Set up Android Enterprise (Managed Google Domain scenario)

If you already have a Managed Google Domain or if you want to manage the accounts of your Android Enterprise users outside Sophos Mobile, set up Android Enterprise with the Managed Google Domain scenario.

Note

If you don’t already have a Managed Google Domain, we recommend you set up Android Enterprise with the Managed Google Play Account scenario. See Set up Android Enterprise (Managed Google Play Account scenario).

Restriction

If your organization has multiple domains added to their Google Workspace account, you can bind only one to Sophos Mobile. Users with an email address at one of the other domains can’t enroll devices with Sophos Mobile.

To set up Android Enterprise with the Managed Google Domain scenario, do as follows.

Register domain with Google

Skip this step if you already have a Managed Google Domain, for example, because you signed up for Google Workspace.

Sign up for Google’s Cloud Identity Free service. See Sign up for Cloud Identity Free.
Sign in to the Google Admin console.
Go to Billing > Get more services > Devices & Browser and add the Android management service.

The following screenshot shows the location of the items to select.
Optional: Go to Billing > Subscriptions and cancel the Cloud Identity subscription.

Create Google service account

A Google service account is a special type of Google account for an application. This account is used by Sophos Mobile to communicate with the Google APIs.

Create a project

Sign in to the Google Cloud console with your domain administrator account.
In the header bar of the Google Cloud console, click Select a project > New project.

If there’s already a project selected, click its name and then New project.
In the New project dialog, enter a project name, for example Android Enterprise, and then click Create.
Optional: If the header bar shows another project, click its name and then select the new project.

Enable the Admin SDK API

Click the Navigation menu button in the top left corner and then APIs & Services > Library.
On the Welcome to the API Library page, enter the string admin sdk in the search field.
In the search result list, click Admin SDK API.
On the Admin SDK API page, click Enable.

Enable the Google Play EMM API

On the Welcome to the API Library page, enter the string emm in the search field.
In the search result list, click Google Play EMM API.
On the Google Play EMM API page, click Enable.

Create a service account

In the left-hand menu of the Google Play EMM API page, click Credentials.
Click Create credentials > Service account.
Under Service account details, enter a name to identify the service account, for example Android Enterprise.
Click Create and continue.
Under Grant this service account access to the project, click Continue.
Under Grant users access to this service account, click Done.
In the Actions column of the service accounts list, click Manage keys next to the account you just created.
Click Add key > Create new key.
Select JSON and click Create.

The private key for your service account is generated and saved to your computer in a JSON file.

Store the JSON file in a secure location. You need it to bind Sophos Mobile to your Managed Google Domain.
Click Close.

Configure API access

Sign in to the Google Admin console with your domain administrator account.
Click Security > Access and data control > API controls.
Under Domain wide delegation, click Manage domain wide delegation.
Click Add new.
Open the JSON file in a text editor and copy the client_id value into the Client ID field.

For example, if your JSON file contains a line "client_id": "123456789", then enter 123456789 in the Client ID field.
In OAuth scopes, enter the following (without line break):

https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/androidenterprise
Click Authorize.

Configure mobile management in Google Admin

In Google Admin, you must configure mobile management and generate a binding token for Sophos Mobile.

On the Google Admin console start page, click Devices.
In the left-hand pane, click Mobile and endpoints > Settings > Universal settings.
Expand General.
Check that Mobile management is Basic or Unmanaged.
If Mobile management is Basic: Click Edit next to Password requirements.
Turn off Require users to set a password.
In the left-hand pane, click Mobile and endpoints > Settings > Third-party integrations.
Click Edit next to Android EMM.
Turn on Enable third-party Android mobile management.
Click Add EMM providers.
Click Generate token.
Click Copy next to the token to copy it to the clipboard.
Save the token temporarily. Later in this procedure, you must enter it in Sophos Mobile Admin.
Click Close in the top left of Manage EMM providers.
Click Save.
Click Save anyway.

Bind Sophos Mobile to your Managed Google Domain

In Sophos Central Admin, go to My Products > Mobile.
On the menu sidebar, select Setup > Google setup and then the Android Enterprise tab.
Click Configure.
Select “Managed Google Domain” scenario and then click Next.
Configure the following settings:
- Business domain: Your Managed Google Domain that has been verified to Google.
- Domain administrator: The name of your domain administrator account. This is the administrator that you created when you registered your domain with Google.
- EMM token: The token that you generated in Google Admin.
Click Upload a file and select the JSON file that you downloaded from Google when creating the service account.

The JSON file that you select must have an extension .json.
Click Bind.

Sophos Mobile contacts the Google web service to bind itself as an EMM provider to your Managed Google Domain.