The setup for the android phones are for the purpose of being able to add and remove applications quickly, and these devices are to be used for makerspaces, and by non device owners, so we want to make sure organization information and accounts can not be used or accessed unless it's something we want them to be able to allow. IE - No email access via app, restricting add/removing accounts. Allowing the use of the camera and connecting to a computer to transfer video/pictures.
First I'm going to go over the settings for the Cisco Meraki
first follow this guide Cisco has created. It is great documentation for setting up Android for work, up until you choose using a Google Managed Domain. This guide will cover setting up a Google Managed Domain with Meraki.
Step 1 - Go to Orgainization → MDM
Step 2 - Generate and Android EMM Provider selecting Google Managed domain.
Step 3 - To get the token you will need to login to your google admin and generate the token. Once you have done that you will add the domain and the token to your Meraki.
Step 4 - Then setup your meraki with the info provided and enroll your organization.
Step 5 - Configure Meraki Settings for Android. Go to System Manager → Settings
Step 6 - Add Profile
Step 7 - Add Device profile (default)
Step 9 - Restrictions
Step 10 - Passcode Policy
Step 12 - Privacy
Step 15 - Android System Apps
This can be setup to be black or whitelist. For the purposes I need using the whitelist is preferred.
Step 16 - Setting Up Devices
You have 3 options when configuring Android Devices.
- A work Profile (typically used when a user has a personal device)
- Device Owner (typically used for devices owned by the organization)
- Knox Enrollment (More info here)
Now the one I'll be using for these devices are device owner because I want complete control of the device (please refer to the Android Enterprise Deployment Guide for exact differences). When you go to assign the phone an account type in afw#meraki then put in the 10 digit code or scan the QR Code. This will add the device to the Meraki MDM. You will be prompted to add an account; the default will be Android Enterprise, but because this is not a meraki managed account, we need to use a different account to adding the device to the MDM which I have pre-configured in the Google Admin Console
Step 17 - If the device is not new Factory reset the device. Select the language as English US and English Canada
Step 18 - Set Internet Connection for Only WiFi Connection
Step 19 - Connect to a network
Step 20 - Accept Privacy Rights Terms
Step 21 - Setup As a New Device
Step 22 - Put in afw#meraki for the Google Account. This will start the android for enterprise enrollment.
Step 23. Sign in with an domain account you want associated with the device.
Step 24 - Accept the terms from the Google Device Admin and Install
Step 25 - Accept all elevation permissions from meraki and google device admin. Go to Settings -> Accounts and Remove the Android enterprise account.
Step 26 - Run all system updates applicable and install
Step 27 - Double check the keyboard by going Settings -> Language and Input -> Virtual Keyboard. You should See ZenUI Keyboard. Go to Manage keyboard and Disable Google Voice Typing. (This you will have to fix after security patches seems to been a ZenUI issue with Meraki)
Step 28. Disable Notifications by going to Settings -> Sound & Vibrartion -> enable do not disturb. Set to Until you turn this off. Disable - all from the allow list. Enable - Block when screen is on. Disable Notiification.