
Android for Work - Prevent adding Google Account


Guest Laz Ravelo

Question


Just got to setting up Android for Work for the first time. I had some trouble getting the enrollment to work but finally did, and thus far I haven't had any issues. Now, I've noticed that, despite provisioning the phone using afw#xenmobile after a factory reset, I'm still able to add a Google account after the fact, which basically circumvents what I'm trying to do, which is prevent users from adding apps that I don't want them to add. Nothing in the XenMobile documentation about this. I'm running XenMobile Server 10.7 and I'm testing this on Android 8.1 on a Google Pixel. Can anyone tell me if what I'm trying to do is within the realm of possibility with XenMobile?

9 answers to this question

Hi there,

 

Setting up Android for Work is how you can get a 'work profile' setup on an Android device. This 'work profile' is a separate app container for your business apps to be delivered in to. This action alone (that is to say, adding a 'work profile') does not restrict or have any effect on the regular 'user profile' which your users have figured out that they can still use on the device for their personal apps.

 

Instead, your devices could make use of 'Kiosk Mode' which is a way to 'lock' the devices in to a specific list of authorised business apps. Other methods also exist to restrict the list of apps that can be added to an Android device, though Kiosk Mode is one typical way that this is done.

See https://docs.citrix.com/en-us/xenmobile/server/policies/kiosk-policy.html for more information on using Kiosk Mode on Samsung SAFE compatible Android devices.

 

Thanks,

David

2 hours ago, David Egan1709157332 said:

So even if you provision the phone from scratch using afw#xenmobile, there is no way to accomplish this if you don't have Samsung SAFE compatible devices? Is this a limitation of XenMobile or Android EMM? I do see some reference to being able to do this in the Android EMM development documentation https://developers.google.com/android/work/requirements/work-managed-device and also https://developer.android.com/reference/android/os/UserManager#DISALLOW_MODIFY_ACCOUNTS

 

How can I contain this? I need to find a way to prevent users from downloading whatever apps they please on corporate-owned devices.

Originally this could be achieved by allowing enterprise apps only, but that was de-supported by Citrix. Then it could be achieved with Android 6 or lower via the App Lock device policy, creating a whitelist of apps allowed to run. Unfortunately this no longer works on Android 7 or 8.

 

As far as I'm aware XenMobile cannot do this, although I believe other EMM products can (Intune, Samsung Knox Configure).

You might be interested in how we set up our shared Android tablets for shift workers - fully restricted and kiosk'd devices (demo below), and we automated their setup. That might be too much for what you're looking for. For assigned Androids you could stick with Samsung Android and use their KNOX API to restrict apps (including Google service apps), which you can do with XenMobile. Otherwise for vanilla Android, you'd be looking for Android for Work/Enterprise. If you need more than that, then you could look into using 'Corporate Owned Single Use' (COSU) mode. I have never tried it but XenMobile apparently supports COSU: https://docs.citrix.com/en-us/xenmobile/xenmobile-service/provision-devices/android-for-work.html (do a find for COSU, near bottom).

 

Shift Worker Tablet Setup Demo: https://youtu.be/Nk9df5KJGnw 
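For readers weighing the COSU/kiosk route mentioned above: on stock Android, a "single use" device is built from the device owner's lock task (screen pinning) policy plus a persistent HOME activity. The following is an added example written for this thread; it is not code from the post, from Citrix, or from XenMobile. It assumes a Device Policy Controller (DPC) app that already holds device owner (the state afw# provisioning leaves the device in), and the class name KioskPolicy, the method names, and the kiosk package/activity names are hypothetical.

```java
// Added example, not code from the thread or from XenMobile/Citrix.
// Assumes: this runs inside a DPC app that is device owner; `admin` is the
// DPC's DeviceAdminReceiver component. Class/method names are hypothetical.
import android.app.Activity;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;

public final class KioskPolicy {
    private final DevicePolicyManager dpm;
    private final ComponentName admin;

    public KioskPolicy(Context ctx, ComponentName admin) {
        this.dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.admin = admin;
    }

    /** Lock task policy is only honoured for a device owner; a profile owner
     *  (plain work profile) cannot pin the whole device. */
    public boolean canConfigure() {
        return dpm.isDeviceOwnerApp(admin.getPackageName());
    }

    /** Whitelist the only packages allowed to run while the screen is pinned.
     *  Everything else (Play Store, Settings, browser) is unreachable in lock task mode. */
    public void allowPackages(String... packages) {
        dpm.setLockTaskPackages(admin, packages);
    }

    /** Make the kiosk activity the persistent HOME so the device boots straight
     *  into it instead of the stock launcher. */
    public void setAsHome(ComponentName kioskActivity) {
        IntentFilter home = new IntentFilter(Intent.ACTION_MAIN);
        home.addCategory(Intent.CATEGORY_HOME);
        home.addCategory(Intent.CATEGORY_DEFAULT);
        dpm.addPersistentPreferredActivity(admin, home, kioskActivity);
    }

    /** Optional hardening available from API 23: no status bar pull-down, no lock screen. */
    public void hardenUi() {
        dpm.setStatusBarDisabled(admin, true);
        dpm.setKeyguardDisabled(admin, true);
    }

    /** Called from the kiosk Activity itself. Only pin when the package is
     *  whitelisted; otherwise Android shows the user a screen-pinning prompt
     *  that they can simply decline. Returns whether pinning was applied. */
    public boolean enterKiosk(Activity kioskActivity) {
        if (!dpm.isLockTaskPermitted(kioskActivity.getPackageName())) {
            return false;
        }
        kioskActivity.startLockTask();
        return true;
    }
}

/*
 * Typical use from the DPC after provisioning (names constructed for this example):
 *
 *   KioskPolicy kiosk = new KioskPolicy(ctx, adminComponent);
 *   if (kiosk.canConfigure()) {
 *       kiosk.allowPackages("com.example.kioskapp");
 *       kiosk.setAsHome(new ComponentName("com.example.kioskapp", "com.example.kioskapp.MainActivity"));
 *       kiosk.hardenUi();
 *   }
 *   // and, inside com.example.kioskapp's MainActivity.onResume(): kiosk.enterKiosk(this);
 */
```

The check in enterKiosk is the part worth keeping in mind when evaluating a third-party kiosk launcher: without device owner and a lock task whitelist, "kiosk mode" is just screen pinning that the user can dismiss.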

On 23.7.2018 at 5:47 PM, Ryan Tsamouris said:

Man that is super cool, are you using ADB shell scripts or what exactly to automate the configuration?

And what kiosk mode is that? Is it a third-party kiosk launcher or Samsung kiosk mode?

2 hours ago, Kim Madsen1709157613 said:

 

This might be a longer answer than you wanted but the setup gets pretty complex. We presented on it at Synergy 2017 as we had some interest from others in our industry. Since we have locations all over the world we wanted to automate the entire tablet setup process without Local IT having to go through a 30-page document. So we use the Receiver USB Redirection to send the tablet to our XenApp environment. From there it pulls up a PowerShell script that uses ADB (via batch scripts) to pull info off the tablet (e.g. Model, Version, Serial, etc.), and based on that info it will set up the device using our standard config (e.g. set brightness, volume, install apps, etc.). Behind the ADB scripts it also uses MonkeyRunner to simulate finger touches on the screen using X/Y coordinates. We took it to the next level and allow the IT group to input their location, which will pass back a variable to ADB and MonkeyRunner so we could create custom configs for each location. To get each site to have a good setup experience we also use a CDN to distribute all the scripts, APKs, and setup files to every site.

 

At the very end it enrolls into a third-party cloud service that we use for our Android Launcher/kiosk, which is highly customizable (message me if you're interested). Then it caps off with enrollment into XenMobile as a shared device. It's about 15 minutes from out-of-box to ready for deployment.

 

I could talk all day about the pros/cons, but it should be noted that Samsung KNOX Mobile Enrollment and KNOX Configure do a lot of this work. They also have a service to do the X/Y coordinate stuff like MonkeyRunner (I forget what Samsung calls it). The downside with KNOX is that if you have Wi-Fi only tablets you may then have a chicken-and-the-egg problem with having to first configure them for Wi-Fi (install certs, setup PIN, join Wi-Fi, etc), which was a no-go for us. We had to have a system that could configure devices out-of-the-box, as well as support non-Samsung Android devices. The future will be better with more Android 7/8/9 devices and more KNOX options so we won't have to automate these things ourselves.

 

I'd be lying if I said it was simple. But anything we can do to offload work from Local IT and maintain a consistent Android image was a big win for us.

 


15 hours ago, Ryan Tsamouris said:

Thanks for sharing Ryan, this is truly awesome and yeah, I suspected it's pretty complicated.

 

I tried to see if I could find a recording of your Synergy session but could not find it, let me know if it exists.


I have been trying to integrate AFE as well, with one of the desired results being to remove Google accounts.

There is a policy within the Android Enterprise restrictions which disables account management. This works and stops users from creating Google accounts, however it also stops them from creating a Secure Mail account as well!

This has been logged with Citrix to see if there can be some more granularity within this option!
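The two posts above (the reference to UserManager#DISALLOW_MODIFY_ACCOUNTS, and the report that the "disable account management" restriction also breaks Secure Mail account setup) both come down to which Android DevicePolicyManager call the EMM's DPC makes. The following is an added example written for this thread, not code from any post, from Citrix, or from XenMobile: it shows the blunt device-wide restriction beside the per-account-type form that the Android API exposes, plus the checks an admin can use to confirm which one is in effect. It assumes a DPC app holding device owner (afw# provisioning) or profile owner (work profile); the class name AccountRestrictionPolicy and its method names are hypothetical.

```java
// Added example, not code from the thread or from XenMobile/Citrix.
// Assumes: this runs inside a DPC app that is device owner or profile owner;
// `admin` is the DPC's DeviceAdminReceiver component. Names are hypothetical.
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.UserManager;

public final class AccountRestrictionPolicy {
    // AccountManager account type used by Google accounts.
    private static final String GOOGLE_ACCOUNT_TYPE = "com.google";

    private final DevicePolicyManager dpm;
    private final UserManager userManager;
    private final ComponentName admin;

    public AccountRestrictionPolicy(Context ctx, ComponentName admin) {
        this.dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.userManager = (UserManager) ctx.getSystemService(Context.USER_SERVICE);
        this.admin = admin;
    }

    /** Restrictions below are silently ignored unless the DPC owns the device or profile. */
    public boolean canManage() {
        String pkg = admin.getPackageName();
        return dpm.isDeviceOwnerApp(pkg) || dpm.isProfileOwnerApp(pkg);
    }

    /** Blunt option: the behaviour reported above for "disable account management".
     *  Set by a profile owner it covers only the work profile; set by a device owner
     *  (afw# provisioning) it covers the whole device, including the personal side
     *  where the original poster could still add a Google account. It blocks EVERY
     *  account type, which is why a mail client's account setup breaks too. */
    public void blockAllAccountChanges() {
        dpm.addUserRestriction(admin, UserManager.DISALLOW_MODIFY_ACCOUNTS);
    }

    /** Granular option: block only Google accounts and leave other account types
     *  alone. Clearing the blanket restriction first keeps the two from stacking. */
    public void blockGoogleAccountsOnly() {
        dpm.clearUserRestriction(admin, UserManager.DISALLOW_MODIFY_ACCOUNTS);
        dpm.setAccountManagementDisabled(admin, GOOGLE_ACCOUNT_TYPE, true);
    }

    /** Verification from the device side: is the blanket restriction active for this user? */
    public boolean isAllAccountManagementBlocked() {
        return userManager.hasUserRestriction(UserManager.DISALLOW_MODIFY_ACCOUNTS);
    }

    /** Verification: which specific account types this admin has disabled. */
    public String[] blockedAccountTypes() {
        String[] types = dpm.getAccountTypesWithManagementDisabled();
        return types == null ? new String[0] : types;
    }
}

/*
 * Typical use (names constructed for this example):
 *
 *   AccountRestrictionPolicy policy = new AccountRestrictionPolicy(ctx, adminComponent);
 *   if (policy.canManage()) {
 *       policy.blockGoogleAccountsOnly();       // Google blocked, mail accounts still allowed
 *   }
 *   // Audit: policy.isAllAccountManagementBlocked() -> false,
 *   //        policy.blockedAccountTypes()          -> {"com.google"}
 */
```

Whether a given EMM exposes the per-type form in its console is the product question raised in the post; the Android side has carried both calls since API 21, so a support request can be framed in terms of setAccountManagementDisabled rather than the blanket restriction.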
