Configure Google service account

In the second stage of the setup procedure for Android for Work, you create and configure a Google service account.

Prerequisite: You have a domain administrator account for your Android for Work domain.

A Google service account is a special type of Google account for an application. This account is used by Sophos Mobile Control to communicate with the Google Android for Work API.

Create a project:

  1. Click the following link https://console.developers.google.com/apis/library to open the Google API console. Log in with the credentials of your domain administrator account.
  2. In the header bar of the Google API console, click Project > Create project.
    If you already have a project, the header bar shows the project name instead of the word Project.
  3. In the New project dialog, enter a project name, for example Android for Work, and then click Create.

Enable the required APIs:

  1. On the menu sidebar, click Library, and then enter the string admin sdk in the search field.
  2. In the search result list, click Admin SDK.
  3. At the top of the Admin SDK page, click Enable.
  4. Click Library again and repeat the previous three steps for the Google Play EMM API.
    This time, use emm as a search string.

Create a service account:

  1. On the Google Play EMM API page, click Go to Credentials.
  2. In step one of the Add credentials to your project page, click the service account link.
  3. On the Service Accounts page, click Create Service Account.
  4. In the Create service account dialog box, enter the following settings:
    1. In Name, enter a name to identify the service account, for example Android for Work.
    2. Select Furnish a new private key and then select JSON.
    3. Select Enable G Suite Domain-wide Delegation.
    4. In Product name for the consent screen, enter for example Android for Work.
    When you click Create, the private key for your service account is generated and saved to your computer in a JSON file.
    Note: Store the JSON file in a secure location. You need it to bind Sophos Mobile Control to your Android for Work domain.

Configure API access:

  1. Click the following link https://admin.google.com to open the Google Admin console and log in with the credentials of your domain administrator account.
  2. Click Security and then click Advanced settings.
    Tip: You may need to click Show more to display Advanced settings.
  3. Click Manage API client access.
  4. Open the JSON file in a text editor and copy the client_id value into the Client Name field.
    For example, if your JSON file contains a line
    "client_id": "123456789",
    then enter 123456789 in the Client Name field.
  5. In the One or more API Scopes field, enter the following two URLs, separated by a comma:
    https://www.googleapis.com/auth/admin.directory.user,
    https://www.googleapis.com/auth/androidenterprise
  6. Click Authorize.
You can now bind Sophos Mobile Control to your Android for Work domain. See Bind Sophos Mobile Control to your domain.