In this document, you’ll learn how to configure Android for Work in SAP Mobile Secure.


Google’s Android for Work provides a dedicated work profile; hardware-based encryption and sharing restrictions ensure that business data (calendars, contacts, files and apps) is kept separate and safe from malware while personal information stays private. IT gets full control of all work-related policies, profiles and data, from distributing apps to wiping business information, and the standard Enterprise Mobility Management (EMM) framework delivers a consistent experience across all devices. In addition, IT can deploy business apps easily with Google Play and create apps quickly with the Android app framework. Android for Work integrates seamlessly with existing IT systems such as Microsoft Exchange, IBM Notes and Google Apps for Work.

Requirements

Let’s get started!

1. Browse to SAP Mobile Secure and log in (enter account, username, password)

2. Click Devices > Settings

3. Configure Android for Work Settings (by default you will be on the Domain Registration page). There are three steps to configure Google’s Business Domain.

Step 1 – Create a Google account – Follow the link https://www.google.com/a/signup/?enterprise_product=ANDROID_WORK and fill out the form using the domain listed in this section (e.g. account.sapmobileplace.com)

Fill out About you information:

Fill out About your business section (use your account domain):

Fill out your Google admin account information:

Complete security verification, click agree, and click Accept & create your account:

Step 2 – Verify Domain Ownership – Once you submit the Google account form, you’ll be prompted to verify domain ownership. Click Start to begin…

As part of this process, copy the complete meta-tag value.

Paste the Meta Tag (in SAP Mobile Secure AfW Domain Registration settings) and click Save Meta Tag:

Once the value is saved, click the “I have added the meta tag to my homepage” option in the Google verification step and click Verify.

Step 3 – Bind the Enterprise Domain – Once you complete the domain verification process, you need to bind the current account with Google: copy the token generated by Google (from the “Connect with your provider” window).

Copy the token:

Paste the token and click Bind to complete registration.

Click Finish (in the Google wizard). If you run into any issues, call the number provided in the window.

You’re all set! (leave this window open)

4. Configure Android for Work – Technical Settings

To enable automatic user creation and to perform Single-Sign-On configuration in the Mobile Place Google account, follow the steps described below and use the administrator credentials you created during your initial registration of the Mobile Place domain.

End-users use Mobile Place to self-enroll and each user must first be added to the Google Directory of the bound Google account in Mobile Secure to access Android for Work within Mobile Place. By providing the credentials fetched from Google using the procedure below, Mobile Secure will be able to create users within the Google Directory on demand as your users enroll their devices using Mobile Place.

Users included in the Google Directory of the bound Google account are created with the same username listed in Mobile Secure, along with their first and last name. The email address these users will use will be <username>@account.sapmobileplace.com, instead of the Mobile Secure email address. Each user is provided with a randomized, strong password that is not saved anywhere.
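
The provisioning behaviour described above, as an added example (this is not SAP Mobile Secure's code): it builds the request body for the Admin SDK Directory API `users.insert` call with a one-time random password that is never stored, plus a redacted copy for logging. The helper names, the conservative username rule and the lower-casing of the username are assumptions made for this example.

```python
import json
import re
import secrets
import string

DOMAIN = "account.sapmobileplace.com"  # example domain used on this page
_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"
# Assumed, deliberately conservative rule for the mailbox local part.
_USERNAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9._-]{0,62}[a-z0-9])?$")


def random_password(length=32):
    """Return a CSPRNG password containing lower, upper, digit and symbol."""
    if length < 12:
        raise ValueError("length must be at least 12")
    while True:
        pw = "".join(secrets.choice(_ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(not c.isalnum() for c in pw)):
            return pw


def build_directory_user(username, first, last, domain=DOMAIN):
    """Build a Directory API users.insert body for an enrolling user."""
    local = username.strip().lower()  # assumption: normalise to lower case
    if not _USERNAME_RE.match(local) or ".." in local:
        raise ValueError(f"unsafe username for a mailbox local part: {username!r}")
    return {
        "primaryEmail": f"{local}@{domain}",
        "name": {"givenName": first, "familyName": last},
        "password": random_password(),  # used once, never persisted
        "changePasswordAtNextLogin": False,  # sign-in is handled through SSO
    }


def redact(body):
    """Copy of the body that is safe to log: the password is masked."""
    return {**body, "password": "<redacted>"}


if __name__ == "__main__":
    user = build_directory_user("JDoe", "Jane", "Doe")  # constructed sample
    print(json.dumps(redact(user), indent=2))
```

Only the redacted copy should ever reach logs or audit trails; the real body goes straight to the API call and is then discarded.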

Step 1 – Create project on Google Developer’s Console

Log on to Google Developer’s Console – https://console.developers.google.com

Create a project:

Enter the project name, click agree, then click Create.

Enable Admin SDK and Google Play EMM API

Click APIs & auth > APIs > Google Apps APIs > Search “Admin” > select Admin SDK

Click Enable API (now go back to previous step and enable Google Play EMM API)

Navigate to APIs & auth > Credentials > Create new Client ID within the newly created project.

Choose Service account as the Application type and click Create Client ID

At first, you’ll be prompted to download and save a .json file; you can cancel the download (as it is not required).

Click “Okay, got it” on key pair alert dialog box

Click Generate new P12 key (and save this file to your local system)

You may leave this window open or retain the service account email address and Client ID for further configuration below.

Step 2 – Complete configuration on Google Admin Console

Log on to https://admin.google.com (if you still have the previous Google Business Domain wizard window open, navigate to it and click admin.google.com; otherwise open a new browser window to it).

Navigate to Security -> Advanced Settings -> Manage API client access

Click Show more…

Click Advanced Settings

Click Manage API Access

Manage API client access

  • Client Name – the service account Client ID from the Google Developer project
  • API Scopes – URLs from SAP Mobile Secure AfW Technical Settings #2C
  • Click Authorize

Once it’s authorized, you will see the client name and API scopes listed below.

Step 3 – Acknowledge SSO agreement

and

Step 4 – Enter the service account email and admin email, upload the P12 certificate, and click Save

This completes the setup of Android for Work in SAP Mobile Secure. Your (cloud or AD configured) users will be able to enroll from SAP Mobile Place, and the Android for Work profile will be inflated on the device along with any pre-configured AfW App and Configuration policies.

About: SAP Mobile Secure Cloud, Android for Work

About me: Dhimant Patel | LinkedIn | SCN
