Comment thread for the following:
Android Enterprise FAQ | Jason Bayton
Great stuff Jason. Here are some FAQs that I get almost every day:
Q. Does Zero Touch cost anything?
A. No, it costs zero, from Google at least. Reseller partners can choose to charge for this service, or bundle it as part of other offerings if they choose to do so.
Q. If I have Zero Touch from Google, do I still need an EMM?
A. Yes of course. Zero Touch is just a provisioning method that deploys an EMM agent to your device, over the air (OTA) to enrol into a Fully Managed Device profile using Android Enterprise (not legacy Device Admin) APIs. Google do not provide a free EMM solution.
Q. If I want to use Android Enterprise do I need to buy G Suite and register my domain?
A. No. Unless you are already a G Suite customer, you can use your EMM console to register a new Android Enterprise organisation and your EMM will create unique and generic Managed Google Play service accounts on each Android device, that allow you to sign into the Google Play Store and receive EMM policies. These accounts are silently added to the device. You do not need to configure your domain, create users, or manage the authentication to services like Active Directory.
Q. If I already have devices that I have purchased and I want to configure them later for Zero Touch, can I upload these myself to the Zero Touch portal?
A. No. Only a reseller has the ability to upload devices since it is their obligation to ensure that the device identifiers (IMEI or serial) are correct and that you own the devices, not another organisation or an employee. If you do own these devices, can prove this, and can supply accurate device identifiers, please discuss this with your preferred reseller for assistance. It is up to the reseller if they wish to perform this for you since there are consequences for resellers who upload incorrect data to the Zero Touch portal.
Q. I use Samsung Knox, does this mean I can’t use Android Enterprise?
A. No. Since Android 5.x (Lollipop), like all other OEMs, you have been able to deploy a free Work Profile or enrol into a Fully Managed Device using Samsung devices and your preferred EMM solution. Since Android 8.0, Samsung have further improved this integration by having the Knox Workspace container use the Android Enterprise “Profile Owner” APIs to create the Workspace. This avoids having two competing container solutions on Samsung Android devices, simplifying choices for customers. Customers can optionally select to activate a Knox Platform for Enterprise license to enable premium features to the device. Knox PfE contains all of the APIs from the previously separate Knox Standard, Knox Custom and Knox Premium SDKs.
Q. Samsung does not support Zero Touch, so does that mean I can’t enrol a Samsung device over the air into Android Enterprise?
A. No, Knox Mobile Enrolment has full support for Android Enterprise, so you don’t need to use Zero Touch on a Samsung Device. With supported EMMs and the minimum Knox version, you can use KME to deploy an Android Enterprise Fully Managed Device.
Q. Can I use Zero Touch to configure my employee owned BYOD devices?
A. No, Zero Touch is only for corporate owned devices.
Fully integrated these @Gerard_Kennedy, thanks!
Also merged the ZT FAQ into this one.
It appears under ZT that there is no explicit opting into the Google Terms of Service or Privacy Statement. Is this somehow implicit? Is there a Google public statement regarding this? Thanks.
Good question! It’s an all-or-nothing tied in with the terms provided by the organisation. No opt out as of right now. I’ll update when I know more.
Jason, do you know if it is possible to see the location of device(s) when they are enrolled in Android Enterprise? And also the timeline activity of the device(s)? And if so, how is it done?
Two points from my side to help you keep the FAQ content up to date:
- VMware supports Device Administrator to Android Enterprise migration as of version Workspace ONE UEM 1907 | July 18 2019 (Android (Legacy) Device Administrator Migration)
- VMware supports SSO for legacy Kerberos/IWA apps on Android with Mobile SSO and with Identity Bridging feature on Unified Access Gateway. No 3rd party software is necessary. (Configuring Web Reverse Proxy and Identity Bridging in VMware Unified Access Gateway: VMware Workspace ONE Operational Tutorial | VMware)
Updated the first question, but VMware isn’t native Kerberos, nor is it vendor agnostic. All the same it’s mentioned here so folks will see VMware has a solution.
Great stuff! Thanks for summing up so much useful info.
One question: what about backup/restore procedures for COPE devices? I see that backup of personal profile is straightforward, but what about work profile data? Any good solution there, in case an employee needs to replace his phone?