Objective
Support for COSU Android Enterprise devices

Endpoint Management supports the management of corporate owned single use (COSU) Android Enterprise devices. COSU devices fulfill a single use case, such as digital signage, ticket printing, or inventory management. Administrators restrict these devices to one app or small set of apps. Administrators also prevent users from enabling other apps or performing other actions on the device.

To provision COSU devices:

• Add a role-based access control (RBAC) role that allows Endpoint Management administrators to enroll COSU devices to your Endpoint Management deployment. Assign this role to users whom you want to enroll COSU devices.
• Add an enrollment profile for Endpoint Management administrators that you allow to enroll COSU devices to your Endpoint Management deployment.
• Whitelist the app or apps you want the COSU device to access.
• Optionally, set the whitelisted app to allow lock task mode. When an app is in lock task mode, the app is pinned to the device screen when the user opens it. No Home button appears and the Back button is disabled. The user exits the app using an action programmed into the app, such as signing out.
• Provision each device using xfw#mobile, NFC bump, or QR code method, when the device is first powered on after factory reset. See afw#xenmobile, NFC bump, or QR code.

System requirements

• Support for enrolling Android COSU devices begins with Android 6.0.
• Device must be new or factory reset.

Add the COSU role

The RBAC role for enrolling COSU devices enables Endpoint Management to silently provision and activate a managed Google Play account on the device. Unlike managed Google Play user accounts, these device accounts identify a device that is not tied to a user.

You assign this RBAC role to Endpoint Management administrators to enable them to enroll COSU devices.

To add the RBAC role for enrolling COSU devices:

1. In the Endpoint Management console, click the gear icon in the upper-right corner of the console. The Settingspage appears.

2. Click Role-Based Access Control. The Role-Based Access Control page appears, which displays the four default user roles, plus any roles you have previously added.

3. Click Add. The Add Role page appears.

4. Enter the following information.

   • RBAC name: Enter COSU or other descriptive name for the role. You cannot change the name of a role.
   • RBAC template: Choose the ADMIN template.
   • Authorized access: Select Admin console access and COSU devices enroller.
   • Console features: Select Devices.
   • Apply permissions: Select the groups to which you want to apply the COSU role. If you click To specific user groups, a list of groups appears from which you can select one or more groups.

5. Click Next. The Assignment page appears.

6. Enter the following information to assign the role to user groups.

   • Select domain: In the list, click a domain.
   • Include user groups: Click Search to see a list of all available groups. Or, type a full or partial group name to limit the list to only groups with that name.
   • In the list that appears, select the user groups to which you want to assign the role. When you select a user group, the group appears in the Selected user groups list.

   Note:

   You can assign a role to user groups only for Active Directory users, not local users created in Endpoint Management.

7. Click Save.

Add a COSU enrollment profile

When your Endpoint Management deployment includes COSU devices, a single Endpoint Management administrator or small group of administrators enroll many COSU devices. To ensure that these administrators can enroll all the devices required, create an enrollment profile for them with unlimited devices allowed per user. Assign this profile to a delivery group containing the administrators who enroll COSU devices. That way, even if the default Global profile has a limited number of devices allowed per user, administrators can enroll an unlimited number of devices. Those administrators must be in the COSU enrollment profile.

1. Go to Configure > Enrollment Profiles. The default Global profile appears.

2. To add an enrollment profile, click Add. In the Enrollment Info page, type a name for the enrollment profile. Ensure that number of devices that members with this profile can enroll is set to unlimited.

   

3. Click Next. The Delivery Group Assignment screen appears.

4. Choose the delivery group or delivery groups containing the administrators who enroll COSU devices. Then click Save.

   The Enrollment Profile page appears with the profile you added.

   

Whitelist apps and set lock task mode

The Kiosk device policy let you whitelist apps and set lock task mode. By default, Secure Hub and Google Play services are whitelisted.

To add the Kiosk policy:

1. In the Endpoint Management console, click Configure > Device Policies. The Device Policies page appears.

2. Click Add. The Add a New Policy dialog box appears.

3. Expand More and then, under Security, click Kiosk. The Kiosk Policy page appears.

4. Under Platforms, select Android Enterprise.

5. In the Policy Information pane, type the Policy Name and an optional Description.

6. Click Next and then click Add.

7. To whitelist an app and allow or deny lock task mode for that app:

   Select the app you want to whitelist from the list.

   Choose Allow to set the app to be pinned to the device screen when the user starts the app. Choose Deny to set the app not to be pinned. Default is Allow.

   

8. Click Save.

9. To whitelist another app and allow or deny lock task mode for that app, click Add.

10. Configure deployment rules and choose delivery groups. For more information, see Device policies.

Endpoint Management supports the management of corporate owned single use (COSU) Android Enterprise devices. COSU devices fulfill a single use case, such as digital signage, ticket printing, or inventory management. Administrators restrict these devices to one app or small set of apps. Administrators also prevent users from enabling other apps or performing other actions on the device.