Zebra TC58 AEDO -> WorkManaged vs Work profile ?

Solved
Christophe
Post & Telecommunications Luxembourg

Hello all,

First, sorry: we are discovering Android Enterprise and we are a little lost when we enroll devices.

The MobiControl server is on version: 15 5 1 1010

We have some new Zebra TC58 devices running Android 11.

If I take a new device out of the box, I follow the steps to initialize the device and type afw#mobicontrol; the Google enterprise agent is downloaded correctly, and afterwards I enter the code to enroll the device into MobiControl.

The result is that the device is enrolled with management type -> Work Managed device -> PERFECT

Everything seems to work: remote connection, installing profiles, rules, and so on ...

If I take another new device out of the box, take the same agent from MobiControl (v 15.4.4.1063), copy the agent over, install the agent, and enroll the device into MobiControl.

The result is that the device is enrolled with management type -> Work managed profile -> BAD

Because we notice there are two "paths" on the device (professionnel / personnel); if we start a remote control (its name is remote view), the end user needs to ACCEPT the permission before the remote control, there are problems with rules, ...

We don't want to enroll devices as a work profile, because we notice this mode can be too restrictive for us and we may lose time when we meet an incident.

My question is: is it possible to enroll a device into management type Work Managed device when the device has been initialized?

Because if I copy the SOTI agent 15.4.4.1063 over and install it, the device is enrolled into a work profile.

Does a command exist perhaps, or something else?

Thanks for your time.

2 years ago
SOTI MobiControl
ANSWERS
Rafael Schäfer
2 years ago

You have many possibilities to go through, but in general, as Raymond already said: it has to be enrolled in the correct mode from the very beginning. This means all already enrolled devices which are not fully managed (you called it "work managed device") need to be wiped and enrolled correctly.

1. You can enroll using Google Zero-Touch, which requires:
- Devices are claimed to the Google Zero-Touch portal by the reseller
- Devices have an (Internet) connection to the portal (Zebra StageNow can provide a Zero-Touch barcode (scanned by the imager) to easily set up Wi-Fi if needed)
- Devices inside the portal need a correct config assigned so they end up in your MobiControl instance
(Benefit: If a device gets lost or stolen and gets re-enrolled by anyone, it still always gets pointed to your MobiControl instance, which means it's useless for that person depending on your setup in MobiControl)

2. You can use Zebra StageNow barcodes (scanned by the imager) to enroll your devices the correct way
- Too many specific steps to be described here

3. You can use a QR-Code enrollment:
- In the welcome screen tap X times on the background until the QR-reader app opens
-- The device needs to have a QR-Reader app installed by default, which could NOT be the case on Zebra devices (I only have a TC51, which doesn't have one)!
- Scan the QR with the relevant data and follow the next steps
- Device gets enrolled to your MobiControl instance

4. Do the manual way using DPC identifier (afw#mobicontrol) on every single device as you already did with all manual steps being done.
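The "relevant data" in the QR code of option 3 is a JSON object of Android provisioning extras, and the checksum entry is what pins the agent that will become Device Owner. The following is an added example, not part of the post above and not SOTI tooling: a pre-print check of such a payload. The `android.app.extra.PROVISIONING_*` key names are Android's; the component name, host and certificate bytes are constructed placeholders.

```python
import base64, hashlib, json, re
from urllib.parse import urlparse

P = "android.app.extra.PROVISIONING_DEVICE_ADMIN_"
COMPONENT = P + "COMPONENT_NAME"
LOCATION = P + "PACKAGE_DOWNLOAD_LOCATION"
CHECKSUMS = (P + "SIGNATURE_CHECKSUM", P + "PACKAGE_CHECKSUM")
# 32 bytes of SHA-256 encode to 43 URL-safe base64 characters (padding optional).
SHA256_B64URL = re.compile(r"[A-Za-z0-9_-]{43}=?")


def check_qr_payload(text):
    """Return a list of problems found in a QR provisioning payload (JSON text)."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(data, dict):
        return ["payload must be a JSON object"]
    problems = []
    pkg, _, receiver = str(data.get(COMPONENT, "")).partition("/")
    if not pkg or not receiver:
        problems.append("component name must be package/ReceiverClass")
    if LOCATION in data:
        if urlparse(str(data[LOCATION])).scheme != "https":
            problems.append("agent download location must be an https URL")
        if not any(key in data for key in CHECKSUMS):
            problems.append("no checksum: the downloaded agent is not pinned")
    for key in CHECKSUMS:
        if key in data and not SHA256_B64URL.fullmatch(str(data[key])):
            problems.append(key[len(P):] + " is not a base64url SHA-256 value")
    return problems


# Constructed sample data: placeholder component, host and certificate bytes.
_digest = hashlib.sha256(b"constructed signing certificate").digest()
GOOD = json.dumps({
    COMPONENT: "com.example.dpc/com.example.dpc.AdminReceiver",
    LOCATION: "https://mdm.example.com/agent.apk",
    CHECKSUMS[0]: base64.urlsafe_b64encode(_digest).rstrip(b"=").decode(),
})
BAD = json.dumps({
    COMPONENT: "com.example.dpc",  # receiver class missing
    LOCATION: "http://mdm.example.com/agent.apk",  # plain http, no checksum
})

if __name__ == "__main__":
    print(check_qr_payload(GOOD))
    print(check_qr_payload(BAD))
```
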

Solution
Matt Dermody Diamond Contributor
2 years ago

Zebra StageNow is my recommended method for Zebra AEDO enrollment.

I'll also echo what Rafael and RC have already said here. You've stumbled upon a fundamental design of Android Enterprise which is a built-in consumer protection feature that would prevent an end consumer from accidentally enabling a nefarious app on their mobile phone with Device Owner privileges. This was a problem in the Device Administrator world of Android management as a user could unwittingly download an app from the Play Store and blindly grant it DA privileges without understanding the implications. Android Enterprise solved for this problem by creating the concept of Device Owner for fully managed devices and Profile Owner for the BYOD use case. In order for a DPC like the SOTI agent to be granted the Device Owner privilege it has to be granted from a factory reset state. You will never be able to sideload an EMM agent directly or download it manually from the Play Store and get a device into the Device Owner / fully managed state, and that is by design. This is a principle that applies to all Android Enterprise management and is not unique to SOTI.

Most Android Enterprise Device Owner enrollment requires some sort of activation through the Google Setup Wizard. These native options are ZTE, DPC Identifier (afw#mobicontrol), QR, and NFC. Each of these options has some level of nuance to its usage that for me makes them all undesirable. Thankfully Zebra has provided a bonus mechanism through StageNow to allow for quick and easy AEDO enrollment into SOTI. That is my recommended approach if you're using Zebra devices and SOTI together.

Raymond Chan Diamond Contributor
2 years ago

There is no script command to change an initialized device into AE Work Managed mode. Installing and running an AE agent without going through factory reset will force the device to run in work profile mode, which by design is for the BYOD/CYOD use case in which the device is supposed to be owned by the device end-user.

For security reasons, a device has to be factory reset to ensure that the entire file system is clean and can then be run in AE Work Managed mode.

Edgar Gomez
2 years ago

Well, there really is a method to enroll AEDO devices without going through any of the methods described above. This has been especially helpful lately because Agent 15.4 is no longer compatible with Android 6, and some customers still want to use their old devices with Android Enterprise. With the enrollment by DPC Identifier, the latest version of the agent is always downloaded and since in Android 6 there is no possibility of reading QR, the only way is via USB.

Christophe
2 years ago

Hello all,

@raymond -> OK, thanks for the information

@rafael -> OK, we need to do a factory reset; I need to inform the technician ..
Yes, I read some docs about zero touch but we need to read them again

@matt -> Yes, certainly we are not well documented about AE and what exactly changes
Thanks for the information

@edgar -> OK, thanks for the information

For many months we didn't touch AE because we were developing apps and that was the priority ..

Now our last device (TC75x) is no longer produced and of course we need to replace them ..

Now we need to run to move to AE :)

Thanks a lot for the time you spent here

MPMOD@SOTI
2 years ago

Hi Christophe,

Thank you for posting on SOTI Pulse! 

I am glad to see that your issue was resolved. 

Please feel free to reach out to us if you have any further questions in the future.

Kind regards,

Technical Support Specialist | SOTI | +1 905.624.9828 | SOTI.net