
New Android Enterprise Enrollment Flows

The latest release of the VMware AirWatch admin console – AirWatch v9.1 – boasts impressive new Android enterprise enrollment flows. While new functionality is always exciting, evaluating all of the options can be a bit confusing and overwhelming. What’s an admin to do? Today’s post uses a “Wizard of Oz” analogy to review all of the currently available enrollment options for Android enterprise, and make the workflows easier to evaluate.


Android Enterprise Enrollment Flows

Each Android device in your organization’s deployment requires enrollment to communicate with VMware AirWatch and access network resources. Android has two enterprise-focused enrollment modes: work managed device enrollment and work profile enrollment. This section explains the various enrollment workflows, and compares them to the Wizard of Oz.

If you want to skip the explanation, jump straight to:

Getting Started with Android Enterprise Enrollment.

Android Enterprise Modes

Before going into specific configurations and how-to steps, it is really important to understand the available enterprise modes for Android devices. Since the modes are as different as Kansas and Oz, use your organization’s device ownership structure to determine the best fit.

[Figure: Android Enterprise Enrollment Modes Comparison]

In this analogy, I think of the personal side of the device as Kansas, and the work side of the device as Oz. Devices in work profile mode live in two worlds at once, but devices in work managed mode are all Oz, all the time. See Understanding Android Enterprise Device Modes for more information. Warning, fancy analogy not included in reference material.

We’re Not in Kansas Anymore – Work Profile Device Enrollment

Work profile enrollment, also known as profile owner, is one of the older enterprise enrollment flows. It secures a connection between Android devices and your AirWatch environment. The process begins by downloading the AirWatch Agent from the Google Play Store. Then, the AirWatch Agent facilitates enrollment. Once enrolled, access relevant information and manage devices in real-time.


Dorothy and Work Profile Enrollment

For me, the post-enrollment device bears a strong resemblance to our tornado hopping friend – Dorothy Gale. In the Wizard of Oz, Dorothy experiences a dual reality. **SPOILER ALERT** At the same time she is in Kansas, she is also in Oz (in her dreams). In a similar way, a device enrolled into the work profile has a dual persona, because it exists as a work device and a personal device.

To review the enrollment procedure, see Enrolling Android Devices into Work Profile Mode.


We’re Off to See the (Android Setup) Wizard – Work Managed Device Enrollment

In situations where devices require strict monitoring and management, use the work managed device mode to provision devices with the data necessary to maintain end-user productivity. There are several ways to enroll work managed devices. However, each option makes use of the Android Setup Wizard in some capacity. Since these workflows all rely on a wizard, I thought immediately of Dorothy’s pals, who also rely on a wonderful wizard.

Lions, and Tinmen, and Scarecrows, Oh My!

Each of the available work managed enrollment workflows exhibits a behavior that reminds me of a specific member of Dorothy’s crew. This section explains the available options, and follows the explanation with a brief Wizard of Oz comparison.

“If I only had a brain” – AirWatch Relay with NFC Bump

The AirWatch Relay enrollment method is one of the older enterprise enrollment options. It involves the admin downloading and using the AirWatch Relay application to stage Android devices. Enrollment is completed in two steps, each referred to as an NFC bump. Bump one configures region, Wi-Fi, and any applicable advanced settings that apply to all the devices in your fleet. Bump two configures the enrollment settings and automates the enrollment process.

Scarecrow and AirWatch Relay Enrollment

The Scarecrow’s famous refrain is “if I only had a brain,” but ironically, he was the wisest of all of his friends. In a similar bit of irony, relay enrollment is almost a completely brainless experience for end-users. However, the actual enrollment procedure is more complicated than any of the others. How can this be? Well, relay enrollment is a staging enrollment. This means you, the IT admin, enroll the device for the end user.

To review the enrollment procedure, see Provisioning Work Managed Device with AirWatch Relay.

“If I Only had a Heart” – AirWatch Identifier

AirWatch identifier is one of the new enrollment methods introduced in AirWatch Console v9.1. It simplifies the enrollment procedure for administrators by having end users enter a simple identifier, or hash value, that pulls the AirWatch Agent to their devices.

AirWatch identifier = afw#airwatch

Tinman and AirWatch Identifier Enrollment

The Tinman’s famous refrain is “If I only had a heart.” As the Scarecrow’s foil, Tinman has the most heart out of all his companions. I compare AirWatch identifier enrollment to the Tinman, because this workflow requires the end user to have some heart. While there is a staging configuration available for this workflow, the basic workflow involves the end-user entering a number of inputs. While the information they need to remember isn’t exactly rocket science, they will have to care enough to read the email they get that has the AirWatch identifier in it.

To review the enrollment procedure, see Enrolling Work Managed Devices Using AirWatch Identifier.

“I even scare myself” – QR Code

QR code based enrollment is another method introduced in AirWatch Console v9.1. It sets up and configures work managed device mode by scanning a QR code from the setup wizard. This enrollment flow is ideal for an admin staging multiple devices before deploying to users or for end users enrolling their own devices with the QR code provided by an IT admin.

QR’dly Lion and QR Code Enrollment

This enrollment flow analogy is a bit of a stretch, and I’ll be honest, I really just like the turn of phrase QR’dly Lion. However, for those of you who need a better reason, here’s what I came up with. The Cowardly Lion’s willingness to take action despite suffering from crippling fear makes him the bravest of them all. Therefore, the QR code is for an admin who is afraid of their end-users messing up the enrollment process, but who isn’t going to let that stop them from giving devices to end-users. The QR code makes enrollment pretty user-friendly, so fear not! This workflow only requires a tiny amount of bravery.

To review the enrollment procedure, see Enrolling Work Managed Device Mode Using a QR Code.

Getting Started with Android Enterprise Enrollment

Android Enterprise Enrollment Flow Requirements

Before deploying Android devices, be sure to meet the Requirements for Deploying Android. To simplify the available information, I compiled requirements for the Android enterprise enrollment methods into a table:

[Table image: Android Enterprise Enrollment Flow Requirements]

Requirement: Complete AirWatch Console Setup

Android requires account integration in the AirWatch Console before devices can be configured with enterprise functionality. Integrating with Android accounts is the simplest and easiest method. Alternatively, G Suite customers can use the legacy method and integrate with Google accounts.

To integrate Android Accounts:

  1. Navigate to Settings > Devices & Users > Android > Android for Work.
  2. Configure the settings, and provide a Gmail address as the Google Admin Email.
  3. Google makes this Gmail account the admin for enterprise.
  4. Google redirects to the AirWatch Console, and setup completes – the status reports as Successful.

AirWatch Identifier Enrollment for Work Managed Devices

To enroll using the AirWatch identifier:

  1. On a factory reset device, tap Get Started.
  2. Establish a Wi-Fi connection on the device.
  3. When prompted to add a Google account, enter the identifier afw#airwatch.
  4. The setup wizard pulls the AirWatch Agent from the Google Play Store to the device.
  5. Tap Install to begin installation. When complete, the Agent opens.
  6. Select an Authentication Method to continue enrollment. There are two options:
     - Email Address: Uses a user email address autodiscovery system to enroll devices to environments and organization groups (OG). For example, end users enter
     - Server Details: Your organization’s unique enrollment environment and the Group ID that associates devices with the appropriate corporate role.
  7. Follow the remaining prompts to complete enrollment.
  8. Post-enrollment, profiles and applications begin pushing to the device.
  9. Navigate to Devices > Details View > Summary and check the Security section of the page for the installation status. A green check indicates success.

QR Code Enrollment for Work Managed Devices

To enroll using a QR Code:

  1. Power on the device.
  2. When prompted by the setup wizard, tap the Welcome screen six times in the same place.
  3. Connect to Wi-Fi.
  4. The setup wizard downloads a QR code reader app, which starts automatically once the download completes.
  5. Scan the QR code.
  6. The setup wizard downloads the AirWatch Agent configured with Server URL and Group ID information.
  7. Enter the user credentials.
  8. Follow the remaining prompts to complete enrollment.
  9. Post-enrollment, profiles and applications begin pushing to the device.
  10. Navigate to Devices > Details View > Summary and check the Security section of the page for the installation status. A green check indicates success.
