
Set up Android Enterprise (Managed Google Domain scenario)

If you already have a Managed Google Domain or if you want to manage the accounts of your Android Enterprise users outside Sophos Mobile, set up Android Enterprise with the Managed Google Domain scenario.

Note

If you don’t already have a Managed Google Domain, we recommend you set up Android Enterprise with the Managed Google Play Account scenario. See Set up Android Enterprise (Managed Google Play Account scenario).

Restriction

If your organization has multiple domains added to its Google Workspace account, you can bind only one of them to Sophos Mobile. Users whose email address belongs to one of the other domains can't enroll devices with Sophos Mobile.

To set up Android Enterprise with the Managed Google Domain scenario, do as follows.

Register domain with Google

Skip this step if you already have a Managed Google Domain, for example, because you signed up for Google Workspace.

  1. Sign up for Google’s Cloud Identity Free service. See Sign up for Cloud Identity Free.
  2. Sign in to the Google Admin console.
  3. Go to Billing > Get more services > Devices & Browser and add the Android management service.


  4. Optional: Go to Billing > Subscriptions and cancel the Cloud Identity subscription.

Create Google service account

A Google service account is a special type of Google account that represents an application rather than a person. Sophos Mobile uses this account to authenticate to the Google APIs and act in your domain.

Create a project

  1. Sign in to the Google Cloud console with your domain administrator account.
  2. In the header bar of the Google Cloud console, click Select a project > New project.

    If there’s already a project selected, click its name and then New project.

  3. In the New project dialog, enter a project name, for example Android Enterprise, and then click Create.

  4. Optional: If the header bar shows another project, click its name and then select the new project.

Enable the Admin SDK API

  1. Click the Navigation menu button in the top left corner and then APIs & Services > Library.
  2. On the Welcome to the API Library page, enter the string admin sdk in the search field.
  3. In the search result list, click Admin SDK API.
  4. On the Admin SDK API page, click Enable.

Enable the Google Play EMM API

  1. On the Welcome to the API Library page, enter the string emm in the search field.
  2. In the search result list, click Google Play EMM API.
  3. On the Google Play EMM API page, click Enable.

Create a service account

  1. In the left-hand menu of the Google Play EMM API page, click Credentials.
  2. Click Create credentials > Service account.
  3. Under Service account details, enter a name to identify the service account, for example Android Enterprise.
  4. Click Create and continue.
  5. Under Grant this service account access to the project, click Continue.
  6. Under Grant users access to this service account, click Done.
  7. In the Actions column of the service accounts list, click Manage keys next to the account you just created.
  8. Click Add key > Create new key.
  9. Select JSON and click Create.

    The private key for your service account is generated and saved to your computer in a JSON file. Google keeps no copy of the private key, so this file cannot be downloaded again.

    Treat the file as a secret: together with the domain-wide delegation you grant below, anyone holding it can act on your domain administrator's behalf within the authorized scopes. Store it in a secure location (for example a secrets manager or an access-restricted folder), never commit it to source control or share it by email, and if you suspect it has been exposed, delete the key under Manage keys and create a new one. You need the file to bind Sophos Mobile to your Managed Google Domain.

  10. Click Close.

Configure API access

  1. Sign in to the Google Admin console with your domain administrator account.
  2. Click Security > Access and data control > API controls.
  3. Under Domain wide delegation, click Manage domain wide delegation.
  4. Click Add new.
  5. Open the JSON file in a text editor and copy the client_id value into the Client ID field.

    For example, if your JSON file contains a line "client_id": "123456789", then enter 123456789 in the Client ID field.

  6. In OAuth scopes, enter the following two scopes on a single line, separated by a comma:

    https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/androidenterprise

    Grant only these two scopes. Domain-wide delegation lets the service account act as any user in the domain within the scopes you list here, so every additional scope widens what a leaked key file could be used for.

  7. Click Authorize.
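As an added example, not part of the Sophos documentation or of the Sophos Mobile product, the following Python script (standard library only) performs the checks a practitioner would want on the downloaded key file before pasting its client_id into the Admin console and uploading the file in Sophos Mobile: it verifies the file is a service-account key with the fields the bind relies on, extracts the Client ID and the comma-separated scope string, checks that the file is readable only by its owner, and builds the claim set that an EMM signs with the private key to obtain a delegated access token. The key file embedded in the script is constructed for the example (placeholder private key, made-up project and addresses), and the JWT claim set follows Google's documented service-account flow for domain-wide delegation; it is not Sophos Mobile's own code, which is not visible here.

```python
"""Pre-flight checks for a Google service-account key before binding an EMM.

Added example, not part of the Sophos documentation or product. Standard
library only. The key file below is CONSTRUCTED: the private key is a
placeholder, and project, client ID and e-mail addresses are made up.
"""
import base64
import json
import os
import stat
import time

# The two OAuth scopes the procedure authorizes under domain-wide delegation.
REQUIRED_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/androidenterprise",
)

# Fields Google writes into a service-account key that the bind depends on.
REQUIRED_FIELDS = ("type", "client_id", "client_email", "private_key", "token_uri")

# Constructed sample key file: same field names as a real key, fake values.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "android-enterprise-example",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n"
                   "-----END PRIVATE KEY-----\n",
    "client_email": "android-enterprise@android-enterprise-example.iam.gserviceaccount.com",
    "client_id": "123456789",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def load_service_account_key(text):
    """Parse the key file and fail early, with a specific message, if it is not
    a usable service-account key."""
    key = json.loads(text)
    missing = [f for f in REQUIRED_FIELDS if not key.get(f)]
    if missing:
        raise ValueError("key file is missing fields: " + ", ".join(missing))
    if key["type"] != "service_account":
        raise ValueError("not a service-account key (type=%r)" % key["type"])
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PEM PKCS#8 block")
    if not key["client_id"].isdigit():
        raise ValueError("client_id should be numeric; it is the Client ID for domain-wide delegation")
    return key


def delegation_client_id(key):
    """Value to paste into the Client ID field under Manage domain wide delegation."""
    return key["client_id"]


def delegation_scope_string():
    """Scope list as the Admin console expects it: comma-separated, one line."""
    return ", ".join(REQUIRED_SCOPES)


def file_is_private(path):
    """True if the key file has no group/other permission bits (owner-only)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def delegated_jwt_claims(key, admin_email, now=None):
    """Build the JWT claim set an EMM signs with the private key to get an
    access token on behalf of the domain administrator. This is Google's
    documented service-account flow (assumption: the EMM uses it as published);
    the RS256 signature step is left out so the example runs without a real key."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": key["client_email"],          # the service account itself
        "sub": admin_email,                  # the admin it impersonates: the delegation
        "scope": " ".join(REQUIRED_SCOPES),  # space-separated here, comma-separated in the console
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + 3600,                   # Google rejects assertions valid longer than 1 hour
    }
    header = {"alg": "RS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    return claims, signing_input


if __name__ == "__main__":
    key = load_service_account_key(SAMPLE_KEY_JSON)
    print("Client ID for domain-wide delegation:", delegation_client_id(key))
    print("OAuth scopes:", delegation_scope_string())
    claims, _ = delegated_jwt_claims(key, "admin@example.com")
    print("Claim set the EMM would sign:", json.dumps(claims, indent=2))
```

To check a real file, replace SAMPLE_KEY_JSON with the contents of the downloaded .json file and run file_is_private on its path; a key that lives in a world-readable download folder is the kind of exposure the "store it securely" note above is warning about.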

Configure mobile management in Google Admin

In Google Admin, you must configure mobile management and generate a binding token for Sophos Mobile.

  1. On the Google Admin console start page, click Devices.


  2. In the left-hand pane, click Mobile and endpoints > Settings > Universal settings.


  3. Expand General.


  4. Check that Mobile management is Basic or Unmanaged.


  5. If Mobile management is Basic: Click Edit next to Password requirements.


  6. Turn off Require users to set a password.

    This prevents Google's basic mobile management from enforcing its own password rule alongside the third-party EMM; device password requirements are then set by the EMM's policies instead.

  7. In the left-hand pane, click Mobile and endpoints > Settings > Third-party integrations.


  8. Click Edit next to Android EMM.


  9. Turn on Enable third-party Android mobile management.


  10. Click Add EMM providers.

  11. Click Generate token.
  12. Click Copy next to the token to copy it to the clipboard.


  13. Save the token temporarily, in a place that is not shared or logged. Later in this procedure, you enter it in Sophos Mobile Admin; the token authorizes the binding, so discard your copy once the bind has succeeded.

  14. Click Close in the top left of Manage EMM providers.


  15. Click Save.


  16. Click Save anyway.


Bind Sophos Mobile to your Managed Google Domain

  1. In Sophos Central Admin, go to My Products > Mobile.
  2. On the menu sidebar, select Setup > Google setup and then the Android Enterprise tab.
  3. Click Configure.
  4. Select “Managed Google Domain” scenario and then click Next.
  5. Configure the following settings:

    • Business domain: Your Managed Google Domain, as verified with Google.
    • Domain administrator: Your domain administrator account. This is the administrator account you created when you registered your domain with Google, and the account on whose behalf the service account acts.
    • EMM token: The token you generated in Google Admin.
  6. Click Upload a file and select the JSON file that you downloaded from Google when creating the service account.

    The file you select must have the .json extension. Upload the key file you downloaded from the Google Cloud console, not a copy whose contents were edited; Sophos Mobile needs the private_key and client_email it contains.

  7. Click Bind.

Sophos Mobile contacts the Google web service to bind itself as an EMM provider to your Managed Google Domain.