Android Device Enrollment Methods

Android device enrollment can be a bit of a minefield and can get quite confusing, especially given the new Work Managed approach.

There are now two Enterprise Modes for managing Android devices, and it is important to understand the differences. The first is called Work Profile and is similar to the Android for Work model that most MDM administrators are familiar with; the second is known as Work Managed.

This VMware article explains the differences in greater detail: https://docs.vmware.com/en/VMware-AirWatch/9.1/vmware-airwatch-guides-91/GUID-AW91-AFWModesOverview.html

To help illustrate the main differences, I’ve lifted the graphic below from a separate VMware blog article by Karim Chelouati that describes the different enrollment flows in more detail and does so using lovely Wizard of Oz analogies: https://blogs.vmware.com/euc/2017/05/new-android-enterprise-enrollment-flows.html

Karim’s blog explains the workflows so nicely I’m just going to sum up each of the enrollment workflows and I highly recommend you take a look there after reading this blog.

[Graphic: Android Enterprise enrollment flows, lifted from Karim Chelouati's VMware blog post linked above]

Work Profile

The Work Profile allows personal and corporate data to co-exist on the device while being completely segregated, so it is most suitable for BYOD scenarios.

Devices are enrolled via the Workspace ONE Intelligent Hub (formerly the AirWatch Agent).

Users can browse to awagent.com and they will be directed to the Google Play app page for the Hub. Once installed there are three ways for the user to enroll:

  1. If email auto-discovery has been configured, the user enters their email address and password; the agent resolves the server address of the WS ONE UEM instance for their organisation and enrols the device.

  2. The user can manually enter the server address of the WS ONE UEM instance for their organisation and then use their username and password to authenticate and enroll.

  3. The user can scan a QR code that was emailed to them and displayed on a different device; this populates the server address of the WS ONE UEM instance for their organisation, after which they use their username and password to authenticate and enroll.

Once enrolled, the device is compartmentalised into a Work area and a Personal area. This means that you end up with two versions of applications. Take the camera, for example: you have the camera app that comes with the OS by default, and once enrolled you get an identical camera app marked with the little red briefcase. The data for each application is stored separately, so photos taken with the Work Camera app will not be visible in the default Camera app; those same photos will, however, be visible to the other Android for Work apps on the device. The same goes for email, web browsers etc., so there is a clear demarcation between corporate and personal apps and data. Because the data is compartmentalised, if the device is unenrolled or remote wiped, the corporate apps and data compartment is removed, leaving the personal apps and data intact.

Work Managed

When Android devices are Work Managed they are essentially corporately owned and intended for work usage only. There is no segregation of data, so users should be made aware that any personal data they keep on the device is at risk: a remote wipe command can be issued, potentially without notification.

Using the Work Managed profile also allows the corporate owner of the device a much greater degree of control and customisation of the device, such as is the case with Supervised iOS devices.

Work Managed devices offer more enrollment options. Since Work Managed enrollment gives control over the entire device, enrollment takes place as part of the initial setup or following a factory reset of the device, rather than post-setup via the Intelligent Hub.

Work Managed enrollment methods:

  1. Using AirWatch Relay – also referred to as NFC Bump, this enrollment method is used when an administrator is bulk-enrolling multiple devices prior to issuing them to users. The NFC contactless connection is used to set up WiFi on the device, set the time/date/region, download the Intelligent Hub and enroll the device. Once the user receives the device and authenticates with their credentials, the device is associated with that user in the WS ONE UEM tenant.

  2. Using the AirWatch Identifier – This approach offers a simplified enrollment method. When the device is being initially set up, an identifier or hash (afw#hub) is entered at the point where the user is prompted to enter a Google account. The identifier sets up a temporary Google account on the device that is used to download a Device Policy Controller (DPC); this in turn downloads the Intelligent Hub before the DPC removes itself. The user then enrols using the Intelligent Hub via email auto-discovery, server address or QR code.

  3. QR Code Provisioning – During the initial setup the user taps the Welcome screen 6 times in the same location, which prompts the camera to open. Scan the generated QR code and you will be prompted for WiFi details; the Intelligent Hub will then be downloaded with the server address and group ID populated to facilitate enrollment.

  4. Zero Touch Deployment – ZTD is supported only on specific devices and offers an out-of-box (OOBE) enrolment experience much like the DEP enrollment mechanism for Apple devices. You must work with the device provider prior to purchase to ensure that ZTD is supported for the devices you are purchasing.
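The QR code used in method 3 carries a JSON object of Android Enterprise provisioning extras (DPC download location, checksum, setup WiFi and the admin extras the Hub reads), and it is worth sanity-checking that payload before the code is printed and handed out, since whatever it points at gets installed on a freshly reset device. Below is an added example of such a check; it is my code, not VMware's or the Workspace ONE console's, the android.app.extra.* keys are Android's standard provisioning extras, and the serverurl/gid admin-extras keys and every value are placeholders I constructed.

```python
import base64
import json
from urllib.parse import urlparse

PREFIX = "android.app.extra.PROVISIONING_"

# Constructed sample QR provisioning payload. The PREFIX keys are Android's own
# provisioning extras; "serverurl"/"gid" inside ADMIN_EXTRAS_BUNDLE and every
# value are placeholders, not what the Workspace ONE UEM console generates.
SAMPLE_QR_PAYLOAD = json.dumps({
    PREFIX + "DEVICE_ADMIN_COMPONENT_NAME": "com.example.dpc/.DeviceAdminReceiver",
    PREFIX + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://dl.example.com/dpc.apk",
    # SHA-256 of the DPC signing certificate, URL-safe base64 without padding
    PREFIX + "DEVICE_ADMIN_SIGNATURE_CHECKSUM":
        base64.urlsafe_b64encode(b"\x00" * 32).decode().rstrip("="),
    PREFIX + "WIFI_SSID": "CorpSetup",
    PREFIX + "WIFI_SECURITY_TYPE": "WPA",
    PREFIX + "WIFI_PASSWORD": "setup-only-passphrase",
    PREFIX + "ADMIN_EXTRAS_BUNDLE": {"serverurl": "https://uem.example.com",
                                     "gid": "EXAMPLE_GROUP_ID"},
})


def check_qr_payload(payload: str) -> list:
    """Return the problems found in a QR provisioning payload (empty list = OK)."""
    problems = []
    try:
        data = json.loads(payload)
    except ValueError:
        return ["payload is not valid JSON"]
    if not isinstance(data.get(PREFIX + "DEVICE_ADMIN_COMPONENT_NAME"), str):
        problems.append("missing DPC component name")
    url = data.get(PREFIX + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION")
    if url:
        # The DPC is fetched during setup: require TLS and a checksum to pin it.
        if urlparse(url).scheme != "https":
            problems.append("DPC download location is not HTTPS")
        checksum = (data.get(PREFIX + "DEVICE_ADMIN_SIGNATURE_CHECKSUM")
                    or data.get(PREFIX + "DEVICE_ADMIN_PACKAGE_CHECKSUM"))
        if not checksum:
            problems.append("download location set but no checksum")
        else:
            raw = base64.urlsafe_b64decode(checksum + "=" * (-len(checksum) % 4))
            if len(raw) != 32:
                problems.append("checksum is not a 32-byte SHA-256 digest")
    # WiFi credentials in a QR code are easy to copy; at least flag an open network.
    if data.get(PREFIX + "WIFI_SSID") and \
            data.get(PREFIX + "WIFI_SECURITY_TYPE", "NONE") == "NONE":
        problems.append("setup Wi-Fi network is open")
    return problems
```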

Whichever of the enrollment methods described above is used, once it completes, any applications and settings configured in the Workspace ONE UEM console for the device will be pushed down to it; in some cases reboots may be required.