For many Android devices (from version 5.0), you can create a certificate and profile-based MDM. You can find a list of all the supported devices via the following link.
Is G Suite by Google Cloud used in your enterprise? Do your employees already have Google accounts with the company email address and already use Gmail, Google Docs, Google Drive etc.? If that’s the case, it is a good idea to use Google Accounts to manage your Android devices with the Cortado server.
Creating Google service account, Google APIs and Firebase server key
- Open the Google developer console: https://code.google.com/apis/console and login to Google with your Google account (that you also use for G Suite).
- Select your organization (left arrow in illus.).
- Now, set up an API project by clicking on Create project (right arrow in illus.).
- Enter a project name and click on Create. Wait until a new project has been created.
The OAuth consent screen will be shown to users whenever you request access to their private data using your Unique ID.
- Next, open the API manager. Do this from the menu (left arrow in illus.) by clicking on OAuth consent screen (right arrow in illus.) under APIs & Services.
- Set the application type to Internal (upper arrow in illus.).
- Enter at least the product name that will be shown to the users (lower arrow in illus.) and then save the data.
Create service account (incl. P12 certificate)
- Click on the menu (upper arrow in illus.) and select IAM & Admin→ Service accounts (lower arrow in illus.).
- Now create a Service Account.
- Enter a Name (upper arrow in illus.). The Service account ID will be generated in the form of an email address (lower arrow in illus.). It must be entered in the Management console later, under Service account e-mail address (see below).
- Then click on Create.
- Select the role Owner and then click on Continue.
- Select Create key and, as Key type, P12 (right arrow in illus.).
- Then click on Create.
- This creates a pair that comprises a public and a private key for your service account. Save it in a safe place, because there is no other copy of this key (right arrow in illus.).
- In addition, you will be shown the password of the private key once here (left arrow in illus.). Note the password.
- Then click on Done.
- Certificate and Password must be entered in the Management console later, under Certificate and Password (see below).
Note! This Service Account can be used for both setting up the MDM and also for Android VPP. Alternatively, you can create two separate service accounts.
- In the menu (left arrow in illus.) select API Manager and from there under APIs & Services→Library (right arrow in illus.).
- The API Library will then be displayed.
- Enter Admin SDK in the search bar (arrow in illus.).
- Select Admin SDK in the search results and then click on Enable.
- Then search for the Google Play EMM API in the API Library and enable it in the same way.
Note! If you are using two separate service accounts, enable the Admin SDK API for the account you use to manage the MDM and enable the Google Play EMM API for the account dedicated to Android VPP.
Generate Firebase Cloud Messaging Server key
Firebase Cloud Messaging (FCM) (formerly Google Cloud Messaging (GCM)) is a free service with which data can be sent from servers to Android apps. Android MDM uses it to push data to devices. To use FCM you need a server key.
Note for Cortado MDM! Creating a Google Firebase project is optional. Google Firebase Cloud Messaging (FCM) can be used to immediately push policies and profiles to the users’ devices. If FCM is not used, the user devices can be synchronised at intervals determined by you (Automatic Interval Sync).
To obtain such a key, follow these steps:
- Open the website https://console.firebase.google.com and login with your Google admin account for Android Enterprise.
- Then select or import a Google project (arrow in illus.).
- Select your project and your country and then click on Add Firebase.
- Select the Settings (left arrow in illus.) and then click on Project settings (right arrow in illus.).
- Under Cloud Messaging you can find your Server key and your Sender ID. Copy them for the Cortado Management Console.
- In the next step enter the Server key under Google Cloud Messaging API key and the Sender ID under Project number.
Transferring Google settings to the management console
- Go to Management console and select Control Panel→ General Settings→ MDM→ Configure→ Android MDM.
- If you are using Google Firebase Cloud Messaging (FCM), copy the server key and the sender ID into the management console under Server key and Sender ID (upper arrow in illus.).
- As an alternative to FCM, you can define an interval under Automatic Interval Sync (AIS) at which the users’ devices will be regularly synchronised. Policies and profiles will then be pushed to the devices at the specified interval.
Note! Use either Google Firebase Cloud Messaging or Automatic Interval Sync.
Note! The Automatic Interval Sync (AIS) option is not yet available for Cortado Server. Cortado Server users can continue using FCM and enter the Server key and Sender ID in the management console.
- Make the following settings for the User account type→ Google Accounts:
- Primary domain: Enter the company domain here that you use for G Suite.
- Super admin e-mail address: Enter the email address of the Google Admin account that you also use for G Suite.
- Service account e-mail address: Enter the service account ID here.
- Certificate/Password: Here you select the certificate (.p12) generated during creation of the service account, and enter the corresponding password (notasecret).
- Auto enable users for Android Enterprise while import: Clear this check box if the users are not to be automatically enabled for Android Enterprise during import. This is useful if, for example, email addresses with subdomains are being used or if only some of the users are using Android Enterprise. You have the alternative option to manually enable the users for Android Enterprise under Control Panel→ Users→ Enable Android Enterprise.
- Create Google account using AD email address: Only mark this checkbox if you want to activate users for Android Enterprise who do not yet have a Google account. A Google account will be created for each of those users during the configuration. The users’ email addresses from the AD are used for this. The email addresses used for the import must have the same Primary Domain as specified above. A subdomain may not be used. You can then manually enable the users for Android Enterprise later, under Control Panel→ Users→ Enable Android Enterprise.
- Initial Google account password: Set an initial password here for the newly created Google accounts.
- Alternative e-mail address template: Select an alternative here if you don’t want to use the email addresses from the AD for creating the Google accounts.
- If all of the users already have an existing Google account (with the AD email address), you can clear the Create Google account using AD e-mail address checkbox and enable the Auto enable users for Android enterprise while import checkbox.
- SafetyNet: How to configure SafetyNet settings for Google can be found here.
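The import settings above interact in one easily missed way: a Google account is created from an AD address only when the address is in exactly the configured Primary domain, and a subdomain address is rejected. The following is an added example (not Cortado's code) that applies those rules to a list of AD addresses before an import so that the affected users can be spotted in advance. The addresses and the domain are constructed; the function names are the example's own.

```python
# Added example, not part of the Cortado product or its documentation.
# Pre-checks AD email addresses against the "Create Google account using AD
# email address" / "Auto enable users for Android Enterprise while import"
# rules described on the page. All input values below are constructed.
from dataclasses import dataclass


@dataclass
class ImportDecision:
    email: str
    create_google_account: bool
    enable_android_enterprise: bool
    reason: str


def domain_of(email: str) -> str:
    """Return the lower-cased domain part of an address, or '' if it is malformed."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        return ""
    return domain.lower()


def plan_import(emails, primary_domain, create_with_ad_email, auto_enable):
    """Decide, per AD address, what the import would do under the given settings.

    - Exactly the primary domain + create flag set: a Google account is created;
      Android Enterprise is enabled manually afterwards (as the page states).
    - Exactly the primary domain + create flag clear: an existing Google account
      is assumed and auto-enable applies if that checkbox is set.
    - Subdomain or foreign domain: no account is created; such users must be
      enabled manually under Control Panel > Users > Enable Android Enterprise.
    """
    primary = primary_domain.lower()
    decisions = []
    for email in emails:
        dom = domain_of(email)
        if not dom:
            decisions.append(ImportDecision(email, False, False, "malformed address"))
        elif dom == primary:
            if create_with_ad_email:
                decisions.append(ImportDecision(
                    email, True, False, "primary domain: account created, enable manually later"))
            else:
                decisions.append(ImportDecision(
                    email, False, auto_enable, "primary domain: existing Google account assumed"))
        elif dom.endswith("." + primary):
            decisions.append(ImportDecision(
                email, False, False, "subdomain: not allowed for account creation, enable manually"))
        else:
            decisions.append(ImportDecision(
                email, False, False, "foreign domain: no account created, enable manually"))
    return decisions


def needs_attention(decisions):
    """Addresses for which neither creation nor auto-enable would happen."""
    return [d.email for d in decisions
            if not d.create_google_account and not d.enable_android_enterprise]


if __name__ == "__main__":
    # Constructed sample AD addresses for a primary domain of example.com.
    sample = ["alice@example.com", "bob@sub.example.com", "carol@other.com", "broken"]
    for d in plan_import(sample, "example.com", True, False):
        print(f"{d.email:22} create={d.create_google_account!s:5} "
              f"enable={d.enable_android_enterprise!s:5} {d.reason}")
```

Running the check with the "Create Google account using AD email address" setting on shows the subdomain and foreign-domain users that will silently be left without an account; the same list run with that setting off and auto-enable on shows who would be enabled on the assumption that a Google account already exists.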
Configuring Android enterprise in the Google Admin console
- Open the Google developer console (https://code.google.com/apis/console) and login with the Google account that you also use for G Suite.
- In the menu, select IAM & admin→ Service accounts (left arrow in illus.).
- Then, for your Service account, click on Edit under Actions (right arrow in illus.).
- Copy the Unique ID to the clipboard.
- Log in to the Admin console under https://admin.google.com with the Google account that you also use for G Suite.
- Click on Security.
- Then select Advanced settings→ Manage API client access.
- Now copy the Unique ID that you will find in the Google Developer console under IAM & Admin→ Service accounts in your service account details and enter it in the Admin console under Client Name.
- Enter the following fields (comma separated) in the API field:
Note! If you are using two separate service accounts, use https://www.googleapis.com/auth/admin.directory.group and https://www.googleapis.com/auth/admin.directory.user for the account you use to manage the MDM and https://www.googleapis.com/auth/androidenterprise for Android VPP.
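The scopes entered under Manage API client access are the permissions the service account will hold over the whole G Suite directory, so they are worth checking against the exact set the page names for each account before saving. The following is an added example (not Cortado's or Google's code) that parses the comma-separated field value the way the console expects and reports missing, extra and malformed scopes for an MDM-only, VPP-only or combined service account. The over-broad scope in the sample input is a constructed illustration.

```python
# Added example, not part of the Cortado product or its documentation.
# Least-privilege check for the comma-separated scope list entered in the
# Google Admin console under Security > Advanced settings > Manage API
# client access. Sample inputs are constructed.
from urllib.parse import urlsplit

# Scopes named on the page for each use of a service account.
MDM_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/admin.directory.user",
})
VPP_SCOPES = frozenset({
    "https://www.googleapis.com/auth/androidenterprise",
})
EXPECTED = {
    "mdm": MDM_SCOPES,                 # account that manages the MDM
    "vpp": VPP_SCOPES,                 # account dedicated to Android VPP
    "combined": MDM_SCOPES | VPP_SCOPES,  # one account used for both
}


def parse_scope_field(text):
    """Split the field value: comma separated, surrounding whitespace ignored,
    duplicates dropped while preserving order."""
    scopes = []
    for raw in text.split(","):
        scope = raw.strip()
        if scope and scope not in scopes:
            scopes.append(scope)
    return scopes


def is_wellformed_scope(scope):
    """A Google API scope is an https URL on www.googleapis.com under /auth/."""
    parts = urlsplit(scope)
    return (parts.scheme == "https"
            and parts.netloc == "www.googleapis.com"
            and parts.path.startswith("/auth/")
            and len(parts.path) > len("/auth/"))


def check_scopes(field_text, use):
    """Compare the configured scopes with the expected set for `use`
    ('mdm', 'vpp' or 'combined'). Returns missing, extra and malformed
    entries plus an overall ok flag; anything in 'extra' is privilege the
    service account does not need for this setup."""
    configured = parse_scope_field(field_text)
    expected = EXPECTED[use]
    malformed = [s for s in configured if not is_wellformed_scope(s)]
    good = set(configured) - set(malformed)
    return {
        "missing": sorted(expected - good),
        "extra": sorted(good - expected),
        "malformed": malformed,
        "ok": not malformed and good == expected,
    }


if __name__ == "__main__":
    # Constructed field value for an MDM-only account: one scope is missing and
    # the cloud-platform scope is far broader than this setup needs.
    field = ("https://www.googleapis.com/auth/admin.directory.user, "
             "https://www.googleapis.com/auth/cloud-platform")
    for key, value in check_scopes(field, "mdm").items():
        print(f"{key:10} {value}")
```

The "extra" list is the one to act on: a scope that is not in the expected set grants the service account access the MDM integration never uses, and since the same P12 key (with the fixed password shown earlier) authorises every scope in the list, over-provisioning here widens the blast radius of a leaked key.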
- In the menu, select: Security→ Show more→ Manage EMM provider for Android. Generate Token and then copy it to the clipboard.
Note! Send this token, along with your Service account ID and your domain name, by e-mail to: firstname.lastname@example.org. We will send you an Enterprise ID.
- Enter the Enterprise ID under Control Panel→ Apps & Docs→ VPP Accounts→ Create→ Android.
- After the Android VPP account has been created in the Cortado Management console, your Service account e-mail address is displayed in the Google Admin console (upper arrow in illus.).
Note! Please be aware that the Enforce EMM policies on Android devices checkbox must not be checked (lower arrow in illus.).