If you’ve been following along with our blog here, you may recall a similar post titled BES12 v12.3: Activating Work Only (COBO) on Android for Work. That post described how to set up Android for Work in work only mode using Android 5.1.1. This mode is also known as COBO, or corporate owned, business only.
The activation process has changed a bit in Android 6.x, which is what I’m going to cover here. To make it easier to follow I’m going to cover the whole process start to finish – not just the differences – so some sections are repeated from my previous blog post.
For this setup, we are using BES12.5, and a fresh Nexus 5, running Android 6.0.1.
Before you try these steps, there are some prerequisites that must be in place. First, you’ll need to configure a Google domain on your BES. The user activating must also have a Google account on this domain that they’ll use for activation. A public Gmail account won’t work for this process.
You also need to ensure that “Enforce EMM policies on Android devices” is checked in your Google domain as shown in the screenshot below.
To verify if this is checked, perform the following steps:
- Open https://admin.google.com
- Sign in with the BlackBerry admin account
- Go to Security -> Android for Work Settings
- Check if “Enforce EMM policies on Android devices” is enabled
Once you have that set up you’re ready to continue.
Step 1: Create a Workspace Only Activation Profile
Make sure your activation profile is set up for Work Only. Open up the BES admin console, select Policies and Profiles, click on Activation profile and create a new one. We called ours “Work Only”.
Under the Android tab, there are 2 choices here:
“Work space only (Android for Work)”
“Work space only (Android for Work – Premium)”
The difference is that “Premium” requires either a Gold license or Collaboration Suite (or higher) license and allows the use of BlackBerry Secure Connect Plus (BSCP). The non-premium option is available with any license type. If you choose the non-premium option, you will not get a BSCP connection, which means you will need to use some other mechanism for “behind the firewall” access for email and applications (such as a VPN).
Here is what setting up the activation profile looks like in the BES admin console.
Step 2: Send Activation Emails to the User
This step is a bit different than a normal activation for both the BES admin and the user. When setting an activation password for the user, the BES admin needs to change the activation email template from the default to “Works space only (Android for Work) activation email”, as shown in the screenshot below.
The user will get an additional email with a Google activation code when the BES activation password is set, even if they created the BES activation password. One message will be the familiar BES activation email, the second will have a Google activation code that is randomly generated. The Google activation code is only used if you are activating on a device running Android 5.x. Since we are using 6.x, we can ignore this second email. There are potentially 4 email messages that could be sent to the user. Those 4 email messages contain:
- BES12 Enterprise Activation Password
- BES12 Enterprise Activation Instructions
- Google Token used for Android 5.x
- Google Domain Account password (sent only if the user didn’t have a Google Domain password already set).
Step 3: Activate your Android for Work Device
To activate as a work only device you’ll need one that has been factory reset or is fresh out of the box. When a device is in this state the first thing you see is the device setup wizard, like the screenshot below. If you don’t see that, then your device has likely already been activated. In that case, perform a factory reset by going into Settings, Backup and Reset, Factory reset. WARNING: reset means reset; everything will be erased! If the Google domain account is different than the Google account currently configured on the device, you’ll need to sign out before doing a factory reset. To do that go to Settings, Users, select You and then choose Delete from the menu. If you don’t sign out, you’ll need to sign back in using the same account after the device has been wiped. This is part of Android’s anti-theft feature.
Once that is complete and the device has restarted, you’ll be at the first screen of the setup wizard.
Continue through the setup wizard, setting up WiFi, SIM card, etc., until you get to the sign in page as shown below. Now, you might recall from the previous article that if you were running Android 5.x, you’d need to select “Set up work device” from the menu. The “Set up work device” menu option is removed in Android 6.x. When using 6.x, you simply enter the work email address you wish to set up. When the device checks in with Google’s servers it’ll be informed it should perform a work only activation. If you are using Android 5.x, refer to my previous article BES12 v12.3: Activating Work Only (COBO) on Android for Work.
If you go through this process and the device sets itself up as a personal device, have your administrator log into your Google domain and verify “Enforce EMM policies on Android devices” is checked. The instructions for doing this are presented earlier in this article.
Next you’ll need to enter your password. This is the password for your Google domain account. If you didn’t have a Google domain account password already set, one would have been randomly generated and emailed to you.
Now the device will check in with Google’s servers. This is the point at which it realizes it needs to perform a work only activation.
The device discovers that it needs to perform the Android for Work activation and prompts you to install the BES12 Client. If it doesn’t prompt you to install the BES12 Client, the device is performing a personal activation.
The next few steps will involve downloading and installing the BES12 Client. You’ll also need to accept the permissions it requires and agree to the license agreement. Once you’ve done so the BES12 Client will prompt you to enter an email address. Enter the same email address again here.
The BES12 Client will now prompt you to enter your activation password. This is the password that was configured on BES12, and sent to you over email.
After you press the “Activate my device” button you’ll be prompted to accept a certificate and then the BES12 Client will kick off the activation process.
If your device is not configured to use encryption by default – all BlackBerry Android devices are – you’ll be prompted to encrypt your device. Make sure your device remains plugged into its charger during this process. It can take a while and there will be problems if the device runs out of power while encrypting. To help avoid this, the encryption process will not begin until your device has a nearly full charge.
When the encryption process is complete, the activation process will continue as shown in the screenshots below.
The next thing you’ll need to configure is a device PIN or password. Choose whichever one you prefer.
The BES12 Client will continue its activation process after you’ve set your device PIN or password.
Once activation is complete, you should see the screen below showing your device has activated and is compliant. The Android for Work COBO (work only) activation is now complete and your device is ready to use. Open up the application grid and you’ll probably see a much smaller set of applications compared to what is typically available on a device that has a personal profile. The BES administrator has control over the applications that are available to you. Any application in Google Play can be whitelisted for use in work only mode. You can also deploy private, internally developed applications that are only available to your Google domain. The BES admin has complete control over the applications you’re able to use.