Set up Android Enterprise (Managed Google Domain scenario)

If you already have a Managed Google Domain or if you want to manage the accounts of your Android Enterprise users outside Sophos Mobile, set up Android Enterprise with the Managed Google Domain scenario.

Restriction

If your organization has multiple domains added to its Google Workspace account, you can bind only one of them to Sophos Mobile. Users with an email address at one of the other domains can’t enroll devices with Sophos Mobile.

Note

After you’ve set up Android Enterprise, you can’t change the user management mode, for example from internal user management to an external LDAP directory.

To set up Android Enterprise with the Managed Google Domain scenario, do as follows.

Register domain with Google

If you already have a Managed Google Domain, for example because you have signed up for Google Workspace, you can skip this step.

Note

If you want to configure Android Enterprise for more than one customer in Sophos Mobile, you need a separate domain for each customer.

  1. Open Google’s Sign up for Android Enterprise web page.
  2. Enter the required information.

    • Under What’s your business’s domain name?, enter the domain that will be used as the Managed Google Domain.

      For example, you could use the domain of your Sophos Mobile server.

    • Under How you’ll sign in, enter the credentials for a new domain administrator.

      Make a note of the credentials as you will need them later in the setup procedure.

  3. Click the button to create the domain administrator account.

    This opens the Google Admin console.

  4. In the Google Admin console, start the procedure to verify your domain ownership.

    Follow the instructions provided by Google to verify your domain.

Create Google service account

A Google service account is a special type of Google account for an application. This account is used by Sophos Mobile to communicate with the Google APIs.

Create a project

  1. Sign in to the Google API console with your domain administrator account.
  2. In the header bar of the Google API console, click Select a project > New project.

    If there’s already a project selected, click its name and then New project.

  3. In the New project dialog, enter a project name, for example Android Enterprise, and then click Create.

  4. Optional: If the header bar shows another project, click its name and then select the new project.

Enable the Admin SDK API

  1. Click the Navigation menu button in the top left corner and then APIs & Services > Library.
  2. On the Welcome to the API Library page, enter the string admin sdk in the search field.
  3. In the search result list, click Admin SDK API.
  4. On the Admin SDK API page, click Enable.

Enable the Google Play EMM API

  1. On the Welcome to the API Library page, enter the string emm in the search field.
  2. In the search result list, click Google Play EMM API.
  3. On the Google Play EMM API page, click Enable.

Create a service account

  1. In the left-hand menu of the Google Play EMM API page, click Credentials.
  2. Click Create credentials > Service account.
  3. Under Service account details, enter a name to identify the service account, for example Android Enterprise.
  4. Click Create and continue.
  5. Under Grant this service account access to the project, click Continue.
  6. Under Grant users access to this service account, click Done.
  7. In the Actions column of the service accounts list, click Manage keys next to the account you just created.
  8. Click Add key > Create new key.
  9. Select JSON and click Create.

    The private key for your service account is generated and saved to your computer in a JSON file.

    Store the JSON file in a secure location. You need it to bind Sophos Mobile to your Managed Google Domain.

  10. Click Close.

Configure API access

  1. Sign in to the Google Admin console with your domain administrator account.
  2. Click Security > Access and data control > API controls.
  3. Under Domain wide delegation, click Manage domain wide delegation.
  4. Click Add new.
  5. Open the JSON file in a text editor and copy the client_id value into the Client ID field.

    For example, if your JSON file contains a line "client_id": "123456789", then enter 123456789 in the Client ID field.

  6. In OAuth scopes, enter the following on a single line (without a line break):

    https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/androidenterprise

  7. Click Authorize.
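As an added example (not part of the Sophos documentation), the following Python helper validates the downloaded service-account key file before you copy its client_id into the Client ID field and later upload it to Sophos Mobile: it checks that the file is a Google service-account key with the expected fields, refuses a key file that other users on the host can read, and builds the OAuth scopes line exactly as step 6 expects. The sample key is constructed with placeholder values; the field names are those of Google's standard service-account key format.

```python
import json
import stat
from pathlib import Path

# Fields every Google service-account key file carries; a file missing any of
# them is not a usable key and should not be uploaded to Sophos Mobile.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "client_id")
# The two OAuth scopes authorized for the service account; the domain-wide
# delegation form expects them on one comma-separated line.
SCOPES = ("https://www.googleapis.com/auth/admin.directory.user",
          "https://www.googleapis.com/auth/androidenterprise")


def scope_string(scopes=SCOPES):
    """Return the scopes as the single line the Google Admin form expects."""
    return ", ".join(scopes)


def parse_key_file(text):
    """Validate service-account key JSON and return its client_id."""
    data = json.loads(text)
    if not isinstance(data, dict) or data.get("type") != "service_account":
        raise ValueError("not a service-account key file")
    missing = [f for f in REQUIRED_FIELDS if not data.get(f)]
    if missing:
        raise ValueError("key file is missing: " + ", ".join(missing))
    if "BEGIN PRIVATE KEY" not in data["private_key"]:
        raise ValueError("private_key is not a PEM-encoded key")
    return data["client_id"]


def check_key_file(path):
    """Check extension and file permissions, then parse the key file.
    Sophos Mobile only accepts a .json extension; the key grants API access
    to the whole domain, so it must not be readable by other users."""
    p = Path(path)
    if p.suffix != ".json":
        raise ValueError("key file must have a .json extension: " + p.name)
    mode = stat.S_IMODE(p.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s is group/world accessible (mode %o)" % (p, mode))
    return parse_key_file(p.read_text())


# Constructed sample key with placeholder values (not a real Google key file).
SAMPLE_KEY = json.dumps({
    "type": "service_account", "project_id": "android-enterprise-example",
    "private_key_id": "PLACEHOLDER_KEY_ID", "client_id": "123456789",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "android-enterprise@example.iam.gserviceaccount.com"})
```

Run `check_key_file("/path/to/downloaded-key.json")` on the real file to get the client_id while confirming the file is not exposed to other accounts on the machine.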

Configure mobile management in Google Admin

In Google Admin, you must configure mobile management and generate a binding token for Sophos Mobile.

  1. On the Google Admin console start page, click Devices.

  2. In the left-hand pane, click Mobile and endpoints > Settings > Universal settings.

  3. Expand General.

  4. Check that Mobile management is Basic or Unmanaged.

  5. If Mobile management is Basic: Click Edit next to Password requirements.

  6. Turn off Require users to set a password.

  7. In the left-hand pane, click Mobile and endpoints > Settings > Third-party integrations.

  8. Click Edit next to Android EMM.

  9. Turn on Enable third-party Android mobile management.

  10. Click Add EMM providers.

  11. Click Generate token.
  12. Click Copy next to the token to copy it to the clipboard.

  13. Save the token temporarily. Later in this procedure, you must enter it in Sophos Mobile Admin.

  14. Click Close in the top left of Manage EMM providers.

  15. Click Save.

  16. Click Save anyway.

Bind Sophos Mobile to your Managed Google Domain

  1. Sign in to Sophos Mobile Admin.
  2. On the menu sidebar, under SETTINGS, select Setup > Google setup and then the Android Enterprise tab.
  3. Click Configure.
  4. Select the “Managed Google Domain” scenario and then click Next.
  5. Configure the following settings:

    • Business domain: Your Managed Google Domain, whose ownership you have verified with Google.
    • Domain administrator: The name of your domain administrator account. This is the administrator that you created when you registered your domain with Google.
    • EMM token: The token that you generated in Google Admin.
  6. Click Upload a file and select the JSON file that you downloaded from Google when creating the service account.

    The JSON file that you select must have the file extension .json.

  7. Click Bind.

Sophos Mobile contacts the Google web service to bind itself as an EMM provider to your Managed Google Domain.