Register domain with Google
If you already have a Managed Google Domain, for example because you have signed up for Google Workspace, you can skip this step.
- Open Google’s Sign up for Android Enterprise web page.
- Enter the required information.
- Under What’s your business’s domain name?, enter the domain that will be used as the Managed Google Domain.
- Under How you’ll sign in, enter the credentials for a new domain administrator.
Make a note of the credentials as you will need them later in the setup procedure.
- Click the button to create the domain administrator account.
This opens the Google Admin console.
- In the Google Admin console, start the procedure to verify your domain ownership.
Follow the instructions provided by Google to verify your domain.
Create Google service account
A Google service account is a special type of Google account for an application. This account is used by Sophos Mobile to communicate with the Google APIs.
Create a project
- Sign in to the Google API console with your domain administrator account.
- In the header bar of the Google API console, click Select a project > New project.
If there’s already a project selected, click its name and then New project.
- In the New project dialog, enter a project name, for example Android Enterprise, and then click Create.
- Optional: If the header bar shows another project, click its name and then select the new project.
Enable the Admin SDK API
- Click the Navigation menu button in the top left corner and then APIs & Services > Library.
- On the Welcome to the API Library page, enter the string admin sdk in the search field.
- In the search result list, click Admin SDK API.
- On the Admin SDK API page, click Enable.
Enable the Google Play EMM API
- On the Welcome to the API Library page, enter the string emm in the search field.
- In the search result list, click Google Play EMM API.
- On the Google Play EMM API page, click Enable.
Create a service account
- In the left-hand menu of the Google Play EMM API page, click Credentials.
- Click Create credentials > Service account.
- Under Service account details, enter a name to identify the service account, for example Android Enterprise.
- Click Create and continue.
- Under Grant this service account access to the project, click Continue.
- Under Grant users access to this service account, click Done.
- In the Actions column of the service accounts list, click Manage keys next to the account you just created.
- Click Add key > Create new key.
- Select JSON and click Create.
The private key for your service account is generated and saved to your computer in a JSON file.
Store the JSON file in a secure location. You need it to bind Sophos Mobile to your Managed Google Domain.
- Click Close.
Configure API access
- Sign in to the Google Admin console with your domain administrator account.
- Click Security > Access and data control > API controls.
- Under Domain wide delegation, click Manage domain wide delegation.
- Click Add new.
- Open the JSON file in a text editor and copy the client_id value into the Client ID field.
For example, if your JSON file contains a line "client_id": "123456789", then enter 123456789 in the Client ID field.
- In OAuth scopes, enter the following (without line break):
https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/androidenterprise
- Click Authorize.
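The following Python script is an added example, not part of the Sophos or Google tooling. It reads the downloaded JSON key file, reports whether the file is accessible to anyone other than its owner, and returns the client_id and the single-line OAuth scopes string to paste into the Admin console. The function names are hypothetical, the sample key is constructed, and the field names type, client_id and private_key are assumed to be those of a standard Google service account key file.

```python
import json
import os
import stat
import tempfile

# OAuth scopes this page lists for domain-wide delegation.
SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/androidenterprise",
)
REQUIRED = ("type", "client_id", "private_key")

def check_key_file(path):
    """Return (client_id, scopes on one line, findings) for a key file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & 0o077:
        findings.append(f"mode {mode:03o}: key readable beyond its owner, use 600")
    with open(path, encoding="utf-8") as fh:
        key = json.load(fh)
    missing = [name for name in REQUIRED if not key.get(name)]
    if missing:
        findings.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        findings.append("type is not service_account: wrong credential file")
    client_id = str(key.get("client_id", "")).strip()
    if not client_id.isdigit():
        findings.append("client_id is not a plain number")
    return client_id, ", ".join(SCOPES), findings

def demo():
    """Run the check on a constructed key file, before and after chmod 600."""
    sample = {  # constructed sample, not a real key
        "type": "service_account",
        "client_id": "123456789",
        "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "key.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)
        loose = check_key_file(path)
        os.chmod(path, 0o600)
        return loose, check_key_file(path)

if __name__ == "__main__":
    for client_id, scopes, findings in demo():
        print(client_id, scopes, findings or "ok", sep="\n")
```

To check your own key, call check_key_file with the path of the downloaded JSON file and resolve any findings before binding Sophos Mobile.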
Configure mobile management in Google Admin
In Google Admin, you must configure mobile management and generate a binding token for Sophos Mobile.
- On the Google Admin console start page, click Devices.
- In the left-hand pane, click Mobile and endpoints > Settings > Universal settings.
- Expand General.
- Check that Mobile management is Basic or Unmanaged.
- If Mobile management is Basic: Click Edit next to Password requirements.
- Turn off Require users to set a password.
- In the left-hand pane, click Mobile and endpoints > Settings > Third-party integrations.
- Click Edit next to Android EMM.
- Turn on Enable third-party Android mobile management.
- Click Add EMM providers.
- Click Generate token.
- Click Copy next to the token to copy it to the clipboard.
- Save the token temporarily. Later in this procedure, you must enter it in Sophos Mobile Admin.
- Click Close in the top left of Manage EMM providers.
- Click Save.
- Click Save anyway.