Enroll and manage Android hosts

Open noahtalerman opened this issue 1 year ago • 2 comments

Goal

User story
As a Client Platform Engineer,
I want to enroll and manage my Android hosts
so that I can enforce settings to ensure these hosts meet compliance needs.

Context

  • Product designer: @noahtalerman

Changes

Product

  • [ ] UI changes: TODO
  • [ ] CLI usage changes: TODO
  • [ ] REST API changes: TODO
  • [ ] Fleet's agent (fleetd) changes: TODO
  • [ ] Permissions changes: TODO
  • [ ] Outdated documentation changes: TODO
  • [ ] Changes to paid features or tiers: TODO

Engineering

  • [ ] Database schema migrations: TODO
  • [ ] Load testing: TODO

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

  • Requires load testing: TODO
  • Risk level: Low / High TODO
  • Risk description: TODO

Manual testing steps

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.

noahtalerman avatar Jun 25 '24 15:06 noahtalerman

Just want to give a +1 on this feature request! Ty!

bolaussen avatar Aug 26 '24 15:08 bolaussen

@noahtalerman enrollments should support Work Profile or Profile Owner mode. See https://www.ibm.com/docs/en/maas360?topic=modes-work-profile-profile-owner-po-mode

dherder avatar Aug 30 '24 12:08 dherder

enrollments should support Work Profile or Profile Owner mode. See https://www.ibm.com/docs/en/maas360?topic=modes-work-profile-profile-owner-po-mode

Thanks @dherder! I'm curious, who did we get this info from? A customer? If so which one?

noahtalerman avatar Sep 03 '24 18:09 noahtalerman

  • Enroll via work profile
  • Enroll in regions that don't support work profiles (mainly China). Intune uses AOSP
  • For both enrollment methods, auto-install and self-service software
  • For both enrollment methods, enforce OS settings (e.g. PIN, screenlock, etc.)

noahtalerman avatar Nov 14 '24 14:11 noahtalerman

@noahtalerman for customer-pingali the requirements for Android also include:

  1. Managed Play Store for Android devices
  2. Must be possible to limit MDM capabilities for devices that are not owned by them. Any MDM administrator must not be able to send device wipe commands and data collection should be limited where possible on these types of devices

ambrusps avatar Nov 15 '24 16:11 ambrusps

Dropping a link here for all commands that can be issued on a fully managed device. Working with a prospect that wants to leverage the volume control features: https://developers.google.com/android/work/requirements/fully-managed-device

harrisonravazzolo avatar Jan 28 '25 18:01 harrisonravazzolo

Hey @zayhanlon & @Patagonia121, we shipped #23231 in 4.65.0, only for dogfooding. Let's wait to ask numa and pingali for feedback. More improvements coming in Q2, including configuration profiles, OS updates, and app install.

marko-lisica avatar Mar 17 '25 14:03 marko-lisica

okay so you'll let us know in a sprint or two? @marko-lisica

zayhanlon avatar Mar 17 '25 14:03 zayhanlon

Greetings all! A real +1 to this feature request! Just wanted to know, as an end user, when will we be able to use this feature as a whole and complete feature? Is there any estimation for BYOD and the enrollment process to work?

and also for devices using AOSP and not being able to use the Android Enterprise is there any plan to work?

Ty!

meghasemim1999 avatar Jun 29 '25 12:06 meghasemim1999

  • @noahtalerman: We think pingali also needs to be able to deploy certificates to connect end users to Wi-Fi/VPN. Can you do this with a configuration profile?

@marko-lisica I think the answer is yes, right? If Fleet supports any of the Android policies via configuration profiles in Fleet, Fleet will support this

noahtalerman avatar Jul 14 '25 23:07 noahtalerman

  • @noahtalerman: We think pingali also needs to be able to deploy certificates to connect end users to Wi-Fi/VPN. Can you do this with a configuration profile?

@marko-lisica I think the answer is yes, right? If Fleet supports any of the Android policies via configuration profiles in Fleet, Fleet will support this

@noahtalerman I think so. I still need to learn more about this topic. I believe we'll use openNetworkConfiguration.

marko-lisica avatar Jul 15 '25 10:07 marko-lisica

Greetings all! A real +1 to this feature request! Just wanted to know, as an end user, when will we be able to use this feature as a whole and complete feature? Is there any estimation for BYOD and the enrollment process to work?

and also for devices using AOSP and not being able to use the Android Enterprise is there any plan to work?

Ty!

Hi! Can somebody please answer my questions? Thanks

meghasemim1999 avatar Jul 15 '25 11:07 meghasemim1999

Hey @meghasemim1999! BYOD enrollment is available today! https://fleetdm.com/guides/android-mdm-setup

Other features like enforcing OS settings, lock/wipe, are planned for Q3 2025.

Management for devices that can't use Android enterprise isn't planned for Q3. Fleet might revisit this in the future.

noahtalerman avatar Jul 15 '25 21:07 noahtalerman

Pulling these stories out of this request's sub-issues and leaving them here for safekeeping.

My understanding is that they're not required for pingali nor sarahwu. I think we might want to come back to them in the future (post Q3).

  • https://github.com/fleetdm/fleet/issues/23232
  • https://github.com/fleetdm/fleet/issues/26028
  • https://github.com/fleetdm/fleet/issues/26028

noahtalerman avatar Jul 16 '25 13:07 noahtalerman

@kc9wwh @zayhanlon https://github.com/fleetdm/fleet/issues/26519 shipped in Fleet 4.70.0 🎉

rachaelshaw avatar Jul 30 '25 22:07 rachaelshaw

  • @noahtalerman: We think pingali also needs to be able to deploy certificates to connect end users to Wi-Fi/VPN. Can you do this with a configuration profile?
    • @marko-lisica Certificates can be delivered with configuration profiles, but there's a separate story for certificate deployment (to enable variables with cert content from configured CA).

Hey @noahtalerman, during the estimation of the Android configuration profiles story, a question arose regarding the certificate deployment. We decided to create a separate story (#32054). It will be supported when we release configuration profiles (#25557), but users will only be able to manually include certificate content. We need to build support for variables from configured CAs. I think customers will be able to at least test how certificates work.

marko-lisica avatar Aug 18 '25 17:08 marko-lisica

It will be supported when we release configuration profiles (https://github.com/fleetdm/fleet/issues/25557), but users will only be able to manually include certificate content. We need to build support for variables from configured CAs. I think customers will be able to at least test how certificates work.

@marko-lisica thanks for the update! Makes sense.

I added the story to the roadmap board so we don't lose it: https://github.com/fleetdm/fleet/issues/32054

@georgekarrv can you please help us T-shirt size the story and add it to a sprint on the roadmap? We want it to fit into Q4. If it can't, please let me know!

noahtalerman avatar Aug 19 '25 16:08 noahtalerman