AMAPI Goes GA with Workspace ONE UEM: What It Means for You
Last year we announced the beta version of AMAPI and now we are happy to share that it is generally available with the release of Workspace ONE UEM 2406. As more organizations adopt Android devices in their operations, the demand for scalable, flexible, and robust management solutions has grown. AMAPI meets these needs by providing a modern, cloud-based API that enables EMM providers to manage Android devices more effectively, ensuring enhanced security, compliance and user experience.
How is AMAPI different from Android EMM?
The current approach to Android device management in Workspace ONE UEM is called Custom Device Policy Controller (Custom DPC). Android Management API is based on a native device management API layer built by Google. Workspace ONE UEM integrates directly with AMAPI to manage and secure devices. This allows Google and Workspace ONE to be more agile while also making new device management functionality possible. By supporting the AMAPI management approach, Workspace ONE UEM is stepping into the future of Android device management and aligning with Google’s vision of the Android Enterprise ecosystem.
With the integration of AMAPI, Workspace ONE UEM now gives customers the flexibility to manage Android devices using AMAPI, while continuing to support Custom DPC. This blog offers insight into how AMAPI management works in conjunction with Workspace ONE UEM.
AMAPI Requirements
The following requirements must be met to enable AMAPI in the Workspace ONE UEM Console.
Console requirements:
- Workspace ONE UEM Console 2406
- Modern architecture enabled
- Control Plane Joined Environment
Device requirements:
- Intelligent Hub 24.05+
- Android 7+
Supported Android enrollment modes:
- Work Profile Mode - this mode allows for management of employee-owned devices
How to enable AMAPI in the Workspace ONE UEM Console?
With the pre-requisites met, the administrator first needs to set up Android Management API in the Workspace ONE UEM Console. If the Android EMM Registration wizard has not yet been completed in the environment, the setup wizard will set up AMAPI. If Android EMM Registration has been completed in a Workspace ONE UEM environment where AMAPI support was not yet available (see pre-requisites above), administrators need to complete a one-time registration action from the Android EMM Registration settings page.
Workspace ONE UEM Console registration with AMAPI should be done only at a Customer Type OG, which in most cases is the root OG. In cases where Android EMM Registration was completed before AMAPI became available, AMAPI setup is completed at the same Organization Group where Android EMM Registration was completed. Completing AMAPI registration does not by itself impact the Workspace ONE UEM environment; however, additional action is needed to require new device enrollments to use Android Management API instead of Custom DPC. To configure new devices to use AMAPI device management, the enrollment settings at the OG need to be changed. The setting seen here only impacts how new employee-owned devices will be enrolled into the Workspace ONE UEM environment.
These settings must be changed because Custom DPC and AMAPI-based enrollment settings cannot both be enabled at the same OG.
Register with AMAPI
To register Workspace ONE UEM with AMAPI, complete the following steps.
- In the Workspace ONE UEM console, navigate to Groups & Settings > All Settings > Device & Users > Android > Android EMM Registration.
- Click Register.
- Enter the mandatory information and click Complete Registration.
- On the Android EMM Registration page, for Work Profile Management Mode select Android Management API and click Save. This configures new devices to use AMAPI.
Configure an AMAPI Profile
To configure AMAPI-based profiles, navigate to Resources > Profile > Add > Add Profile > Android > Android Management API. The steps to configure an AMAPI profile payload are similar to those for Custom DPC. If you are new to configuring a profile, check out the Omnissa documentation on how to Configure a Profile.
How AMAPI manages devices along with Workspace ONE UEM
Most features supported in profiles for Custom DPC devices are also supported for AMAPI devices, and in future releases AMAPI will also support additional functionality.
Administrators will continue to use the Workspace ONE UEM console to configure profiles, applications and settings for enrolled devices. The majority of policies utilizing AMAPI will be sent to Google Cloud (AMAPI), as seen in the image below, which will then enforce them on individual devices via the Android Device Policy app, a native Android application.
However, policies like Certificates and Internal Applications will continue to depend on Intelligent Hub for installation on enrolled devices. Intelligent Hub is automatically installed on all devices during AMAPI enrollment.
How to choose an enrollment option for your environment?
Google has introduced AMAPI to improve the overall experience of an end user, onboarding being one of the key experiences. With AMAPI, end users have three ways to enroll into Workspace ONE UEM, which are listed below.
- Enrollment URL: The administrator copies an Enrollment URL from the Workspace ONE UEM Console and distributes it as a link or as a QR code. The user can either launch the link or scan the QR code to start enrollment.
- Hub Method: Similar to Custom DPC, end users install Intelligent Hub on their devices and launch it. Users enter their email address or the UEM environment details to start enrollment.
- Manual Token: The administrator copies a Sign-Up Token from the Workspace ONE UEM Console and distributes it to end users. From the Android Settings application, end users enter the token to start enrollment.
In all three approaches, only the initial stage differs. Once the end users start enrollment, all the approaches redirect them to a web-based enrollment wizard in their device’s default browser.
Enrollment flow
Let us look at the enrollment flow when a user enrolls a device using the Enrollment URL.
Note: The diagram assumes Chrome is the default browser on the Android device.
- Administrator sends an email to the user with the enrollment URL
- User clicks the URL and is redirected to AMAPI. AMAPI identifies which organization the user is enrolling with based on the token provided with the Enrollment URL
- Google redirects the device to UEM to start the web-based enrollment wizard
- Chrome is launched and loads the web enrollment landing page
- UEM retrieves device ownership and user details from AMAPI
- User provides Group ID and credentials to UEM, accepts Terms of Use set by the organization, and accepts any optional enrollment screens configured by the administrator
- Workspace ONE UEM creates a record for the device in AMAPI and returns an enrollment token to the device
- Android Device Policy asks the user to install and set up Intelligent Hub. When launched, Intelligent Hub completes device enrollment
- The device exits the setup wizard. Resources (profiles, apps) are now provisioned to the device
Features supported with AMAPI
With Workspace ONE UEM 2406, the following features are supported for devices managed using AMAPI and enrolled in Work Profile mode.
- Provisioning of profiles and public applications
- Administrative actions, such as clearing the device passcode and wiping the Work Profile
- Most Compliance Policy Rules and Actions
Features supported with AMAPI leveraging Intelligent Hub
Certain features that cannot yet be managed exclusively through AMAPI rely on Intelligent Hub for configuration. Listed below are the profiles and commands that are delivered through Intelligent Hub to devices managed using AMAPI.
Profile
- Tunnel
- Credentials
Command
- Send Notification
- Request Device Log
- Remote Management
Summary
AMAPI is a new method for managing Android Enterprise devices, and when combined with Workspace ONE UEM, it helps manage devices effectively while providing a rich user experience with improved features and capabilities.
To track AMAPI updates with Workspace ONE UEM, check out the Android Management API Support in Workspace ONE UEM KB article.