12.3 Enrolling Devices

12.3.1 Prerequisites

Before enrolling the devices in the work profile mode, you need to ensure the following:

Mandatory Settings

Optional Settings

  • Invite users to enroll their devices.

12.3.2 Creating and Assigning Android Enterprise Enrollment Policy

While assigning this policy, you need to ensure that it is assigned to the same set of users who are part of the user context associated with the Android Enterprise Subscription. To create an Android Enterprise Enrollment Policy:

  1. Click Policies in the left hand pane in ZCC.

  2. Click New > Policy.

  3. Select Mobile and click Next.

  4. Select Android and click Next.

  5. Retain the default selection, Android Enterprise Enrollment Policy, and click Next.

  6. Specify a policy name, a policy folder and a short description of the policy. Click Next.

  7. Review the summary page and click Finish.

To assign this policy to relevant users:

  1. In the Policies panel, select the policy you want to assign.

  2. Click Action > Assign to User.

  3. Follow the prompts to assign the policy.

When you complete the wizard, the assigned users are added to the policy’s Relationships page. You can click the policy to view the assignments.

12.3.3 Inviting Users to Enroll Devices

You can send an invite email to users to have them enroll their devices to ZENworks in the work profile mode. Before sending this invite, ensure that an SMTP server is configured in the zone. To do this:

  1. Click Users in the left hand pane in ZCC.

  2. Select a user folder or a specific user. The invite email cannot be sent to a user group.

  3. Click Action > Invite User.

    You can preview the email notification in different languages by selecting the appropriate language from the Preview Language drop down. However, the email will be sent in the language set in the Mobile Enrollment Policy, which should be assigned to the selected users. For more information, see Creating a Mobile Enrollment Policy.

    The contents of the pre-configured email can be customized to suit your requirements. You can edit the content by navigating to Configuration > Event and Messaging > Email Notifications > Invite Users. For more information, see Managing Email Notifications.

    Before clicking the Send button, you can also select the MDM Server to which the users should enroll their devices. This MDM Server will be resolved to the macro variable $HOSTNAME$ present in the pre-configured email. All macro variables will be resolved when the email is sent to the user.

12.3.4 Enrolling devices in the work profile mode

The scenario elaborated in this section is meant for users who are enrolling their devices to ZENworks for the first time. For users who have already enrolled their devices in the basic mode (Android App only) and want to enroll in the work profile mode, see Work Profile Enrollment for Existing Users.

IMPORTANT:Work profile enrollment fails if the device is connected over a Virtual Private Network (VPN).

Procedure

  1. The user installs the ZENworks Agent App from Google Play Store. Alternatively, the user can follow the procedure mentioned in the invite letter to download the ZENworks Agent app.

  2. After installation, the user clicks Open. A brief description of the ZENworks Agent is displayed. The user clicks Continue.

  3. The user clicks Activate this Device Administrator to enable device management using the app.

  4. The user logs into the app by specifying the following:

    Username, Password, Domain, Server URL: Specify the username, password, and registration domain (if Allow Simple Enrollment is disabled for the user) along with the server URL of the ZENworks MDM Server.

  5. If you configured the Mobile Enrollment policy to allow the user to specify the device ownership (corporate or personal), the user is prompted for that information. Tap OK.

    Follow the prompts appearing in the remaining screens and the device will automatically set up a work profile and enroll to ZENworks. The following screens are displayed during work profile setup.

    NOTE:Ensure that you do not interrupt the work profile setup process.

  6. The ZENworks Agent App Home screen is displayed that shows the device as enrolled and active.

  7. The device information can now be viewed in ZCC. Click Devices > Mobile Devices (or navigate to the folder as configured in the Mobile Enrollment Policy) from the left hand navigation pane in ZCC. Click the appropriate device and view its details in the Summary page. The enrollment mode is displayed as Android App and Work Profile Mode is also enabled.

  8. After your device is enrolled, a Badge icon attached to the ZENworks Agent App icon and other system apps will help differentiate work apps from personal apps.

Using managed configurations, you can remotely configure the corporate email account within the work profile of a device using apps such as Gmail. Therefore, it is recommended that you do not assign a Mobile Email Policy to devices that are to be enrolled in the work profile mode. Also, the ActiveSync account should directly communicate with the configured ActiveSync server rather than using ZENworks as the proxy.

Ensure that you approve the ZENworks Agent app, installed within the work profile, in managed Google Play and assign it to all the users. This ensures that the user is notified of any updates made to the ZENworks Agent app and these updates are applied automatically.

Work Profile Enrollment for Existing Users

For users who have already enrolled to ZENworks using the basic mode of enrollment (Android App only) and now want to be enrolled in the work profile mode, assign the Android Profile Enrollment Policy to these users.

NOTE:If you have already configured an ActiveSync account, then it is recommended that you remove this account. With managed configurations, you can remotely configure the corporate email account within the work profile of a device using apps such as Gmail. The ActiveSync account should directly communicate with the configured ActiveSync server rather than using ZENworks as the proxy.

For users who have already enrolled in the basic mode, it is recommended that you enable the Allow Manual Reconciliation by User setting in the assigned Mobile Enrollment Policy, till all the users are enrolled in the work profile mode. This will allow users to manually reconcile their devices to the existing device objects present in ZCC, if required,

After assigning the Android Enterprise Enrollment Policy, the users receive a notification on their devices to set up a work profile when they open the ZENworks Agent app.

The user clicks Set Up and follows the prompts to set up the work profile. The device will automatically set up the work profile. You can view Work Profile Mode enabled in the device’s information page in ZCC (Devices > Mobile Devices ><Click the device> > Summary).

12.3.5 Enrolling devices in the work-managed device mode

To enroll an Android device as a work-managed device, the user needs to start up the device. For an existing user or if the user has already turned the device on and completed device setup, a factory reset of the device will be required.

Procedure

  1. Follow the initial setup screens such as language setup and Wi-Fi configuration.

  2. Specify the AFW identifier (afw#zenworks) in the Email field in the Add your Account setup screen.

  3. Click Next in the Android for Work page to proceed with the ZENworks App installation.

    The ZENworks agent app will be automatically downloaded on the device.

  4. Click Install to install the app on the device and follow the prompts to complete setting up the device.

  5. Follow the prompts appearing in the remaining screens to set up a work-managed device. The following screens are displayed:

  6. The device is now setup but is yet to be enrolled as a work-managed device. The user needs to login to the app with the following details:

    Username, Password, Domain, Server URL: Specify the username, password, and registration domain (if Allow Simple Enrollment is disabled for the user) along with the server URL of the ZENworks MDM Server.

    NOTE:If instead of the login screen, the device’s home screen is displayed, then open the ZENworks Agent App from the Applications Menu on your device.

    The work-managed device is automatically setup on the device.

  7. The device information can now be viewed in ZCC. Click Devices > Mobile Devices (or navigate to the folder as configured in the Mobile Enrollment Policy) from the left hand navigation pane in ZCC. Click the appropriate device and view its details in the Summary page. The enrollment mode is displayed as Android App and Work-managed Device Mode is also enabled.

You can now distribute work apps, such as Gmail, to the device. Unlike in the work profile mode, a badge icon will be not be attached to work apps distributed to work-managed devices.