[Product Update] Signup and Device Enrollment: New Features and upcoming plans
Hello everyone, As we kickstart a new year, we are pleased to update you on enhancements we’ve made in the areas of signup and device enrollment and give you an advanced look at some features we’ll be adding in the near future. Background We’ve heard from many customers that they prefer being able to administer Android management capabilities (e.g signing up for Android Enterprise, logging into the Managed Play store, etc.) using their corporate email address rather than a gmail address. This provides increased security, along with better administrative capabilities including self-service fixes for lost account credentials and changing access when team members change. We’ve also heard that for knowledge worker devices, customers prefer being able to log in to their devices with their work email, and being able to have the convenience of shared experiences across their phone and desktop. (More details can be found in this Android Enterprise blog post) To improve the experience for both IT admins and end users, we’ve been working on changes in signup and enrollment that emphasize the use of work email accounts, and minimize Managed Google Play accounts except for dedicated devices that don't have logged in users. Here is an update on our recent announcements as well as our plans for the next few quarters: 1) Improved signup Flow (Launched and rolled out to all EMMs) In Q2 2024, we announced a new signup flow that encourages all new customer IT admins to sign up with their corporate email rather than a gmail account. We also made it possible to bind multiple EMM instances to a customer’s domain to allow for using multiple EMMs simultaneously in testing and in production. As of July 2024, all of our EMM partners have adopted this new flow so new customer signups should use managed Google Domains by default. 2) New Android Enterprise enrollment flow In early Q3 2024 for EMM partners with solutions based on Android Management API, we added the ability to enable “Authenticate using Google” which allows managed Google Accounts with work email addresses to be enrolled for end users. In addition, we added a new enrollment method, which is the ability to trigger enrollment by adding managed Google accounts directly from the Settings>Accounts section in Android OS. Enabling “Authenticate using Google” requires our EMM partners to make some changes to allow userless dedicated devices to enroll without being prompted to add a work account, but all AMAPI partners should be working to adopt these changes and all EMMs will be enabled by Q1 2025. For EMM Partners that build custom solutions based on Play EMM API, similar new enrollment capabilities will be available to begin development starting in Q1 2025. 3) Upgrade Managed Google Play Enterprises to Managed Google Domains (Q1 2025) Next, following up on our new signup flow from earlier in the year, we are making it possible for ALL organizations to upgrade their Managed Google Play accounts enterprises, and have their binding moved to their managed Google domain. This will involve switching out the gmail addresses used by IT admins for currently bound enterprises and replacing them with work email addresses associated with a managed Google domain. 4) Upgrading users to Managed Google accounts (later 2025) Finally, later in 2025, we’re going to be offering the capability to upgrade end user Managed Google Play accounts installed on devices to managed Google accounts corresponding to user email addresses. Stay tuned for more details in the coming quarters. We extend our thanks to the AE community for your continued support and collaboration. As we continue to enhance the signup and device enrollment experience, we encourage you to stay tuned for more updates and exciting developments in the coming quarters. Plus, feel free to let us know below if you are interested in hearing more about any of the above. The Android Enterprise Team
Stronger management of company-owned devices with Android 15 for business
15th October, 2024 For company-owned devices, Android 15 empowers you with advanced management capabilities to help you take control, optimize your fleet of devices, and safeguard your business – on your terms. Explore new tools to navigate the modern workplace with Android 15. Streamline eSIM management for managed devices Android 15 streamlines adding, removing and provisioning eSIMs on both company-owned devices and managed BYOD devices. Simple eSIM management* on managed devices makes it easier to onboard and offboard employees. This means IT admins can spend less time setting up eSIM devices, and more time on impactful work. *For all devices, eSIM management is conducted via the EMM. Additionally, for BYOD devices, the device’s owner is responsible for using and activating the eSIM, and the user can delete the eSIM at any point. Secure personal profiles and private spaces on COPE devices Extend your existing personal app policies to the private space on company-owned devices. IT admins have better control over the device’s security posture with a limited set of privacy preserving security restrictions* for selected apps outside the Work Profile on company-owned devices. An additional set of privacy safe security configurations for core apps will be made available at a later date. *AMAPI managed devices will have the ability from Android 15 onward. Managed configurations apply only to company-owned, personally enabled (COPE) devices. Enforce the default apps for personal profile on company-owned devices IT admins can now enforce the default dialer, messaging app, and browser* in the personal profile when setting up company-owned devices to add an extra layer of security without compromising user experience. * Available only on company-owned, personally enabled (COPE) devices. IT admins can only make an app the default if it’s already in the user’s personal profile. To ensure OEM defaults for dialer and browser are set, this feature should be configured prior to set up. Enable seamless searching for your teams with Circle to Search Forget juggling multiple apps. With new admin controls for Circle to Search* on both fully managed devices and within the Work Profile, IT can confidently empower employees to search directly from their work apps. They can simply circle, scribble, or tap content for more information. *Circle to Search requires internet connection and compatible apps and surfaces. Results may vary depending on visual matches. For Android Enterprise managed devices, the feature is available on fully managed devices and devices with Android Work Profile. For company-owned, personally enabled (COPE) devices, Circle to Search is subject to the IT admin’s ability to turn off screen capture, which will disable the feature. For employee-owned devices with an Android Work Profile, Circle to Search within the personal profile remains unaffected by IT admin policies. Available on Pixel P8, P8 Pro, P6 series, P7 series, Pixel Fold, Pixel Tablet, Samsung S24 series, S23 series (incl. FE), S22 series, S21 series, Z Flip 3/4/5, Tab S9 series, Tab S8 series. Extend battery life with screen brightness and timeout controls Android 15 introduces screen brightness and timeout period controls* for company-owned devices. IT admins can adjust settings to optimize device efficiency for frontline staff, extending battery life to help them power through a shift without any device downtime. *Available on company-owned, personally enabled (COPE) devices, fully managed devices, and dedicated devices. Read Enhanced employee and device protection with Android 15 for business next. Learn more in our Help Center FAQ. Register for the community to access and download these images and an Android 15 slide deck. How helpful will these new features be to your business? We’d love to hear your thoughts and feedback below!Enhanced employee and device protection with Android 15 for business
15th October, 2024 Flexibility and productivity go hand-in-hand in the era of modern work. But so can security risks. Designed for the modern workplace, Android 15 introduces new ways to protect company devices and shield sensitive data - for both employees and companies - wherever the working day leads. Here’s how Android 15 can strengthen digital defenses. Secure stolen devices with Android theft protection Too often the cost of theft extends beyond hardware. That’s why Android theft protection* focuses on locking down your device should it fall into the wrong hands, helping minimize the impact of stolen devices. Theft Detection Lock offers automatic protection the moment a device is stolen. It uses machine learning to detect any motion associated with theft, like snatching or driving away, and quickly locks the device to protect device data. Offline Device Lock is enabled once a device is stolen. If a stolen device is disconnected for a set period of time, the device screen automatically locks to prevent unauthorized access, even when off-grid. Remote Lock empowers employees to act quickly once their devices are gone. As an extra, immediate precaution when a device is lost or stolen, employees can lock the missing device at android.com/lock using just their phone number. *Theft Detection Lock, Offline Device Lock, and Remote Lock requires Android 10+ and an internet connection. Android Go devices are not supported. Support may vary based on your device model. The user must be using the phone while it is unlocked. All theft protection features will be available in October. Offer employees a private space within their personal profile Personally enabled devices balance convenience and usability, with enhanced controls to protect business data. Now, employees are able to create a private space* for personal profile data - a folder locked with a separate password or biometrics - to store apps containing sensitive information, like banking or healthcare. Employees can work with peace of mind, knowing that personal apps and activities are hidden and secure when working on the go or when sharing the screen with co-workers. *Private space on COPE devices are subject to the same security requirements as the personal profile. Admins will be able to block the user from having a Private Space and remove an existing Private Space in COPE. Review security logs easily with the latest NIAP logging requirements Android 15 is enhancing device security with new logging capabilities that meet the latest NIAP regulations. Administrative changes are logged and stored in the SecurityLog - and data backup events are migrated from Logcat to the SecurityLog for easier upload and streamlined management. Now IT teams can more easily identify and address potential security threats. Read Stronger management of company-owned devices with Android 15 next. Learn more about what’s new in our Help Center FAQ. Register for the community to access and download these images and an Android 15 slide deck. Enjoyed this introduction? Feel free to drop a kudos and join the discussion below - we’d love to know how these new features might impact your business strategy.[Product Update] Introducing the Improved Signup Experience for Android Enterprise
Updated: July 2024 to include link to blog article* Hello everyone, We’re excited to announce improvements to our signup process for new Android Enterprise users. With this new signup experience, we've made it easier and more intuitive for businesses to deploy multiple Google products alongside Android Enterprise. Key benefits include: Simplified IT Admin Experience: IT admins can now sign up using their corporate email address, eliminating the need for Gmail accounts. This streamlined process reduces the risk of lost or deleted accounts and improves the overall management of credentials. Centralized Setup: Setup tasks, such as syncing users and configuring single sign-on (SSO), can now be performed centrally through the Google Admin console. These changes apply to multiple Google product deployments, saving you time and ensuring consistency across your IT environment. Seamless Upgrade Process: If you wish to add additional Google products (e.g Chrome Enterprise Upgrade for Chromebooks, Chrome Browser Cloud Management, Google Workspace) to your existing deployment, you can do so seamlessly without the need for separate registrations. Simply select the products you want to enable in Google Admin Console, and the products will be automatically enabled to your organization’s account. Enhanced flexibility and control: This improved signup experience allows you to bind multiple EMM instances to your customer account. This enables parallel testing of pre-production environments or phased migrations to a new EMM, providing greater flexibility and control over your IT infrastructure. As we continue our commitment to delivering exceptional customer experiences, this improved signup process is designed to help your organization get the most out of Google’s enterprise products. Stay tuned for further updates from your EMM partner as this enhancement is rolled out for new Android Enterprise customers over the coming months. *Learn more about this new sign-up flow in this Android Enterprise blog article: How we are making Android Enterprise signup and access to Google services better Thanks, The Android Enterprise Team[Product Update] Lock and locate Corporate devices with Lost Mode
Lock lost corporate devices and get real-time location updates to recover them. Android Enterprise admins, have you discovered Lost Mode? It’s a new management feature designed to safeguard your organisation's data and recover misplaced devices. No more frantic "phone-finding" missions or compromised sensitive information - Lost Mode empowers you to take control in challenging situations. Lost Mode empowers device management through: Remote lock down: Instantly lock lost or stolen devices. Gone are the days of helplessly hoping lost devices remain untouched; Lost Mode helps prevent unauthorised access beyond incoming and emergency calls, securing your data, and peace of mind. If the need arises, enrolled devices can also be remotely wiped. Real-time location tracking: Track the location of a lost device in real-time. Whether nestled under a colleague's desk or left in a taxi, Lost Mode can remotely pinpoint a device's whereabouts for hassle-free recovery. Lock screen message: Communicate company contact information directly on the lock screen. If found by a passerby, the pre-set company message will tell them where to return it. Or they’ll have the option to ‘Call owner’ on your chosen contact number with a press of a button, making good deeds a breeze. Audible locator: Turn your device into a beacon. When Lost Mode is activated, the device begins to ring on full volume, guiding you, or a helpful passerby, towards its hidden location. It’s a step up from breadcrumbs or wasting time aimlessly retracing your steps - follow the audible trail and reclaim your missing tech. How does it work? IT admins can easily put a device into Lost Mode from their EMM console. Once the missing device is found, and is back in the right hands, employees can simply exit lost mode with their device passcode and resume business as usual. Or, IT Admins can exit Lost Mode from their EMM console. Beyond immediate recovery, having this security measure in place enables quick action, minimising the risk of data breaches, improving employee peace of mind and eliminating wasted time searching for misplaced devices. Next steps Lost Mode is exclusive to EMMs that use Android Management API, and is currently available for both Work Profile on company-owned devices running Android 13 or later, and fully managed devices on Android 11 or later. To check if this feature has been made available in their console, please contact your EMM. For a step by step on how to enable Lost Mode on company-owned devices, check out this article in the Help Center. Otherwise it would be great to hear from you, have you or do you plan to implement Lost Mode into your device strategy? Which feature do you think will be most useful?[Product Update] Dynamic duo: improved dual-SIM support in Android zero-touch
Note: this article has been updated on 03.04.2024 to reflect improvements to the process of provisioning dual-SIM devices via zero-touch. Please see the below steps for best practice. As individual tools, both zero-touch enrollment and dual-SIM devices offer a wealth of business benefits. But until recently, the two IMEI numbers - one for each SIM card - in a dual-SIM device meant integrating dual-SIM with zero-touch was unreliable and dependent on SIM configuration. The good news: we’ve enhanced dual-SIM support in zero-touch, improving the reliability of dual-SIM enrollment, and simplifying management. What does this mean? This improved integration addresses the known issues some users have previously experienced when provisioning dual-SIM devices with zero-touch. It means dual-SIM devices don’t need to be registered as two separate devices to be reliably managed. It also minimises the risk of devices being missed during provisioning and getting stuck in a reset loop, or randomly undergoing factory reset. There is no action required to activate this fix, and you’ll only be visibly impacted if you’ve experienced the issues above. Otherwise, we’d recommend you continue to follow the steps below as best practice. Here's how it works: Lead with the lowest IMEI: For zero-touch to recognise and configure dual-SIM devices, the device initially needs to be registered with the numerically lowest IMEI. For example, if the two IMEI numbers are 000000000000001 and 000000000000002, you would register the first. Zero-touch to go: Upon boot up zero-touch will detect the device and provision it, applying your preconfigured settings and apps. Cue smooth sailing. Tips for a smooth two-step Be aware: If your device is preinstalled with a version of Google Play Services prior to 24.07.12, after setup zero-touch will detect the device, register its serial number, and prompt a factory reset. The next time you set up your device, it will be provisioned through zero-touch. Communicate with your reseller: Make sure they understand the importance of registering with the lowest IMEI for dual-SIM devices. Test, test, test: When integrating dual-SIM devices with zero-touch, begin with a test batch to identify and troubleshoot any hiccups. You may also wish to check this documentation for any known issues. Documentation is key: Clearly document the specific steps for dual-SIM zero-touch deployment so users know what to expect when setting up. For more details including prerequisites, configurations and a getting started guide, check out this zero-touch enrollment for IT admins article. Now, it's your turn to share your thoughts. Do you currently use a dual-SIM device? If so, how do you use it? Was it provisioned through zero-touch?[Product Update] Configure and bind multiple Android Enterprise Mobility Management providers
Hey everyone, The new Multi EMM feature is now available. This feature will now allow an IT admin to bind multiple EMMs to their customer managed Google domain account, giving more flexibility and control over how you manage your organization's Android devices. Multi EMM binding in Google management console Here are some of the benefits it provides: More flexibility: you can choose the right EMM for each user group in your organization. For example, you can use one EMM for engineers and another for retail staff. Enhanced control: you can now have multiple instances of the same EMM provider, for example a cloud instance and an on-premise instance, to manage different sets of users or test pre-production features Easier migrations: you can now run multiple EMMs in parallel, allowing you to perform phased migrations from an old EMM to the new EMM over time. Here are some new capabilities to be aware of: Binding multiple EMMs with your Workspace account using the admin console: To get started, simply go to the Admin console and navigate to Devices > Mobile & endpoints > Settings > Third-party integrations > Manage EMM providers. From here you can generate an enrollment token and use it to bind with one or more EMMs. Visit the Help Center to learn more about binding multiple EMM providers and enable it for your organizational units. Enrolling a device with a Google account: you can select the EMM to use for enrollment by choosing from the dropdown for the OU (Organization Units) in the admin console. All accounts from that OU will have the EMM pushed to their device when they log in. App install by setting policy for the enrolled device: with multi EMM, if a private app is published to any EMM binding ID, then that app is automatically also available to use through other bindings as well. You can find more information in our Help Center regarding creating web apps and distributing private apps. If you are binding multiple EMMs to a managed Google domain account, you will use the EMM iframe and not play.google.com/work to access the managed Google Play store. Unbinding the EMM through the admin console is done through the Manage EMM providers page. Availability Now available to all managed Google domain accounts, and Google Workspace customers. If you have any questions or want to provide any feedback, please add a comment below. Thank you, Android Enterprise Customer Community Team[Product Update] Android zero-touch enrollment now supports service accounts
Hello everyone, We are excited to announce that we are now supporting the use of service accounts with the zero-touch enrollment customer API. This feature allows the zero-touch enrollment customer API to be used with continuously-running automated services, whereas previously it was only suitable for interactive services. The functionality of the API is not changing, but by accessing it using a service account you will be able to deploy new services, such as: Automatically assign the correct configuration to newly-registered devices Monitor your registered devices for changes, e.g. new or removed devices Automatically change the configuration assigned to a device when an employee switches teams or changes location Automatically unregister a device when it is no longer in use If you are interested in getting started with using the zero-touch enrollment customer API in this way, please complete this form with details of your service account and your zero-touch customer account. If you have any questions around this, please do reply in the comments below. Thanks, Lizzie
