Advanced Mobile Device Management and Zero Touch Deployment in Google Workspace
At NextNovate, we’ve always been interested in more secure device deployments with less friction. With Google Workspace Enterprise, we’re able to achieve this for both iOS and Android devices. In this blog, we’d like to share what we learned about both the Advanced Mobile Device Management (MDM) solution in Google Workspace and the availability of Zero Touch deployments.
Pim van der Meer (Project & Change Manager @NextNovate)
Why use Google’s MDM?
There are some good reasons to start using Google Mobile Device Management:
Make things easier:
Do you have a need for employees to use certain apps or configurations for your networks? Advanced MDM can push this automatically to the devices. No need for lengthy and complex how-to documentation; just have your co-workers sign in to Google, and the rest is automated.
Control access to your data:
With MDM, you’ll get options to control which devices can get access to your company data. More specifically, you can require devices to adhere to certain configurations before they can access your data. It’s all about security!
Control rogue devices:
When you’re supplying pricey devices to your employees, of course, most of them value these devices and will take good care of them. But, in some cases, devices might get stolen or lost. With advanced MDM, you’re able to block these devices or put them in a state that freezes them with only your contact information shown to the user. Any data stored on the devices will not be retrievable.
Basic and advanced Mobile Device Management
When you consider using Google Workspace as your go-to device manager for your fleet of mobile devices, you’ve probably stumbled across the Basic and Advanced configurations for either iOS or Android. Google provides a great overview of the differences between Basic and Advanced mobile management. In short:
Basic MDM doesn’t require any agent or policy to be installed on the device, but it also doesn’t give you controls at the device level. You do, however, get capabilities at the account level: you can require a screen lock to be set on a device before users can use their Workspace apps, or wipe a Workspace account from a device.
Advanced MDM requires a device policy (app) to be installed. This gives admins full control over the device, or over the work profile of a device. The admin can install or block applications and configure device policies, such as which device functionality is allowed. A full device wipe is now within your powers.
If we look at different MDM solutions, we see that almost all of them implement a similar feature set as Google proposes with Advanced MDM. After all, MDM providers are all leveraging the same integrations that Apple and Google have allowed for iOS/Android device management.
Google, however, has a few very interesting advantages with Workspace’s MDM: it is free for any Google Workspace Enterprise or Business Plus organization, and it is user-based. The latter is particularly interesting to explore further.
Most MDMs require an admin to upload a policy, app, or agent on the device. This can either be done through Zero Touch deployments or manually. Once the agent is installed, the device is managed. Google however has an additional approach. If Advanced MDM is turned on for the Organizational Unit (OU) in which the Google Workspace user resides, any iOS / Android device the user tries to access Google Workspace data on will require the installation of the policy. And this is a task the user can easily accomplish themselves.
Why is this interesting, you say? With one (free) feature, you now manage ANY mobile device accessing your valuable company data. We reckon this will score you some points with the security department 😉
Basic configuration is a must-have for any Google organization
As you now know, the configuration of the Basic setting for Google’s MDM has no user impact; the user does not need to install anything on their device. The only requirement you set is that the mobile device is protected by a screen lock. That being said, Basic MDM does give you some great insights into which devices are connecting to your Google Workspace data, and allows you to wipe Google Workspace accounts from devices. So, even when you’re not considering Google’s Advanced MDM, we still recommend configuring the Basic MDM option!
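To show what those "insights" can look like in practice, here is an added example (not code from the original post) that triages a mobile device inventory for the posture gaps discussed above: no screen lock, devices synced without a device policy, unencrypted storage, compromised (rooted or jailbroken) devices, devices not yet approved, and devices that have gone quiet. It assumes the JSON shape of the Admin SDK Directory API `mobiledevices.list` response (field names such as `devicePasswordStatus`, `deviceCompromisedStatus` and `encryptionStatus` as documented there); the exact value strings compared against are assumptions, and the sample records are constructed.

```python
"""Triage a Google Workspace mobile device inventory for posture gaps.

Added example, not NextNovate's code. Field names follow the Admin SDK
Directory API mobiledevices resource; the value strings and the sample
records are constructed/assumed for illustration.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on a mobiledevices.list response (values invented).
SAMPLE_RESPONSE = json.dumps({
    "kind": "admin#directory#mobiledevices",
    "mobiledevices": [
        {   # Advanced-managed Android device that is fully compliant
            "resourceId": "dev-001", "email": ["alice@example.com"],
            "type": "ANDROID", "status": "APPROVED",
            "devicePasswordStatus": "On", "encryptionStatus": "Encrypted",
            "deviceCompromisedStatus": "No compromise detected",
            "lastSync": "2024-05-20T08:00:00.000Z",
        },
        {   # Google Sync-only device: no screen lock, unencrypted, not seen in months
            "resourceId": "dev-002", "email": ["bob@example.com"],
            "type": "GOOGLE_SYNC", "status": "APPROVED",
            "devicePasswordStatus": "Off", "encryptionStatus": "Not encrypted",
            "deviceCompromisedStatus": "No compromise detected",
            "lastSync": "2024-02-01T12:00:00.000Z",
        },
        {   # Rooted device still waiting for admin approval
            "resourceId": "dev-003", "email": ["carol@example.com"],
            "type": "ANDROID", "status": "PENDING",
            "devicePasswordStatus": "On", "encryptionStatus": "Encrypted",
            "deviceCompromisedStatus": "Device compromised",
            "lastSync": "2024-05-21T09:30:00.000Z",
        },
    ],
})

# Fixed reference time so the stale-device check is reproducible offline.
REFERENCE_TIME = datetime(2024, 5, 22, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=30)


def _parse_sync(ts: str) -> datetime:
    """Parse the RFC 3339 'Z' timestamps the API returns into aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def triage_device(dev: dict, now: datetime = REFERENCE_TIME) -> list[str]:
    """Return posture findings for one inventory record; an empty list means clean."""
    findings: list[str] = []
    if dev.get("status") != "APPROVED":
        findings.append(f"status {dev.get('status')}: not approved for data access")
    # Assumed value strings below; compare case-insensitively to be tolerant.
    if dev.get("deviceCompromisedStatus", "").lower() == "device compromised":
        findings.append("device reports as compromised (rooted/jailbroken)")
    if dev.get("devicePasswordStatus", "").lower() != "on":
        findings.append("no screen lock set")
    if dev.get("type") == "GOOGLE_SYNC":
        findings.append("synced via Google Sync only; no device policy installed")
    if dev.get("encryptionStatus", "").lower() != "encrypted":
        findings.append("storage not encrypted")
    last_sync = dev.get("lastSync")
    if not last_sync or now - _parse_sync(last_sync) > STALE_AFTER:
        findings.append(f"no sync in the last {STALE_AFTER.days} days")
    return findings


def triage_inventory(payload: str, now: datetime = REFERENCE_TIME) -> dict[str, list[str]]:
    """Map each device's resourceId to its findings."""
    devices = json.loads(payload).get("mobiledevices", [])
    return {d["resourceId"]: triage_device(d, now) for d in devices}


def devices_needing_action(payload: str, now: datetime = REFERENCE_TIME) -> list[str]:
    """Sorted resourceIds of devices with at least one finding (wipe/block candidates)."""
    return sorted(rid for rid, f in triage_inventory(payload, now).items() if f)


if __name__ == "__main__":
    for rid, findings in triage_inventory(SAMPLE_RESPONSE).items():
        print(rid, "OK" if not findings else "; ".join(findings))
```

In a real deployment the payload would come from an authenticated call to the Directory API with a service account that has the mobile device management scope; the triage logic is unchanged, and the list returned by `devices_needing_action` is the set you would review before blocking a device or wiping the Workspace account from it.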
Mobile Device Management Approaches
iOS and Android have different approaches to MDM within Google Workspace.
With Android, a device can be a work or private device. In the case of a work device, a Google Workspace account is always required to sign in to the main profile on the device. If the account used is under Advanced MDM, Android will install the Android Device Policy and adhere to the configuration set in the Google Admin. Other accounts can be added on an app level; e.g. a private mail account can be added to Gmail.
Is the Android device configured as a private device? In that case, the ‘main’ profile can be signed in with either a private Google account or a Google Workspace account that is not under Advanced MDM. If the user wants to sign in to a private Android device with a Google Workspace account under Advanced MDM, Android creates a so-called Work profile. A work profile separates the private and work apps and is a great option for a user-owned device.
Within iOS, there is no separation between business-owned or private devices if the device is user-enrolled into Advanced MDM (meaning no Zero Touch deployments are involved). iOS does not use Work profiles. Instead, any Google App has the ability to change ‘spaces’. You can view your Gmail from your private space (and only see your private email), or you can change it with a swipe to your business mail. Some apps, like Gmail, can also combine information from both spaces. This approach allows for a uniform experience for any business or user-owned device.
If the iOS device is enrolled through Zero Touch, however, the administrator gains ‘Supervision’ rights over the device. Apple uses Supervision to give even more options to administrators. Examples of features that are only available under Supervision can be found here.
Configuration of Advanced MDM in Google Workspace
For both Android and iOS, it is important to understand that when you turn on Advanced MDM for any OU, the users in that OU fall under Advanced MDM immediately with any iOS or Android device they are using. For this reason, we recommend strong communication upfront – before enabling any Advanced MDM features.
The main reason for clear communication upfront is to minimize employees’ worries about the powers administrators gain by enabling Advanced MDM. When Advanced MDM is installed on a bring-your-own device (BYOD), the administrator gets the power to remotely wipe an employee’s private device. Proper communication is a must in defining which powers IT gains and how they will be used.
The configuration of Advanced MDM itself starts with understanding your needs; what is it that you want to incorporate using Advanced MDM? For iOS, you’ll need to create an Apple ID from which you register Apple Push Notification Service certificates. This is an easy and free service, but it’s required to manage Apple devices.
Once the prerequisites to start with MDM are met, you can turn on Advanced MDM. This action itself is actually a flick-of-a-switch. Once on, any mobile device trying to access first-party Google Workspace apps will require the MDM profile to be installed.
Zero Touch Deployments
The actual pinnacle of MDM is obviously Zero Touch deployment. Zero Touch allows you to ship devices directly from your vendors to your end-users, without IT ever touching the devices. Zero Touch devices are configured to gather their device configuration directly from the vendor upon device activation. This configuration is provided to the vendor from the MDM (Google Workspace in our case). Any time the device is wiped, Zero Touch kicks in again and the configuration is retrieved from the vendor.
Both Android and iOS leverage a portal for admins to configure their Zero Touch device fleet. With Android, this is called the Android Zero Touch Portal. Apple leverages the Apple Business Manager (ABM) for similar purposes. In the vendor portals, the administrator can configure multiple zero-touch configurations and apply these to devices. The devices in these portals need to be added to the portals by your resellers (with an exception for devices added to ABM with Apple Configurator 2).
With Android, first, make sure that your current reseller is on the list of supported resellers. Reach out to your reseller and ask them to create an Android Zero Touch Portal instance for your organization. Also, request them to add any newly bought devices to the portal. Some resellers will be able to add previously bought devices to the console as well – if bought through them and sufficient proof is available for this.
Once you’ve gained access to the Zero Touch Portal, be sure to create a configuration for your Workspace domain. Apply the configuration to your devices. Be sure that the users using the Zero Touch configured devices have Advanced MDM enabled for them.
Once the user starts the device for the first time, the device is automatically configured as a “work device”. With Android Zero Touch, Work profiles are currently not supported. The user needs to sign in with a Google account from the domain specified in your configuration. If done correctly, the required configurations and applications are configured on the device. The device can be wiped from the Google admin console without activation lock requirements.
For iOS, make sure you’ve set up an Apple Business Manager account. Once set up, you need to make sure your devices are added to ABM. You also have to configure the Google MDM from here. Lastly, in ABM, make sure that you assign the MDM to the devices you want to be deployed through Google Workspace MDM. Make sure that Google Advanced MDM is turned on for any person receiving a device configured for zero-touch.
Once the user starts the device for the first time, he or she can configure the device to their liking – within the requirements set within the MDM. The administrator can configure which configurations are available to the end-user. During the setup process, the user is notified that the device is managed by your organization.
Once the setup process is completed, the only available app will be either the App Store (if the user hasn’t opted to sign in to an Apple ID), or the Google Device Policy App. The user needs to sign in to either. After signing in, all required apps will appear on the device and all configurations will be applied accordingly. iOS activation lock will be bypassed if the device is enrolled through zero-touch enrollment and wiped from the Google Admin Console.
To help you configure advanced mobile management for your organization on both iOS and Android, feel free to reach out to us! We can help you with a low-friction deployment of MDM in your organization.