Google EMM Update Causes Organization Email Issues on Android

Before looking into the google admin issue I thought it was a problem with my device and wiped it clean, after that didn't work I looked into google admin for google workspaces.  

Here is some background on how the EMM provider was being used before today.  The EMM provider was setup to use with organization purchased devices, and the organization did not want to associate personal devices with the EMM provider (meraki in this case) and the changes google has made to their policy won't allow you to use Google for Staff (personal) devices and the EMM provider for organizational devices.  It seems that google now throws everything to the EMM provider if you have your domain associated with one.

I had to remove the EMM provider from the organization otherwise it was treating the device as an organizational purchased device.  When Google has made to Google Workspaces EMM Provider this caused Android devices in the organization to lose access to their Work Email. 

The organization requires data access control on devices so the only way I could get this to work was to embrace google work profiles; which isn't the best user experience but is the only way I could get this working. Google sent a notice in 2017, about the EMM Provider changes but a reminder about the coming changes would have been nice.

In an email to google about the issue, they replied with the following.

Thank you for contacting Google Workspace Support. This is ****** and I will be assisting you about how to fix the sync error you are encountering due to the old Device policy app that you are still using for your Android device. It is a pleasure assisting you.  Before we begin I would like to set the proper expectations about our new Android Device Policy app that replaced the Google Device Policy app. There is current known issue about the new Android Device Policy app that is still being checked by our Product Engineers, about a possible limitation of some Android Devices that cannot install the new Android Device policy app. And even if the app was installed, the Android device just could not be managed or simply said, the Android Device Policy app is not compatible with the Android device. However, in order to fix the sync issue these are the steps to follow. Resolution: If the device is for work and personal use: Re-register your device by removing your work profile and then adding back your Google Workspace account and work profile.    Open your device settings.  Tap Accounts and then Remove work profile. Tap Delete to confirm. Go to I’m using my own personal device and follow the steps to add your Google Workspace account and work profile. Assisted how to uninstall Device Policy app and install Android Device Policy app. remove Workspace Profile. Next steps: How do I switch to the Android Device Policy from the Google Device Policy app? If your device is for work and personal use and it "has a work profile": Remove the work profile. Open the Settings app and tap Accounts. Add the work account again and set up Android Device Policy. (A work profile is required for Android Device Policy.) My device is for work and personal use and "doesn’t have a work profile": Open the Google Apps Device Policy app. Tap Unregister. The work account is removed from the device. Open the Settings app and tap Accounts. Add the work account again and set up Android Device Policy. During enrollment, you must set up a work profile because it's required for Android Device Policy. Please check this help article for reference for the above steps:  About Android Device Policy: https://support.google.com/a/users/answer/9453213 If you have an issue on a Tablet that simply is not compatible with the Device Policy app. The only option we have is to change the Mobile management for Android Device. You currently have a Custom Mobile Device management that is set to Advanced. You can change this to Basic, the good thing about this is the Android Device Policy app is no longer needed. And this will simplify your log ins to any Device similar to your iOS devices. To change the Mobile Device management to Basic: From the Admin console > click Devices > Mobile &endpoints > Settings > Universal settings. On the next page > click General > Mobile management > change Android Mobile management to Basic. Please note: Only do this, if you believe you have no real need of the Advanced Mobile management option for your Android devices. Here are some helpful link(s) that you can use: Set up basic mobile device management:  https://support.google.com/a/answer/7400753 We value your time and effort in contacting us. That is why, I'm keeping this case open. If our resolution does not work, kindly reply to the email and provide me your phone number and best time of call, so that I can work further with you on this. It's either we can do a screen sharing session or if you send me a video or screen shot of the error that will help me identify the issue. This case will remain active and can be reopened within 30 days. If there are other concerns aside from what we've discussed, our main priority is to provide the best support experience, with this in mind, if you need assistance during this time feel free to reply to my email or call us or initiate a chat session for immediate help and this is the link for reference https://support.google.com/cloudidentity/answer/7668654 . We have 24/7 support and any of my colleagues will be glad to help. Don't forget to generate a PIN should you give us a call. You can refer to this article for instructions on how to do so https://support.google.com/a/answer/60233. Thank you for choosing Google Workspace and have a wonderful day. Sincerely,   ***** Google Workspace Support

Here are some additional information linked below

https://www.blog.google/products/android-enterprise/da-migration/
https://developers.google.com/android/work/device-admin-deprecation


To resolve the issues I removed the EMM provider so google workspaces would handle the MDM for android; as there can't really have a separation of the two anymore it seems.

So in the MDM (Meraki) I removed android enterprise from the google domain, so android devices are just managed by google workspaces.

Once that was done after a few minutes I was able to start to get my work profile working correctly from google by adding a work profile.  Here are the universal settings for how android devices are setup.

Universal Settings

You must ensure that work profile setup is enable on in your Android Settings

For users to connect their android devices they require a work profile. This will be slightly different for every android device but the steps would be relatively the same.

Remove your current work account from your device, Please note that you will only be able to have one work account associated with a device at a time (so if you need other accounts you will have to find a work around)


1 - Add the account by pressing the arrow next to your name and email.

2 - Select "Add another account".

3 - Select Google for the Account.

4 - Enter in your Email and Password

5 - Accept the Terms Of Use

6 - Install Google Device Administrator

7 - Press Install

8 - Create your google work profile. It will take about 5 to 10 minutes to create the work profile.  So Please be Patient.

Setting up google work profile

Screen after accept and continue

Almost Finished

When it is finished it should show you the added account.

Now you will have two different apps. Work Apps and Personal Apps.

Personal

Work

Work apps are shown by the little briefcase on the app.

Work apps can be paused (turned off) which will stop notifications from reaching you which can be enabled or disabled from the apps drawer.

In your Gmail app you can switch from personal and work email easily but you have to go from the account icon in the top right to switch.

I understand why google set things up like this; putting the separation between work and personal settings, making it easier to wipe devices, and remove access, etc.  It isn't as "user friendly" as I would have liked it to be and it will be a transition for some users.

Whitelisting access to the Igloo Action Button

What is the Igloo action button?

The action button gives you access to administrative tools for each page and various features within the digital workplace. These tools allow you to edit the current page, view subscriptions, change access and much more.

Now for most users they don't need to see the action button, however if a user is given any permissions of edit and above, you get access to the action button which will allow you to customize the look of your page, add widgets, etc.

For my use case we wanted users to be able to add and edit posts but did not want them to be able to add widgets or make changes to the page.  Since Igloo lacks this kind of granular permission, the following Javascript will whitelist the action button according to who is logged in.

This is done using the Igloo.currentUser.name property you can read when using SAML

Read more about the Igloo SAML variables.
 

<script type="text/javascript">

//<![CDATA[

switch (Igloo.currentUser.name){

default:

document.getElementById('contentmenu').style.display = 'none';

break;

case "Dylan Hunt":

document.getElementById('contentmenu').style.display = 'visible';

break;

case "Beka Valentine":

document.getElementById('contentmenu').style.display = 'visible';

break;

case "Shamus Harper":

document.getElementById('contentmenu').style.display = 'visible';

break;

case "Trance Gemini":

document.getElementById('contentmenu').style.display = 'visible';

break;

}

//]]>

</script>