Set up Android Enterprise (Managed Google Domain scenario)

If you already have a Managed Google Domain or if you want to manage the accounts of your Android Enterprise users outside Sophos Mobile, set up Android Enterprise with the Managed Google Domain scenario.

To set up Android Enterprise with the Managed Google Domain scenario, do as follows.

Register domain with Google

Note: If you already have a Managed Google Domain, for example because you have signed up for G Suite (formerly Google Apps), you can skip this step.

  1. Open Google’s Sign up for Android Enterprise web page.

    You can find the link in related information.

  2. Enter the required information.
    • Under What’s your business’s domain name?, enter the domain that will be used as the Managed Google Domain. For example, you could use the domain of your Sophos Mobile server.
    • Under How you’ll sign in, enter the credentials for a new domain administrator.
      Note: Make a note of the credentials, as you will need them later in the setup procedure.
  3. Click the button to create the domain administrator account.
    This opens the Google Admin console.
  4. In the Google Admin console, start the procedure to verify your domain ownership.
    Follow the instructions provided by Google to verify your domain.
After your domain ownership is verified, you receive a token to connect your Managed Google Domain with your third-party EMM provider, that is, with Sophos Mobile.

Create Google service account

A Google service account is a special type of Google account for an application. This account is used by Sophos Mobile to communicate with the Google APIs.

Create a project:

  1. Sign in to the Google API console with your domain administrator account.

    You can find the link in related information.

  2. In the header bar of the Google API console, click Select a project > New project.
    If there’s already a project selected, click its name and then New project.
  3. In the New project dialog, enter a project name, for example Android Enterprise, and then click Create.
  4. Optional: If the header bar shows another project, click its name and then select the new project.

Enable the Admin SDK API:

  1. Click the Navigation menu button in the top left corner and then APIs & Services > Library.
  2. On the Welcome to the API Library page, enter the string admin sdk in the search field.
  3. In the search result list, click Admin SDK.
  4. On the Admin SDK page, click Enable.

Enable the Google Play EMM API:

  1. On the Welcome to the API Library page, enter the string emm in the search field.
  2. In the search result list, click Google Play EMM API.
  3. On the Google Play EMM API page, click Enable.

Create a service account:

  1. On the Google Play EMM API page, click Create credentials.
  2. In step one of the Add credentials to your project page, click the service account link.
  3. On the Service Accounts page, click Create Service Account.
  4. In Service account name, enter a name to identify the service account, for example Android Enterprise.
  5. Click Create.
  6. On the Service account permissions page, click Continue.
  7. On the Grant users access to this service account page, click Create key.
  8. Select JSON and then click Create.

    The private key for your service account is generated and saved to your computer in a JSON file.

    Store the JSON file in a secure location. You need it to bind Sophos Mobile to your Managed Google Domain.

  9. Click Done.
  10. On the Service accounts page, click the email address of the service account you’ve created.
  11. On the Service account details page, click Edit.
  12. Expand the Show domain-wide delegation section and then select Enable G Suite Domain-wide Delegation.
  13. In Product name for the consent screen, enter a name, for example Sophos Mobile.
  14. Click Save.

Configure API access:

  1. Sign in to the Google Admin console with your domain administrator account.

    You can find the link in related information.

  2. Click Security > Advanced settings.

    You may need to click Show more to display Advanced settings.

  3. Click Manage API client access.
  4. Open the JSON file in a text editor and copy the client_id value into the Client Name field.
    For example, if your JSON file contains a line "client_id": "123456789", then enter 123456789 in the Client Name field.
  5. In One or more API Scopes, enter the following (without a line break):

    https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/androidenterprise

  6. Click Authorize.
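
A preflight check for the downloaded key file, run before you copy its client_id into the Client Name field and upload the file to Sophos Mobile. This is an added example, not part of the Sophos documentation; the function name check_key_file, the list of required fields and the sample key values are assumptions made here.

```python
import json
import os
import stat
import tempfile

# Scopes from step 5 above; the console field takes them on one line.
SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/androidenterprise",
)
REQUIRED = ("type", "client_id", "client_email", "private_key")  # assumed minimum


def check_key_file(path):
    """Return (client_id, scope_line, problems) for a downloaded key file."""
    problems = []
    scope_line = ", ".join(SCOPES)
    if not path.lower().endswith(".json"):
        problems.append("file name does not end in .json")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & 0o077:
        problems.append(f"mode {mode:03o} exposes the private key to other users")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except ValueError as exc:
        return None, scope_line, problems + [f"not valid JSON: {exc}"]
    if not isinstance(key, dict):
        return None, scope_line, problems + ["top-level JSON value is not an object"]
    problems += [f"missing field: {name}" for name in REQUIRED if not key.get(name)]
    if key.get("type") not in (None, "service_account"):
        problems.append(f"type is {key['type']!r}, not 'service_account'")
    client_id = key.get("client_id")
    return (str(client_id) if client_id else None), scope_line, problems


if __name__ == "__main__":
    # Constructed sample key; every value is a placeholder, not a real credential.
    sample = {"type": "service_account", "client_id": "123456789",
              "client_email": "emm@example.iam.gserviceaccount.com", "private_key": "PLACEHOLDER"}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "key.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)  # deliberately too open, to show the warning
        client_id, scope_line, problems = check_key_file(path)
        print("Client Name:", client_id)
        print("API Scopes: ", scope_line)
        print("Warnings:   ", problems)
```
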

Bind Sophos Mobile to your Managed Google Domain

  1. Sign in to Sophos Central Admin and go to Mobile.
  2. On the menu sidebar, under SETTINGS, select Setup > Android setup and then the Android Enterprise tab.
  3. Click Configure.
  4. Select the “Managed Google Domain” scenario and then click Next.
  5. Configure the following settings:
    Option: Description
    • Business domain: Your Managed Google Domain that has been verified with Google.
    • Domain administrator: The name of your domain administrator account. This is the administrator that you created when you registered your domain with Google.
    • EMM token: The token that you received from Google after you verified your domain ownership.

    You can view the token when you sign in to the Google Admin console with your domain administrator account and go to Security > Manage EMM provider for Android.

  6. Click Upload a file and select the JSON file that you downloaded from Google when creating the service account.
    The JSON file that you select must have the extension .json.
  7. Click Bind.
Sophos Mobile contacts the Google web service to bind itself as an EMM provider to your Managed Google Domain.

Configure Google EMM settings

  1. Sign in to the Google Admin console with your domain administrator account.

    You can find the link in related information.

  2. Click Security and then click Manage EMM provider for Android.

    You may need to click Show more to display Manage EMM provider for Android.

  3. Under General Settings, select Enforce EMM policies on Android devices.