Guide for existing EMM partners

EMM partners already using the Google Play EMM API can use the Android Management API to support the following solution sets:

The Android Management API is a self-contained API that eliminates the need for you to create your own Device Policy Controller (DPC). Instead, managed devices use Android Device Policy to enforce policies app and device management policies sent via the API.

Overview of authentication methods

You can choose one of the following authentication methods for calling the Android Management API and the Google Play EMM API:

  • Service account configured via Cloud IAM (recommended), the same way as new partners.

  • Programmatically created ESAs, the old approach.

You can change authentication method at any time, for both new and existing customers, and the two methods can be used simulateneously.

With this authentication method you call the APIs with a unique service account registered with your Cloud project via Cloud IAM.

Advantages

  • You can create enterprises using any of the two APIs, including the new fully programmatic enterprise creation available in the Android Management API.
  • You can monitor and adjust API quotas (for both APIs).

Limitations

  • This method is incompatible with on-premise deployments because the service account is unique for the EMM. Support for on-premise deployments is in development, please reach out via the Android Enterprise EMM Provider community for more details.
  • The Play EMM API notifications are unavailable with this method (notifications are used by very few EMM partners).

Setup {cloud-iam-setup}

To use this authentication method you need to set up your Cloud project and service account:

  1. Set up your Cloud project:

    1. Select or create a project.

      Go to the Projects Page

    2. Sign into the Android Enterprise EMM Provider community. You must be a registered EMM to have access to this site.

    3. Open the EMM product modification form.

    4. Enter the required information, including your associated DPC identity and Cloud Project ID.

    5. Submit the form and wait for confirmation from Google that your project has been registered.

  2. Follow the instructions for creating a service account. You can change your service account at any time as long as it has the role Android Management User on the Cloud project configured via the Android Enterprise EMM Provider community.

Create an enterprise

To create an enterprise when using a service account configured via Cloud IAM, you can use either the Android Management API or the Google Play EMM API:

  • If using the Android Management API, call enterprises.create and specify the Cloud project configured above.

  • If using the Google Play EMM API, use your MSA (which may be the same service account as the one configured above) to call enterprises.generateSignupUrl and enterprises.completeSignup.

Note that enterprises created using the Android Management API can never be managed using a programmatically created ESA, and should always be managed using a service account configured via Cloud IAM. Enterprises created using the Google Play EMM API can be managed using any authentication methods.

Using programmatically created ESAs

Limitations

  • You cannot use the fully programmatic enterprise creation in the Android Management API.
  • You cannot monitor and adjust API quotas.

Setup

To use this authentication method you need to set up your Cloud project:

  1. Select or create a project.

    Go to the Projects Page

  2. Sign into the Android Enterprise EMM Provider community. You must be a registered EMM to have access to this site.

  3. Open the EMM product modification form.

  4. Enter the required information, including your associated DPC identity and Cloud Project ID.

  5. Submit the form and wait for confirmation from Google that your project has been registered.

Use this Cloud project to set up Pub/Sub notifications.

Create an enterprise

To create an enterprise when using programmatically created ESAs, you need to use the Google Play EMM API.

Note that enterprises created using the Android Management API can never be managed with a programmatically created ESA.

Migrate from programmatically created ESAs to Cloud IAM

To migrate from using programmatically created ESAs to using a service account configured via Cloud IAM, proceed in the following order:

  1. Follow the instructions to create and set up your service account. You can alternatively reuse your existing MSA instead of creating a new service account, if doing so ensure that you have registered your Cloud project in the community and granted the role Android Management User to your MSA.

  2. Use this new service account to call the Play EMM API instead of the programmatically created ESAs.

  3. Stop creating programmatically created ESAs when creating a new enterprise. This means you should no longer call the methods enterprises.getServiceAccount and enterprises.setAccount of the Google Play EMM API.

  4. Optionally, create enterprises using the fully programmatic enterprise creation in the Android Management API, instead of the Google Play EMM API. This will simplify the onboarding for your customers.