Configuring mobile device management for Android devices
Perform the following tasks to complete the end-to-end process of configuring mobile device management in BMC Client Management:
Task | Description | Reference |
---|---|---|
1 | Review the prerequisites. | |
2 | Set up the mobile device manager. | |
3 | Set up a Google project and import a Google Service Account key. | |
4 | Set up authorized domains. | |
5 | Set up the terms and conditions. | |
6 | Create an Enterprise. | |
7 | Create an enrolment profile. | |
8 | Authorize users and the user groups. | |
9 | Send an enrollment invitation. | |
For more information about mobile device management capabilities, see Mobile-device-management.
Before you begin
Ensure that the following prerequisites are met before configuring mobile device management:
- At least one computer (physical or virtual) with internet access to serve as the mobile device manager. This computer is used to manage enrollment, notifications, and other communication with the managed mobile devices or external Clouds.
- A Google account to set up a project and obtain a Service Account Key for Android devices. For more information about the Google account, see Google Cloud Console.
- At least one directory server configured for authentication. The directory server must be able to authenticate the users who are enrolling their mobile devices. For more information about the directory server, see Directory-servers.
- An email system set up for sending and receiving emails. For more information about email settings, see Managing-email-settings.
- Email addresses defined in the directory server for the users who will enroll their mobile devices. The users receive the invitation on this email address and they must enroll their mobile devices using that email address.
To define and configure the mobile device manager
After verifying the prerequisites, the first step in configuring mobile device management is to define and configure a mobile device manager.
- In the left pane, click Mobile Device Management.
- Right-click Mobile Device Managers, and select Add Device.
- In the Add a new Mobile Device Manager dialog box, search or browse to select the computer, and click OK.
The computer is defined as the mobile device manager.
- In the left pane, select the newly defined mobile device manager.
- In the right pane, right-click any row and select Properties.
- In the Properties dialog box, specify the parameters:
- Select at least one Mobile Device Manager.
- Configuration of additional parameters is optional.
- (Optional) Specify a Server Name for the mobile device manager.
- (Optional) Specify a different Server Port.
The default port is 1661.
- (Optional) Specify the Server Certificate and Signing Certificates names.
- If these certificates are already installed, the certificate names are automatically populated.
- If these certificates are already available but not installed, you can put the certificate in the appropriate folder on the master server and specify the certificate file names in these fields. You can also select the option to install the certificates.
If you do not have certificates, you can purchase and install the new certificates. If the server certificate is not configured, a temporary certificate is issued each time the agent service starts up. The temporary certificate is issued by the currently configured BCM Certificate Authority (CA).
For more information about preparing and installing the certificates, see Adding an SSL certificate.
- (Optional) Specify the number of notification threads to be opened in Notification Thread Count.
The default value is 2. To disable notification, specify the value as 0. If two or more mobile device managers are configured with a value greater than 0, only one mobile device manager is used for notification.
- Click OK.
The mobile device manager is defined and configured.
To create and install a Google Service Account Key
After at least one mobile device manager is defined and configured, you need to complete settings for Google Cloud APIs.
In the Google Cloud Console, log in using your Google account, preferably a company-owned account.
Configure the Project to use. To do so, go to Enabled APIs & services.
- If the project is to be dedicated to Android device management, you should create a new Project.
- If you want to reuse an existing Project, select it from the Project list.
- Enable the Android Management API on the newly created or reused project.
To set the Google Service Account for Android Management API, see the Google documentation for instructions. You must set the Android Management API role on the service account. This role authorizes the service account to perform Android management operations.
To create a Key, go to the Google documentation for instructions. BMC Client Management requires a JSON key.
To install a Google Service Account Key
- In the left pane, select Mobile Device Management > Configuration > Android.
- Right-click in the right-hand pane and select Install Service Account.
- Locate the Service Account Key file that was saved to your computer earlier. Browse the directory hierarchy to the file's location and select it.
- Click Open.
The Service Account Key is imported and the account is linked to your Mobile Device Manager.
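Before importing the key, it is worth confirming that the downloaded file really is a JSON service account key and that other local users cannot read it. The following pre-import check is an added example, not part of BMC Client Management or of the original page; the function name `check_service_account_key` and all sample key values are constructed, and the field names are those of a standard Google service account JSON key.

```python
import json
import os
import stat
import tempfile

REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "token_uri")

# Constructed sample key: every value is a placeholder, not a real credential.
CONSTRUCTED_KEY = {
    "type": "service_account",
    "project_id": "example-mdm-project",
    "private_key_id": "0000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "mdm-manager@example-mdm-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
}


def check_service_account_key(path):
    """Return a list of findings for a service account key file; empty means OK."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # POSIX only: the file holds a private key, so group/other access is a finding.
    if os.name == "posix" and mode & 0o077:
        findings.append("file mode %o allows group/other access" % mode)
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except ValueError:  # covers JSON and UTF-8 decode errors, e.g. a P12 key
        return findings + ["not a JSON key file"]
    if not isinstance(key, dict):
        return findings + ["JSON top level is not an object"]
    missing = [f for f in REQUIRED_FIELDS if not key.get(f)]
    if missing:
        findings.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        findings.append("type is %r, not 'service_account'" % key.get("type"))
    if not str(key.get("client_email", "")).endswith(".gserviceaccount.com"):
        findings.append("client_email is not a service account address")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        findings.append("private_key is not a PEM private key block")
    return findings


if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as tmp:
        json.dump(CONSTRUCTED_KEY, tmp)
    os.chmod(tmp.name, 0o644)  # deliberately too open, to show the finding
    print(check_service_account_key(tmp.name))
    os.remove(tmp.name)
```

Once the import has succeeded, the copy of the key file left on the administrator's computer is still a usable credential and should be deleted or moved to protected storage.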
To add an authorized email domain
Configured users and user groups are shared between Apple and Android platforms. That means that a user configured through the Apple configuration panel is also configured and available in the Android configuration panel, but information may be incomplete:
- If you configure the user through Apple, you need to add Enterprise and Profile settings for Android.
- If you configure the user through Android, set the terms and conditions afterwards for Apple devices.
To enroll for mobile device management, users need an email address registered in the directory server. The email domain of this registered email address must be listed in the Authorized Email Domain list. For example, if the email domain of a user's registered email address in the directory server is bmc.com, then bmc.com must be listed in the Authorized Email Domains list.
The user must select the appropriate email domain from the list during enrollment. For example, if bmc.com, gmail.com, and yahoo.com are listed as authorized email domains and a user with email in the bmc.com domain is enrolling, the user needs to select bmc.com from the drop-down list.
- In the left pane, select Mobile Device Management > Configuration > Android > Enrollment.
- In the right pane, right-click in the Authorized Email Domains tab, and select Add Email Domain.
- In the Add an Authorized Email Domain window, specify the domain name that you want to authorize, and click OK.
The email domain is added as an authorized email domain.
To create terms and conditions
For Android devices, the terms and conditions are only displayed for the enrollment of personally-owned devices.
You can create multiple instances of the terms and conditions depending on your requirements. For example, you can create separate instances of the terms and conditions for users in different countries.
- In the left pane, select Mobile Device Management > Configuration > Terms and Conditions.
- Right-click Terms and Conditions, and select Create new Terms and Conditions.
- In the Properties window, specify the terms and conditions details, and click OK.
The new instance of the terms and conditions is created.
- In the left pane, select the newly created instance of the terms and conditions.
- Go to the Content tab and type or paste the text for the terms and conditions.
The text box supports plain text and HTML.
- Click Save.
The content of the terms and conditions is saved.
To create an Enterprise
- Go to Mobile Device Management > Configuration > Android > Enterprises.
- Right-click Enterprises and select Create Enterprise.
- Name your Enterprise. All other attributes are optional.
- To read the Google Android Management API terms and conditions, follow the link that is provided in the UI.
- Check that you have read and accepted Google Android Management API conditions.
- Click OK.
A new Enterprise is created in BMC Client Management.
Once the Enterprise is created in BMC Client Management, the mobile device manager requests that the operation is also executed in the cloud. The Enterprise, and each of the other Android Management API resources, has a status. The status indicates the operation's status in the cloud.
To create an enrolment profile
The profile contains all the rules that govern the management of the Android devices linked to this profile. An Android device cannot be enrolled in more than one profile. The enrolled device becomes part of the Enterprise that owns the profile. You can change the existing profile using Commands.
- Go to Mobile Device Management > Profiles.
- Right-click in the right window pane.
- Select Create Mobile Profile.
- Set the Properties to your Profile: name it, select a platform (Android), select an Enterprise from a drop-down list.
The profile is created in Client Management but the operation is not executed in the cloud until the profile has been configured at least once.
To add users (or user groups) to authorized users (or authorized user groups) list
Before you can invite users to enroll for mobile device management, you need to authorize them. From the directory server, you can either add individual users or add user groups to the list of authorized users or user groups respectively.
- In the left pane, select Mobile Device Management > Configuration > Android > Enrollment.
- In the right pane, right-click in the Authorized Users (or Authorized User Groups) tab, and select Add User (or Add User Group).
- In the Select a User (or Select a User Group) dialog box, search or browse to select the users (or user groups) you want to authorize for enrollment.
- Select an Enterprise, and from that Enterprise, select a profile.
- Click OK.
The selected users (or members of the user group) are authorized to enroll their mobile devices.
To invite users or user groups to enroll
After completing the preceding configuration steps, you can start inviting users to enroll for mobile device management. To enroll, the user must have an active account in the directory server with a valid email address. Also, the email domain of the registered email address must be added to the authorized email domains list.
- In the left pane, select Mobile Device Management > Configuration > Android > Enrollment.
- In the right pane, click the Authorized Users (or the Authorized User Groups) tab.
- Right-click the user (or the user group) you want to invite to enroll, and select Send Enrollment Email.
The Mail Settings dialog box is displayed.
- Select a Mobile Device Manager from the list.
The mobile devices enrolled using this invitation are enrolled on this mobile device manager. Also, all future communications with the enrolled mobile device are managed by this mobile device manager.
- Select the Language for the email.
The user receives the enrollment invitation email in the selected language.
- Click OK.
An enrollment invitation email with a link to complete the mobile device enrollment is sent to the users.
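The two enrollment conditions above (a valid directory email address, and an email domain on the Authorized Email Domains list) can be checked for a batch of users before invitations go out. The following pre-flight check is an added example, not BMC Client Management code; the functions `email_domain` and `preflight`, the user records and the exact, case-insensitive domain comparison are assumptions made for illustration.

```python
def email_domain(address):
    """Return the lower-cased domain of an address, or None if it is malformed."""
    local, sep, domain = (address or "").strip().rpartition("@")
    domain = domain.rstrip(".").lower()
    if not sep or not local or not domain or any(c.isspace() for c in domain):
        return None
    return domain


def preflight(users, authorized_domains):
    """Return (ready, blocked): user names that can be invited, and reasons for the rest."""
    allowed = {d.strip().rstrip(".").lower() for d in authorized_domains}
    ready, blocked = [], {}
    for name, address in users.items():
        domain = email_domain(address)
        if domain is None:
            blocked[name] = "no valid email address in directory"
        elif domain not in allowed:
            # Exact match only: a subdomain or a look-alike is a different domain.
            blocked[name] = "domain %s is not authorized" % domain
        else:
            ready.append(name)
    return ready, blocked


# Constructed directory records; the authorized domains are the page's own example.
SAMPLE_USERS = {
    "alice": "alice@bmc.com",
    "bob": "Bob@BMC.COM",
    "carol": "carol@mail.bmc.com",
    "dave": "dave@bmc.com.example.net",
    "erin": "",
    "frank": "frank@notbmc.com",
}
AUTHORIZED = ["bmc.com", "gmail.com", "yahoo.com"]

if __name__ == "__main__":
    ready, blocked = preflight(SAMPLE_USERS, AUTHORIZED)
    print("ready:", ready)
    for name, reason in blocked.items():
        print("blocked:", name, "-", reason)
```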
Where to go from here
Viewing-information-about-managed-mobile-devices
Managing-configuration-profiles-for-managed-mobile-devices