XenMobile with Android Enterprise

[Mahammad Kubaib Ibrahim]

I have a question regarding Android Enterprise

 

Currently we have 4k users enrolled with MDM+MAM mode,but we have planned to configure android enterprise mode to use public apps  along with secure MDX apps.

 

1.What is the impact for existing android enrolled Users ?

2.Will  the exisitng  users need to re-enroll after enabling Android enterprise on Xenmobile ?

 

[David Egan1709157332]

Hi there,

 

The following migration guide should help to answer these questions... https://docs.citrix.com/en-us/citrix-endpoint-management/device-management/android/migrate-from-device-administration-to-android-enteprise.html

 

Best regards,

David

 

[James Selix]

On 10/1/2019 at 6:20 AM, David Egan1709157332 said:

Hi there,

 

The following migration guide should help to answer these questions... https://docs.citrix.com/en-us/citrix-endpoint-management/device-management/android/migrate-from-device-administration-to-android-enteprise.html

 

Best regards,

David

 

 

David. Can Citrix support touch on if Samsung SAFE can be activated on Android Enterprise? I'm not seeing any way to get the ELM Macro key to push to Samsung devices running Android Enterprise via Xenmobile.  Is SAFE even supported with Android Enterprise and Work Profiles (aka managed google play, BYOD)? 

 

i've had a ticket sitting with support now for over two weeks about this and it seems no one at Citrix knows.   if it is supported, there is something very wrong w/the SAFE Policy; its like it never makes it to the android device via the console history and logs.

[David Egan1709157332]

On 10/11/2019 at 7:48 PM, James Selix said:

 

David. Can Citrix support touch on if Samsung SAFE can be activated on Android Enterprise? I'm not seeing any way to get the ELM Macro key to push to Samsung devices running Android Enterprise via Xenmobile.  Is SAFE even supported with Android Enterprise and Work Profiles (aka managed google play, BYOD)? 

 

i've had a ticket sitting with support now for over two weeks about this and it seems no one at Citrix knows.   if it is supported, there is something very wrong w/the SAFE Policy; its like it never makes it to the android device via the console history and logs.

 

Hi there,

 

I haven't tested this first hand any time recently (and both Android Enterprise and Samsung SAFE/KNOX have seen quite a lot of changes in the past year or so), though I would still suggest that the following advice might be useful.

 

Based on what is seen in the XenMobile Server console, only Samsung KNOX license keys can be deployed to the Android Enterprise platform devices. The console makes no provision for the Samsung SAFE macro to be entered here. See https://docs.citrix.com/en-us/xenmobile/server/policies/samsung-mdm-license-key-policy.html#android-enterprise-and-samsung-knox-settings for confirmation of 'where' I am referring to.

 

Based on this observation alone, I think this is confirmation that this is not something which is supported.

 

As an alternative method, you can still try to deploy the Samsung SAFE macro to Samsung devices as an MDM Device Policy. See this link for more details: https://docs.citrix.com/en-us/xenmobile/server/policies/samsung-mdm-license-key-policy.html#samsung-safe-settings.

 

This 'alternative method' is not expected to offer native integration in to Android Enterprise itself (Samsung KNOX is needed for this integration, as above). You might still want to try this method out anyway because although it won't necessarily offer more protection to the Android Enterprise user profile on the device, it will at least offer the use of more MDM API's to the device operating system itself. It's worth remembering that MDM enrolment is necessary to deploy any Device Policy settings from XenMobile Server, so perhaps this is not a good match for BYOD devices when they are only MAM enrolled with no MDM options available?

Best regards,
David

[James Selix]

@David Egan  i've actually found a much better approach to this.  eliminated SAFE and KNOX from the equation and went the full on Android Enterprise and Managed App Configuration route.  Citrix should really put a guide or entry about this.  Basically we were only use SAFE apis on the legacy device admin policies for one reason: to preconfigure an exchange profile for the native samsung email app.  with android enterprise this didn't seem possible or at least to me since i hadn't done much w/AE yet.

 

we run a BYOD setup for mobile users, they own the phones and we just let them have work email on it but have to have it managed w/secure hub.  i'm actually pretty impressed w/Android Enterprise and our use case scenerio.  it creates the personal and work profiles allow us to do an iPhone like selective wipe of all business information while leaving their personal data and apps alone.   what i did was add the Samsung Email app to our Google Managed Play Store. I then added the managed app to Xenmobile as a public app for AE.  This then let me create a managed app config that let me add an Exchange profile to the app.   Assign all to my delivery group and enroll and bam!! all my test user needs to do is enter their password.. HOWEVER, managed app config policies do not seem to take upon enrollment. i've noticed i've had to refresh device policies after enrolling and opening the Samsung Email app before the config applies.. however the device logs show the config being downloaded upon enrollment. i've been playing with deployment order to see if that matters (also another thing Citrix needs to make a document on; what is a recommended deployment order of policies, apps, managed configs, restrictions, automated actions, etc)

 

yea, i've been doing Xenmobile before it was Xenmobile and was.. Zenprise. ;)

[James Selix]

On 9/29/2019 at 5:21 AM, Mahammad Kubaib Ibrahim said:

I have a question regarding Android Enterprise

 

Currently we have 4k users enrolled with MDM+MAM mode,but we have planned to configure android enterprise mode to use public apps  along with secure MDX apps.

 

1.What is the impact for existing android enrolled Users ?

2.Will  the exisitng  users need to re-enroll after enabling Android enterprise on Xenmobile ?

 

 

1. nothing since device admin policies are there.

2. sadly, full re-enrollment from my testings from last month.  however enrollment can be WAY better, find a way to spin it.  we are enablng PIN auth for secure hub so our mdx wrapped apps will be so much easier to use (we also enabled caching of ad creds to encrypted container so pin replaces it making life so much better due to the complex password policy we have for pwds).

 

i assume your doing the BYOD route? thats the most confusing part of android enterprise is  the modes and what you need. For BYOD shops, Managed Google Play store is the route you want to go and you don't need a dev account or key or program. just managed google play account. i have a few posts on this stuff on here, hopefully they may help.

 

post to gmail managed config setup notes: https://discussions.citrix.com/topic/404936-byod-android-users-and-exchange-email-is-there-ever-going-to-be-a-way-to-configure-gmail-wexchange-info-in-citrix-endpoint/