Skip to main content
This guide applies to Android devices
Android devices in Iru Endpoint use the Android Management API with work profile management for secure enterprise device management. This approach provides complete separation between work and personal data while giving organizations full control over work-related applications and policies. For enabling the Android platform and a quick enrollment overview, see Android Setup and Android Enrollment.

How Android Enrollment Works

Android enrollment in Iru Endpoint uses Google’s Android Management API to create and manage work profiles on Android devices. When users enroll their devices, a work profile is created that completely isolates work applications and data from personal content. Blueprints can use Assignment Maps to apply conditional logic based on device attributes, user information, or other organizational criteria. The enrollment process establishes a secure connection between the Android device and Iru Endpoint through Google’s Android Management API, providing enterprise-grade security and management capabilities while maintaining user privacy for personal data.

Prerequisites

Before configuring Android enrollment, ensure you have:
  • Android Enterprise configured in Iru Endpoint (see Android Setup)
  • Super admin access to your organization’s Google Admin console (learn more about super admin roles)
  • Third-party Android mobile Management enabled in Google Workspace (see Android Setup)
  • Company-owned Android devices in factory reset state (Android 7.0+ required for QR code enrollment)
  • Blueprint configured for Android devices
  • (Recommended) Single sign-on (SSO) configured for secure authentication

Configure Android Enterprise

Complete Android platform enablement and Android Enterprise integration before configuring enrollment. See Android Setup for enabling the Android platform in Organization settings.

Configure Android Enrollment

1

Configure Enrollment Portal

a. Go to EndpointEnrollmentManual Enrollment in Iru Endpoint.b. Ensure the Enrollment Portal is active.c. Under Choose an enrollment method, select Android work profile and locate the desired Blueprint. Copy the Blueprint link for that Blueprint. If Require authentication is enabled on the Blueprint, end users will need to authenticate to view the instructions.
2

Configure authentication

a. Click the Blueprint and select Require authentication if you want users to authenticate prior to enrollment. Optionally check the box to Assign user to device record to match the authenticated user to a user in your directory integration.b. This integrates with your Single Sign-On (SSO) configuration for secure enrollment. If you see a banner that No single sign-on connections are configured, go to Access (Account Menu Button → Access) and configure Single sign-on. See SSO Setup for setup steps.
3

Share enrollment information

a. Share the Blueprint link with end users to enroll company-owned Android devices with work profile.b. Provide clear instructions for the Android enrollment process, including the requirement for a secondary device to view the enrollment instructions and QR code.c. Consider creating a dedicated email or help article with the Blueprint link and these instructions for consistency.
Each QR code can only be used once. If a user needs to enroll multiple devices, they must refresh the enrollment instructions page after each enrollment to generate a new QR code.

Verify Enrollment

1

Check devices

In Iru Endpoint, open Devices
2

Locate device

Locate the newly enrolled Android device (search by user email, device name, or serial number)
3

Verify work profile

Confirm the device shows as enrolled with work profile management
4

Check applications

Verify that work applications are being deployed to the work profile

Android-Specific Considerations

Device Requirements

Devices must be in a factory restored state to enroll and need to be compatible with most modern Android versions. The device must have Google Play Services installed and needs internet connectivity for enrollment.
Most Android devices running Android 5.0 (API level 21) or later support Android Enterprise work profiles.

Best Practices

Test with Pilot Group

Test Android enrollment with a small pilot group before full deployment

Clear Communication

Provide clear instructions to users about work profile setup and usage

Monitor Enrollment

Monitor enrollment success rates and address any issues promptly

Require Authentication

Require authentication for enrollment and link Blueprints to your identity provider. See SSO Setup for configuration.

User Training

Provide training on work profile features and benefits. See User Experience with Android Enrollment for end-user guidance.

Pre-stage Items

Pre-stage Wi-Fi, certificates, SCEP, and password policies in the Blueprint so devices come online with required trust and connectivity.

Troubleshooting

Possible causes:
  • Device not in factory restored state
  • Network connectivity issues
  • Google Play Services not available
Solutions:
  • Ensure device is factory reset before attempting enrollment
  • Check internet connectivity
  • Verify Google Play Services is installed and updated
Possible causes:
  • Android Enterprise not properly configured
  • Device compatibility issues
  • User permissions problems
Solutions:
  • Verify Android Enterprise integration is working
  • Check device compatibility with Android Enterprise
  • Ensure the user has proper permissions for work profile creation
Possible causes:
  • Work profile not properly set up
  • App compatibility issues
  • Policy restrictions
Solutions:
  • Verify work profile is active and properly configured
  • Check app compatibility with work profile
  • Review policy settings for app installation

Android Management API Features

Security Capabilities

The Android Management API provides streamlined device setup through QR code enrollment, built-in security features, and work profile management capabilities. For company-owned work profile devices, Google provides some EMM reach into personal settings.

Application Management

You can deploy work applications to work profiles, manage application updates centrally, remove work applications when needed, and control which apps can be installed in both work and personal profiles.

Policy Enforcement

Iru Endpoint can enforce security settings on work profiles and some personal settings including:
  • Require passcodes
  • Block specific personal apps
  • Block camera and screenshot on personal side
  • Disable apps from unknown sources
  • Disallow developer mode
  • Deploy and configure work apps

Device Management

Iru Endpoint can also wipe the entire device when needed for security purposes.
For more information about Android Management API capabilities, see Google’s Android Management API documentation.

User Experience with Android Enrollment

What to expect when enrolling your Android devices and setting up a work profile

Android Enrollment

Set up work profile enrollment for Android devices

Configuring Apple Enrollment

Configure Apple device enrollment with Automated Device Enrollment (ADE)

Configuring Windows Enrollment

Complete guide to Windows device enrollment and management setup