Get Started: Android EMM

Overview

As a JumpCloud IT Admin, you and your end users can enroll and can monitor Android devices and apps in your organization and control these devices. JumpCloud’s Android EMM solution provides flexibility for your users by allowing them to work securely remotely and access company files, directories, work apps, and other data.

Android EMM uses a work profile, a separate self-contained space on the device that stores corporate apps, data, and management policies. The work profile ensures that the same device can be used securely for work purposes or for personal use. A user’s personal apps and data remain on the device's primary profile and are never accessible or visible to the IT Admin or the EMM.

JumpCloud supports these types of Android devices and enrollment:

• Company-owned devices:
  • Mixed Use – A work profile can enable work and personal use on a company-owned device. Your organization can have full control of the apps, data, and settings in an encrypted work profile, and can enforce policies to control settings for WiFi and block USB file transfers or disallow software apps that apply to a device’s personal data. Any personal data on a company-owned device isn’t visible or accessible to your organization.  
  • Fully Managed – The device is used exclusively for work and you control and manage the entire device. This device does not use a work profile.
  • Dedicated – This device is a subset of fully managed devices and is used for simple workflows. You can lock down the usage of the device to a single app or small set of apps, such as ticket printing or inventory management. This device does not use a work profile.
• Personal devices – The Admin enables enrollment of a device owned by an employee, and the user enrolls the device via the User Portal. Work data and personal data are automatically separated.

Understanding the Technology

The data for JumpCloud’s Android EMM is fetched dynamically as needed and is cached if necessary. JumpCloud uses Google Cloud APIs that enable EMM providers to integrate with Android’s Enterprise solution.

The JumpCloud agent is not installed on the Android mobile device. Instead, to initiate enrollment you will use the Android Device Policy application. 

Using the Features

• Enroll an enterprise into Android EMM.
• Enroll company-owned devices into Android EMM.
  • Fully managed – Devices that are used exclusively for work
  • Dedicated – Devices that can be locked down to a single app or a small set of apps for a specific workflow
• Enroll personal devices into Android EMM.
• Manage personal and company-owned devices with a work profile:
  • View enrolled device details.
  • Apply policies to a device:
    • Passcode policy.
    • Runtime Permissions policy.
    • Custom Payload policy.
    • Application-based Restrictions policy. 
    • Location Services policy.
    • VPN Restrictions policy.
    • Device Restrictions policy.
    • Account Restrictions policy.
    • Bluetooth Restrictions policy.
    • WiFi Configuration policy.
    • Hardware Security policy.
    • Lock Screen Restrictions policy.
    • Work & Personal Usage policy.
    • Common Criteria policy.
    • WiFi Restrictions policy.
    • Cellular Restrictions policy.
    • Battery Mode policy.
    • Kiosk Mode policy.
    • Factory Reset Protection policy.
    • System Updates policy.
  • Add an enrolled device to a device group.
  • Send security commands to an enrolled device:
    • Remotely lock a lost Android device.
    • Relinquish management by erasing the work profile. 
    • Reset a passcode.
    • Restart Device – New command that immediately restarts a device.
    • Erase Device – Improved commands to erase data from a company-owned device or remove a work profile from a mixed use device.
• Add and manage Android software apps:
  • Add a new public, private, or web app.
  • Configure these granular application properties:
    • App Configuration.
    • Application Install Mode.
    • Application Update Mode.
    • Runtime Permissions.
  • Assign apps to Android devices

Prerequisites

• Android 5.1 (Lollipop) and later for employee-owned devices.
• Android 8.0 (Oreo) and later for company-owned, personally enabled devices used for work and personal use.

Getting Started

Follow these steps to set up Android EMM, enroll Android devices, add software apps and policies, and manage those devices:

1. Enroll your organization into JumpCloud’s Android EMM. See Set up Android EMM.
2. You’ll configure enrollment tokens to enable Android enrollment for company-owned and personal devices. See these articles:
   • Add and Manage Android Devices.
   • Configure Zero-Touch Enrollment for Android
3. The Admin or the end user enrolls Android devices in Android EMM. See these articles:
   • Add and Manage Android Devices
   • Users: Enroll Your Personal Android Device
4. Manage your Android devices (review device details and EMM status, apply policies, add devices to device groups, and use security commands). See these articles:
   • Add and Manage Android Devices
   • Configure Settings for Android Policies
   • Create an Android Passcode Policy
   • Create an Android Runtime Permissions Policy
   • Create an Android Custom Payload Policy
   • Create an Android Application-based Restrictions Policy
   • Create an Android Location Services Policy
   • Create an Android VPN Restrictions Policy
   • Create an Android Device Restrictions Policy
   • Create an Android Account Restrictions Policy
   • Create an Android Bluetooth Restrictions Policy
   • Create an Android WiFi Configuration Policy
   • Create an Android Hardware Security Policy
   • Create an Android Lock Screen Restrictions Policy
   • Create an Android Work & Personal Usage Policy
   • Create an Android WiFi Restrictions Policy
   • Create an Android Cellular Restrictions Policy
   • Create an Android Common Criteria Policy
   • Create an Android Battery Mode Policy
   • Create an Android Factory Reset Protection Policy
   • Create an Android System Updates Policy
   • Create an Android Kiosk Mode Policy
5. Perform software management for Android apps (add new public, private, or web apps, view apps and their details, configure app properties, assign apps to devices and device groups, and view app status). See Software Management: Android.

Submitting Feedback

Please direct all feedback to [email protected]. 

FAQ

Q: Why do I need to use a Gmail account to complete the Android EMM registration?

Google does not currently support G Suite/Google Workspace Admin accounts for the Android EMM setup using Android Management APIs. Google has indicated that this will be remedied in the future, but a timeline has not been defined. Therefore, use a Gmail account to establish the enterprise.

Q: I am unable to add an Android device. How do I troubleshoot?
Ensure that you have network connectivity when you add the device. Contact JumpCloud’s product team at [email protected].

Q: Which OS versions are supported?
See Prerequisites to learn which Android devices JumpCloud supports.

Q: Is there an additional fee to monitor and manage Android devices?
Android EMM will be aligned with the current iOS device management packaging (JumpCloud Platform, Platform+, or Device Management SKU). 

Q:  How do I migrate from another MDM/EMM/UEM solution to JumpCloud?
You’ll need to configure JumpCloud’s Android EMM with a Google account that does not have any other enterprise associated with it. Then you will have to unenroll from the other solution and follow the Admin or end user instructions described above to enroll anew into JumpCloud.

Q: How do I apply a managed configuration for Gmail to connect to my Google Workspace?

There is currently no configuration for Gmail that allows IT Admins to remotely add accounts other than Exchange ActiveSync. Therefore, end users will need to configure their Google email directly from Gmail or from Settings > Accounts.