Android Enterprise and Android Verse

This topic highlights the Android Enterprise integration features that are included with the Android Verse application, and how to take advantage of them in your deployment.

Organizations using Android Enterprise to manage their mobile applications are now able to deploy Android Enterprise application management capabilities with Android Verse, including the ability to provision application configuration settings, and enforce Android Enterprise security policies. This Android Enterprise capability is built directly into the base version of Android Verse that is delivered to mobile devices using Google Play and can be activated by following the instructions in this article.

Minimum Requirements

The following components are required at the specified minimum levels.

  • Traveler server 9.0.1.21 (or later). To take advantage of the MAM Required policy, enforcing access to an on-premises Traveler Server only through an MDM managed application, Traveler server 9.0.1.15 is required.
  • An Enterprise Mobility Manager (EMM) capable of managing Android Enterprise profiles (for example, Google, MaaS360, MobileIron, Citrix or VMware Workspace ONE).
  • The Device Policy Controller (DPC) of the Android Enterprise provider installed on the mobile device.
  • An Android Enterprise capable device.

Be sure to check with your EMM provider to determine any minimum requirements they have for required components to support Android Enterprise.

Binding Android Enterprise to an EMM

Your EMM must be configured to enable Android Enterprise and recognize Android Enterprise users. The following URL provides an overview for configuring a third party EMM provider for Android Enterprise: https://support.google.com/work/android/answer/6174046.

Some of the steps for enabling an EMM administrator console for Android Enterprise vary from provider to provider and we recommend that you consult your EMM documentation on exactly how the EMM manages Android Enterprise devices.

Making apps available for Android Enterprise

Once an EMM is bound to Android Enterprise for a domain, the Google administrator for the domain can navigate to Google Play for Work and approve the apps to be used by users. Once the apps are approved in Google Play, they must be added to the EMM administration console.

Managing Android Verse using Android Enterprise

The following sections describe how to enable Android Enterprise application management of the Android Verse application in your environment.
  1. App-specific Configuration:

    Use App-specific configuration settings to automate the setup of Android Verse on managed devices.

    The configuration settings are specified by updating the Android Verse for Android Enterprise app custom settings using the EMM administration console.

    There are two types of custom Verse app settings that are configured using Android Enterprise: enforced or locked settings, and preferences.

    Settings that have a corresponding “Lock” option are considered preferences. If you enable the lock option for this preference, then it is enforced. If you do not enable the lock option, it is used as the default value, but the mobile app user is able to adjust that setting using the Verse app if they wish. If there is a setting that does not have a corresponding lock option, then by providing a value for that setting it is enforced and cannot be changed.

    For example, the setting called Server URL allows an administrator to provide the exact hostname and connection URL which the managed Verse app uses to connect to its Traveler server. If a value is provided for Server URL, it is considered locked and cannot be changed at the Verse app by a mobile user. The setting called Mail: Remove Mail older than is a preference that can be provided as a default value. You can change this to any suggested value in the list and when a mobile user installs the app for the first time on a new device, they receive the value you have set as the default. If you want to enforce that the mobile user receives that value AND cannot change it to any other value, enable the setting called Lock Remove Mail older than.

    Note: Any setting that is not locked is applied only if it is not already set for the application. When a value is already stored in the mobile app, it is assumed that the initial configuration was applied or that the user has changed the value to one they prefer, so the stored value is not overridden. Any setting that is locked is enforced.
    Note: Settings can also be configured at the Traveler server. The MDM settings take precedence unless a server setting is locked. If a server-specified setting is locked, it takes precedence, the MDM setting is ignored, and the user is not able to modify the setting. It is recommended that all Android Enterprise settings be managed through the EMM and not through the Traveler server.

    Some of the settings that can be configured are:

    | Key | Default Value | Details |
    | --- | --- | --- |
    | Configuration: Server URL | none | Provide the hostname or a fully qualified URL to your company's Traveler server. Only provide this value if using My Company's Server as the server type. For example: https://<server>/traveler. Note: This value can only be set prior to the initial configuration of the HCL Verse application and any changes are ignored after the HCL Verse application is initially configured. |
    | Configuration: Traveler User ID | none | The User ID used to access the Traveler server. |
    | Configuration: Password | none | The Traveler password for the User ID. |
    | Logging: Enable logging | off | Set to on to enable more verbose app diagnostic logging. |
    | Logging: Log size (in K) | 2000 | Maximum log size in KB before the logs wrap. |
    | Logging: Problem Report.Auto report | true | Whether any problems that occur on the device are automatically sent to the server. |
    | Configuration: Applications to sync | Mail and Calendar and People | Define which applications are synced with data from the server. |
    | Mail: Truncate mail to | 2K | Download each email up to the specified truncation size. |
    | Mail: Auto download inline images up to | 0 | Automatically download images within email up to the specified size. |
    | Mail: Auto download attachments up to | 0 | Automatically download email attachments up to the specified size. |
    | Mail: Remove mail older than | 5 Days | Remove mail from the app when it’s older than the specified duration. |
    | Calendar: Show past events | 1 Day | Show events that have passed in the calendar for the specified time. |
    | Calendar: Show upcoming events | 1 Week | Show calendar future events up to the specified duration. |
    | People: Export Verse Contacts | Enabled | Whether Verse contacts are added to the device contacts list (if not blocked by Android Enterprise policies). |
    | Todo: Sync incomplete only | false | Whether only incomplete to dos are synced to the device from the server. |
    | Sync: Peak sync type | Real-time | How often data should be synced to the device for peak times. |
    | Sync: Off-peak sync type | Real-time | How often data should be synced to the device for off-peak times. |
    | Sync: Peak days | Monday, Tuesday, Wednesday, Thursday, Friday | Which days of the week include peak sync time periods. |
    | Sync: Peak start time | 480 | Number of minutes past midnight to the start of peak time. |
    | Sync: Peak end time | 1020 | Number of minutes past midnight to the end of peak time. |
    | Custom Verse DeviceId | none | The setting allows the enterprise admin to provide a replaceable value to be used for the Verse application deviceID when communicating with the Traveler server. This value must be globally unique. For an Android Enterprise MaaS360 deployment it could be set to %DEVICEID% for example. Note: This value is by default restricted to 16 hexadecimal characters. For unrestricted use of this value please see the following configuration option. Also note that this value can only be set prior to the initial configuration of the HCL Verse application and cannot be updated once the HCL Verse application has been configured. |
    | Use the Custom Verse DeviceId Unmodified | false | When set to true, this removes the default restriction of 16 hexadecimal chars for the custom DeviceID and also removes the default Android_ prefix added by HCL Verse Android. This may be required when attempting to use an EASDeviceID that cannot be prefixed and must be 32 chars long. |
  2. Data at Rest Security:

    When devices are configured for Android Enterprise, device encryption is required. Before a work profile can be created, encryption must be enabled. All data at rest and managed by applications is encrypted.

  3. Remote App and Data Wipe:

    In an Android Enterprise environment, there can be situations when a device must have the enterprise data associated with the Verse app wiped. This may happen because the device has been lost, the device is no longer compliant with your security policies or perhaps the user has left the company and should no longer have access to this data. If any of these occur, the Android Enterprise administrator can choose to wipe just the Android Enterprise apps and data from the device. This removes the Android Enterprise work profile and all data associated with the Android Enterprise apps. Any Android Enterprise apps are also removed. Apps installed in the personal profile remain. The wipe of the work profile is performed from the EMM administration console you’re using to manage your Android Enterprise environment.

    Note: Even when the device is managed by Android Enterprise, the Traveler server retains the ability to wipe Traveler data.
  4. Secure Tunneling:

    In order to grant Android Verse access to a Traveler server deployed within a company intranet topology, the Android Verse application must be configured to point to the server URL of an edge proxy, such as HCL SafeLinx, or a per-app VPN must be used. When using a per-app VPN, the VPN application must be an approved Android Enterprise application and deployed within the work profile.

  5. Preventing Data Leaks:

    With Android Enterprise, data can be copied and pasted between applications within the work profile since they have been approved by the company Android Enterprise administrator. Similarly, the screen capture capability is controlled through the EMM administration console for all applications managed within the work profile. Attachments and files can be shared with other applications within the work profile since those applications are also approved and managed.

  6. App Passcodes:

    Starting with Android 7, app passcodes can be configured for the work profile so when an Android Enterprise application is launched, the passcode must be entered. This capability is dependent on your specific EMM provider support.

Updating the Android Enterprise enabled version of Android Verse application on mobile devices

As with all Android Enterprise enabled applications, updates to the secure applications are managed through the Google Play for Work app store. If there are permission changes, the administrator (Google account binding the EMM to Android Enterprise) must review and accept the permissions for the upgrade to take place through the EMM.

Behavioral differences when using the Android Enterprise managed version of Android Verse application

The Android Enterprise enabled version of the Android Verse application behaves differently in some areas when compared to the standard version. The differences are summarized here:

  • Server Security policies:

    In general, most Android Verse application security policies are now managed through the Configuration settings when editing the app in the EMM admin console. In the cases where a security policy is still set at the Traveler server for Android devices but the same policy can be managed by Android Enterprise restrictions, the Android Verse application ignores the policy setting from the Traveler server unless that setting is locked by the Traveler server. When a Traveler server setting is locked, that value takes precedence and is enforced by the Android Verse application. It is recommended that when Android Enterprise is used to manage Android Verse, all configuration settings be applied through the EMM administrator console and not through the Traveler server.

  • User interface changes:

    There are several changes to the user interface for this version of Android Verse application:

    • The managing agent identifier that is visible on the About screen has the Android Enterprise badge (briefcase) applied.
    • The Android Verse application requests configuration from EMM to use in the initial configuration wizard.
    • The Android Device Administrator for Android Verse is no longer required.
    • The user is prevented from modifying the following configuration settings in the Verse configuration wizard when they are provided by the EMM app-specific configuration:
      • Server URL
      • User ID
    • The menu item Tools > Uninstall has been removed. To uninstall Android Verse, use the Android application manager accessed through Android Settings.
    • The menu item Tools > Security has been removed. All security compliance is managed by the EMM in this environment.
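
The precedence rules from the notes under App-specific Configuration and from Server Security policies, modelled as an added example (not HCL's code) so an administrator can see which EMM values will not actually be in effect on a device. The function names, origin labels and sample values ("1 Month", "10K", traveler.example.com) are constructed, and step 5 is an assumption the page does not state.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Source:
    """One source (EMM or Traveler server) for a single setting."""
    value: Optional[str] = None  # None: this source supplies nothing
    locked: bool = False

def resolve(emm, server, stored, app_default, emm_has_lock_option=True):
    """Return (effective_value, origin, user_can_edit) for one setting."""
    # 1. A locked Traveler server setting wins; the EMM value is ignored.
    if server.value is not None and server.locked:
        return server.value, "server-locked", False
    # 2. EMM value is enforced if its Lock is on or it has no Lock option.
    if emm.value is not None and (emm.locked or not emm_has_lock_option):
        return emm.value, "emm-enforced", False
    # 3. A value already stored in the app is not overridden by a preference.
    if stored is not None:
        return stored, "stored", True
    # 4. Otherwise the unlocked EMM value becomes the initial default.
    if emm.value is not None:
        return emm.value, "emm-default", True
    # 5. Assumption: with no EMM value, an unlocked server value applies next.
    if server.value is not None:
        return server.value, "server-default", True
    return app_default, "app-default", True

def audit(settings):
    """List settings whose EMM-supplied value is not the effective one."""
    findings = []
    for name, s in settings.items():
        value, origin, _ = resolve(s["emm"], s["server"], s.get("stored"),
                                   s["default"], s.get("lock_option", True))
        if s["emm"].value is not None and value != s["emm"].value:
            findings.append((name, origin, value))
    return findings

# Constructed sample: three keys from the settings table, made-up values.
SAMPLE = {
    "Mail: Remove mail older than": {"emm": Source("5 Days"), "server": Source(),
                                     "stored": "1 Month", "default": "5 Days"},
    "Mail: Truncate mail to": {"emm": Source("2K", locked=True),
                               "server": Source("10K", locked=True), "default": "2K"},
    "Configuration: Server URL": {"emm": Source("https://traveler.example.com/traveler"),
                                  "server": Source(), "lock_option": False, "default": ""},
}

for finding in audit(SAMPLE):
    print(finding)
```

Each finding marks a setting where the EMM console shows one value while the device uses another, either because the preference was left unlocked or because a Traveler server lock overrides it.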