Search
Clear search
Close search
Google apps
Main menu
true

Setup with a third-party EMM provider

If your company isn’t a G Suite customer, you need to select a third-party enterprise mobility management (EMM) provider to set up Android. An EMM provider gives your company administrator access to tools to remotely manage your company’s devices.

To set up Android for your company you can use a Managed Google Account or managed Google Play Accounts. 

Managed Google Play Accounts

Managed Google Play Accounts can be set up quickly, as you don't need to prove domain ownership. You can also create multiple managed Google Play Accounts enterprises for your organization. For example, departments or regions within a company might set up separate managed Google Play Accounts enterprises and different EMM providers may be used for each. You must have a third-party EMM provider to use managed Google Play Accounts. For more information see Managed Google Play Accounts

Managed Google Account

If you want to use a Managed Google Account, you’ll need to prove domain ownership during the setup process. Your account will also give you access to the Google Admin console to add Android management for your business. Learn more about verifying your domain for G Suite services.

G Suite customers can choose to use Google Mobile Management or a third-party EMM provider. Customers who don't use G Suite must select a third-party EMM provider.

After you set up Android for your organization, your users can set it up on their devices.

Create a service account

Note: The Google Mobile Management EMM provider (for G Suite customers) and some third party EMM providers do not require you to create a service account. Check with your EMM provider to see if you need to create a service account.

What is a service account?

A service account belongs to an application instead of to an individual end user. An application calls Google Application Programmer Interfaces (APIs) on behalf of the service account, where user consent is not required.

The Google authentication system supports interactions between web applications and Google services. To authenticate these interactions, applications need a service account. Applications call Google APIs using service account credentials to authenticate the API calls so that users aren’t directly involved.

When your third-party EMM provider calls the EMM Play APIs, a service account is used to verify that the EMM provider is authorized to make API calls to your domain.

How to create the service account

  1. Sign in to the Google Developers Console using a Google Account that has 2-step verification enabled. See Security considerations.
  2. Click Create project to create a project for the service account, then enter your project name and click Create.
  3. (Optional, but highly recommended) Add additional project owners by granting the Owner role to existing project members.
  4. Open the Credentials page.
  5. Click Credentials > New credentials.
  6. Select Service account key > New service account.
  7. Enter a name for your account.
  8. Select your preferred key type and click Create. Your new public/private key pair is generated and downloaded to your machine and is the only copy of this key. You’re responsible for storing it securely.

Important: Don’t delete the project or service account. Also make sure there’s always at least one project owner so your company can access the project and service account. 

Security considerations

When you sign in to the Google Developers Console, it's best to enable 2-Step Verification on an account like this that's used for administrative purposes. 2-step verification adds an extra layer of security to your account. 

If you're a G Suite customer

To set up Android, you must be signed in with super administrator privileges. However you may not have set up the original G Suite account, if you don’t know who that person is, see the G Suite domain troubleshooter for help.

Add Android management from the Google Admin console:

  1. Sign into the Admin console at admin.google.com
  2. Do one of the following options:
    • If you already added Android management,  then go to Use a third-party EMM provider.
    • In the right pane under ​Common tasks​, click ​Get more apps and services​.
      Can't see the right pane? At the top right, click Open Open to show it.
  3. Under Android management, click Add It Now.
  4. Agree to the terms of service and click Continue.
  5. Go to Use a third-party EMM provider.
If you aren't a G Suite customer

After you sign up for Android in the enterprise, you have to create a G Suite account to verify your domain and get access to the Google Admin console so you can add Android management. The Admin console is a web interface for managing your account, and it has different features depending on the Google services that you use. To perform the steps in the Google Admin console, you must be signed in with an administrator account that has super administrator privileges.

If the company hasn’t used its domain name to sign up for another Google service, an IT administrator can sign up for Android in the enterprise before adding the service. If one of your users created a personal Google Account with your company's domain (@mycompany.com), they'll be prompted to resolve the conflicting account the next time they sign into their personal Google Account.

  1. Sign up to use Android devices at your company.
  2. Create a Google Account with a super administrator for your company’s domain. 
    After creating a Google Account, administrators have 14 days to verify domain ownership. Otherwise, the account expires and you have to restart the sign-up process.
  3. Verify domain ownership.
  4. Sign in to the Admin console at admin.google.com as a super administrator for the company's domain.
  5. In the right pane under ​Common tasks​, click ​Get more apps and services​.
    Can't see the right pane? At the top right, click Open Open to show it.
  6. Under Android management, click Add It Now.
  7. Agree to the terms of service, click Continue.
  8. Go to Use a third-party EMM provider.
Use a third-party EMM provider

After you add your EMM provider, your mobile users need to download their device policy controller to use their Android devices in the enterprise.

Part of adding your third-party provider involves sharing your company’s EMM token with the provider. After you generate a token, you have 30 days to share it. If the token expires, you have to generate a new one. 

To use a third-party EMM provider:

  1. Choose a provider from the list of approved vendors
  2. Contact the EMM provider to find out how to share your EMM token. 
  3. Sign in to the Google Admin console as a super administrator to generate an EMM token or see an unexpired one.
  4. Click Security > Manage EMM provider for Android.
  5. Copy the token (a string of characters) or click Generate Token to generate a new token and then copy it.
    Note: If you're already using Android at your company, you can't view or generate a token.
  6. Share the token with your EMM provider. 
  7. Have users download the EMM's device policy controller from managed Google Play.
     

If you want to change your EMM provider, see Changing your EMM provider.

Was this article helpful?
How can we improve it?