Enroll Android Enterprise devices in closed networks with Workspace ONE

As more customers migrate from the legacy Device Admin to Android Enterprise, I more and more often get questions about networks that have no Internet access (mostly rugged devices in retail, logistics and manufacturing, or high-security cases such as police or healthcare IoT). So I thought I’d leave a quick guide/FAQ here.

  1. How does closed network enrollment work?
  2. How to set it up in Workspace ONE UEM?
  3. Any caveats and other things to be aware of?

How does closed network enrollment work?

Android Enterprise has two modes: Work Profile (Profile Owner) and Work Managed (Device Owner). The third mode, COPE, is technically a combination of the above two and will change drastically in Android 11 (Google Post here, VMware post here).

Work Profile always requires a connection to Google servers for one simple reason: it only accepts apps from Managed Google Play. Thus it cannot be used in closed networks. Additionally, it is part of Google Mobile Services (GMS). If you are interested in Managed Google Play, I wrote a series of articles on it here.

Work Managed mode, however, does not rely on Google services, since it is baked directly into AOSP (Android Open Source Project) code, and thus may work even on devices without GMS. In addition, applications may be deployed to work managed devices directly, without using the Managed Play Store (however, with the recently announced enhancements to Managed Play, I would recommend using it whenever possible). Most importantly, this makes it the only Android Enterprise mode that can function without Internet access! (Though there are things to beware of, and I can’t guarantee that all MDMs support this.)

How does this work?

Typically, when a device is enrolled into Android Enterprise, a Managed Play Account is created for the device. This procedure, however, is handled by the MDM agent, so we can instruct the agent to skip it – that is all there is to it! Since the rest of AE Work Managed is baked into AOSP, there is not much to worry about (during enrollment, that is). The result is a Work Managed device, enrolled and fully functional, but without the Play Store. This means no public apps, but you will not need them in a closed network, will you?

How to set it up in Workspace ONE UEM?

Remember I said that the account creation is handled by the agent? This means that we can control it in two different ways: via the UEM console (for specific Organizational Groups) or via QR code/NFC during device enrollment (for specific devices, regardless of the console settings).

Configure the UEM console for closed network enrollment – existing Play integration

If you already have your console integrated with Managed Play (via EMM Registration), you will see an additional parameter in Devices & Users -> Android -> Android EMM Registration -> Enrollment Settings called “AOSP / Closed Network”. It comes with a handy description. Also note that COPE mode is disabled (since Work Profile requires Managed Play and Internet).

Enable closed network enrollment for a specific OG

To protect yourself from accidental errors, you may additionally disable Work Profile enrollment for this OG altogether in the Enrollment Restrictions tab.

Disable Work Profile enrollment for a specific OG

That’s it! Remember, you can configure it per OG, so your “normal” devices can enjoy the Managed Play Store, while your “closed network” devices work in a different OG – all in one instance!

Configure the UEM console for closed network enrollment – fresh tenant

If your tenant is fresh, you can completely skip the Play integration by selecting the appropriate checkbox.

Warning! This setting is irreversible! If you do it at a Customer (top) level OG – you will lock yourself out of any future use of the Managed Play Store, Work Profile, COPE etc.

Thus, I’d recommend implementing the Play integration and then using the previously described method to override a specific OG, keeping your options open for the future!

Completely disabling Google Play integration (usually a bad idea)

Enroll a specific device in Closed Network mode

As mentioned before, since the process is controlled by the MDM agent, we can also embed the setting into the enrollment QR code. Just select this option when creating the enrollment QR code in Devices -> Lifecycle -> Staging -> [+ Configure Enrollment].

That’s it! The device will ignore the console setting and always enroll in closed network mode.

Enabling closed network enrollment in the QR code

If you are using NFC enrollment, generate the QR code, scan it with any QR scanner, and you will see this Admin Extra at the end:

"aospEnrollment": "True"

Any caveats and other things to be aware of?

Yes!

  1. Public apps will not work (for obvious reasons), but Internal apps will not work either if the device is running Android 8.0 or newer! Basically, the app installer always checks connectivity to http://www.google.com (see the full KB here). The workaround is to use Product Provisioning (which uses Workspace ONE’s own installer without this check), or to fool the device into thinking that connectivity exists by redirecting www.google.com via your DNS to your own web server that returns HTTP 204. In short: use Product Provisioning (not every MDM has such functionality, however).
  2. I want to stress again that if you are configuring a fresh tenant and disable Play integration via “Deploy without Google Registration”, you will not be able to use it later! So better integrate, and then override. It costs you nothing.
  3. Finally, I would remind you that more and more valuable Android features are migrating to GMS and Play, so unless you absolutely have to, consider at least limited Internet access via a transparent proxy or firewall. You can check the list of ports and hosts here: https://ports.vmware.com/home/Workspace-ONE-UEM (type “Android” in the search bar).
  4. In my experience, some devices have hardcoded communication with Internet services (Google’s or the device vendor’s) and thus cannot finish enrollment. In some cases a chat with the vendor and a subsequent patch helped. In other cases, the devices had to be enrolled over an Internet-enabled network and only then moved to the closed production network. So, test before you buy!
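To illustrate the DNS-redirect workaround from caveat 1, here is a minimal HTTP 204 responder; this is an added example, not code from the article or from VMware. It assumes your closed-network DNS resolves www.google.com to the host running it and that the installer’s check is a plain GET/HEAD that only needs a 204 status; the Host-header restriction is an added hardening (my assumption, not required by the check) so the box answers only for that one name.

```python
"""Minimal HTTP 204 responder for the app-installer connectivity check.
Added example (not Workspace ONE code): run it on the host that your closed
network's DNS returns for www.google.com, as described in caveat 1."""
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Hostname the installer probes, per the article. Anything else gets a 404 so
# this box does not impersonate arbitrary names (added hardening, assumption).
ALLOWED_HOSTS = {"www.google.com"}


def connectivity_response(method, path, host):
    """Return (status, headers) for one request; 204 with no body means 'online'."""
    if method not in ("GET", "HEAD"):
        return 405, {"Allow": "GET, HEAD", "Content-Length": "0"}
    name = (host or "").split(":")[0].lower()  # strip any :port suffix
    if name not in ALLOWED_HOSTS:
        return 404, {"Content-Length": "0"}
    # The path is deliberately ignored: the check only cares about the status.
    return 204, {"Cache-Control": "no-store"}


class Handler(BaseHTTPRequestHandler):
    def _reply(self):
        status, headers = connectivity_response(
            self.command, self.path, self.headers.get("Host"))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()  # no body: a 204 must not carry one

    do_GET = _reply
    do_HEAD = _reply


def serve(bind="0.0.0.0", port=80):
    """Serve forever; binding port 80 normally needs root or a port capability."""
    with ThreadingHTTPServer((bind, port), Handler) as httpd:
        httpd.serve_forever()


if __name__ == "__main__":
    serve()
```

Keep this record in the closed network’s resolver only; the same DNS entry must never leak to a zone that Internet-connected devices use.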

Summary

Now you know what closed network enrollment is, how it works, how to configure it globally / for an OG / for an individual device, and what to be aware of.

Useful or not? Let me know your thoughts in the comments and on LinkedIn!
