Creating an Android Enterprise Device Policy
About this task
Procedure
- From the main hamburger menu in the top-left corner, open the Enrollment Policies window.
- Select New Enrollment Policy. The Enrollment Policy wizard launches.
- Select the device family type. The General tab opens.
- On the General tab, enter a name and description for the policy. Make the name brief but descriptive, especially if you plan to create many enrollment policies.
- Select one of the following enterprise binding options:

  | Google Account Type | Description |
  | --- | --- |
  | Managed | Select a Managed Enterprise Account from the list or select Manage Accounts to delete accounts or add new ones. See Enterprise Bindings for more information. |
  | Domain | Select a Google Domain from the list or select Manage Accounts to delete accounts or add new ones. See Enterprise Bindings for more information. |
  | None | No enterprise binding. |

- Select Next. The Device Type tab opens.
- Select one of the following device management types:

  | Management Type | Description |
  | --- | --- |
  | Work Managed | On a Work Managed device, the organization manages the entire device. You can view and control apps, data, and settings through SOTI MobiControl. See Android Enterprise Work Managed for details. |
  | Work Profile | A device with a Work Profile is a personal device owned by the device user. This management style is often called Bring Your Own Device (BYOD). You can choose to enroll devices via Android Enrollment API (AMAPI). For more information about work profiles, see Android Enterprise Work Profile. |
  | Corporate Personal | On a Corporate Personal device, the organization manages the entire device but allocates a section (or container) for the user's personal apps and data. See Android Enterprise Corporate Personal for details. |

- Select Next. The Groups tab opens.
- Choose if the enrollment requires authentication. No authentication means that devices can enroll without user verification. If you require authentication, select one of the following authentication options:

  | Authentication | Description |
  | --- | --- |
  | Password | Type a single password for use across all devices that enroll with this policy. |
  | Directory | Select to add directory groups. Choose a directory service from the list and use the Search Groups field to find a group. You can add a new directory service connection by selecting Manage Services. From the menu, choose Directory, Identity Provider, or SOTI Identity. See Identity Management for more information. Once you add the directory group, select a device group destination and applicable terms and conditions. |

  Tip: Users must configure OpenID Connect (OIDC) in Microsoft Entra ID to make the configured directory visible in an enrollment policy. Additionally, the server URI for the SOTI MobiControl server on Microsoft Entra ID must be in this format:

  `https://{server name}/mc/duas/oauth/2.0/azure/handleAuthCode`

  Replace `{server name}` with the name of your SOTI MobiControl server.

  Selecting Directory enables the following configuration to manage device unenrollment if the associated Active Directory user becomes inactive:

  | Feature | Description |
  | --- | --- |
  | Enable Unenrollment Actions | Toggle this option to manage device unenrollment actions. Restriction: This feature is applicable only to Microsoft Active Directory connections. |
  | Set Actions for Disabled Active Directory Users | Choose from the following device actions when the Active Directory user becomes inactive. Disable Device: Disconnects a device from the SOTI MobiControl deployment server. Disconnected devices do not receive configuration changes or updates from SOTI MobiControl until re-enabled. Unenroll Device: Unenrolls a device from SOTI MobiControl management, allowing you to refresh it for a new user or with an enrollment policy. |

  Note: Requires enabling Check for Disabled Users from Microsoft Active Directory Services in Global Settings.

  Note: Device unenrollment from SOTI MobiControl occurs only after SOTI MobiControl queries and verifies the status from Active Directory. Due to potential latency between SOTI MobiControl and Active Directory services, users should not expect immediate unenrollment.

  Note: The query used for identifying inactive users from Active Directory is:

  `(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))`

  Refer to the link for more information.

- Select Next. The Settings tab opens.
- Select from the available settings, then select Finish. You have created a new enrollment policy, and the Enrollment Policy Info page displays.

  Tip: This page lists policy details and device enrollment options. You can also choose how to install the SOTI MobiControl Device Agent on devices by using an available APK file or downloading an INI file. Configuring a QR code to enroll Android Enterprise devices is also an option.
- Select OK to complete the process.
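
To see which accounts the Active Directory query quoted in the authentication step selects, the following added example (not part of the original page and not SOTI MobiControl code) evaluates that filter offline against constructed directory entries. It goes slightly beyond the page by also handling the companion bitwise-OR matching rule; the function names and sample accounts are assumptions made for illustration.

```python
import re

# Active Directory matching-rule OIDs for bitwise tests on integer attributes.
BIT_AND = "1.2.840.113556.1.4.803"  # match when every bit of the value is set
BIT_OR = "1.2.840.113556.1.4.804"   # match when any bit of the value is set
# Filter copied from the note on this page.
PAGE_FILTER = "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"
CLAUSE = r"\((\w+)(?::([\d.]+):)?=([^()]*)\)"

def parse_and_filter(text):
    """Split a flat (&(...)(...)) filter into (attribute, rule OID, value) tuples."""
    if not (text.startswith("(&") and text.endswith(")")):
        raise ValueError("only a flat AND filter is handled here")
    body = text[2:-1]
    if not re.fullmatch(f"(?:{CLAUSE})+", body):
        raise ValueError("unsupported clause in filter")
    return re.findall(CLAUSE, body)

def clause_ok(entry, attr, rule, value):
    """Evaluate one clause against one directory entry (a dict)."""
    have = entry.get(attr)
    if have is None:
        return False
    if rule in (BIT_AND, BIT_OR):
        hit = int(have) & int(value)
        return hit == int(value) if rule == BIT_AND else hit != 0
    if rule:
        raise ValueError(f"unknown matching rule {rule}")
    values = have if isinstance(have, list) else [have]
    return any(str(v).lower() == value.lower() for v in values)

def disabled_users(entries, ldap_filter=PAGE_FILTER):
    """Names of the entries the filter selects."""
    clauses = parse_and_filter(ldap_filter)
    return [e["sAMAccountName"] for e in entries
            if all(clause_ok(e, *c) for c in clauses)]

# Constructed sample entries. 512 = NORMAL_ACCOUNT, 2 = ACCOUNTDISABLE,
# 65536 = DONT_EXPIRE_PASSWORD, so 514 and 66050 carry the disabled bit.
USER = ["top", "person", "user"]
SAMPLE = [
    {"sAMAccountName": "alice", "objectClass": USER, "userAccountControl": 512},
    {"sAMAccountName": "bob", "objectClass": USER, "userAccountControl": 514},
    {"sAMAccountName": "carol", "objectClass": USER, "userAccountControl": 66050},
    {"sAMAccountName": "dave", "objectClass": USER, "userAccountControl": 66048},
    {"sAMAccountName": "staff", "objectClass": ["top", "group"]},
]

print(disabled_users(SAMPLE))  # ['bob', 'carol']
```

The filter tests only the ACCOUNTDISABLE bit of userAccountControl, so an account whose value lacks that bit is not selected, whatever other flags it carries.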