In this document, you’ll learn how to configure Android for Work in SAP Mobile Secure.
Google’s Android for Work provides a dedicated work profile. Hardware-based encryption and sharing restrictions ensure business data – calendars, contacts, files and apps – is kept separate and safe from malware while personal information stays private. IT gets full control of all work-related policies, profiles and data – from distributing apps to wiping business information – and the standard Enterprise Mobility Management (EMM) framework delivers a consistent experience across all devices. In addition, IT can deploy business apps easily with Google Play and create apps quickly with the Android app framework. Android for Work also integrates seamlessly with existing IT systems like Microsoft Exchange, IBM Notes and Google Apps for Work.
- SAP Mobile Secure 2.7 (start your free 30-day trial)
Let’s get started!
1. Browse to SAP Mobile Secure and log in (input account, username, password)
2. Click Devices > Settings
3. Configure Android for Work Settings (by default you will be on the Domain Registration page). There are three steps to configure Google’s Business Domain.
Step 1 – Create a Google account – Follow the link https://www.google.com/a/signup/?enterprise_product=ANDROID_WORK and fill out the form using the domain listed in this section (e.g. account.sapmobileplace.com)
Fill out About you information:
Fill out About your business section (use your account domain):
Fill out your Google admin account information:
Complete security verification, click agree, and click Accept & create your account:
Step 2 – Verify Domain Ownership – Once you submit the Google account form, you’ll be prompted to verify domain ownership. Click Start to begin…
As part of this process, copy the complete meta-tag value.
Paste the Meta Tag (in SAP Mobile Secure AfW Domain Registration settings) and click Save Meta Tag:
Once the value is saved, click the “I have added the meta tag to my homepage” option in the Google verification step and click Verify.
Step 3 – Bind the Enterprise Domain – Once you complete the domain verification process, you need to bind the current account with Google: copy the token generated by Google (from the “Connect with your provider” window).
Copy the token:
Paste the token and click Bind to complete registration.
Click Finish (in the Google wizard). If you run into any issues, call the number provided in the window.
You’re all set! (leave this window open)
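A check for Step 2 above, added here as an example (it is not SAP or Google code): before clicking Verify, confirm that the pasted value is one complete meta tag and that the account homepage serves the same token inside `<head>`, which is where Google's site verification expects it. The function names and the sample tag and page are constructed for illustration.

```python
from html.parser import HTMLParser

META_NAME = "google-site-verification"

# Constructed sample values (not real tokens or a real homepage).
SAMPLE_TAG = '<meta name="google-site-verification" content="EXAMPLE-TOKEN-123" />'
SAMPLE_PAGE = "<html><head>" + SAMPLE_TAG + "</head><body>Mobile Place</body></html>"


class _MetaCollector(HTMLParser):
    """Collect verification tokens and whether each one sits inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.found = []  # (token, in_head) pairs

    def handle_starttag(self, tag, attrs):
        if tag in ("head", "body"):
            self.in_head = tag == "head"
        elif tag == "meta":
            a = {k: (v or "") for k, v in attrs}
            if a.get("name", "").lower() == META_NAME:
                self.found.append((a.get("content", "").strip(), self.in_head))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def extract_tokens(html):
    parser = _MetaCollector()
    parser.feed(html)
    parser.close()
    return parser.found


def check_homepage(pasted_tag, homepage_html):
    """Return (ok, reason) for the tag pasted into the AfW settings."""
    pasted = extract_tokens(pasted_tag)
    if len(pasted) != 1 or not pasted[0][0]:
        return False, "pasted value is not one complete meta tag"
    expected = pasted[0][0]
    served = extract_tokens(homepage_html)
    for token, in_head in served:
        if token == expected:
            return (True, "ok") if in_head else (False, "tag is outside <head>")
    if served:
        return False, "homepage serves a different token"
    return False, "no verification tag on homepage"
```

Pass the HTML of your account homepage (saved from the browser or fetched separately) as `homepage_html`; the block itself makes no network requests.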
4. Configure Android for Work – Technical Settings
To enable automatic user creation and to perform Single-Sign-On configuration in the Mobile Place Google account, follow the steps described below and use the administrator credentials you created during your initial registration of the Mobile Place domain.
End-users use Mobile Place to self-enroll and each user must first be added to the Google Directory of the bound Google account in Mobile Secure to access Android for Work within Mobile Place. By providing the credentials fetched from Google using the procedure below, Mobile Secure will be able to create users within the Google Directory on demand as your users enroll their devices using Mobile Place.
Users included in the Google Directory of the bound Google account are created with the same username listed in Mobile Secure, along with their first and last name. The email address these users will use will be <username>@account.sapmobileplace.com, instead of the Mobile Secure email address. Each user is provided with a randomized, strong password that is not saved anywhere.
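The on-demand user creation described above, sketched as an added example that is not SAP Mobile Secure's own code: it builds the body of a Google Directory API `users.insert` request with the same username, the first and last name, and a random password that exists only in that request. The function names, the username check and the password alphabet are assumptions made for illustration.

```python
import re
import secrets
import string

# Conservative local-part check (assumption; Google accepts more than this).
_USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,62}")
_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
            string.digits, "!#$%&*+-=?@^_")


def random_password(length=32):
    """Password from the OS CSPRNG with every character class present."""
    if length < len(_CLASSES):
        raise ValueError("length too short to cover every character class")
    alphabet = "".join(_CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in _CLASSES):
            return pw


def directory_user_body(username, first_name, last_name, domain):
    """Request body for creating one enrolling user in the bound domain."""
    if not _USERNAME_RE.fullmatch(username):
        raise ValueError(f"username not usable as an email local part: {username!r}")
    return {
        "primaryEmail": f"{username}@{domain}",
        "name": {"givenName": first_name, "familyName": last_name},
        # Sent once in the request and stored nowhere else.
        "password": random_password(),
    }


def loggable(body):
    """Copy of the request body that is safe to write to an audit log."""
    return {k: ("<redacted>" if k == "password" else v) for k, v in body.items()}
```

Because the password is never stored, anything that records the request (audit logs, debug traces) should go through a redacting step such as `loggable`.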
Step 1 – Create project on Google Developer’s Console
Log on to the Google Developer’s Console – https://console.developers.google.com
Create a project:
Input Project name, click agree, Create.
Enable Admin SDK and Google Play EMM API
Click APIs & auth > APIs > Google Apps APIs > Search “Admin” > select Admin SDK
Click Enable API (now go back to the previous step and enable the Google Play EMM API)
Navigate to APIs & auth > Credentials > Create new Client ID within the newly created project.
Choose Service account as the Application type and click Create Client ID
At first, you’ll be prompted to download and save a .json file… you can cancel the download (as it is not required).
Click “Okay, got it” on key pair alert dialog box
Click Generate new P12 key (and save this file to your local system)
You may leave this window open or retain the service account email address and Client ID for further configuration below.
Step 2 – Complete configuration on Google Admin Console
Log on to https://admin.google.com (if you still have the previous Google Business Domain wizard window open, navigate to it and click admin.google.com; otherwise open a new browser window).
Navigate to Security -> Advanced Settings -> Manage API client access
Click Show more…
Click Advanced Settings
Click Manage API Access
Manage API client access
- Client Name – Project Services Account Client ID from Google Developer Project
- API Scopes – URLs from SAP Mobile Secure AfW Technical Settings #2C
- Click Authorize
Once it’s authorized, you will see client name and API Scopes listed below.
Step 3 – Acknowledge SSO agreement
Step 4 – Input Service A/C Email, Admin Email, upload P12 Cert, and click Save
This completes the setup of Android for Work in SAP Mobile Secure. Your (cloud or AD configured) users will be able to enroll from SAP Mobile Place, and the Android for Work profile will be inflated on the device along with any AfW App and Configuration policies that are pre-configured.