devices becoming available.

We are running an all-COSU environment.

Thanks for helping, Raymond.

Kind Regards John

  • 0
  • 0
Raymond Chan | posted this 12 April 2019

As far as I know, AE module and device agent upgrade currently have to be done via Google's Portal, though I am checking with Soti support team for some limited workarounds.
If the above upgrade is not a concern, at least in the short run, then in principle you can have a device enrolled into Android Enterprise Device Owner mode without access to the Google network. This was confirmed when I talked to a Samsung technical guy from mainland China two days ago. As the whole of mainland China is blocked by the government firewall from accessing Google's portal, I have to take his word for it, rather than setting up a closed network in Hong Kong to test things out myself.
The only limitation is that only NFC enrollment can be used, because the afw#mobicontrol hashtag and QR code approaches rely on a QR-code reader module downloaded from the Google portal. Also, the "" option should be checked in the "Android Management" tab of your Add-Devices rule in order to prevent repeated prompts/notifications about "Managed Google Play account" set-up on the enrolled device.
If your devices do not have NFC, and you can live with allowing the device to get online during the initial enrollment, then things are much simpler. For example, use a mobile phone tethered as a temporary Wi-Fi hotspot so the device can connect to Google's portal and complete the enrollment. After the enrollment is completed, use feature control and other policies to block the devices from any access outside your closed corporate network. You can also use this approach to allow upgrades of Android Enterprise modules and the device agent via a temporary network connection, maybe once every few months.
  • 1
  • 0
John Doe | posted this 12 April 2019

So if I understood correctly, I need to get one staging device ready as a fully managed device in the traditional way.

After that I can NFC-bump other devices without having them connect to Google services?

Kind Regards John

  • 0
  • 0
Raymond Chan | posted this 12 April 2019

Yes, you need an Android provisioning device with the MobiControl Stage app installed. The flow should work according to what the Samsung guy told me two days ago. I haven't tried that out myself. Needless to say, the device to be enrolled should have NFC hardware, and you have to confirm that its NFC is turned on by default after a factory reset, as this might not be the case for many earlier models.
Also, please note that if in the future you find that you need to download apps from the Managed Google Play store, you MIGHT need to factory reset the device and re-enroll with an MGP account, as I am not aware of any documented mechanism to push an MGP account to an already enrolled AEDO device.

  • 1
  • 0
John Doe | posted this 12 April 2019

I'll test this and will report back soon.

Thanks for helping!

Kind Regards John

  • 0
  • 0
Raymond Chan | posted this 23 April 2019

I've completed tests and confirmed that an AEDO device on a closed network can be enrolled successfully using NFC bumping.

  • 2
  • 0
Matt Dermody | posted this 23 April 2019

What devices are being managed in this environment? If they are Zebra Android devices, you can also leverage StageNow-based enrollment to enroll as AEDO without needing to go through the Google setup-wizard-based enrollment. This could be an alternative option if you don't have the option of using NFC, which is still likely the cleanest enrollment method in this situation. With that said, devices like the VC80x from Zebra don't have NFC, so for those devices you have to leverage StageNow-based AEDO enrollment in firewalled environments.

  • 1
  • 0
Scott | posted this 29 May 2019

I have a closely related question but will create a new topic if necessary. We are a Zebra TC5X (7.1.2 GMS) shop currently using the A+ agent. Devices are all on a completely private APN with zero internet access. However, some applications have a dependency on WebView that necessitates me upgrading some Google components. It is ugly and messy. I have read all I can on AEDO and it sounds like it could take care of some of that unpleasantness, but...

I can't seem to find an actual network diagram or description of the device update process. Can GMS/Play component updates occur via the MDM if the devices themselves only have access to the MDM, i.e., no Internet? If the devices need to have Internet access in order to get GMS updates, then that model is probably DOA for me, as our corporate security policy mandates that for Android devices.

  • 0
  • 0
Matt Dermody | posted this 29 May 2019

You might be able to update some of the GMS system applications by pulling them from APK mirror sites, but that would not be recommended in an enterprise setting and would arguably be a bigger risk than opening your network up to Google Play. If you just need some of the GMS services and features like WebView or the Location service, then you may be able to get away with not updating them and leaving them on whatever version the base OS has after enrollment. Zebra also provides updates to the base OS in the form of LifeGuard updates that can be distributed via SOTI in a firewalled on-premise environment, so you could potentially leverage those to keep your GMS apps semi up-to-date.

Unfortunately for us, most of the investment that Google is putting into Android Enterprise and its management capabilities is being made specific to the GMS versions. It will be increasingly difficult to avoid leveraging GMS in the coming future, as compelling features like NFC, QR, DPC and ZTE enrollment, Managed Configurations and OEMConfigurations are going to require GMS and AE.

  • 0
  • 0
Scott | posted this 29 May 2019

Yeah, that's what I'm doing now and it's ugly. Unfortunately, the Zebra LifeGuard updates don't update things like com.google.android.webview or com.android.chrome. I am on LifeGuard v18 and the version of those apps is the same as base 7.1.2.

Do you know if the devices can be configured to get to Google via proxy?  I might be able to make that work.

  • 0
  • 0
Ken Yamamoto | posted this 17 June 2019

I was so encouraged by Raymond's report on April 23, 2019. However, regardless of NFC bumping, I have not been able to enroll my device in a closed network as AEDO.

Could anyone explain to me how the device in the closed network can get the AE agent in the case of NFC bumping?

Best Regards

  • 0
  • 0
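The NFC-bump flow that Raymond describes on 12 April and Ken asks about above hinges on what the provisioning device writes into the NDEF record: the Android setup wizard reads a Java Properties payload of `android.app.extra.PROVISIONING_*` extras, including a download location for the device policy controller (the device agent) and a SHA-256 checksum of that APK. Pointing the download location at an on-premise host is what lets a closed network hand out the agent without Google, and the checksum is what stops the device from installing anything other than the APK you hashed. The script below is an added example written for this thread, not SOTI or MobiControl code; the MIME type and the `PROVISIONING_*` extra names are real Android constants, while the package name, download URL, Wi-Fi values and the APK bytes are constructed placeholders. It builds the record, parses it back, and performs the same checksum comparison the device makes.

```python
"""Build and verify an Android NFC device-owner provisioning payload.

Added example, not SOTI/MobiControl code. It assumes the DPC (device
agent) APK is hosted on an on-premise HTTPS server reachable from the
staging Wi-Fi, and that DPC_PACKAGE, DPC_DOWNLOAD_URL and the Wi-Fi
values below are placeholders to be replaced with your own.
"""
import base64
import hashlib

# MIME type the Android setup wizard accepts on an NFC bump (real constant).
PROVISIONING_MIME_TYPE = "application/com.android.managedprovisioning"

# Placeholder values (assumed, not taken from the thread).
DPC_PACKAGE = "com.example.dpc"                            # hypothetical DPC
DPC_DOWNLOAD_URL = "https://mdm.internal.example/dpc.apk"  # on-prem host
WIFI_SSID = "STAGING-WLAN"
WIFI_PASSWORD = "staging-wifi-secret"                      # constructed

# Constructed stand-in for the APK bytes; hash the real file in practice.
SAMPLE_APK = b"PK\x03\x04constructed-dpc-apk-bytes-for-demo"

EXTRA = "android.app.extra."  # prefix of the DevicePolicyManager extras


def package_checksum(apk_bytes: bytes) -> str:
    """SHA-256 of the APK as URL-safe base64 without '=' padding.

    This is the format PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM expects;
    the device refuses to install a downloaded DPC that does not match.
    """
    digest = hashlib.sha256(apk_bytes).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def verify_package_checksum(apk_bytes: bytes, expected: str) -> bool:
    """Run the same comparison the device makes, e.g. on the staging host."""
    return package_checksum(apk_bytes) == expected


def _escape_property(value: str) -> str:
    """Escape a value for Java Properties text (backslash and newline)."""
    return value.replace("\\", "\\\\").replace("\n", "\\n")


def _unescape_property(value: str) -> str:
    """Reverse _escape_property, walking the string one escape at a time."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append("\n" if nxt == "n" else nxt)
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def build_properties(checksum: str) -> str:
    """Java Properties text the provisioning device writes into the record."""
    props = {
        EXTRA + "PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME": DPC_PACKAGE,
        EXTRA + "PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": DPC_DOWNLOAD_URL,
        EXTRA + "PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM": checksum,
        EXTRA + "PROVISIONING_WIFI_SSID": WIFI_SSID,
        EXTRA + "PROVISIONING_WIFI_SECURITY_TYPE": "WPA",
        EXTRA + "PROVISIONING_WIFI_PASSWORD": WIFI_PASSWORD,
    }
    return "".join(f"{k}={_escape_property(v)}\n" for k, v in props.items())


def build_ndef_record(properties_text: str) -> bytes:
    """Wrap the payload in one NDEF MIME-type record (TNF=2, MB and ME set)."""
    payload = properties_text.encode("utf-8")
    mime = PROVISIONING_MIME_TYPE.encode("ascii")
    if len(payload) < 256:
        # Short record: SR flag (0x10) set, 1-byte payload length.
        header = bytes([0xD2, len(mime), len(payload)])
    else:
        # Long record: SR clear, 4-byte big-endian payload length.
        header = bytes([0xC2, len(mime)]) + len(payload).to_bytes(4, "big")
    return header + mime + payload


def parse_ndef_record(record: bytes) -> tuple:
    """Decode a record back into (mime type, properties dict) for checking."""
    flags, type_len = record[0], record[1]
    if flags & 0x07 != 0x02:
        raise ValueError("not a MIME-type NDEF record")
    if flags & 0x10:
        payload_len, pos = record[2], 3
    else:
        payload_len, pos = int.from_bytes(record[2:6], "big"), 6
    mime = record[pos:pos + type_len].decode("ascii")
    pos += type_len
    text = record[pos:pos + payload_len].decode("utf-8")
    props = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        props[key] = _unescape_property(value)
    return mime, props


def provisioning_record(apk_bytes: bytes) -> bytes:
    """End-to-end: hash the APK the server will serve and emit the record."""
    return build_ndef_record(build_properties(package_checksum(apk_bytes)))


if __name__ == "__main__":
    rec = provisioning_record(SAMPLE_APK)
    mime, props = parse_ndef_record(rec)
    print(mime, len(rec), "bytes")
    for k, v in props.items():
        print(f"  {k} = {v}")
```

Two things worth noting from a defender's side: the checksum must be regenerated every time the APK on the on-premise server changes, or enrollment fails with a checksum mismatch, and the record carries the staging Wi-Fi password in clear text, so the provisioning phone running the Stage app should be treated as holding a credential.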
