This article explains how to integrate AirWatch with Android for Work, including the automatic creation of Google user accounts by AirWatch.

The official AirWatch documentation for the Android for Work integration contains the essential steps, but gives no details on how to set up automatic Google user creation. This article provides step-by-step instructions for the integration, with the focus on automatic user creation in Google.

UPDATED 04/2017: NOTICE: The instructions below are only needed for AirWatch versions earlier than 8.4. Newer versions of AirWatch can use a much simpler integration with Android for Work, which AirWatch has documented in the following guide:
https://resources.air-watch.com/view/lv7j39pblynp9df39bph/en

Also have a look at our Android for Work enrollment videos.

Chapter 1 - Overview

Android for Work allows organizations to manage the corporate data and apps on their Android 5.x and newer devices with the AirWatch platform, without gaining access to the users' personal data.
The benefit is a clear separation between private and corporate data: the organization only gains access to and control of the business data and apps. A work badge icon is automatically placed on all Android for Work apps and makes it easy to tell the private and the corporate version of an app apart.

Technically the app binary is installed only once, but the work profile runs its own instance of the app and keeps the corporate data in a separate container from the private data. Whenever the device is “enterprise wiped”, only the work data is deleted.
Functionality of Android for Work includes:

  • Per-app VPN
  • Silent/automatic distribution of apps from the public app store, without the user needing a personal Google ID on the device
  • Setup of restrictions for work managed apps
  • Enforcement of device encryption
  • Distribution of corporate e-mail, calendar, address book

Chapter 2 - Difference between Android for Work and Google Apps

Android for Work is a FREE offering by Google. An organization can sign up and use Android for Work without initial or monthly costs.
Google Apps includes Android for Work, but comes with a monthly cost.
This document reflects the setup, integration and functionality of the free Android for Work product.

Chapter 3 - Signup and setup for Android for Work

3.1. Creation of free Android for Work account

Sign up for Android for Work by filling in the form on the Android for Work sign-up page.

In the next step click on START to verify the domain ownership. Select the validation method that works best for you.
Once the domain validation is complete, the webpage displays a token which is valid for 30 days. Copy this token, as it is needed for the integration with AirWatch (Chapter 4, step 3).
The token is also sent via e-mail to the registered administrator and can be reviewed from the Google portal.

3.2 Creation of an API project to automatically create user accounts in Android for Work

Whenever an AirWatch user (domain user) enrolls an Android device with Android for Work, AirWatch can automatically create the corresponding Google account.
To do so, AirWatch calls the Google Directory API (part of the Admin SDK) as a service account. The following steps create that service account in a Google API project; chapter 3.3 then authorizes it in the Google Admin portal.
1. Login to https://console.developers.google.com/ with the Google account created above.

2. Click on the “Select a project” drop-down and select “Create a project…”

3. Type a project name (for example: AirWatchCn503), open the ADVANCED options and select the App Engine location which is closest to you, accept the Terms of Service and click on CREATE.

The project is created and opened automatically; wait until the progress bar has finished.

4. In the left navigation frame click on “APIs & auth” > “APIs”. Then search in the right frame for the term “EMM”, which finds the “Google Play EMM API”.

Click on “Google Play EMM API” and click on “Enable API” on the next screen.

5. Click again on “APIs” in the left frame and then search for “Admin SDK” in the right frame:

Click on “Admin SDK” and then select “Enable API”.

6. In the left frame click on “Credentials” under “APIs & auth”, then in the right frame click on “Add credentials” and “Service account”.

7. In the “Create service account” page select “P12” and click on “Create”.

8. Save the downloaded file and note that the console sets its password to “notasecret”. The .p12 file contains the service account's private key; combined with the scope authorized in chapter 3.3 it allows creating, changing and deleting every user in your domain. Treat it as a secret: do not send it by e-mail or keep it on a shared drive, upload it only to the AirWatch console, and delete and re-create the key in the Google console if it is ever exposed.

9. On the next page you will be presented with the created Service account. Click on the Email address to get into the details:

10. Copy the values “Client ID” and “Email address”; you will need them in chapter 3.3 and in the AirWatch integration in chapter 4.

3.3. Configuration of Android for Work in Google Admin Portal

Log on to the admin portal at https://admin.google.com with the account that you created in chapter 3.1.
1. In the Admin Console click on “MORE CONTROLS” (at the bottom of the Home page) and drag and drop the “Security” icon onto the main screen. Once done, click on “Security”.

2. In the Security section click on “API reference” and ensure that “Enable API access” is enabled.

3. Scroll down and select “Advanced settings” and then click on “Manage API client access”.

4. In the field “Client Name” paste the value of the “Client ID” field from chapter 3.2, step 10 (in the console of that time it has the format xyz.apps.googleusercontent.com; newer consoles show a numeric client ID instead, so use the value exactly as your console shows it).

In the field “One or More API Scopes” enter exactly the following URL:
https://www.googleapis.com/auth/admin.directory.user

Do not add any broader Admin SDK scopes. This scope is all AirWatch needs to create users, and it already allows the service account to update and delete every user in the domain, so keep the authorization to this single scope.

Click the “Authorize” button.

Chapter 4 - Integration of Android for Work with AirWatch

Log on to your AirWatch Admin Console with an account that is at least a member of the “Console Admin” security role to perform the configuration below.

NOTICE: Once this integration is in place, ALL Android devices which support Android for Work will automatically enroll via Android for Work (if the user’s e-mail domain is the domain registered with Android for Work) and will receive the corresponding Android for Work profiles, apps, etc.
It is strongly recommended to test the entire process in a TEST ORGANIZATION GROUP FIRST!

1. Navigate to Devices > Device Settings > Android > Android For Work and click “Configure”.

2. Click “Upload Token”

3. In the domain field provide the e-mail domain which you have registered with Android for Work (example: aerion.fi)

In the “Enterprise Token” field provide the EMM token which you received via e-mail from Google and saw on the “Connect with your provider” screen (alternatively you can retrieve the token from the Google Admin Portal via Security > Android for Work settings).

Click “Next”.

4. Select “Yes” in the field “Create Google account during enrollment based on enrolled user’s email address”.

Select “No” in the field “Use SAML for Google account authentication”.

In the field “Service Account Email Address” paste the e-mail address which you retrieved in chapter 3.2, step 10 (in the console of that time it ends with @developer.gserviceaccount.com; newer projects use @<project-id>.iam.gserviceaccount.com).

In the field “Google Admin Email Address” type the e-mail address of the Google admin account you created in chapter 3.1 when signing up for Android for Work (it ends with your e-mail domain). AirWatch creates the users on behalf of this account (domain-wide delegation), so the account must have the administrator privilege to create users; a super administrator is the straightforward choice, and a dedicated service administrator account is preferable to a person's daily account.

Click on the “Upload” button and upload the .p12 certificate which you downloaded in chapter 3.2 step 8. The password is: notasecret

Click the “Finish” button.
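As an added example (not code from this article, from AirWatch or from Google), the following Python script shows what AirWatch does with the three inputs of step 4: it signs a JWT with the private key from the .p12 file, naming the Google admin e-mail in the “sub” claim, exchanges the JWT for an access token with the scope authorized in chapter 3.3, and then calls the Directory API users.insert to create the Google user. It is also a handy check that the delegation of chapter 3.3 works before any device is enrolled: if the token exchange fails with “unauthorized_client”, the client ID or the scope entered in chapter 3.3 step 4 is wrong. The Google endpoints, scope and grant type are Google's documented ones; the user details, password policy check, file names and the domain check that mirrors the notice at the start of this chapter are assumptions for the example.

```python
"""Added example (not AirWatch's or Google's own code): create a Google user the way
the AirWatch integration of chapter 4 does, via a service account with domain-wide
delegation and the Directory API (Admin SDK)."""
import base64
import json
import sys
import time
import urllib.parse
import urllib.request

TOKEN_URI = "https://oauth2.googleapis.com/token"
USERS_URI = "https://www.googleapis.com/admin/directory/v1/users"
DIRECTORY_USER_SCOPE = "https://www.googleapis.com/auth/admin.directory.user"
P12_PASSWORD = "notasecret"  # fixed password Google sets on downloaded P12 keys


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_assertion_claims(service_account_email, admin_email, now=None, lifetime=3600):
    """JWT claims for the jwt-bearer grant. 'sub' is the Google admin from chapter 4
    step 4: the API call runs with that admin's rights (domain-wide delegation)."""
    now = int(time.time()) if now is None else int(now)
    return {
        "iss": service_account_email,
        "sub": admin_email,
        "scope": DIRECTORY_USER_SCOPE,  # must equal the scope authorized in chapter 3.3
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + lifetime,  # Google rejects lifetimes above one hour
    }


def encode_jwt(claims, signer):
    """Compact JWS; signer(bytes) returns the raw RS256 signature over header.payload."""
    def compact(obj):
        return _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact({"alg": "RS256", "typ": "JWT"}) + "." + compact(claims)
    return signing_input + "." + _b64url(signer(signing_input.encode("ascii")))


def decode_jwt_unverified(token):
    """Split a compact JWT into (header, claims) WITHOUT checking the signature;
    only for inspecting what was sent, never for trusting a token."""
    header_b64, claims_b64, _sig = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(claims_b64))


def rs256_signer_from_p12(p12_path, password=P12_PASSWORD):
    """Load the private key from the .p12 of chapter 3.2 step 8 (needs the
    'cryptography' package; imported lazily so the rest runs without it)."""
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding
    from cryptography.hazmat.primitives.serialization import pkcs12

    with open(p12_path, "rb") as fh:
        key, _cert, _chain = pkcs12.load_key_and_certificates(fh.read(), password.encode())
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def fetch_access_token(assertion):
    """Exchange the signed JWT for a bearer token; fails with 'unauthorized_client'
    when the client ID/scope pair was not authorized in chapter 3.3."""
    body = urllib.parse.urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "assertion": assertion,
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(TOKEN_URI, data=body)) as resp:
        return json.load(resp)["access_token"]


def email_in_domain(email, registered_domain):
    """Assumed check mirroring the chapter 4 notice: only users of the domain
    registered with Android for Work are created automatically."""
    return email.count("@") == 1 and email.rsplit("@", 1)[1].lower() == registered_domain.lower()


def user_insert_body(primary_email, given_name, family_name, password, registered_domain):
    """Directory API users.insert resource for the new account."""
    if not email_in_domain(primary_email, registered_domain):
        raise ValueError(f"{primary_email} is not in the registered domain {registered_domain}")
    if len(password) < 8:
        raise ValueError("Google requires passwords of at least 8 characters")
    return {
        "primaryEmail": primary_email,
        "name": {"givenName": given_name, "familyName": family_name},
        "password": password,
        "changePasswordAtNextLogin": False,
    }


def create_user(access_token, body):
    req = urllib.request.Request(
        USERS_URI, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": "Bearer " + access_token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # usage: python create_afw_user.py key.p12 <service-account-email> <google-admin-email> <new-user-email>
    p12, sa_email, admin_email, new_user = sys.argv[1:5]
    signer = rs256_signer_from_p12(p12)
    token = fetch_access_token(encode_jwt(build_assertion_claims(sa_email, admin_email), signer))
    body = user_insert_body(new_user, "Test", "User", "ChangeMe-Now-1234",
                            admin_email.rsplit("@", 1)[1])
    print(json.dumps(create_user(token, body), indent=2))
```

The script needs the cryptography package (pip install cryptography) only for reading the .p12; everything else is standard library. Run it once against a throw-away test user in your domain before enabling the AirWatch integration, and delete that user afterwards.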

Chapter 5 - User Creation and Device Enrollment for Android for Work

To test the Android for Work enrollment process and the automatic user creation, you need either a directory user or a basic AirWatch user account whose e-mail address is in the domain registered with Android for Work.
For the following steps I have created a basic user account in AirWatch whose username and e-mail address are in that domain. This account does not yet exist in Google/Android for Work and should be created automatically.

My test device is already encrypted. If your device is not yet encrypted, the enrollment process pauses until the device has been encrypted and only then continues (this applies to Android for Work enrollment only, not to native AirWatch enrollment).

1. Download and install the AirWatch MDM Agent from the Play Store or side load the AirWatch MDM Agent by using the .apk file.

2. Open the AirWatch MDM Agent and provide either the e-mail address or server details to start the authentication process.

3. Type the username and password of the user and click CONTINUE.

4. The agent checks whether a Google account with this e-mail address already exists. If it does not, the following prompt appears. Click “Create Account”.

5. The e-mail address is populated automatically. To create the account, the user has to define a password. To skip this step, SAML authentication can be enabled instead (chapter 4, step 4).
For this example, I define a password for the Google Account.

6. The Android for Work profile setup begins. Click SETUP and then OK to accept the terms.

7. To validate the account, the user needs to log in to Android for Work. In the following screen click “Login”.

8. Type the password for the automatically created Google Account and click NEXT and then NEXT again.

9. If additional (AirWatch) configuration is required, the MDM Agent prompts for the corresponding actions. Once all steps are completed, the user ends up in the AirWatch MDM Agent, which confirms the successful enrollment.

The user will now see all work-badged applications at the end of the app list.

Questions?

To get help with any implementation questions, please CONTACT US.


About the author
Peter Giesa is AirWatch Certified Technical Post-Sales On-Prem Expert and works as Solution Architect & Senior Consultant for Aerion Solutions.

About Aerion Solutions
Aerion Solutions is AirWatch Elite Partner and VMware Enterprise Solution Provider in Finland with certified consultants and provides consulting and training services for AirWatch and VMware on-premise and SaaS implementations.