This guide applies to Android devices
How Android Enrollment Works
Android enrollment in Iru Endpoint uses Google’s Android Management API to create and manage work profiles on Android devices. When users enroll their devices, a work profile is created that completely isolates work applications and data from personal content. The enrollment process establishes a secure connection between the Android device and Iru Endpoint through Google’s Android Management API, providing enterprise-grade security and management capabilities while maintaining user privacy for personal data.Prerequisites
1
Android Enterprise setup
Android Enterprise must be configured in Iru Endpoint
2
Google Admin console access
Super admin access to your organization’s Google Admin console (learn more about super admin roles)
3
Device requirements
Company-owned Android devices in factory restored state (Android 7.0+ required for QR code enrollment)
4
SSO configuration
(Recommended) Single sign-on (SSO) configured for secure authentication
Configure Android Enterprise
Before enrolling Android devices, you must configure Android Enterprise integration:1
Set Up Android Enterprise Integration
In the Iru Endpoint web app, navigate to Integrations → Android and click Configure Android Enterprise.Follow the prompts to connect Iru Endpoint to your organization’s Google Admin console. This integration is required to manage Android devices and requires super admin access to the Google Admin console.
Only the Account Owner can configure Android Enterprise integration. Other team members will not have access to the Android Enterprise configuration options. See Team Member Role Permissions for more information about role access levels.
2
Verify Integration
After configuration, verify that Android Enterprise is properly connected, your organization’s Google Admin console shows the integration, and all required permissions are granted.
Android Enterprise integration is now configured and ready for device enrollment.
Configure Android Enrollment
1
Set Up Manual Enrollment
Login to the Iru Endpoint web app and navigate to Enrollment → Manual Enrollment.Under Choose an enrollment method, select Android work profile and locate the desired Blueprint to copy the Blueprint link. This link provides enrollment instructions to end users, and if Require authentication is enabled, end users will need to authenticate to view the instructions.
2
Configure Authentication (Recommended)
Click on your desired Blueprint and select Require authentication if you want users to authenticate prior to enrollment.Optionally, check the box to Assign user to device record, which will attempt to match the authenticated user to a user in your directory integration.
3
Distribute Enrollment Instructions
Share the Blueprint link with end users to enroll company-owned Android devices with work profile.
End users will need a secondary device (computer, tablet, or phone) to load the Blueprint link and view the enrollment instructions and QR code. They cannot access the Blueprint link directly on the Android device they are trying to enroll.
Consider creating a dedicated communication template with the enrollment link and clear instructions for your users, including the requirement for a secondary device.
Devices must be in a factory restored state to enroll successfully. Users should back up any important data before factory resetting their device.
Verify Enrollment
1
Check devices
In Iru Endpoint, open Devices
2
Locate device
Locate the newly enrolled Android device (search by user email, device name, or serial number)
3
Verify work profile
Confirm the device shows as enrolled with work profile management
4
Check applications
Verify that work applications are being deployed to the work profile
Android-Specific Considerations
Device Requirements
Devices must be in a factory restored state to enroll and need to be compatible with most modern Android versions. The device must have Google Play Services installed and needs internet connectivity for enrollment.Most Android devices running Android 5.0 (API level 21) or later support Android Enterprise work profiles.
Best Practices
Test with Pilot Group
Test Android enrollment with a small pilot group before full deployment
Clear Communication
Provide clear instructions to users about work profile setup and usage
Monitor Enrollment
Monitor enrollment success rates and address any issues promptly
User Training
Provide training on work profile features and benefits. See User Experience with Android Enrollment for end-user guidance.
Troubleshooting
Enrollment fails on device
Enrollment fails on device
Possible causes:
- Device not in factory restored state
- Network connectivity issues
- Google Play Services not available
- Ensure device is factory reset before attempting enrollment
- Check internet connectivity
- Verify Google Play Services is installed and updated
Work profile not created
Work profile not created
Possible causes:
- Android Enterprise not properly configured
- Device compatibility issues
- User permissions problems
- Verify Android Enterprise integration is working
- Check device compatibility with Android Enterprise
- Ensure user has proper permissions for work profile creation
Apps not installing in work profile
Apps not installing in work profile
Possible causes:
- Work profile not properly set up
- App compatibility issues
- Policy restrictions
- Verify work profile is active and properly configured
- Check app compatibility with work profile
- Review policy settings for app installation
User can't access enrollment link
User can't access enrollment link
Possible causes:
- Authentication required but user not authenticated
- Incorrect enrollment link
- Network access issues
- Verify user authentication if required
- Check enrollment link is correct
- Ensure user has network access to enrollment portal
Android Management API Features
Security Capabilities
The Android Management API provides streamlined device setup through QR code enrollment, built-in security features, and work profile management capabilities. For company-owned work profile devices, Google provides some EMM reach into personal settings.Application Management
You can deploy work applications to work profiles, manage application updates centrally, remove work applications when needed, and control which apps can be installed in both work and personal profiles.Policy Enforcement
Iru Endpoint can enforce security settings on work profiles and some personal settings including:- Require passcodes
- Block specific personal apps
- Block camera and screenshot on personal side
- Disable apps from unknown sources
- Disallow developer mode
- Deploy and configure work apps
Device Management
Iru Endpoint can also wipe the entire device when needed for security purposes.For more information about Android Management API capabilities, see Google’s Android Management API documentation.