Sign up for Android management using managed Google domains

Managed Google domains allow customers to use multiple Google products in their organization. The Google Admin console allows IT admins to manage these products.

It’s highly recommended to use a managed Google domain because of the cross-platform user experience enhancements, additional manageability, and security benefits it provides for your organization. However, if you don’t believe your organization will be able to use a managed Google domain, you can create a managed Google Play accounts enterprise as a fallback option.

Some products such as Google Workspace and Cloud Identity include security and management capabilities for Android as part of Google endpoint management. Alternatively, you can use a third-party enterprise mobility management (EMM) provider.

Use Google endpoint management (GEM)

Note: Google endpoint management is included in most editions of Google Workspace and Cloud Identity. If your managed Google domain does not include this feature, you may need to upgrade your plan.

When you set up Google endpoint management, you can choose basic or advanced management. You can also customize management for different device platforms.

  • Use basic management if you want to secure devices with a screen lock or passcode, remotely wipe corporate accounts from devices, and manage Android apps.
  • Use advanced management for more control over device policies and passwords, to keep work and personal apps separate, and for the ability to wipe all data from devices.

Compare mobile management features.

To use Google endpoint management as your EMM provider:

  1. Set up basic mobile device management or advanced mobile device management.
  2. Source devices.

Select a third-party Android EMM provider

Instead of Google endpoint management (GEM), you can use a third-party Android EMM provider with your managed Google domain. Third-party EMM providers support similar features to advanced Google endpoint management.

Multiple EMM providers can now be bound to a single Google Workspace or Cloud Identity organization. This enables different EMM providers to manage a distinct set of users. Each provider can be configured with different settings, and used to manage devices of different user organizational units (OU) by enabling the desired EMM provider for that organizational unit.

Note: While multiple third-party EMMs can be used, advanced Google endpoint management can't coexist with other third-party EMMs. Read more about the difference between basic and advanced device management with GEM.

Use the Enterprise Solutions Directory to find a third-party EMM provider for your organization. Android Enterprise Recommended providers meet an advanced set of enterprise requirements.

EMM setup

IT admins are required to register their organization with Google to take full advantage of the Android Enterprise features. For example, by registering with Google, organizations are able to access Managed Google Play and deploy applications to end-user devices.

IT admins will be redirected to the Android Enterprise sign-up flow by their chosen EMM provider and will follow these steps:

Step 1: Bind a third-party EMM provider

If your organization doesn’t have an existing managed Google domain

From 2024, all new Android Enterprise customers will be directed to use their managed Google domain when enabling Android management through their chosen EMM provider. You will be prompted via email to confirm your email address and there is an optional step for full domain verification.

If your organization already has an existing managed Google domain

You can allow a third-party EMM provider to manage Android devices in your organization. After you select a third-party EMM provider, follow their instructions to enable Android Enterprise management and bind to your existing managed Google domain. You can then enable the EMM provider for selected organizational units using the Google Admin console.

Note: If your managed Google domain has users synced to it, you may receive an additional prompt to enable Authenticate using Google (Step 5) during binding.

If you previously used Google endpoint management as your EMM

Before you begin: Set mobile device management for the organizational units you want to manage with the third-party EMM to “Basic”. Learn how.

After you add a third-party EMM provider:

  • You can’t manage Android apps for any organizational unit through the Admin console. If you previously used Google endpoint management to manage apps, those apps are unmanaged until you enable the provider for organizational units.
  • You can still use basic mobile management in Google endpoint management to manage device security for any organizational units that you don’t enable the EMM provider for. Organizational units will not support advanced Google endpoint management once a third-party EMM has been added.

Within the EMM console, you will find an option to set up Android Enterprise. Check your EMM documentation for details on how to do this. Here are some tips for successfully signing up your third-party EMM with Google:

  • Use your corporate email address during the sign-up process.
  • If your organization doesn’t already have a managed Google domain, you will be prompted to enter some basic information about yourself and your organization. You will also be asked to create a password for your account.
  • You may be given the option to manage other Google products in addition to Android.
  • If your corporate email address is already part of a managed Google domain or is linked to a consumer Google account, you will be guided to take some additional steps in order to complete sign-up.

Following completion of the setup process, the IT admin can manage their Android Enterprise devices through their EMM console. The IT admin will also have access to the Google Admin console to manage all their EMM bindings and other Google services used by their organization.

For more info on how to manage EMM bindings in your organization, see Manage EMM bindings.

Step 2: Enable the EMM provider

Before you begin: If you need to set up a department or team for this setting, go to Add an organizational unit.

  1. Sign in with a super administrator account to the Google Admin console.

    If you aren’t using a super administrator account, you can’t complete these steps.

  2. Click Android EMM.
  3. (Optional) To apply the setting to a department or team, at the side, select an organizational unit.
  4. Check the Enable third-party Android mobile management box.
  5. Click Save. Or, you might click Override for an organizational unit.

    To later restore the inherited value, click Inherit.

(Recommended) Step 3: Verify your domain for Android management

Domain verification walkthrough

Domain verification is a simple process guided by the Google Admin console. It typically involves adding a DNS record to your domain to prove ownership. Here’s the official documentation.

Verifying your managed Google domain enables additional functionality for your organization:

  • Syncing your identities: Enables seamless synchronization of users between your organization's identity provider (IDP) and your managed Google domain.
  • Configuring SSO: Allows IT admins to configure SSO.
  • Enabling management of other Google services: Allows IT admins to manage a number of Google products for their organization (e.g. Workspace, Chrome Enterprise Upgrade, Chrome Browser Cloud Management) in one consolidated location.

Read Verify your domain to unlock features for more details.

Considerations for Domain Verification for Workspace customers

The Workspace product called “Google Workspace Essentials Starter” is not available to customers who verify their domain. Customers must adjust their Workspace subscription should they have enabled this product when signing up for Android Enterprise.

If you don’t wish to upgrade to a paid version of Workspace following domain verification, you have two options:

Recommended approach

  1. Before starting the domain verification process, navigate to Menu > Billing > Subscriptions.
  2. Remove the subscription to “Google Workspace Essentials Starter”.
  3. Add a subscription to “Google Workspace Enterprise Essentials (Free trial)”.
  4. Begin the domain verification process.

Alternative approach

  1. Begin the domain verification process.
  2. When asked to upgrade to the “Google Workspace Enterprise Essentials” product, exit the domain verification process.
  3. Navigate to Menu > Billing > Subscriptions.
  4. Remove the subscription to “Google Workspace Essentials Starter”.
  5. Resume the domain verification process.

Important: Attempting to remove “Google Workspace Essentials Starter” and not replacing it with another Workspace subscription (e.g. Google Workspace Enterprise Essentials (Free trial)) prior to starting the domain verification process may lead to issues during the verification process.

(Recommended) Step 4: Sync your identities to your managed Google Domain

Identity sync walkthrough

Syncing your identities ensures that the user base in your IDP (e.g., Microsoft Entra ID) is mirrored in your managed Google domain. This provides additional benefits to your organization:

  • Streamlined User Creation: Allows IT admins to create user accounts in bulk without manually inviting each individual.
  • Simplified Device Login: Employees can use their existing work credentials to log into their work devices. See step 6 to enable this functionality.
  • Seamless Access to Google Services: Employees can access approved Google services with their work accounts, streamlining their workflow.

There are multiple methods for syncing your identity. We recommend using one of Google's directory sync tools. This can be set up through the Google Admin console and automatically copies user groups from the IDP. For more information on performing a directory sync, please see our documentation. There are other alternative options offered by Google and various IDPs, including manual user creation, but they may be less efficient for larger organizations. For more details see here.

(Recommended) Step 5: Enable Authenticate Using Google

Enable Google Authentication walkthrough

If your EMM provider supports "Authenticate Using Google", you can require new knowledge workers to sign in with their work email when enrolling their devices. If your managed Google domain already had users synced to it, you may have already enabled "Authenticate using Google" when binding your EMM in step 1 or upgrading to a managed Google domain.

To enable this feature for your EMM provider:

  1. In the Admin console, go to Menu > Devices > Mobile & endpoints > Settings > Third-party integrations, then click Android EMM.
  2. Click Manage EMM Providers.
  3. Toggle Authenticate Using Google to ON for your EMM provider.

Note: This option will be unavailable if your EMM provider doesn't support this feature.

(Recommended) Step 6: Configure SSO

See our help article on configuring SSO here.
