© 2013 AirWatch, LLC. All Rights Reserved.

This document, as well as the software described in it, is furnished under license. The information in this manual may only be used in accordance

with the terms of the license. This document should not be reproduced, stored or transmitted in any form, except as permitted by the license or by

the express permission of AirWatch, LLC.

Other product and company names referenced in this document are trademarks and/or registered trademarks of their respective companies.

Android for Work – Provisioning a Work Managed Device | v.2015.06 | June 2015

Copyright © 2011 AirWatch, LLC. All rights reserved. Proprietary & Confidential.

Android for Work – Provisioning a Work

Managed Device

For AirWatch v8.0 FP2

Android for Work – Provisioning a Work Managed Device | v.2015.06 | June 2015

Copyright © 2011 AirWatch, LLC. All rights reserved. Proprietary & Confidential.

Page 1

Android for Work – Provisioning a Work Managed Device

Overview

Android for Work has two modes that can be used depending on ownership of the device. The Android for Work – Work Profile

can apply to either BYOD or Corporate owned devices as it creates a dedicated storage area on the device for only business

applications and content. This allows AirWatch to only control this business dedicated space (the Work Profile) and not control

the entire device.

Again, this is great for BYOD and certain corporate ownership scenarios but some scenarios require control over the entire

device. Because of this, Google has created a true corporate ownership mode that allows AirWatch and the IT administrator to

control the entire device. This mode is known as “Work Managed Device” mode. The purpose of this document is to describe

how to provision/setup a device in “Work Managed Device” mode and enroll it into the AirWatch EMM server for

management.

Parent vs Child Devices

Provisioning the Work Profile mode vs the Work Managed Device mode is different. For the Work Profile, a user will go to the

Google Play Store using their personal Google account and download/install the agent and enroll. Since the user gets the agent

from the Play Store, AirWatch will setup the Work Profile as this will be for BYOD scenario.

Setting up a Work Managed Device mode requires a staging process. This means that since the devices being provisioned are

truly for corporate ownership, they will be staged and enrolled by the IT administrator before being given to an end user. This

will require a staging device or a “parent device” that will stage a “child device”. The parent device will have an application

called the AirWatch Relay installed on it. This application will relay information through NFC telling the child device to:

� Set the device date/time and locale

� Connect to the staging Wi-Fi network

� Download the latest production version of the AirWatch Agent for Android

� Silently set the AirWatch Agent as device administrator

� Automatically enroll the agent into AirWatch

Note: the child device must be in a factory reset state and support/have NFC turned on by default in order to be provisioned

into Work Managed Device mode. This will guarantee that the device is not setup for personal use.

Using the AirWatch Relay Application

The AirWatch Relay Application can be downloaded and installed on the parent device from the Google Play Store by searching

for “AirWatch Relay”.

� Launch the app and you will see wizard screens explaining what the application is for. Choose Skip to skip the

entire wizard or Swipe Left or Next to navigate through the wizard

Android for Work – Provisioning a Work Managed Device | v.2015.06 | June 2015

Copyright © 2011 AirWatch, LLC. All rights reserved. Proprietary & Confidential.

Page 2

� For AirWatch Admins – “For Admins to quickly bulk enroll Android for Work devices into AirWatch. This is not

an end user application.”

� Provision Android for Work – “Automatically connect an end user’s device to Wi-Fi to silently download and

install the AirWatch Agent and provision Android for Work.” Next

� Perform NFC Bump – “Simply place devices back to back to start the provisioning process.” Get Started

Android for Work – Provisioning a Work Managed Device | v.2015.06 | June 2015

Copyright © 2011 AirWatch, LLC. All rights reserved. Proprietary & Confidential.

Page 3

� After the wizard, you will see the main landing page where you will have to do two configurations which

represent the two NFC bumps that will be performed. Select Setup for the Connect portion.

� For the Connect setup you will define the Region settings which include the Time Zone and Locale information.

It also includes the Wi-Fi network that will be used to connect to and download the AirWatch Agent. The

AirWatch Agent download location is hardcoded into the app and is stored and secured in a central repository

owned by AirWatch.

� Once complete, you can perform the first NFC bump by bringing the Parent and the Child devices back to back.

Remember to make sure the Child device is in a factory reset state.

Android for Work – Provisioning a Work Managed Device | v.2015.06 | June 2015

Copyright © 2011 AirWatch, LLC. All rights reserved. Proprietary & Confidential.

Page 4

� Once you put the devices back to back and Touch To Beam the child device will automatically connect to the

Wi-Fi network you defined in the Android Relay application.

� Then it will automatically download the Admin app which in this case is the AirWatch Agent.

� Then it will silently install the AirWatch Agent.

Android for Work – Provisioning a Work Managed Device | v.2015.06 | June 2015

Copyright © 2011 AirWatch, LLC. All rights reserved. Proprietary & Confidential.

Page 5

� Then it will set the AirWatch Agent as the device administrator, also known as the device owner.

� Once set, it will take the user to the home screen to show that the first NFC bump and first part of provisioning

the device as a Work Managed Device is complete

� You can prove the device is in a Work Managed Device mode by navigating to the device settings->security-

>device administrators and you will see that AirWatch Agent is a device administrator and cannot be de-

activated. Also notice from the native launcher that there are only a handful of apps that are allowed. Any

other applications that will be shown on the device will need to be approved by the administrator through the

AirWatch console.

Android for Work – Provisioning a Work Managed Device | v.2015.06 | June 2015

Copyright © 2011 AirWatch, LLC. All rights reserved. Proprietary & Confidential.

Page 6

� Once complete, you can continue on provisioning other Child devices with the first NFC bump to get to this

point or go on to the second NFC bump to complete AirWatch enrollment.

� To perform the second NFC bump, go back and open the Parent application and navigate to the Enroll Setup

screen.

� From here, define the AirWatch Server URL, organization Group ID, Staging User and Staging Password which

will be used to automatically enroll the device with the second NFC bump.

� Perform the second NFC bump by again placing the Parent and Child devices back to back and Touch To Beam.

This will launch the AirWatch Agent and begin enrollment.

Android for Work – Provisioning a Work Managed Device | v.2015.06 | June 2015

Copyright © 2011 AirWatch, LLC. All rights reserved. Proprietary & Confidential.

Page 7

� The only manual entry required will be entering the password for the corporate Google account tied to the

enrollment user used to enroll. You will be prompted with the Google account password screen. Enter this here

and select Next.

� Success! You are now enrolled into AirWatch and profiles and applications will start to push and install.

� Once complete, you can continue on provisioning other Child devices with the second NFC bump to get to this

point.

Android for Work – Provisioning a Work Managed Device | v.2015.06 | June 2015

Copyright © 2011 AirWatch, LLC. All rights reserved. Proprietary & Confidential.

Page 8