Managing Android devices

With KACE Cloud, you can manage your organization's Android devices and ensure they are secure and compliant with your policies, and also to prevent their data from being exposed to unauthorized users. This topic provides high-level instructions that allow you to start managing your Android devices.

KACE Cloud uses an agent to interact with managed Android devices. There are two types of agents that you can use, each requiring a specific enrollment path:

  • AMAPI enrollments use a Google Android Agent interacts with KACE Cloud through the Android Management API (AMAPI). This path requires a valid AMAPI configuration in Google Console and some additional setup steps in KACE Cloud.
  • EMM enrollments use a KACE Cloud Android agent interacts with KACE Cloud through the KACE Cloud app that must be installed on managed Android apps.

You can choose one or both enrollment paths, as needed.

After completing the steps associated with the desired enrollment path, you have an option to integrate with other enrollment providers and configurations, as required, such as integration with the KACE Systems Management Appliance. Finally, configure your email accounts, device passcodes, and other elements to comply with your organization requirements. You can link these configurations with KACE Cloud Policies to automate applicable processes and ensure your compliance requirements are in place at all times, to prevent any unpredictable issues.

The following procedure summarize the steps for getting started to manage your target devices:

  1. Ensure that your devices are supported by KACE Cloud.

    See the list of supported platforms for complete details.

  2. Ensure that you have access to KACE Cloud portal.

    When your subscription is provisioned, you will receive two emails from KACE Cloud that allow you to get started. See detailed instructions here.

  3. Optional. Add external users from your corporate account, if applicable.

    See LDAP Sync Service and Single-Sign On (SSO).

  4. Ensure that the device user accounts are properly configured in KACE Cloud.

    To enable new users to enroll their devices, you must ensure that their user account exists in KACE Cloud, and that the account has the Device User role. See detailed instructions here.

  1. Create a Google account.

    You must create the following accounts with Google:

    • An account to use the Google Play services, such as the Play Store and enrolling devices using the traditional Enterprise Mobility Management (EMM) Device Policy Controller (DPC) Android agent, also known as KACE Agent.
    • An account to use with the Google Android Management API (AMAPI). This account is necessary to use the newer Google-provided Android agent.

    See this topic for more details.

  2. Enroll Android devices by following the appropriate path (AMAPI or EMM).

    KACE Cloud uses an agent to interact with managed devices. The steps you need to complete before the actual enrollment process depend on the selected agent and the way the agent interacts with KACE Cloud. You can configure KACE Cloud to have one or both of the available paths (AMAPI and/or EMM) available to you, as needed. To switch from one enrollment path to another, you must unenroll and then enroll a device using a desired path.

    AMAPI enrollments
    1. Set up a Google Console project.

      The Android Management API integration requires a Google Console project that you must set up using your Google account. See detailed instructions here.

    2. Configure Android Management API.

      Specify the details needed to integrate KACE Cloud with the Google Android Management API. You need to provide some information from your Google Console project, such as your Project ID, Service Account Name, Secret Key, and Enterprise ID. See detailed instructions here.

    3. Optional: Integrate with automated enrollment providers.

      If your organization uses automated enrollment providers, you can integrate with them through KACE Cloud. For example:

    4. Ensure that the device user accounts are properly configured in KACE Cloud.

      To enable new users to enroll their devices, you must ensure that their user account exists in KACE Cloud, and that the account has the Device User role. See detailed instructions here.

    5. Enroll Android devices.

      There are different types of Android enrollments based on different scenarios. You can enroll personal devices and company-owned devices. To better understand the available enrollment scenarios, review this topic. Then, follow the enrollment instructions for the desired device type, as applicable.

    6. Optional: Install the KACE Cloud AMAPI Companion app on managed Android devices.

      Complete this step only if your target devices use digital certificates. Digital certificates allow administrators to identify devices and grant them access to your organization's resources. The KACE Cloud AMAPI Companion app extends the Google agent's functionality, allowing you to manage certificates on AMAPI-enrolled devices. See this topic for more details.

    EMM enrollments
    1. Link your Google Play organization with KACE Cloud.

      Linking your Managed Google Play Organization with KACE Cloud is a prerequisite for enabling Android enrollment and Android app management. See detailed instructions here.

    2. Optional: Configure silent authentication for Android devices.

      Complete this step only if you want to enroll Samsung Knox and Android Zero Touch devices without prompting their users for access credentials. To do that, generate a certificate in KACE Cloud to sign the initial enrollment request. See detailed instructions here.

    3. Optional: Integrate with automated enrollment providers.

      If your organization uses automated enrollment providers, you can integrate with them through KACE Cloud. For example:

    4. Ensure that the device user accounts are properly configured in KACE Cloud.

      To enable new users to enroll their devices, you must ensure that their user account exists in KACE Cloud, and that the account has the Device User role. See detailed instructions here.

    5. Enroll Android devices.

      There are different types of Android enrollments based on different scenarios. You can enroll personal devices and company-owned devices. To better understand the available enrollment scenarios, review this topic. Then, follow the enrollment instructions for the desired device type, as applicable.

  1. Specify common configuration settings.

    After enrolling your mobile devices, you can create and apply desired configuration changes. KACE Cloud maintains a configuration Library that you can use to create and manage your settings. For example:

    • Email: Email can be configured through an existing user account. The auto deploy option can be checked during the setup process. See Managing email accounts.
    • Device passcodes: Set up passcode defaults by selecting one or more devices under the Devices section, then choosing Passcode Rules in the right panel. Passcode rules can also be applied to one or more devices using a policy. Passcodes can then be managed by editing rule sets in the library. See Managing passcode rules.
    • VPN: There are unique VPN setup processes for the supported device OS types.
    • Wi-Fi: New Wi-Fi configurations can be added in KACE Cloud, then applied directly to a device or devices. The configuration can be added to the Wi-Fi Library for future installation, and the auto deploy option can be checked during the setup process. See Managing Wi-Fi configurations.

    See this topic for more details.

  2. Set up default policies.

    KACE Cloud policies allow you to automatically apply desired configurations in your dynamic environment, to enforce your compliance requirements. See this topic for more details.

  3. Optional: Finalize your setup by integrating with other configurations.

    If you are already a KACE SMA customer, you can configure the integration between KACE Cloud and KACE SMA. See detailed instructions here.