To remotely manage Android mobile devices for your users, you’ll need to register an enterprise in JumpCloud’s Android Enterprise Mobility Management (EMM) solution. Android EMM and JumpCloud let IT Admins securely control access to company resources like email, calendar and contacts, and other company apps and data, while keeping personal user data private and secure. You can enroll and manage Android devices through the JumpCloud Admin Portal (and your end users can enroll via the JumpCloud User Portal), and you can also lock, wipe, and reset Android devices. Policies keep your devices secure and in compliance.
JumpCloud supports these types of Android devices:
- Personal devices:
  - Personal devices are owned by the employee. You enable user enrollment of a device owned by an employee, and the user enrolls the device via the User Portal. You have full management and control of the apps, data, and settings in the device's work profile, but there is no visibility or access to the device's personal data. This distinct separation gives you control over corporate data and security without compromising employee privacy.
- Company-owned devices:
  - Mixed Use - A work profile can enable work and personal use on a company-owned device. Your organization can have full control of the apps, data, and settings in an encrypted work profile, and can enforce policies to control settings for WiFi and block USB file transfers or disallow software apps that apply to a device's personal data. Any personal data on a company-owned device isn’t visible or accessible to your organization.
  - Fully Managed - The device is used exclusively for work and you control and manage the entire device. This device does not use a work profile.
  - Dedicated - This device is a subset of fully managed devices and is used for simple workflows. You can lock down the usage of the device to a single app or small set of apps, such as ticket printing or inventory management. This device does not use a work profile.
Prerequisites:
- You must have an email account to register with Google:
  - Recommended: Enterprise Google Administrator Account (@work_domain.com)
  - Accepted, but not recommended: Managed Google Play Account (i.e. @gmail.com)
Registering Your Org for Android EMM
Follow the instructions in the applicable section below, depending on whether you have an existing Enterprise Google Admin account.
With an existing Enterprise Google Admin account
To register your org for Android EMM:
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > MDM.
- On the MDM Home page, select the Google tab.
- Click Begin Registration. A new browser tab opens.
- Under Create Admin Account, enter your Enterprise Google Admin account email address and click Next.
- On the Add Android Enterprise screen, click Continue to Admin console.
- On Review your payment plan, click CHECKOUT to add Android Enterprise to your org. Note: This is free, and you will not have to submit an actual payment.
- Click PLACE ORDER.
- You're asked if you want to manage your Android Enterprise devices using your enterprise domain. This binds your Google account to your JumpCloud instance. Click Allow.
- When the Google loading screen clears, you are directed back to the JumpCloud Admin Portal and can begin managing Android devices.
Without an Enterprise Google Admin account
To register your org for Android EMM:
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > MDM.
- On the MDM Home page, select the Google tab.
- Click Begin Registration. A new browser tab opens.
- Under Create Admin Account, enter your work email address and click Next.
  If you do not have an Enterprise Google Admin account:
  - You can ask your IT Admin to add you to the account for your domain.
  - You can sign up using a different domain. If you don’t have one, you can buy a new domain.
  - You can use a Managed Google Play account (Gmail account), but there are limitations that Google imposes. Be advised that Google intends to deprecate this option in the future.
- You will receive an email to the address entered above to verify your account. In the email, click Verify email address.
- Once your email has been verified, return to the Google sign-up flow (you may be redirected back automatically) to enter your contact information and communication preferences.
- Create an account password.
- Click Allow and create account to confirm that you want to bind your org to Android Enterprise and create your account on the Google Admin console.
- Once your account is created, you are redirected to the JumpCloud Admin Portal from the loading screen.
- From the JumpCloud Admin Portal, you can verify that the connection between JumpCloud and Google is working by clicking Test Connection. The status should return CONNECTED.
Configuring Device Authentication (Optional)
If you used an Enterprise Google account during EMM Registration, you have the option to enable end user authentication during the device enrollment.
Considerations:
- This functionality is limited to JumpCloud Android EMM tenants registered with an Enterprise Google Admin Account. It does not apply to Managed Google Play (i.e. @gmail.com) accounts.
- Google is working on the ability to upgrade Managed Google Play (MGP) enterprises (which use Gmail accounts) to Managed Google domains (which use work email addresses) to bring enhanced security. JumpCloud expects this functionality to become available in 2025.
There are four pieces to configure this functionality:
- Verify your domain with Google - Watch the Domain verification walkthrough to see how to verify your domain within the Google Workspace Admin Console.
- Enable identity sync in JumpCloud - See Get Started: Google Workspace Integration for instructions on how to integrate Google Workspace with JumpCloud.
- Configure SSO with Google Workspace in JumpCloud - This allows your users to access Google services on their device seamlessly using their existing work credentials. See SSO with Google Workspace for instructions.
- Enable Authenticate Using Google - Watch the Enable Google Authentication walkthrough to see how to enable this setting in the Google Workspace Admin Console.
  - When enabled, the Authenticate Using Google setting applies to new device enrollments only. Previously enrolled devices are not affected.
  - Enrollments of personal or company-owned devices with a work profile and fully managed devices can authenticate using Google.
  - Authentication does not apply to Dedicated Device enrollments because there is no singular user identity associated with the device.
The Authenticate Using Google setting is reflected in the Android EMM Registration section of the JumpCloud Admin Portal.
When the end user enrolls, their experience will be based on this authentication setting:
- Authenticate Using Google is not enabled - User is not authenticated as enrollment is completed, and an @android-for-work.gserviceaccount.com user account is generated for the enrollee.
  - Following enrollment, users manually enter and authenticate with their work credentials each time they want to access Google services.
- Authenticate Using Google is enabled - User is prompted to authenticate during enrollment, and they enter their work credentials.
  - Following enrollment, the user identity is already linked to the device, and the user can seamlessly access Google services.
Deleting Your EMM Registration
To delete your Android EMM Registration:
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > MDM.
- Select the Google tab, then click Delete under Android EMM Registration.
- Enter the number that appears in the dialog.
- Click Delete.
Deleting your Android EMM registration permanently removes the association between JumpCloud and Google's registration files. Devices will be unenrolled, policies will be disassociated, and end users will lose access to company-provided Android apps. Remove the registration only if you no longer want to use EMM to manage your Android devices.