Configure Google Workspace authentication

Once you configure the Android Enterprise environment, you can integrate your Knox Manage tenant with Google Workspace. This integration allows you sync directory resources, such as users and groups, from your Google Admin Console. Once it’s integrated, users can enroll Android Enterprise or Android Management API (AMAPI) devices with their Managed Google Domain Accounts.

Prerequisites

To sync your tenant with Google Workspace, you must meet the following prerequisites:

Managed Google Domain account

You must have registered your Android Enterprise environment with a Managed Google Domain account, not a personal one.

You can check what account you’re registered with by going to Setting > Android > Android Enterprise. Your account type displays beside Enterprise Type.

If the Enterprise Type isn’t Managed Google Domain, then you must unlink your account and re-register with a Managed Google Domain account. See Update EMM provider information to learn more.

Chrome OS settings

If you are set up for Chromebook management in your tenant, you must unlink your Chrome OS settings. See Manage Chromebooks for more information.

Connect to Google Workspace

To connect to Google Workspace:

1. Go to Setting > Android > Google Workspace. The Link Account with Google page opens.

2. Click Sign in with Google at the bottom of the page. You’re redirected to Google to sign into the Managed Google Domain account you registered your Android Enterprise environment with.

3. Once you sign into your Google account, you’re prompted to grant Knox Manage access to your Google account. Select what resources Knox Manage can view and manage from Google Workspace:

   • Group subscriptions
   • Organization units
   • Groups
   • Users

4. Click Continue.

5. You’re directed back to the Link Account with Google page in Knox Manage. The Google Authorization Code is automatically filled. Click Authorize at the bottom of the screen.

   

6. Click Authorize. Your account is linked.

7. The Google Workspace page opens. To enable synchronization between Google Workspace and Knox Manage, you must validate the connection. Beside Connection between Knox Manage and Google, click Test Connection.

Directory resources from Google Workspace can now sync with Knox Manage.

Enroll devices with their Managed Google accounts

Device enrollment with a Managed Google account is available through the following methods:

• QR code — Enrolls devices with a QR code. You send the enrollment guide to the device user, and then the device user scans the QR code inside. This method allows you to provision devices individually or in bulk.
• Token — Enrolls devices with a token. The device user enters the token afw#KnoxManage when setting up their device.

See Enroll a single device to learn more.

Before users can enroll devices with their Managed Google accounts, you must configure a few more settings depending on whether you manage Android Enterprise devices or AMAPI devices.

For Android Enterprise devices:

1. Go to Setting > Android > Android Enterprise.
2. Beside Authenticate using Google Workspace, click Enable.

3. Beside Allow User to Skip, select one of the following options:
   • Allow user to skip — Allows users to sign into devices with their Knox Manage credentials instead of their Google accounts.
   • Force user to sign-in — Forces users to sign into devices with their Google accounts.

Users can now enroll Android devices with their Google credentials.

For AMAPI devices:

1. In the Google Admin Console, navigate to Third-party integrations.

2. Click Manage EMM providers. Beside the entry for Knox Manage, enable Authenticate Using Google.

   If you don’t enable Authenticate Using Google, device users can’t sign in with their Google accounts, but your resources will continue to sync from Google Workspace to Knox Manage.

Users can now enroll AMAPI devices with their Google credentials.

Manage Google Workspace connection

Once your tenant is integrated with Google Workspace, you can manage your connection from Knox Manage on the Google Workspace page. The following sections are available: Server Settings and Google Workspace Sync Settings.

At the top of the page, the following details are displayed:

• Domain — Your Knox Manage domain.
• Google Workspace Email — Your Managed Google Domain email.
• Google Workspace Sync Interval — The frequency, in days, that Google Workspace syncs with your tenant. You can set this under Sync Start Time.

Server Settings

The following information displays in the Server Settings section.

• Connection between Knox Manage and Google — Validates that the connection between your tenant and Google Workspace is successful, enavbling synchronization. Click Test Connection.
• Sync Google Workspace — Syncs resources from Google Workspace.

Google Workspace Sync Settings

The following information displays in the Google Workspace Sync Settings section.

• Sync Start Time — Set the frequency, in days, that Google Workspace automatically syncs with your tenant.
• Apply Auto Profile for User — Applies a profile to a user’s device only when their organization’s details change in Google Workspace.
• Apply or Unassign Auto Profile/App for Group — Specifies when to push a profile or app to a group and its members.
• When adding a user from group, profiles and apps will be applied to the user — Associated profiles and apps are assigned to users when they’re added to a group.
• When deleting a user from group, profiles and apps will be unassigned from the user — Associated profiles and apps are un-assigned from users when they’re removed from a group.
• When deleting a group, profiles and apps will be unassigned from the group — Associated profiles and apps are un-assigned from group members when the group is deleted.

Sync behavior

The following behaviors apply to all resources synced from Google Workspace:

• Resources can’t be synchronized individually, and must be synced all at once.
• If resources are deleted in Google Workspace, then they’re also deleted in Knox Manage.

Users

The following behaviors apply to all users synced from Google Workspace

• If a Google Workspace user has the same email as an existing Knox Manage user, they replace the Knox Manage user.
• If a Google Workspace user doesn’t have same email as an existing Knox Manage user, a new user is added to Knox Manage and their User ID will consist of the section of their email address before the @domain. If this User ID overlaps with an existing User ID, three digits are added onto the end, such as lucymak001.
• Google Workspace updates to users are always reflected in Knox Manage.

Groups

• Google Workspace updates to groups are always reflected in Knox Manage.

Organizations

• If a Google Workspace organization has the same Organization code as an existing Knox Manage organization, they replace the Knox Manage organization.
• Google Workspace updates to organizations are always reflected in Knox Manage.

Disconnect from Google Workspace

You can unlink your Google Workspace account from your Knox Manage tenant. When you unlink your account, any users, groups, and organizations that are synched from Google Workspace are removed from Knox Manage.

Before you unlink your account, you must first unenroll all Android Enterprise and AMAPI devices enrolled with a Managed Google Account. See Unenroll and delete devices to learn more.

To unlink your Google Workspace account:

1. Go to Setting > Android > Google Workspace.
2. At the top of the page, click Unlink Account. The Unlink Account dialog appears.
3. Confirm your intention by clicking OK.