Create Managed Google Accounts for Android Enterprise

Note! This setup method is currently not available for Android devices from version 12. 

Is Workspace by Google used in your enterprise? Do your employees already have Google accounts with the company email address and already use other services? If that’s the case, it is a good idea to use Google Accounts to manage your Android devices with the Cortado server. 

Creating Google service account and Google APIs

Transferring Google settings to the Administration Portal

Configuring Android enterprise in the Google Admin console

Creating Google service account and Google APIs

Prerequisite: You need a domain registered with Google with an administrator account. For more information, see https://support.google.com.

• Open the Google Cloud Console: https://console.cloud.google.com/ and login to Google with your Google account (which you also use for the administration of Google Workspace). 

Create project

• First select your organization (left arrow in illus.). This is your primary domain, which must also be entered later in the Cortado Administration Portal.
• Now set up an API project by clicking on New project (right arrow in illus.).

• Enter a project name and click on Create. Wait until a new project has been created. 

• Then select your newly created project (arrow in illus.).

Create service account (incl. P12 certificate)

• Click on the menu (upper arrow in illus.) and select IAM & Admin→ Service accounts (lower arrow in illus.). 

• Now create a Service Account (arrow in illus.). 

• Enter a Service account name (upper arrow in illus.). The Service account ID will be generated in the form of an email address (lower arrow in illus.). It must be entered in the Administration Portal later, under Service account e-mail address (see below).
• Then click on Create and continue (lower arrow in illus.).

• Select the role Owner (upper arrow in illus.) and then click on Continue (lower arrow in illus.).

• In the next window, don't make any further settings. Just click Done (arrow in illus.).

• Select your new service account now (left arrow in illus.) and click Manage keys (lower arrow in illus.) under Actions in the menu on the right (right arrow in illus.).

• In the next window click Add key (upper arrow in illus.) and then Create new key (lower arrow in illus.).

• Select the Key typ: P12 (upper arrow in illus.).
• Then click on Create (lower arrow in illus.).

• This creates a pair that comprises a public and a private key for your service account. Save it in a safe place, because there is no other copy of this key (right arrow in illus.).
• In addition, you will be shown the password of the private key once here (left arrow in illus.). Note the password.
• Then click on Done.
• Certificate and Password must be entered in the Administration Portal later, under Certificate and Password (see below).

Note! This Service Account can be used for both setting up the MDM and also for App Store Account. Alternatively, you can create two separate service accounts. 

Activate APIs

• In the menu (left arrow in illus.) select API Manager and from there under APIs & Services→Library (right arrow in illus.). 

• The API Library will then be displayed.
• Enter Admin SDK in the search bar (arrow in illus.).

• Select Admin SDK in the search results and then click on Enable (arrow in illus.). 

• Then search for the Google Play EMM API in the API Library and add this in the same way.

Note! If you are using two separate service accounts, enable API Admin SDK for the account you use to manage the MDM and enable API Google Play EMM for the account dedicated to App Store Account.

Transferring Google settings to the Administration Portal

• Go to Administration Portal and select Administration→ Settings→ Android Enterprise→ Configure.
• If you are using Google Firebase Cloud Messaging (FCM), copy the server key and the sender ID into the Administration Portal under Server key und Sender ID (upper arrow in illus.).
• As an alternative to FCM, you can define an interval under Device synchronization at which the users’ devices will be regularly synchronized. Policies and profiles will then be pushed to the devices at the specified interval.

Note! Use either Google Firebase Cloud Messaging or the device synchronization.

• Make the following settings for the User account type→ Google Accounts:

• Primary domain: Enter the company domain here that you use for Google Workspace.
• Super admin e-mail address: Enter the email address of the Google Admin account that you also use for Google Workspace.
• Service account e-mail address: Enter the service account ID here.
• Certificate/Password: Here you select the certifikate (.p12) generated during creation of the service account, and enter the corresponding password (notasecret).
• Auto enable users for Android Enterprise while import: Clear this check box if the users are not to be automatically enabled for Android Enterprise during import. This is useful if, for example, email addresses with subdomains are being used or if only some of the users are using Android Enterprise. You have the alternative option to manually enable the users for Android Enterprise under Administration→ Users→ Enable Android Enterprise.
• Create Google account using AD email address: Only mark this checkbox if you want to activate users for Android Enterprise who do not yet have a Google account. A Google account will be created for each of those users during the configuration. The users’ email addresses from the AD are used for this. The email addresses used for the import must have the same Primary Domain as specified above. A subdomain may not be used. You can then manually enable the users for Android Enterprise later, under Administration→ Users→ Enable Android Enterprise.
• Initial Google account password: Set an initial password here for the newly created Google accounts.
• Alternative e-mail address template: Select an alternative here if you don’t want to use the email addresses from the AD for creating the Google accounts.
• If all of the users already have an existing Google account (with the AD email address), you can clear the Create Google account using AD e-mail address checkbox and enable the Auto enable users for Android enterprise while import checkbox.
• SafetyNet: Pleases find this information in our help article: How to configure the Google SafetyNet check.

Configuring Android enterprise in the Google Admin console

• Open the Google Cloud Console (https://console.cloud.google.com) and login with your Google account, that you also use for Google Workspace.
• In the menu, select IAM & admin→ Service accounts (left arrow in illus.).
• Then click in your Service account under Actions on Manage details (upper arrow in illus.).

• Copy the Unique ID into clipboard. 

• Log in to the Admin console under https://admin.google.com with your Google account, that you also use for Google Workspace.
• In the left column click on Security→ Access and data control→ API controls (left arrows in illus.) and then on Manage domain-wide delegation (right arrows in illus.).

• Then click on Add new (arrow in illus.). 

• Now enter the Unique ID in the Client ID field.

• Enter the following fields (comma separated) in the OAuth scopes field:

https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/androidenterprise

Note! If you are using two separate service accounts, use

https://www.googleapis.com/auth/admin.directory.group

and

https://www.googleapis.com/auth/admin.directory.user

for the account you use to manage the MDM and

https://www.googleapis.com/auth/androidenterprise

for  App Store Account.

• In the menu select Devices→ Mobile and endpoints→ Settings→ Third-party integration (left arrows in illus.).
• Click on the pen button on the right side (right arrow in illus.).

• The Enable third-party Android Mobile Management checkbox must not be enabled (left arrow in illus.).
• Click on Add EMM provider (right arrow in illus.).

• Generate Token (arrow in illus.) and then copy it to the clipboard.

Note! Send this token, along with your Service account email address and your primary domain name by e-Mail to: support@cortado.com. We will send you an Enterprise ID. 

Once Cortado has activated MDM for your account, Cortado Mobile Solutions GmbH will appear as your Android EMM provider in the Google Admin Portal (arrow in illus.).

• Enter the Enterprise ID under Administration→ Apps→ App Store Account→ Create→ Android. Please find further information in our help article Create/edit the App Store account for Android apps.