EMM For Android

  1. What is EMM?

    1. EMM stands for Enterprise Mobility Management.

    2. Android EMM solution is an umbrella that separates the MDM into 4 different sets vis-a-vis,

      1. COSU - Corporate Owned Single Use

      2. WM - Work Managed Device

      3. MAM - Mobile Application Management

      4. BYOD - Bring Your Own Device

    3. The solution is referred to as AfW - Android for Work.

  2. What solution set does MobiLock Pro Support?

    1. MobiLock supports the WM - Work Managed Device solution set.

    2. A device enrolled using the Work Managed methods will be referred to as Work Managed device or an AfW device. The normal devices registered using regular MobiLock methods will be called MLP managed device. This is internal terminology that we can use for ourselves.

  3. What feature set does MLP offer with it’s EMM-WM solution set?

    1. We support the mandatory features at this point that Google mandates us to implement to be certified. The following are supported at the time of writing this document,

      1. Enrolling and Un-Enrolling an enterprise with MLP.

      2. Deploying applications directly from Play Store to Work Managed device.

      3. Enforcing App Permission policies for the applications approved from Managed Google Play Store.

      4. Enforcing App Configuration policies for the applications approved from Managed Google Play Store.

      5. Enforcing Password policies on Work Managed device.

      6. Ability to remotely Screen Lock and Factory reset the device.

    2. Additionally we have provided one feature from our side so that user can leverage this solution set better on Work Managed devices

      1. We have given the user the ability to configure Chrome with the defined Whitelist websites

      2. We have given the user the ability to configure Chrome to be the default browser for these Whitelist websites instead of MobiLock browser.

  4. Do these features in 3 work with all the devices?

    1. NO. No the above features work with Work Managed devices only!! Normal devices continue to work as before.

    2. The device needs to have a minimum of Android 6.0 and above.

    How to Enroll for Android EMM?

    The first step to start using the EMM features is to enroll your enterprise with MobiLock Pro. For this you would require a GMail account. We strongly recommend using a corporate account for this purposes. You would have to follow the below steps (Refer Enrollment Flow illustration below),

    1. Request Access for the “EMM > Android” feature and fill out basic details.

    2. Click on “Configure Android”, which would take you to the Google Android for Work page.

    3. Choose or Create a GMail account to be used and click on “GET STARTED”

    4. Fill out the Organization Details and Accept the Terms after reading and Complete Registration.

    (Illustration - Enrollment Flow)

    How to Start Enrolling your Devices

    Once you are done with Enrollment, you can start enrolling your devices. The devices that can be used are,

    1. Devices running Android 6.0 and Higher that are fresh OOB or are factory reset.

    2. These Devices should follow standard Android OOB experience, that is allow you to enter GMail account during device setup.

    On the device follow the below steps to enroll (Refer Device Enrollment illustration below)

    1. Power On the device.

    2. Select your language and configure a WiFi. A WiFi connection is needed to download MobiLock Pro client.

    3. When you see the screen asking you to configure GMail account, enter “afw#mobilock”

    4. Wait for the MobiLock Pro client to be downloaded.

    5. Click Install when prompted.

    6. Once done you should see the MobiLock Pro landing screen, where you can Login using your Dashboard account or a License Key.

    7. On the Permissions Page, Set MobiLock Pro as Device Owner.

    8. Complete the Setup by choosing to Create an AfW account.

    9. MobiLock Pro performs silent setup in the background to make the device managed, which usually takes 10-15 minutes.

    10. If everything is setup properly you would see a Briefcase icon next to the device on Dashboard.

    Known Issues/Behaviour

    1. The Contacts App crashes on first time setup. This is a Known issue on Android devices enrolled via this methods.

    2. If you exit the Setup process before Completing the SetUp the device needs to be factory reset again.

    (Illustration - Device Enrollment)

    Searching, Approving and Publishing Apps from Google Play Store

    With EMM for Android, you can now search and publish applications from Google Play Store, on the devices that are enrolled via afw#mobilock.
    The process is quite easy, here are some steps and illustrations to get you started,

    1. Navigate to “Enterprise > My Apps”

    2. Go to the “PLAY FOR WORK APPS” Tab.

    3. Click on SEARCH & ADD

    4. Search for the desired application. In our Illustration we have shown how to Approve Google Chrome.

    5. Approve the application.

    6. Publish the Approved application to the desired devices. The application will be silently installed on devices

    Tip: With EMM for Android, you can enable Play Store on your devices and the user’s will only see the applications that you have approved. This gives them a quick way to install it themselves as well.

    (Illustration - Searching and Approving Apps)

    Handling of Updates for Approved Applications

    While Approving the application you would see two options as your Approval Preferences.

    1. Keep approved - This means the app will stay approved but NOT silently updated. If you had approved an application, that has an Update available, then you would have to PUBLISH the application again. Please note that at this point we cannot notify you if an Update is available

    2. Review App Approval - This means the application will be Un-Approved. For an application that has been Un-Approved because it requested for new permissions, you would have to Search and Re-Approve the application and PUBLISH it again.

    Managing Permissions for Applications

    Applications that require runtime permissions, ask the end user to Allow permissions when the application is used on device. For the Work Managed devices, you can manage the Grant state for these permissions at a Global Level or at a Per-App level.
    Manage Permissions at Global Level
    To Manage Permissions at Global Level,

    1. Navigate to “Enterprise > My Apps”

    2. Go to the “PLAY FOR WORK APPS” Tab

    3. Click on the 3 dots Menu

    4. Select the default state for permissions for all the applications Approved and Installed via Play for Work

    (Illustration - Managing Permissions - Global Level)

    Manage Permissions at Application Level
    To manage Permissions at Application Level,

    1. Navigate to “Enterprise > My Apps”

    2. Go to the “PLAY FOR WORK APPS” Tab

    3. Click on the app for which you want to set the permissions

    4. Click on the Permissions button and choose the state for each permission

    (Illustration - Managing Permissions - App Level)

    Managing Application Configurations

    For applications Approved via Play for Work Apps, you can create and push configurations. This can be done only if the app’s themselves give support for configurations. Some examples are configuring DropBox with an Auth-Token or TeamViewer with credentials. We have given example on how to configure Chrome, but the same can be done for any application that supports configurations.

    If you are using a lot of Whitelist Websites then we have made it easy to configure Chrome to open these shortcuts on MobiLock Pro. Below are the steps and illustration that shows on how to do it,

    1. Navigate to “Enterprise > My Apps”

    2. Go to the “PLAY FOR WORK APPS” Tab

    3. Click on Chrome > PUBLISH

    4. Click on the App Configurations tab

    5. Click to Create a Configuration

    6. Give the Configuration a Name

    7. Under the BASIC tab > Allows access to a list of URLs, Import from your WhiteList websites

    8. If you want to block access to all other sites, then In Block access to a list of URLs select “Block All Except WhiteListed"

    9. Navigate to MOBILOCK SETTINGS tab and choose to use Chrome to open Website shortcuts in MobiLock Pro

    10. You can also choose to auto-whitelist future whitelisted websites


    1. It takes around 10-15 minutes for the configuration to take effect.

    2. We suggest hiding the Chrome app after publishing it from Device Profile or Devices.

    3. Only the WhiteList Website URLs are imported in Chrome configuration, the other properties of websites cannot be imported.Chrome offers multiple other options, please enable the ones that fit your need.

    (Illustration - Creating and Applying Configurations)

    (Illustration - Device with Configurations)

    Managing OS Update Policy

    On the Work Managed devices, you can control how the OS/System updates are applied. Follow the below steps to do the same,

    1. Navigate to Enterprise > Secure Settings

    2. Click on GLOBAL SETTINGS OR Settings icon next to a Work Managed device.

    3. Scroll down to the “System Update Policy” section. You can choose to do the following,

      1. None - This setting has no effect.

      2. Postpone - Postpones the update

      3. Automatic Install Updates - Automatically installs the Update

      4. Install with Maintenance Window - Choose a time during the day to install the updates

    4. Click on SAVE SETTINGS

    (Illustration - System Update Policy)

    Setting a Passcode Policy

    For the Work Managed devices, you can force your end-users to set a Passcode. To do this do the following,

    1. Navigate to Enterprise > Passcode Policy

    2. Enable Require Passcode

    3. Choose the Strength/Complexity and “SAVE”

    4. Click APPLY and choose Devices or Profiles where you want to apply.


    1. Note the user’s will be enforced to set a passcode and will not be able to use any applications.

    2. At this point we support only one type of policy.

    (Illustration - Create and Apply Passcode Policy)

    Factory Reset Devices

    You can choose to Factory Reset the Work Managed devices. Please follow the below steps,

    1. Navigate to the Devices section.

    2. Click on the Device in List view or View Details in Grid view, for the device that you want to Factory Reset.


    1. Once the device is Factory reset, it can no longer be managed from Dashboard.

    2. You would have to Delete the device from Dashboard to stop it from appearing.